{"id":48634042,"url":"https://github.com/ez-appsec/ez-appsec","last_synced_at":"2026-05-12T05:02:23.482Z","repository":{"id":350035315,"uuid":"1199878292","full_name":"ez-appsec/ez-appsec","owner":"ez-appsec","description":"AI-powered application security scanning — free, open-source replacement for GitLab and GitHub security scanning","archived":false,"fork":false,"pushed_at":"2026-05-07T16:00:43.000Z","size":7514,"stargazers_count":1,"open_issues_count":57,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-05-07T18:05:39.870Z","etag":null,"topics":["appsec","devsecops","docker","github-actions","gitlab-ci","open-source","sast","secrets-detection","security","vulnerability-scanner"],"latest_commit_sha":null,"homepage":"https://ez-appsec.github.io/ez-appsec","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ez-appsec.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":"ROADMAP.md","authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-04-02T20:01:28.000Z","updated_at":"2026-04-29T06:48:22.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/ez-appsec/ez-appsec","commit_stats":null,"previous_names":["ez-appsec/ez-appsec"],"tags_count":32,"template":false,"template_full_name":null,"purl":"pkg:github/ez-appsec/ez-appsec","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ez-appsec%2Fez-appsec","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ez-appsec%2Fez-appsec/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ez-appsec%2Fez-appsec/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ez-appsec%2Fez-appsec/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/ez-appsec","download_url":"https://codeload.github.com/ez-appsec/ez-appsec/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ez-appsec%2Fez-appsec/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":32770544,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-08T02:36:36.067Z","status":"ssl_error","status_checked_at":"2026-05-08T02:36:07.210Z","response_time":54,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["appsec","devsecops","docker","github-actions","gitlab-ci","open-source","sast","secrets-detection","security","vulnerability-scanner"],"created_at":"2026-04-09T07:30:16.986Z","updated_at":"2026-05-08T07:05:13.643Z","avatar_url":"https://github.com/ez-appsec.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003c\u003c\u003c\u003c\u003c\u003c\u003c HEAD\n# ez-appsec v0.1.19\n=======\n# ez-appsec\n\u003e\u003e\u003e\u003e\u003e\u003e\u003e 5aa96925a10103948669132448082f7a080b9274\n\n**AI-powered application security scanning** — free, open-source, works with GitHub and GitLab.\n\nez-appsec orchestrates four best-in-class scanners (gitleaks, semgrep, kics, grype), normalises their output into a unified schema, and pushes results to a hosted security dashboard. No cloud account or API key required.\n\n```\nYour codebase\n     │\n     ▼  ez-appsec scan\n┌────────────────────────────────────────────┐\n│  gitleaks · semgrep · kics · grype         │\n│  secrets    SAST      IaC    dependencies  │\n└──────────────────┬─────────────────────────┘\n                   │  unified vulnerability schema\n                   ▼\n     CLI · JSON · SARIF · GitLab format\n                   │\n                   ▼\n     Security Dashboard (GitHub / GitLab Pages)\n```\n\n---\n\n## Quickstart with Claude Code\n\nThe fastest way to add ez-appsec to any repository is through the Claude Code skill.\n\n**Step 1 — Install the skill** (one-time, works in every project):\n\n```bash\ncurl -fsSL https://raw.githubusercontent.com/ez-appsec/ez-appsec/main/skills/install.sh | bash\n```\n\n**Step 2 — Add ez-appsec to a repository:**\n\n```\n# GitHub\n/ez-appsec install-app owner/repo\n\n# GitLab\n/ez-appsec install /path/to/repo\n```\n\nThat's it. The skill provisions the workflow, sets secrets, and triggers the first scan automatically.\n\n---\n\n## Platform Guides\n\n| Platform | Guide |\n|----------|-------|\n| GitHub | [docs/github.md](docs/github.md) |\n| GitLab | [docs/gitlab.md](docs/gitlab.md) |\n| Dashboard | [docs/dashboard.md](docs/dashboard.md) |\n\n---\n\n## ez-appsec Skills Reference\n\nThe `/ez-appsec` Claude Code skill is a dispatcher — the first word routes to the right subcommand.