
AkrijSama


I scanned 22 popular GitHub repos for security issues - 68% had exposed secrets


(Built entirely in Python, installable via pip. Uses argparse for the CLI, regex pattern matching for secret detection, gitpython for history scanning, and subprocess calls for dependency auditing.)

I built a CLI tool with Claude Code called shinobi that runs a roughly 10-second security scan on any project directory or GitHub repo. It checks for exposed API keys, dangerous defaults, vulnerable dependencies, missing security basics, and AI-specific risks. I pointed it at 22 popular open-source projects including FastAPI, Flask, Dify, Flowise, LiteLLM, and Lobe-Chat. The results were rough: 86% came back with a high or critical threat level. The most common issue was exposed secret patterns (strings in source code that match known API key formats; the scanner matches the format and does not check whether the credential is live), followed by dangerous defaults like debug mode and wildcard CORS. It's free, open source, and runs 100% locally, so zero data leaves your machine. pip install shinobi-scan, or check it out on GitHub: https://github.com/AkrijSama/Shinobi

Even if half of these are test fixtures, the fact that real key patterns exist across thousands of files means any developer who forks and builds on these templates is inheriting security debt they don't know about.
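To make the scanning approach concrete, here is an added example (my own illustrative code, not shinobi's implementation) of the regex-based secret-pattern and dangerous-default checks the post describes, plus a path heuristic that downgrades hits inside test or fixture trees rather than silently dropping them. The rule set, severity scale and fixture directory names are assumptions; the sample files are constructed and the key-like strings are dummy formats, not real credentials.

```python
"""Illustrative secret-pattern and dangerous-default scanner.

Added example, not shinobi's code: demonstrates regex matching of known key
formats and risky settings, with fixture-aware severity and a threat rollup.
"""
import re
from dataclasses import dataclass

# Well-known credential formats. Illustrative subset, not shinobi's rule list.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    # A long literal assigned to a key-like name, regardless of provider.
    "generic_api_key": re.compile(
        r"(?i)\b(?:api[_-]?key|secret[_-]?key|access[_-]?token)\b\s*[:=]\s*"
        r"['\"][A-Za-z0-9_\-]{16,}['\"]"
    ),
}

# Settings that are fine while developing but dangerous as shipped defaults.
DANGEROUS_DEFAULTS = {
    # Flask/Django style: app.run(debug=True) or DEBUG = True
    "debug_enabled": re.compile(r"(?i)\bdebug\s*=\s*True\b"),
    # FastAPI CORSMiddleware, flask-cors, or a raw header allowing any origin
    "cors_wildcard": re.compile(
        r"""allow_origins\s*=\s*\[\s*["']\*["']\s*\]"""
        r"""|\borigins\s*=\s*["']\*["']"""
        r"""|Access-Control-Allow-Origin["']?\s*[:=]\s*["']\*["']"""
    ),
}

# Path components that usually mean "test data", not a deployed credential (assumed list).
FIXTURE_HINTS = {"test", "tests", "fixture", "fixtures", "example", "examples", "docs"}
SEVERITY_ORDER = ("none", "low", "medium", "high", "critical")


@dataclass
class Finding:
    path: str
    line: int
    rule: str
    severity: str
    likely_fixture: bool


def is_probable_fixture(path: str) -> bool:
    """Heuristic: any directory component named like a test/fixture/example tree."""
    parts = path.replace("\\", "/").lower().split("/")
    return any(p in FIXTURE_HINTS or p.startswith("test_") for p in parts)


def scan_text(path: str, text: str) -> list[Finding]:
    """Run every pattern over each line of one file's contents."""
    fixture = is_probable_fixture(path)
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, rx in SECRET_PATTERNS.items():
            if rx.search(line):
                # A key format inside a fixture still deserves a look, but is not "critical".
                findings.append(Finding(path, lineno, rule, "medium" if fixture else "critical", fixture))
        for rule, rx in DANGEROUS_DEFAULTS.items():
            if rx.search(line):
                findings.append(Finding(path, lineno, rule, "high", fixture))
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    """Scan an in-memory {path: contents} map (stand-in for walking a checkout)."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


def threat_level(findings: list[Finding]) -> str:
    """Overall level is the worst single finding, like a high/critical rollup."""
    if not findings:
        return "none"
    return max((f.severity for f in findings), key=SEVERITY_ORDER.index)


# Constructed sample repo; the key-like values are dummy/documentation formats, not real credentials.
SAMPLE_FILES = {
    "app/config.py": 'DEBUG = True\nAWS_KEY = "AKIAIOSFODNN7EXAMPLE"\n',
    "app/main.py": 'app.add_middleware(CORSMiddleware, allow_origins=["*"])\n',
    "tests/fixtures/token.py": 'GITHUB_TOKEN = "ghp_0123456789abcdefghijklmnopqrstuvwxyz"\n',
    "README.md": "Set DEBUG=False before deploying.\n",
}

if __name__ == "__main__":
    results = scan_files(SAMPLE_FILES)
    for f in results:
        tag = " (probable fixture)" if f.likely_fixture else ""
        print(f"{f.severity:8} {f.path}:{f.line} {f.rule}{tag}")
    print("threat level:", threat_level(results))
```

Running it reports the debug flag and the AWS-format key in app/config.py, the wildcard CORS in app/main.py, and the GitHub-format token under tests/fixtures/ at reduced severity; the README line with DEBUG=False produces nothing. The fixture heuristic is only a hint: a real scanner should still surface those hits so a reviewer can confirm they are not live credentials that someone dropped into a test directory.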

I'm new to the vibe-coding scene. I know a lot of people here don't like AI or vibe-coders, but alas, it is unavoidably the way of the future. If the thing works, the results speak for themselves.

Let me know if this helps or if you have feedback. I'm on X all day.
