This is a submission for the GitHub Copilot CLI Challenge
What I Built
The Story That Started It All
A few weeks ago, my friend Muhammad Khamzah (a fullstack developer) shared a chilling experience on LinkedIn. Someone approached him on LinkedIn offering a job opportunity. The conversation seemed legit, it moved from LinkedIn to email, and eventually they asked him to check out a project on GitHub.
But something felt off.
The repository had a .vscode folder committed to it, something that's rarely pushed unless there's a reason. When he dug deeper (still on GitHub, before even cloning), he found hidden malicious scripts tucked away in the code. The scripts were cleverly concealed, you couldn't see them unless you scrolled horizontally on GitHub. The malware was designed to:
- π― Run automatically when you open the project folder in VS Code (via
.vscode/tasks.jsonwithrunOn: folderOpen) - π Execute without
npm install, just opening the folder was enough - π Work on all operating systems, Windows, macOS, and Linux
- π΅οΈ Deploy via Vercel, making the payload look like a normal serverless function
Other developers who fell for similar scams lost thousands of dollars in cryptocurrency. The attackers stole wallet files, SSH keys, browser saved passwords, and API tokens, all from a single "job opportunity."
You can read his original post here.
Introducing ghsafe π‘οΈ
This story hit hard. Not every developer is as careful as Khamzah. So I built ghsafe, a CLI tool that scans any GitHub repository for malicious patterns before you clone and run it.
# Scan a suspicious repo before you run it
npx ghsafe scan https://github.com/suspicious-user/totally-legit-project
ghsafe acts as your first line of defense. It analyzes code for:
| Category | What It Catches |
|---|---|
| π£ Data Exfiltration | SSH key theft, env var harvesting, browser data access, crypto wallet targeting |
| πΈοΈ Network Exfiltration | Discord/Slack webhooks, raw IP connections, ngrok tunnels |
| π Code Obfuscation |
eval(), Function() constructor, Base64/hex payloads, String.fromCharCode chains |
| β‘ Dangerous Execution |
child_process, shell command injection, download-and-execute pipelines |
| βοΈ Crypto Mining | Mining pool connections, known miner libraries, wallet addresses |
| π Persistence | Crontab manipulation, shell profile modification, systemd services, Windows registry |
| π¦ Suspicious Install Scripts | Malicious postinstall hooks, setup.py backdoors |
It produces a beautiful, color-coded terminal report with a risk score from 0 to 100, code previews of suspicious lines, and a clear verdict: β SAFE, β οΈ SUSPICIOUS, or π¨ DANGEROUS.
For even deeper analysis, you can enable the --ai flag to send findings to GitHub Models for contextual threat assessment, staying fully within the GitHub ecosystem. It also supports OpenAI as a fallback.
Demo
π GitHub Repository: https://github.com/depapp/ghsafe
Scanning a malicious repository:
npx ghsafe scan https://github.com/user/suspicious-repo
The tool shows exactly where the suspicious code is, with line numbers and code previews:
And provides AI Analysis and a clear recommendation:
Scanning a clean repository:
Additional features:
# Scan a local directory
npx ghsafe scan ./path/to/project
# Enable AI-powered deep analysis (GitHub Models, recommended)
export GITHUB_TOKEN=your-github-token
npx ghsafe scan https://github.com/user/repo --ai
# Alternative: Use OpenAI directly
export OPENAI_API_KEY=your-openai-key
npx ghsafe scan https://github.com/user/repo --ai
# JSON output for CI/CD pipelines
npx ghsafe scan ./project --json
Exit codes make it CI/CD-friendly: 0 = safe, 1 = suspicious, 2 = dangerous.
My Experience with GitHub Copilot CLI
Building ghsafe in a single day would not have been possible without GitHub Copilot CLI. Here's how it supercharged my development:
ποΈ Project Scaffolding
I used Copilot CLI to help me scaffold the entire project structure from the TypeScript config and tsup bundler setup to the Commander.js CLI framework. Instead of copying boilerplate from old projects, I described what I needed and Copilot CLI generated the right configurations.
π Writing Detection Rules
This was where Copilot CLI truly shined. Writing 35+ regex-based detection rules across 7 categories is tedious and error-prone. I described the malicious patterns I wanted to detect in natural language like "detect when code reads SSH keys from the filesystem" or "find Base64-encoded strings longer than 80 characters" and Copilot CLI helped me craft precise regex patterns and structure them into the rule engine.
π¨ Rich Terminal UI
Building the beautiful terminal output with chalk, boxen, ora, and cli-table3 required getting a lot of formatting details right. Copilot CLI helped me compose the risk bar visualization, severity color coding, and the boxed report layout, turning a plain text scanner into something that looks and feels professional.
π€ AI Integration
Integrating the GitHub Models API for the optional deep analysis feature was a natural fit, it uses the same OpenAI SDK format but runs through GitHub's infrastructure, keeping the entire tool within the GitHub ecosystem. Copilot CLI helped me structure the provider selection logic (GitHub Models as primary, OpenAI as fallback) and craft the right system prompt for security analysis context.
π‘ The Verdict
GitHub Copilot CLI felt like pair programming with a security-savvy senior developer. It didn't just autocomplete, it understood the intent behind what I was building and helped me move from idea to working product in record time. The entire tool, 35+ detection rules, rich terminal UI, AI integration, and documentation was built in a single focused session.
If this tool helps even one developer avoid a phishing repo, it's worth it. Stay safe out there. π‘οΈ
Top comments (0)