{"id":50469509,"url":"https://github.com/beadon/ai-security-reviewer","last_synced_at":"2026-06-01T09:30:31.455Z","repository":{"id":358013050,"uuid":"1239484586","full_name":"beadon/ai-security-reviewer","owner":"beadon","description":"Two-layer AI security review pipeline for npm/JS — automated tool scanning + Claude semantic analysis of what tools cannot catch","archived":false,"fork":false,"pushed_at":"2026-05-15T09:32:25.000Z","size":77,"stargazers_count":0,"open_issues_count":4,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-05-15T09:38:10.739Z","etag":null,"topics":["claude","claude-code","code-review","devsecops","iac-security","javascript","llm","nodejs","owasp","sast","security","semgrep","supply-chain-security","terraform"],"latest_commit_sha":null,"homepage":null,"language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/beadon.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-05-15T06:19:22.000Z","updated_at":"2026-05-15T09:32:27.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/beadon/ai-security-reviewer","commit_stats":null,"previous_names":["beadon/ai-security-reviewer"],"tags_count":6,"template":false,"template_full_name":null,"purl":"pkg:github/beadon/ai-security-reviewer","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/beadon%2Fai-security-reviewer","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/beadon%2Fai-security-reviewer/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/beadon%2Fai-security-reviewer/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/beadon%2Fai-security-reviewer/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/beadon","download_url":"https://codeload.github.com/beadon/ai-security-reviewer/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/beadon%2Fai-security-reviewer/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":33769490,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-01T02:00:06.963Z","response_time":115,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["claude","claude-code","code-review","devsecops","iac-security","javascript","llm","nodejs","owasp","sast","security","semgrep","supply-chain-security","terraform"],"created_at":"2026-06-01T09:30:30.834Z","updated_at":"2026-06-01T09:30:31.440Z","avatar_url":"https://github.com/beadon.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# AI Security Reviewer\n\nA two-layer security review pipeline for npm/JavaScript codebases and their deployment infrastructure, powered by Claude Code.\n\n**Layer 1 — Automated tools:** Purpose-built scanners handle pattern-matching, known CVEs, hardcoded secrets, license compliance, IaC misconfigurations, and supply chain threats. These run first and produce structured findings.\n\n**Layer 2 — AI semantic analysis:** Claude triages tool output with business context, then analyzes what no pattern-matcher can catch: business logic flaws, authorization model errors, second-order vulnerabilities, privilege escalation chains, and cross-boundary trust violations.\n\n## Three Skills\n\n| Skill | Command | Scope |\n|-------|---------|-------|\n| `security-review.md` | `/security-review` | npm/JS code — injection, auth, business logic, supply chain |\n| `arch-review.md` | `/arch-review` | IaC, containers, CI/CD, cloud config — Terraform, K8s, Docker, Ansible |\n| `full-review.md` | `/full-review` | Orchestrator — runs both above in parallel, merges into one report |\n\nFor most PR reviews, use `/full-review`. Use the individual skills when you want a focused, faster scan of one layer only.\n\n---\n\n## Prerequisites\n\n- [Claude Code](https://claude.ai/code) installed and authenticated\n- [GitHub CLI (`gh`)](https://cli.github.com/) installed and authenticated (`gh auth login`)\n\nThe security scanning tools (Semgrep, gitleaks, njsscan) are **optional for local use**. If not installed, the AI analysis proceeds without their output. See [CI Workflow](#ci-workflow) for running tools in a reproducible environment.\n\n**Optional commercial tool:** [socket.dev](https://socket.dev) provides supply chain security analysis. It requires a `SOCKET_API_KEY` environment variable. Free for public repositories; paid plan required for private repositories. Without the key, the skill skips this scan and notes it in the report. See [socket.dev setup](#socketdev-setup) below.