GitHub repository security scanner
Before you clone a repo into your agent or your machine, paste its GitHub URL and see what the code actually does — install hooks, shell and network use, prompt-injection surfaces, and exfiltration — with file:line evidence.
Scan any part of a repo
Paste a plain repository URL, or a browser link to a specific branch/tag, a subfolder (/tree/<ref>/<path>), or a commit. Non-code pages are reduced to the repository root. Only the component's own files are analyzed.
What you get
A risk verdict out of 100, a capability breakdown, and findings anchored to file and line — plus JSON and SARIF export to feed your own CI. Detection is deterministic and static: the repo is shallow-cloned and read, never executed, and no LLM is involved.
FAQ
- Which hosts are supported?
  Public repositories on GitHub, GitLab, Bitbucket and Hugging Face. The source URL is validated before any clone.
- Can I scan a monorepo subfolder?
  Yes — paste the /tree/<ref>/<path> URL and only that subfolder is treated as the component.
- Do you store my repository?
  The repo is shallow-cloned to a temporary directory for the scan and cleaned up afterward. Nothing is executed.
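The URL rules described above (plain repo, /tree/<ref>/<path> subfolder, commit, non-code pages reduced to the root, host validated before any clone) can be written down as a small resolver. This is an added illustration, not the scanner's own code; the host allowlist comes from the FAQ, while the exact path layouts, the GitLab "/-/" separator, the single-segment ref assumption and the `in_component` helper are assumptions made here.

```python
from posixpath import normpath
from urllib.parse import urlsplit

# Hosts the page lists; anything else is rejected before a clone is attempted.
ALLOWED_HOSTS = {"github.com", "gitlab.com", "bitbucket.org", "huggingface.co"}

def resolve_component(url: str) -> dict:
    """Map a browser URL to host/owner/repo/ref/path; non-code pages fall back to the repo root."""
    parts = urlsplit(url.strip())
    if parts.scheme != "https" or parts.username or parts.password:
        raise ValueError("only plain https URLs without embedded credentials are accepted")
    host = (parts.hostname or "").lower()
    if host not in ALLOWED_HOSTS:
        raise ValueError(f"unsupported host: {host!r}")
    segs = [s for s in parts.path.split("/") if s]
    if len(segs) < 2:
        raise ValueError("URL does not name a repository")
    owner, repo = segs[0], segs[1].removesuffix(".git")
    for seg in (owner, repo):  # refuse segments that could escape the clone directory
        if seg in {".", ".."} or not all(c.isalnum() or c in "-_." for c in seg):
            raise ValueError(f"unsafe path segment: {seg!r}")
    comp = {"host": host, "owner": owner, "repo": repo, "ref": None, "path": ""}
    rest = segs[2:]
    if rest and rest[0] == "-":  # assumption: GitLab-style "/-/" separator before tree/commit
        rest = rest[1:]
    if len(rest) >= 2 and rest[0] == "tree":
        # Assumption: the ref is a single segment (branch names containing "/" are ambiguous here).
        comp["ref"] = rest[1]
        comp["path"] = normpath("/".join(rest[2:])) if rest[2:] else ""
    elif len(rest) >= 2 and rest[0] == "commit":
        comp["ref"] = rest[1]
    # Anything else (issues, pulls, wiki, blob, ...) is treated as a non-code page: keep the root.
    if comp["path"].startswith(("..", "/")):
        raise ValueError("component path escapes the repository")
    return comp

def in_component(comp: dict, file_path: str) -> bool:
    """True only for repository files inside the component's subfolder (no traversal out of it)."""
    norm = normpath(file_path)
    if norm.startswith(("..", "/")):
        return False
    root = comp["path"]
    return root == "" or norm == root or norm.startswith(root + "/")
```

`in_component` is what enforces "only the component's own files are analyzed": a traversal such as `packages/cli/../../secrets` normalises to `secrets` and is excluded.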