Repo scanner
Submit any public GitHub repository URL. The scanner checks for governance violations, missing tests, security gaps, dependency vulnerabilities, and IaC misconfigurations. Free, no sign-up.
Each finding links to the relevant methodology article. Browse all articles →
How the scanner works
Submit a repo URL
Enter any public GitHub repository URL. The scanner validates it against an allowlist (GitHub only) and queues a scan.
Async analysis
A Python Lambda fetches the repository tree via the GitHub API and analyses it for five categories: security, dependencies, IaC, code quality, and governance.
Structured findings
Each finding includes a severity rating, a description, the affected file, a remediation recommendation, and a link to the relevant methodology article.
What we check
SEC Security
Hardcoded credentials, insecure configurations, public S3 buckets, missing security policies (SECURITY.md, CODEOWNERS).
Security scanning article →
DEP Dependencies
Known CVEs in dependencies, unpinned versions, missing lock files, outdated major versions.
Agentic development article →
IAC Infrastructure as Code
Terraform/CloudFormation misconfigurations: public S3 buckets, missing encryption, unbounded Lambda concurrency, missing resource tagging.
Governance as code article →
QA Code Quality
Missing type hints, print() in production code, no linting configuration, bare except clauses, missing docstrings on public functions.
AI remediation article →
GOV Governance
No CI/CD pipeline, no test suite, no README, no contribution guide, no SECURITY.md, no code owners file.
Governance as code article →
RL Rate limiting
10 scans per IP per 24 hours. No account required. Results are stored for 90 days — bookmark your scan URL.
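As an added illustration, not the scanner's own code, here is a minimal Python version of four of the checks listed above (a hardcoded AWS access key, an unpinned dependency, a bare except clause and a print() call, and missing SECURITY.md/CODEOWNERS) run over a constructed in-memory repository tree, emitting findings with the fields described under "Structured findings". The AWS_KEY_RE pattern, the severity values and the remediation wording are assumptions.

```python
import ast
import re
from dataclasses import dataclass

# Constructed in-memory repo tree (path -> contents); the key is the AWS docs placeholder.
SAMPLE_REPO = {
    "requirements.txt": "requests==2.31.0\nboto3\n",
    "app/main.py": (
        'AWS_KEY = "AKIAIOSFODNN7EXAMPLE"\n'
        "def handler(event):\n"
        "    try:\n"
        "        print(event)\n"
        "    except:\n"
        "        pass\n"
    ),
}
AWS_KEY_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")  # AWS access key ID format (assumed)

@dataclass
class Finding:          # the fields the page lists for each finding
    category: str       # SEC, DEP, QA or GOV
    severity: str
    file: str
    description: str
    remediation: str

def scan(tree):
    findings = []
    for gov_file in ("SECURITY.md", "CODEOWNERS"):   # GOV: missing policy files
        if gov_file not in tree:
            findings.append(Finding("GOV", "MEDIUM", gov_file, f"missing {gov_file}",
                                    f"add {gov_file} at the repository root"))
    for path, text in tree.items():
        if path == "requirements.txt":                # DEP: unpinned versions
            for req in filter(None, text.splitlines()):
                if "==" not in req:
                    findings.append(Finding("DEP", "MEDIUM", path, f"unpinned {req!r}",
                                            "pin an exact version and add a lock file"))
        elif path.endswith(".py"):
            if AWS_KEY_RE.search(text):               # SEC: hardcoded credential
                findings.append(Finding("SEC", "HIGH", path, "hardcoded AWS access key",
                                        "move it to a secrets manager and rotate it"))
            for node in ast.walk(ast.parse(text)):    # QA: AST-based code-quality checks
                if isinstance(node, ast.ExceptHandler) and node.type is None:
                    findings.append(Finding("QA", "LOW", path, f"bare except, line {node.lineno}",
                                            "catch specific exception types"))
                elif isinstance(node, ast.Call) and getattr(node.func, "id", None) == "print":
                    findings.append(Finding("QA", "LOW", path, f"print() call, line {node.lineno}",
                                            "use the logging module"))
    return findings
```

Call scan(SAMPLE_REPO) to get six findings: two GOV, one DEP, one SEC and two QA.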
Learn about the stack →