\n\n---\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003eFirst-Time Setup (new users — start here)\u003c/strong\u003e\u003c/summary\u003e\n\n### What this is\n\nThis tool adds three slash commands to Claude Code that run a two-layer security review against your codebase: automated scanners (Semgrep, gitleaks, etc.) followed by AI semantic analysis of what the scanners miss — business logic flaws, authorization errors, and chained vulnerabilities.\n\nYou run it from your terminal, inside any project directory.\n\n---\n\n### Step 1 — Install Claude Code\n\nOpen **Terminal** on your Mac (or your OS terminal) and run:\n\n```bash\nnpm install -g @anthropic-ai/claude-code\n```\n\nThen authenticate it:\n\n```bash\nclaude\n```\n\nFollow the prompts to log in with your Anthropic account. Once you're at the `claude\u003e` prompt, type `/exit` to quit — setup is done.\n\n\u003e **VS Code users:** Claude Code has a VS Code extension (search \"Claude Code\" in the Extensions panel), but the security reviewer runs from a terminal. Use VS Code's built-in terminal (`Terminal → New Terminal`) so you can stay in your editor while running reviews.\n\n---\n\n### Step 2 — Install the security reviewer\n\n```bash\ngit clone https://github.com/beadon/ai-security-reviewer\ncd ai-security-reviewer\n./install.sh --global --with-deps\n```\n\n`--global` makes the three review commands available in every project on your machine. `--with-deps` installs the scanning tools (Semgrep, gitleaks, etc.) via Homebrew and pip.\n\nIf you hit permission errors on `npm install -g`, see the [npm EACCES fix](https://docs.npmjs.com/resolving-eacces-permissions-errors-when-installing-packages-globally) — never use `sudo npm`.\n\n---\n\n### Step 3 — Run your first review\n\nNavigate to the project you want to review and open Claude Code:\n\n```bash\ncd /path/to/your/project\nclaude\n```\n\nThen type one of these at the `claude\u003e` prompt:\n\n| Command | What it reviews |\n|---|---|\n| `/full-review` | Everything — code and infrastructure (start here) |\n| `/security-review` | JavaScript/npm code only |\n| `/arch-review` | Dockerfiles, Terraform, CI/CD config only |\n\nFor most people, `/full-review` is the right starting point.\n\n---\n\n### What to expect\n\nThe review takes 2–5 minutes. It will:\n\n1. Run the automated scanners against your codebase\n2. Have Claude triage the results and reason about what the scanners missed\n3. Print a markdown report with findings grouped by severity\n\nFindings below 2/10 confidence are suppressed — the goal is zero false positives.\n\n---\n\n### GitHub CLI (optional but recommended)\n\nThe tool can annotate pull requests on GitHub. If you want that, install and authenticate the GitHub CLI:\n\n```bash\nbrew install gh\ngh auth login\n```\n\n\u003c/details\u003e\n\n---\n\n## Installation\n\n```bash\ngit clone https://github.com/beadon/ai-security-reviewer\ncd ai-security-reviewer\n```\n\n### Scanning tools\n\nThe installer can install all scanning tools for you:\n\n```bash\n./install.sh --global --with-deps\n```\n\nOr install them manually. On macOS with Homebrew:\n\n```bash\n# Code-level tools (/security-review)\nbrew install semgrep gitleaks\npip install njsscan scancode-toolkit\nnpm install -g retire htmlhint\n\n# Infrastructure tools (/arch-review)\nbrew install checkov hadolint trivy tflint\npip install ansible-lint\n\n# License checker (no install needed — runs via npx)\n```\n\n`pip install njsscan` installs the njsscan binary into your Python environment's `bin/` directory — make sure that directory is on your `PATH` (e.g. `$(python3 -m site --user-base)/bin` for user installs, or your virtualenv's `bin/`).\n\nThen run the installer for your scenario:\n\n```bash\n# Make available across all projects\n./install.sh --global\n\n# Install to one specific project (skills only)\n./install.sh --project /path/to/your/project\n\n# Install skills + CI workflow to a project (Scenario 3)\n./install.sh --all /path/to/your/project\n```\n\nThe installer copies the skill files from `.claude/commands/` to the correct location and the CI workflow from `.github/workflows/` to the target repo. The orchestrator (`/full-review`) reads the other two skill files at runtime — all three must be installed in the same directory.\n\n---\n\n## Usage\n\n### Scenario 1 — Review a Pull Request (recommended)\n\nCheck out the PR branch locally, then invoke the full review. This runs both code-level and infrastructure analysis in parallel.