explaingit

sphillips1337/repo-security-scan

Analysis updated 2026-05-18

0PythonAudience · developerComplexity · 2/5Setup · easy

TLDR

A command-line scanner that finds hardcoded API keys, passwords, and secrets in your code before they get committed to version control.

Mindmap

mindmap
  root((repo-security-scan))
    What it does
      Scans for secrets
      Ranks by severity
      Deduplicates findings
    Tech stack
      Python
      YAML config
      MCP server
    Use cases
      Pre-commit security
      Scheduled monitoring
    Audience
      Developers
      Security teams

Code map

Detail Auto

An interactive map of this repo's files and how they connect — its source is parsed live in your browser. Click Visualize to build it.

filefunction / class

What do people build with it?

USE CASE 1

Scan a repository for accidentally hardcoded AWS, GitHub, Slack, or Stripe credentials

USE CASE 2

Run an incremental scan on just the files changed in your latest Git commits

USE CASE 3

Set up a daemon that emails alerts when critical secrets are found in new commits

What is it built with?

PythonYAMLMCP

How does it compare?

sphillips1337/repo-security-scan0xhassaan/nn-from-scratch3ks/embedoc
Stars00
LanguagePythonPythonPython
Last pushed2023-06-08
MaintenanceDormant
Setup difficultyeasymoderatehard
Complexity2/54/51/5
Audiencedeveloperdeveloperdeveloper

Figures from each repo's GitHub metadata at analysis time.

How do you get it running?

Difficulty · easy Time to first run · 5min

Daemon and cron modes need additional email or scheduling configuration.

In plain English

Repo Security Scanner is a command-line tool written in Python that scans the files in a local code repository and looks for secrets that should not be there, API keys, passwords, private encryption keys, and cloud service tokens that a developer accidentally hardcoded into source files. The goal is to catch these before they get committed to version control and potentially exposed publicly. The scanner walks through a directory recursively, applying regular expression patterns to each file's content. It recognizes specific formats for AWS credentials, GitHub personal access tokens, RSA and other private key types, and keys for services including Slack, Stripe, Twilio, SendGrid, DigitalOcean, and Google APIs, along with generic patterns for password assignments and database connection strings. Three scan modes are available: a full scan of all files, a quick scan that checks only the highest-priority patterns, and an incremental scan that looks only at files changed in Git since a specified point. Findings are ranked by severity (CRITICAL, HIGH, MEDIUM, LOW), duplicate secrets found in multiple files are consolidated, and binary or large files are skipped automatically. The tool can run as a one-off scan from the command line, as a scheduled daemon that monitors for new commits and emails alerts when critical findings appear, or via cron for background monitoring. It also includes a Model Context Protocol (MCP) server, allowing AI assistants to run scans and retrieve reports programmatically. Configuration is handled through a YAML file and environment variables. The full README is longer than what was provided.

Copy-paste prompts

Prompt 1
Help me run Repo Security Scanner against my codebase to find leaked secrets
Prompt 2
Show me how to set up incremental scanning with repo-security-scan in a Git pre-commit hook
Prompt 3
Explain how to configure repo-security-scan as an MCP server for my AI assistant

Frequently asked questions

What is repo-security-scan?

A command-line scanner that finds hardcoded API keys, passwords, and secrets in your code before they get committed to version control.

What language is repo-security-scan written in?

Mainly Python. The stack also includes Python, YAML, MCP.

How hard is repo-security-scan to set up?

Setup difficulty is rated easy, with roughly 5min to a first successful run.

Who is repo-security-scan for?

Mainly developer.

Open on GitHub → Explain another repo

This repo across BitVibe Labs

Verify against the repo before relying on details.