DEV Community

Cover image for Scan Any Public GitHub Repo for Security Issues in Seconds (No Account)
Charles Kern
Charles Kern

Posted on

Scan Any Public GitHub Repo for Security Issues in Seconds (No Account)

TL;DR

  • You can now paste any public GitHub repo URL and get a security grade back in seconds, no signup.
  • It runs static analysis, secret detection, and dependency scanning on the source and ranks what it finds.
  • Handy before you adopt a dependency, review someone else's code, or ship your own weekend project.

Last month a friend sent me a repo. He'd vibe-coded a Stripe-backed side project over a weekend with Cursor, wired up auth, and wanted to know if it was safe to put in front of real users. Fair question. My honest answer was "give me an hour."

That hour is the problem. To get a real read on a repo I didn't write, I clone it, install the toolchain, run semgrep, run a secret scanner, run a dependency audit, then read three different output formats and try to hold them in my head at once. By the time I have an answer, I've spent more effort vetting the code than he spent writing it.

The thing I actually wanted was dumber and faster: paste a URL, get a grade, see the worst stuff first.

The requirement

Think about how often you're asked to trust code you didn't write.

You're about to npm install a library with 400 stars and a last commit from 14 months ago. You inherited a repo from a contractor who's already gone. You're reviewing a take-home from a job candidate. You forked something off Show HN and you're about to build on top of it. In every one of these cases the question is the same: is there anything obviously dangerous in here before I depend on it?

Cloning and setting up scanners for a five-minute question is friction nobody pays. So most people skip it and hope. That's how a hardcoded key or a three-year-old vulnerable dependency ends up in production.

The solution

SafeWeave now has a public repo scanner. Paste any public GitHub repository URL, and it runs static analysis, secret detection, and dependency scanning directly on the source, then hands back a security grade with ranked findings. No account, no clone, no config.

Here's the kind of thing it surfaces first. A hardcoded secret the AI dropped in during scaffolding:

const SECRET = 'my-super-secret-key-123'; // flagged, CWE-798
const SECRET = process.env.JWT_SECRET;     // the fix
Enter fullscreen mode Exit fullscreen mode

A SQL query built with string interpolation:

db.query(`SELECT * FROM users WHERE name = '${filter}'`); // flagged, CWE-89
db.query('SELECT * FROM users WHERE name = $1', [filter]); // the fix
Enter fullscreen mode Exit fullscreen mode

And a dependency with a known CVE sitting three levels deep in the lockfile, which no amount of reading the code would have caught by eye.

The grade starts at 100 and drops per finding by severity, so a repo full of criticals reads very differently from one with a couple of lows. You get the number and the ranked list in one screen, in seconds.

Why this matters for AI-generated code

The repos most worth scanning right now are the ones written fastest. AI editors produce syntactically clean, semantically risky code, and research keeps putting the vulnerability rate in AI-generated security-sensitive code somewhere in the 40 to 60 percent range. The speed that makes vibe coding fun is the same speed that ships the hardcoded key. A grade you can get before you adopt the repo is a cheap way to not inherit someone else's shortcut.

I built the public scanner into SafeWeave for exactly the "someone sent me a repo" moment. It's the same engine that runs inside Cursor and Claude Code as an MCP server, just pointed at a URL instead of your working directory. That said, if it's your own code, catching this stuff at write-time beats catching it at review-time. The important thing is catching it early, whatever tool you use.

Top comments (0)