\n\n```bash\ngh pr checkout \u003cPR-number\u003e\n```\n\nThen in Claude Code:\n\n```\n/full-review\n```\n\nFor a faster, focused scan of one layer only:\n\n```\n/security-review    # code only\n/arch-review        # infrastructure only\n```\n\nThe report covers only the changes introduced by that PR, not the entire codebase.\n\n**With socket.dev (optional):** If `SOCKET_API_KEY` is set in your environment, the skill automatically runs a supply chain scan as part of Phase 0. To configure it:\n\n```bash\nexport SOCKET_API_KEY=your_api_key_here\n```\n\n**With license-checker (no setup required):** Runs automatically via `npx` — no installation needed. Flags any dependency with a copyleft or unknown license introduced by the PR.\n\n---\n\n### Scenario 2 — Review a Full Repository or Arbitrary Branch\n\nClone any public or private repository you have access to, then run the review from within it.\n\n```bash\n# Clone and review the default branch (SSH)\ngit clone git@github.com:\u003corg\u003e/\u003crepo\u003e.git /tmp/target\ncd /tmp/target\n\n# Or via HTTPS\ngit clone https://github.com/\u003corg\u003e/\u003crepo\u003e.git /tmp/target\ncd /tmp/target\n```\n\nFor a specific branch:\n\n```bash\ngit clone --branch \u003cbranch-name\u003e git@github.com:\u003corg\u003e/\u003crepo\u003e.git /tmp/target\ncd /tmp/target\n```\n\nIf you have the GitHub CLI installed, `gh repo clone \u003corg\u003e/\u003crepo\u003e /tmp/target` is equivalent and handles auth automatically.\n\nThen in Claude Code (opened in `/tmp/target`):\n\n```\n/full-review\n```\n\nThis scenario is particularly useful for supply chain and license audits of a dependency or third-party repo before adopting it. Both license-checker and socket.dev (if configured) will scan the full dependency tree, and arch-review will inspect any IaC files present.\n\n**Note:** When reviewing a full repository rather than a PR diff, the git diff commands produce no output. Both skills proceed using tool scan results and semantic analysis of the codebase as a whole.\n\n---\n\n### Scenario 3 — CI-Integrated Review (recommended for teams)\n\nRunning tools locally is fragile — tools may not be installed, versions may differ, and results are not reproducible across machines. The recommended team deployment separates tool execution from AI analysis:\n\n```\nPR opened\n  → GitHub Actions runs all scanning tools (code + IaC) in a clean environment\n  → socket.dev GitHub App posts its own PR comment (if installed)\n  → All other tool results posted as a structured PR comment by the workflow\n  → Developer runs /full-review in Claude Code\n  → Orchestrator spawns parallel code-level + infrastructure sub-tasks\n  → Each sub-task reads tool results from CI, adds semantic analysis\n  → Unified report produced\n```\n\n**Setup:**\n\n1. Add the GitHub Actions workflow to your target repository (see [CI Workflow](#ci-workflow) below).\n2. *(Optional)* Install the [Socket GitHub App](https://socket.dev) on the repository. It runs automatically on every PR and posts supply chain findings as its own comment — no workflow step required.\n3. When reviewing a PR, check it out and run `/full-review`. Each sub-skill will detect and consume the tool results posted by CI.\n\n---\n\n## CI Workflow\n\nThe workflow file is at [`.github/workflows/security-scan.yml`](.github/workflows/security-scan.yml) in this repo. Install it to your target repository with:\n\n```bash\n./install.sh --ci /path/to/your/project\n# or as part of a full install:\n./install.sh --all /path/to/your/project\n```\n\nIt runs on every pull request, executes all scanning tools in a clean environment, and posts results as a PR comment that `/full-review` can consume.