Every day, developers merge pull requests (PRs) without realizing they might be introducing security vulnerabilities into production.
Sometimes it’s because security scanning tools are complex, paid, or simply not part of the workflow.
That’s why I built SecurePR – an open-source GitHub Action that runs Trivy and Semgrep on every pull request and posts the results directly as a comment.
No servers, no hidden costs, no setup headaches.
Why SecurePR?
No Manual Scanning – Runs automatically for every PR.
Free & Open Source – No licensing, no trial limits.
Lightweight – Works directly in GitHub Actions.
Two Powerful Scanners – Trivy for dependency scanning + Semgrep for static code analysis.
How It Works
A contributor opens a PR on your repo.
SecurePR runs Trivy to detect dependency vulnerabilities.
SecurePR runs Semgrep to find code security issues.
A single PR comment appears with all findings.
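The four steps above, written out as a GitHub Actions workflow. This is an added illustration, not the project's own securepr.yml; it assumes the pinned action versions shown and the report file names trivy.txt and semgrep.txt.

```yaml
name: SecurePR-style scan
on:
  pull_request:

permissions:
  contents: read
  pull-requests: write   # required to post the comment with GITHUB_TOKEN

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Step 2: dependency scan of the checked-out tree. exit-code 0 keeps the
      # job going so the comment step still runs when vulnerabilities are found.
      - name: Trivy filesystem scan
        uses: aquasecurity/trivy-action@0.28.0   # assumed pin; use the version you trust
        with:
          scan-type: fs
          scan-ref: .
          scanners: vuln
          severity: HIGH,CRITICAL
          format: table
          output: trivy.txt
          exit-code: '0'

      # Step 3: static analysis with Semgrep's registry rules for the detected languages.
      - name: Semgrep static analysis
        run: |
          python3 -m pip install --quiet semgrep
          semgrep scan --config auto --text --output semgrep.txt .

      # Step 4: merge both reports into a single PR comment.
      - name: Post findings as a PR comment
        uses: actions/github-script@v7
        with:
          script: |
            const fs = require('fs');
            const fence = '`'.repeat(3);
            const read = f => fs.existsSync(f) ? fs.readFileSync(f, 'utf8').trim() : '(no output)';
            const section = (title, file) => `### ${title}\n${fence}\n${read(file)}\n${fence}`;
            // GitHub rejects comment bodies over 65536 characters; keep headroom.
            const body = ['## SecurePR scan results',
              section('Trivy (dependencies)', 'trivy.txt'),
              section('Semgrep (code)', 'semgrep.txt')].join('\n\n').slice(0, 60000);
            await github.rest.issues.createComment({
              owner: context.repo.owner, repo: context.repo.repo,
              issue_number: context.issue.number, body });
```

On pull requests opened from forks, GITHUB_TOKEN is read-only, so the comment step will fail even with the permissions block above; in that case upload the two report files as workflow artifacts instead, or review the pull_request_target trigger's implications before switching to it.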
Getting Started
Go to your repo on GitHub.
Add the securepr.yml workflow file from our GitHub repo.
Commit & push.
Done – every new PR will be scanned automatically.
Support SecurePR
If you like this project, please star the repo ⭐ and consider sponsoring me on GitHub to support future development.
Links
🔗 GitHub Repo: https://github.com/saurabhxjha/SecurePR
💖 Sponsor Me: https://github.com/sponsors/saurabhxjha
🌐 Product Page: https://starkseek.com/products/securepr