English
"The best code review is the one that happens before the PR is opened."
Catch security issues before they hit your repo.
pr-guardian scans pull requests for the kind of dumb mistakes that get you pwned at 3am β hardcoded API keys, exposed tokens, missing auth checks, .env files committed by accident. Works as a Claude Code skill or a standalone CLI on any GitHub repo.
One command β instant security review.
Quick Start Β· What It Checks Β· Usage Β· Examples Β· FAQ Β· Contributing
You've got TruffleHog, Gitleaks, Talisman β they're great for secrets. But they miss:
- Auth gaps β routes without middleware, commented-out auth checks
- Config leaks β
.envfiles in commits, hardcoded connection strings - Logic-level bugs β SQL concat, eval(), insecure cookie flags
pr-guardian catches both: the secret-level stuff AND the code-level stuff. It's designed to be stupid simple β no build step, no npm install, just Python stdlib + common sense. And it works inside Claude Code so you don't have to leave your session.
curl -sSL https://raw.githubusercontent.com/subhansh-dev/pr-guardian/main/scripts/install.sh | bashiwr -Uri https://raw.githubusercontent.com/subhansh-dev/pr-guardian/main/scripts/install.ps1 -OutFile install.ps1; .\install.ps1cp pr-guardian/SKILL.md ~/.claude/commands/pr-guardian.md
# then in any Claude session:
"guard this PR"| Category | What It Finds |
|---|---|
| Secrets | AWS keys, GitHub tokens, Slack tokens, Stripe keys, JWT secrets, Google API keys, private keys |
| Credentials | Database connection strings with passwords, hardcoded passwords, API key literals |
| Config leaks | .env files tracked in git, exposed config files |
| Auth issues | Commented-out auth guards, hardcoded Authorization headers |
| Dangerous patterns | eval(), exec(), SQL injection via string concatenation, debug endpoints |
| Insecure config | Cookies without Secure/HttpOnly flags, CORS misconfigs |
# Scan a local repo
python3 scripts/scan.py /path/to/repo
# Scan a PR directly
python3 scripts/scan.py https://github.com/owner/repo/pull/123
# Scan only changes in a diff
python3 scripts/scan.py /path/to/repo --git-diff /tmp/pr-diff.txt
# Exit code is 1 if any HIGH findings are found β CI-friendlypr-guardian report β 3 issue(s) found
βββββββββββββββββββββββββββββββββββββββββββββββββ
[HIGH]
src/config/stripe.ts:42
> const STRIPE_SECRET = "sk_live_..."
stripe live key β rotate immediately
[MEDIUM]
.env:1
> DATABASE_URL=postgres://admin:***@localhost:5432/db
database connection string with password
[LOW]
src/routes/admin.ts:15
> // if (!req.user) return res.sendStatus(401)
commented-out auth check
βββββββββββββββββββββββββββββββββββββββββββββββββ
summary: 1 high, 1 medium, 1 low
scan took 2.3s
$ python3 scripts/scan.py https://github.com/hackclub/stardance
pr-guardian report β 3 issue(s) found
βββββββββββββββββββββββββββββββββββββββββββββββββ
[HIGH] stardance/app/controllers/application_controller.rb:47
missing authorization check on admin routes
[HIGH] stardance/config/initializers/lockbox.rb:1
Lockbox.master_key referenced from env β verify .env.example
[MEDIUM] stardance/.env:5
DATABASE_URL contains credentials β add to .gitignore
βββββββββββββββββββββββββββββββββββββββββββββββββ
real PRs have real findings. try it on yours.
Auto-scan every PR in your repo. Add this to .github/workflows/pr-guardian.yml:
name: pr-guardian
on: pull_request
jobs:
scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-python@v5
with: { python-version: '3.11' }
- run: |
curl -sSL https://raw.githubusercontent.com/subhansh-dev/pr-guardian/main/scripts/scan.py -o /tmp/scan.py
python3 /tmp/scan.py . --git-diff \${{ github.event.pull_request.number }}.diff || trueOnce set up, every PR gets an automatic security comment. Works on any public repo.
Does it send my code anywhere? No. Everything runs locally. It's a Python script that reads files on your machine. No network calls except optionally cloning a repo from a PR URL.
Can I add custom rules? Not yet β the rule set is hardcoded for now. Custom rule support is on the roadmap.
How is this different from Gitleaks/TruffleHog? Those are laser-focused on secret patterns. pr-guardian also checks for logic-level issues like missing auth guards and dangerous code patterns. It's broader but less deep in any single category. Use both for full coverage.
Will this catch every vulnerability? No scanner catches everything. pr-guardian targets the most common, highest-impact mistakes. For serious security audits, use a proper tool like Semgrep or CodeQL.
PRs welcome. Keep it simple β no build step, no npm install. Python stdlib only. The scanner lives in scripts/scan.py, the rule patterns are at the top of that file.
MIT β do whatever you want with it.
βββββββββββββββ ββββββββββββββββββββ ββββββββββββββββ
β GitHub PR β βββΆ β pr-guardian β βββΆ β Scan Report β
β or local β β scripts/scan.py β β (stdout) β
β repo path β β β β β
βββββββββββββββ β β’ 20+ regex β β HIGH: 1 β
β β’ 6 categories β β MEDIUM: 2 β
β β’ git-diff mode β β LOW: 1 β
ββββββββββββββββββββ ββββββββββββββββ
two modes:
- standalone β
python3 scripts/scan.py <target> - skill β
"guard this PR"in Claude Code / Codex
zero external dependencies. pure Python stdlib.
If this saved you from a late-night panic, give it a star β