\n\n\u003cdetails\u003e\n\u003csummary\u003eView workflow YAML\u003c/summary\u003e\n\n```yaml\nname: Security Scan\n\non:\n  pull_request:\n    branches: [main, master]\n\njobs:\n  scan:\n    runs-on: ubuntu-latest\n    permissions:\n      pull-requests: write\n      contents: read\n\n    steps:\n      - uses: actions/checkout@v4\n        with:\n          fetch-depth: 0\n\n      - uses: actions/setup-node@v4\n        with:\n          node-version: '20'\n\n      - name: npm audit\n        run: npm audit --json \u003e /tmp/npm-audit.json 2\u003e/dev/null || true\n\n      - name: Semgrep\n        uses: semgrep/semgrep-action@v1\n        with:\n          config: \u003e-\n            p/javascript\n            p/nodejs\n            p/secrets\n          output: /tmp/semgrep.json\n          output-format: json\n        continue-on-error: true\n\n      - name: gitleaks\n        uses: gitleaks/gitleaks-action@v2\n        env:\n          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}\n        continue-on-error: true\n\n      - name: njsscan\n        run: |\n          pip install njsscan --quiet\n          njsscan --json . \u003e /tmp/njsscan.json 2\u003e/dev/null || true\n\n      - name: Checkov (IaC)\n        uses: bridgecrewio/checkov-action@v12\n        with:\n          output_format: json\n          output_file_path: /tmp/checkov.json\n        continue-on-error: true\n\n      - name: hadolint (Dockerfile)\n        uses: hadolint/hadolint-action@v3.1.0\n        with:\n          dockerfile: Dockerfile\n          format: json\n          output-file: /tmp/hadolint.json\n        continue-on-error: true\n\n      - name: Trivy config scan\n        uses: aquasecurity/trivy-action@master\n        with:\n          scan-type: config\n          format: json\n          output: /tmp/trivy-config.json\n        continue-on-error: true\n\n      - name: License Checker\n        run: npx license-checker-rseidelsohn --json --excludePrivatePackages \u003e /tmp/license-checker.json 2\u003e/dev/null || true\n\n      - name: Socket.dev CLI scan\n        if: env.SOCKET_API_KEY != ''\n        env:\n          SOCKET_API_KEY: ${{ secrets.SOCKET_API_KEY }}\n        run: |\n          npm install -g @socketsecurity/cli --quiet\n          socket scan create --json . \u003e /tmp/socket.json 2\u003e/dev/null || true\n\n      - name: Post results as PR comment\n        uses: actions/github-script@v7\n        with:\n          script: |\n            const fs = require('fs');\n            const read = (p) =\u003e { try { return fs.readFileSync(p, 'utf8'); } catch { return '{}'; } };\n\n            const body = [\n              '\u003c!-- security-scan-results --\u003e',\n              '## Security Scan Results',\n              '### npm audit',\n              '```json',\n              read('/tmp/npm-audit.json'),\n              '```',\n              '### Semgrep',\n              '```json',\n              read('/tmp/semgrep.json'),\n              '```',\n              '### njsscan',\n              '```json',\n              read('/tmp/njsscan.json'),\n              '```',\n              '### License Checker',\n              '```json',\n              read('/tmp/license-checker.json'),\n              '```',\n              '### Socket.dev',\n              '```json',\n              read('/tmp/socket.json'),\n              '```',\n              '### Checkov (IaC)',\n              '```json',\n              read('/tmp/checkov.json'),\n              '```',\n              '### hadolint',\n              '```json',\n              read('/tmp/hadolint.json'),\n              '```',\n              '### Trivy config',\n              '```json',\n              read('/tmp/trivy-config.json'),\n              '```',\n            ].join('\\n');\n\n            const { data: comments } = await github.rest.issues.listComments({\n              owner: context.repo.owner,\n              repo: context.repo.repo,\n              issue_number: context.issue.number,\n            });\n\n            const existing = comments.find(c =\u003e c.body.includes('\u003c!-- security-scan-results --\u003e'));\n\n            if (existing) {\n              await github.rest.issues.updateComment({\n                owner: context.repo.owner,\n                repo: context.repo.repo,\n                comment_id: existing.id,\n                body,\n              });\n            } else {\n              await github.rest.issues.createComment({\n                owner: context.repo.owner,\n                repo: context.repo.repo,\n                issue_number: context.issue.number,\n                body,\n              });\n            }\n```\n\n\u003c/details\u003e\n\n---\n\n## socket.dev Setup\n\nsocket.dev is optional but adds meaningful supply chain coverage that no other tool in this stack provides.\n\n**Free tier (public repos):** Install the [Socket GitHub App](https://socket.dev) on your repository. It runs automatically on every PR with no API key or workflow step needed.