Skip to content

subhansh-dev/pr-guardian

Folders and files

NameName
Last commit message
Last commit date

Latest commit

Β 

History

6 Commits
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 

Repository files navigation

English

GitHub stars License PRs Welcome

pr-guardian πŸ“

"The best code review is the one that happens before the PR is opened."

Catch security issues before they hit your repo.

pr-guardian scans pull requests for the kind of dumb mistakes that get you pwned at 3am β€” hardcoded API keys, exposed tokens, missing auth checks, .env files committed by accident. Works as a Claude Code skill or a standalone CLI on any GitHub repo.

One command β†’ instant security review.

Quick Start Β· What It Checks Β· Usage Β· Examples Β· FAQ Β· Contributing


Why Another Security Scanner?

You've got TruffleHog, Gitleaks, Talisman β€” they're great for secrets. But they miss:

  • Auth gaps β€” routes without middleware, commented-out auth checks
  • Config leaks β€” .env files in commits, hardcoded connection strings
  • Logic-level bugs β€” SQL concat, eval(), insecure cookie flags

pr-guardian catches both: the secret-level stuff AND the code-level stuff. It's designed to be stupid simple β€” no build step, no npm install, just Python stdlib + common sense. And it works inside Claude Code so you don't have to leave your session.


Quick Start

Linux / macOS

curl -sSL https://raw.githubusercontent.com/subhansh-dev/pr-guardian/main/scripts/install.sh | bash

Windows (PowerShell)

iwr -Uri https://raw.githubusercontent.com/subhansh-dev/pr-guardian/main/scripts/install.ps1 -OutFile install.ps1; .\install.ps1

Claude Code (any platform)

cp pr-guardian/SKILL.md ~/.claude/commands/pr-guardian.md
# then in any Claude session:
"guard this PR"

What It Checks

Category What It Finds
Secrets AWS keys, GitHub tokens, Slack tokens, Stripe keys, JWT secrets, Google API keys, private keys
Credentials Database connection strings with passwords, hardcoded passwords, API key literals
Config leaks .env files tracked in git, exposed config files
Auth issues Commented-out auth guards, hardcoded Authorization headers
Dangerous patterns eval(), exec(), SQL injection via string concatenation, debug endpoints
Insecure config Cookies without Secure/HttpOnly flags, CORS misconfigs

Usage

# Scan a local repo
python3 scripts/scan.py /path/to/repo

# Scan a PR directly
python3 scripts/scan.py https://github.com/owner/repo/pull/123

# Scan only changes in a diff
python3 scripts/scan.py /path/to/repo --git-diff /tmp/pr-diff.txt

# Exit code is 1 if any HIGH findings are found β€” CI-friendly

Example Output

pr-guardian report β€” 3 issue(s) found
─────────────────────────────────────────────────

  [HIGH]
    src/config/stripe.ts:42
    > const STRIPE_SECRET = "sk_live_..."
    stripe live key β€” rotate immediately

  [MEDIUM]
    .env:1
    > DATABASE_URL=postgres://admin:***@localhost:5432/db
    database connection string with password

  [LOW]
    src/routes/admin.ts:15
    > // if (!req.user) return res.sendStatus(401)
    commented-out auth check

─────────────────────────────────────────────────
summary: 1 high, 1 medium, 1 low
scan took 2.3s

Demo

pr-guardian scan output

$ python3 scripts/scan.py https://github.com/hackclub/stardance

pr-guardian report β€” 3 issue(s) found
─────────────────────────────────────────────────

  [HIGH]    stardance/app/controllers/application_controller.rb:47
            missing authorization check on admin routes

  [HIGH]    stardance/config/initializers/lockbox.rb:1
            Lockbox.master_key referenced from env β€” verify .env.example

  [MEDIUM]  stardance/.env:5
            DATABASE_URL contains credentials β€” add to .gitignore

─────────────────────────────────────────────────
real PRs have real findings. try it on yours.

Badges

Python Platform PRs Welcome GitHub last commit


GitHub Actions

Auto-scan every PR in your repo. Add this to .github/workflows/pr-guardian.yml:

name: pr-guardian
on: pull_request
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with: { python-version: '3.11' }
      - run: |
          curl -sSL https://raw.githubusercontent.com/subhansh-dev/pr-guardian/main/scripts/scan.py -o /tmp/scan.py
          python3 /tmp/scan.py . --git-diff \${{ github.event.pull_request.number }}.diff || true

Once set up, every PR gets an automatic security comment. Works on any public repo.


FAQ

Does it send my code anywhere? No. Everything runs locally. It's a Python script that reads files on your machine. No network calls except optionally cloning a repo from a PR URL.

Can I add custom rules? Not yet β€” the rule set is hardcoded for now. Custom rule support is on the roadmap.

How is this different from Gitleaks/TruffleHog? Those are laser-focused on secret patterns. pr-guardian also checks for logic-level issues like missing auth guards and dangerous code patterns. It's broader but less deep in any single category. Use both for full coverage.

Will this catch every vulnerability? No scanner catches everything. pr-guardian targets the most common, highest-impact mistakes. For serious security audits, use a proper tool like Semgrep or CodeQL.


Contributing

PRs welcome. Keep it simple β€” no build step, no npm install. Python stdlib only. The scanner lives in scripts/scan.py, the rule patterns are at the top of that file.


License

MIT β€” do whatever you want with it.


Architecture

β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”     β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”     β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
β”‚  GitHub PR  β”‚ ──▢ β”‚  pr-guardian     β”‚ ──▢ β”‚  Scan Report β”‚
β”‚  or local   β”‚     β”‚  scripts/scan.py β”‚     β”‚  (stdout)    β”‚
β”‚  repo path  β”‚     β”‚                  β”‚     β”‚              β”‚
β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜     β”‚  β€’ 20+ regex     β”‚     β”‚  HIGH: 1     β”‚
                    β”‚  β€’ 6 categories  β”‚     β”‚  MEDIUM: 2   β”‚
                    β”‚  β€’ git-diff mode β”‚     β”‚  LOW: 1      β”‚
                    β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜     β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜

two modes:

  1. standalone β€” python3 scripts/scan.py <target>
  2. skill β€” "guard this PR" in Claude Code / Codex

zero external dependencies. pure Python stdlib.


Star History

If this saved you from a late-night panic, give it a star ⭐

Star History Chart

About

πŸ“ Security scanner for PRs β€” catches hardcoded secrets, exposed tokens, missing auth checks before they hit production. Works as a Claude Code skill or standalone CLI.

Topics

Resources

License

Contributing

Stars

2 stars

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors