explaingit

brkndc26/prism-guard

0PythonAudience · developerComplexity · 2/5ActiveSetup · easy

TLDR

A local read-only Python scanner that reviews a freshly downloaded repo for credential files, risky install hooks, container privileges, and combined risks, then suggests a human review order.

Mindmap

mindmap
  root((prism-guard))
    Inputs
      Local repo path
      Config files
      Source files
    Outputs
      Risk report
      Suggested review order
      Highlighted file list
    Use Cases
      Pre run safety review
      Audit downloaded GitHub repo
      Pre publish self check
      Spot agent permission configs
    Tech Stack
      Python
      CLI
      Regex scanners

Things people build with this

USE CASE 1

Scan an unknown downloaded GitHub repo before running npm install or docker compose up

USE CASE 2

Audit your own repo for leaked credentials and risky install hooks before publishing

USE CASE 3

Surface dangerous risk combinations like a real-looking .env plus an outbound network call

USE CASE 4

Get a suggested human review order for a large repo instead of an unsorted finding dump

Tech stack

PythonCLI

Getting it running

Difficulty · easy Time to first run · 5min

Runs fully locally, reads only, and never executes the target code; needs Python and a repo path to scan.

In plain English

PRISM Guard is a tool you run on your own computer that scans a code repository before you actually run that repository. The idea is that when you download a project from GitHub or anywhere else, there might be scripts, configuration files, or leftover secrets inside it that will do something you did not expect the moment you type a command like npm install or docker compose up. PRISM Guard reads through the files first and points out which ones look worth a closer look. It runs fully on your machine. The tool does not upload your source code to any server, and it does not modify, delete, execute, or auto-fix anything. It only reads. The README is clear that the goal is not to label a project as safe or unsafe overall, but to answer a narrower question: which files, commands, and combinations of risks should a human review first. The categories it looks for include things like credential-like values, API keys, tokens.env files, risky shell commands, Python and Go execution patterns, package lifecycle scripts that run automatically during install, Docker and Kubernetes settings that grant host access, CI and deployment files, and configuration for AI agents or MCP tool calls that ask for broad filesystem or network permission. It also tries to filter out obvious placeholders, mock values, and documentation examples so that fake secrets do not flood the report. A point the README repeats is that PRISM Guard cares about risk combinations, not just isolated findings. A single .env file on its own is normal, but a .env with a real-looking API key plus code that contacts an external service is a different story. The tool tries to surface those combinations and then suggest a review order, for example look at credential files first, then auto-running install scripts, then container and CI files, then code that runs shell commands, then agent permission configs. The author also positions the project relative to existing security scanners. It is not meant to replace Trivy, Semgrep, or Gitleaks. It has a narrower focus on the pre-run review moment for both unknown downloaded projects and a developer's own repositories before they get shared or published.

Copy-paste prompts

Prompt 1
Install prism-guard and scan a freshly cloned repo, then walk through the suggested review order
Prompt 2
Show me which prism-guard rule fires on a .env file with a real-looking API key plus an outbound HTTP call
Prompt 3
Add a new prism-guard rule that flags GitHub Actions workflows using pull_request_target with checkout
Prompt 4
Tune prism-guard's placeholder filter so it stops flagging documented mock keys in example folders
Prompt 5
Compare prism-guard's findings on a repo against Gitleaks and Semgrep and explain where each one is strongest
Open on GitHub → Explain another repo

Generated 2026-05-22 · Model: sonnet-4-6 · Verify against the repo before relying on details.