\n\n**Paid plan (private repos):** The GitHub App requires a paid plan for private repositories. Alternatively, use the CLI in Scenarios 1 and 2:\n\n```bash\nexport SOCKET_API_KEY=your_api_key_here  # add to ~/.zshrc or ~/.bashrc\n```\n\nFor CI (Scenario 3), add your key as a repository secret named `SOCKET_API_KEY` in GitHub → Settings → Secrets and variables → Actions. The workflow step runs conditionally only when the secret is present.\n\n---\n\n## What the Tools Cover\n\n### Code-Level Tools (`/security-review`)\n\n| Tool | Scope | Free? | OWASP |\n|------|-------|-------|-------|\n| `npm audit` | Known CVEs in the dependency tree | Yes (built-in) | A06 |\n| Semgrep | Injection sinks, XSS, prototype pollution, hardcoded credentials | Yes (OSS) | A02, A03, A08 |\n| gitleaks | Secrets and tokens in git history and diffs | Yes (OSS) | A02 |\n| njsscan | Express/Node misconfigurations, missing security middleware | Yes (OSS) | A05, A07 |\n| license-checker-rseidelsohn | Copyleft and unknown licenses in the dependency tree | Yes (OSS) | A06 |\n| scancode-toolkit | Copyright notices and license identifiers in source file headers; detects GPL-contaminated code copied directly into the codebase | Yes (OSS) | A06 |\n| socket.dev | Supply chain: malicious install scripts, typosquatting, new/unknown maintainers | Free for public repos; paid for private | A06 |\n\n### Infrastructure Tools (`/arch-review`)\n\n| Tool | Scope | Free? | OWASP |\n|------|-------|-------|-------|\n| Checkov | Terraform, CloudFormation, K8s, Dockerfile, Ansible, Helm, Bicep | Yes (OSS) | A01, A02, A05 |\n| hadolint | Dockerfile best practices, insecure ADD/RUN patterns, mutable base tags | Yes (OSS) | A05, A08 |\n| Trivy (config) | K8s, Terraform, CloudFormation, Dockerfile — complementary to Checkov | Yes (OSS) | A01, A05, A06 |\n| tflint | Terraform provider-specific rules and deprecated resources | Yes (OSS) | A05 |\n| ansible-lint | Ansible playbook security — shell injection, privilege escalation misuse | Yes (OSS) | A03, A05 |\n\n## What the AI Covers (tools cannot catch these)\n\n### Code-level (`/security-review`)\n\n| Category | Examples |\n|----------|---------|\n| Business logic flaws | Operations out of sequence, one-time token reuse, state assumptions violated |\n| Authorization model correctness | Authz after data fetch, check on wrong principal, branches that skip authz |\n| Second-order injection | Data stored safely, retrieved and used dangerously in a different file |\n| Cross-file trust boundary violations | Internal helper now called from a public handler without re-validation |\n| Chained vulnerabilities | Two low-privilege operations composed to escalate privilege |\n| Race conditions with business impact | TOCTOU on payments, role changes, quota enforcement |\n| Semantic SSRF | User input influences outbound URL host/protocol across multiple files |\n| Token and session logic | Missing claim validation, token replay across audiences |\n\n### Infrastructure-level (`/arch-review`)\n\n| Category | Examples |\n|----------|---------|\n| IAM privilege escalation chains | Role A → Role B → admin via multi-hop assume-role |\n| Cross-service trust exposure | Resource policy granting access broader than intended |\n| Secret handling anti-patterns | Plaintext env vars in task definitions, secrets in Dockerfile ARGs |\n| Network segmentation mismatches | Security group allows DB access from all app servers, not just payment service |\n| Container security context | Dangerous capabilities, host path mounts to `/var/run/docker.sock` |\n| CI/CD pipeline integrity | Mutable action tags, `pull_request_target` with untrusted checkout |\n| Image provenance | Mutable base tags, Docker Hub public images, `ADD` from URLs |\n| Data classification alignment | Unencrypted storage for resources that likely hold PII or credentials |\n\n---\n\n## Output\n\nThe review produces a markdown report with two sections:\n\n**Section A — Semantic Findings (AI-Detected):** Vulnerabilities the tools did not report, found through semantic reasoning about the codebase.\n\n**Section B — Tool Findings (Triaged and Enriched):** Confirmed true positives from the automated scans, with business-specific impact added by the AI.\n\nEach finding includes: severity (High/Medium/Low), OWASP category, confidence score, a concrete exploit scenario, and a specific remediation recommendation.\n\n---\n\n## Confidence Threshold\n\nFindings below **2/10** confidence are suppressed. The goal is zero false positives surfaced to the developer — a missed finding is cheaper than alert fatigue.\n\n---\n\n## Security Lifecycle: Where This Tool Fits\n\nThis pipeline covers **pre-deployment, static analysis** — it runs against code and configuration files before anything ships. It answers: *is this safe to deploy?*\n\nIt is not a substitute for post-deployment scanning, which answers: *is the running system currently secure?*\n\n```\nCode written → PR opened → /full-review (this tool) → merged → deployed → post-deployment scanning\n                                    ↑                                              ↑\n                         Static: code + IaC files                     Dynamic: live systems\n                         Catches what will be introduced               Catches what is currently exposed\n```\n\n### Post-Deployment Tools (out of scope for this pipeline)\n\n| Tool | What it scans | When to run |\n|------|--------------|-------------|\n| **Nessus** (Tenable) | Live hosts — open ports, service versions, OS patch levels, authenticated configuration checks | After deployment; scheduled periodic scans of staging and production |\n| **OWASP ZAP** | Running web application — HTTP attack surface, auth flows, session handling | Against a deployed staging environment; part of a release gate |\n| **Burp Suite** | Running web application — deep HTTP/API testing, active scanning | Manual or automated against staging before major releases |\n| **AWS Inspector / GCP Security Command Center / Azure Defender** | Cloud workloads — running EC2/container/serverless vulnerabilities and exposure | Continuous; enabled at the account level |\n| **Trivy** (image scan mode) | Container images in a registry — CVEs in OS packages and application dependencies | On image push to registry; separate from the config scan this tool runs |\n\nNessus in particular operates by probing live IP addresses over the network — it requires a running target and network reachability, which makes it incompatible with a PR review workflow by design. The right place for it is a scheduled scan of your staging or production environment, or as a release gate check after deployment.\n\n### Copyright and IP Scanning: What Belongs Where\n\n| Tool | What it does | Fits in this pipeline? |\n|------|-------------|----------------------|\n| **scancode-toolkit** | Reads source file headers for copyright notices and license identifiers; detects GPL-contaminated code snippets copied into the codebase | Yes — in `security-review` Phase 0, scoped to changed files |\n| **license-checker** | Reads `package.json` metadata to identify what license each npm dependency is under | Yes — already in `security-review` Phase 0 |\n| **FOSSA** | Hosted service combining license compliance, copyright detection, and transitive obligation tracking; free tier for open source | Yes for per-PR (FOSSA GitHub App); full release-gate scans are better scheduled |\n| **Black Duck** (Synopsys) | Enterprise-grade: deep snippet matching against a massive database, export control classification, full transitive obligation tracking | No — too slow for per-PR; belongs as a release gate scan on the full codebase |\n\nThe key distinction: `scancode-toolkit` and `license-checker` catch copyright and license issues *introduced by this PR* cheaply and quickly. Black Duck / FOSSA full scans audit the *entire codebase* comprehensively — right for a release gate or a scheduled compliance audit, wrong for a fast PR check.\n\n---\n\n## Contributing\n\nContributions are welcome — see [CONTRIBUTING.md](CONTRIBUTING.md) for guidelines on adding tools, new ecosystem skills, and submitting PRs.\n\nThis project is licensed under the **GNU Affero General Public License v3.0 (AGPLv3)**. See [LICENSE](LICENSE). If you modify this project and expose it as a network service, you must publish your source under the same terms.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbeadon%2Fai-security-reviewer","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fbeadon%2Fai-security-reviewer","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbeadon%2Fai-security-reviewer/lists"}