\n\n### Installation\n\n| Command | Description |\n|---------|-------------|\n| `/ez-appsec install-app [owner/repo]` | **GitHub** — installs the scan workflow, provisions App secrets, and triggers the first scan |\n| `/ez-appsec install [path]` | **GitLab** — patches `.gitlab-ci.yml` with the `scan.yml` include and opens a merge request |\n| `/ez-appsec install-dashboard [owner/repo]` | **GitHub** — creates and configures the dashboard repo with GitHub Pages and App secrets |\n\n### Scanning\n\n| Command | Description |\n|---------|-------------|\n| `/ez-appsec scan [path]` | Scan with Docker and load findings into context for analysis |\n| `/ez-appsec load [project]` | Load a project's vulnerabilities from the dashboard into context for analysis |\n| `/ez-appsec remediate [filter]` | Prioritized fix plan balancing severity vs risk — applies safe fixes immediately, confirms risky ones once |\n\n### Maintenance\n\n| Command | Description |\n|---------|-------------|\n| `/ez-appsec update-dashboard [owner/repo]` | Re-provision App secrets and update dashboard web assets to the latest release |\n| `/ez-appsec uninstall-app [owner/repo]` | **GitHub** — removes the scan workflow and prunes the repo's dashboard data |\n| `/ez-appsec uninstall [path]` | **GitLab** — removes the `scan.yml` include via merge request |\n\n### Help\n\n| Command | Description |\n|---------|-------------|\n| `/ez-appsec help` | Print available subcommands |\n\n---\n\n## Scanners\n\n| Scanner | What it finds |\n|---------|--------------|\n| [gitleaks](https://github.com/gitleaks/gitleaks) | Secrets and credentials (140+ patterns) |\n| [semgrep](https://semgrep.dev/) | SAST — logic bugs, injection, misuse (1000+ rules) |\n| [kics](https://www.kics.io/) | Infrastructure-as-code misconfigurations |\n| [grype](https://github.com/anchore/grype) | Known CVEs in dependencies and SBOMs |\n\nAll findings are normalised into a unified schema with consistent severity levels, file paths, and line numbers.\n\n---\n\n## Known Limitations\n\nez-appsec is in active development. Current coverage and accuracy reflect testing against OWASP Juice Shop, DVWA, and production codebases. See [TEST_RESULTS.md](TEST_RESULTS.md) for full details.\n\n### Detection Accuracy\n\n| Category | Detection Rate | Notes |\n|----------|----------------|-------|\n| Infrastructure/Config (KICS) | ~100% | 254 findings, 12.5% false positive rate |\n| Secrets Scanning | 0% | Gitleaks integration pending |\n| SQL Injection | 0% | Pattern-based rules planned |\n| XSS | 0% | Framework-specific rules needed |\n| Authentication Failures | 0% | Runtime analysis required |\n| CSRF | 0% | CSRF token patterns only |\n\n### Coverage Gaps (High Priority)\n\n1. **Secrets Scanning** (Critical) - Hardcoded API keys, credentials, tokens\n2. **SQL Injection** - MySQL, PostgreSQL, SQLite patterns\n3. **XSS** - Reflected, stored, DOM-based XSS\n4. **NoSQL Injection** - MongoDB, Redis, Elasticsearch\n5. **Framework-Specific** - Laravel, Django, Spring, Express security patterns\n\n### False Positive Sources\n\n1. **Code Quality Issues** (~75%) - Unused imports, style violations\n2. **Context-Insensitive Matches** (~20%) - String literals flagged as SQL\n3. **Test Code** (~5%) - Test fixtures flagged\n\nFalse positives can be suppressed using `.gitleaks.toml` (gitleaks) and `.semgrepignore` (semgrep) files.\n\n### Performance Characteristics\n\n| Codebase Size | Files | Scan Time | Memory |\n|---------------|-------|-----------|---------|\n| Small | 50 | \u003c10s | \u003c500MB |\n| Medium | 200 | \u003c30s | \u003c1GB |\n| Large | 1,000 | \u003c120s | \u003c2GB |\n\nLinear scaling validated. CI/CD compatible: GitHub Actions (2-core, 7GB), GitLab CI (4-core, 4GB).\n\n---\n\n## Docker Images\n\n```bash\n# Standard (all scanners)\ndocker pull ghcr.io/ez-appsec/ez-appsec:latest\n\n# Slim (~300 MB, no semgrep)\ndocker pull ghcr.io/ez-appsec/ez-appsec:slim\n\n# Micro (secrets + CVEs only)\ndocker pull ghcr.io/ez-appsec/ez-appsec:micro\n\n# Run a scan\ndocker run --rm -v $(pwd):/scan ghcr.io/ez-appsec/ez-appsec:latest scan /scan\n```\n\n---\n\n## AI Remediation\n\nWhen `OPENAI_API_KEY` is set in the scanning environment, each finding is enriched with:\n- Plain-language risk explanation\n- Step-by-step fix instructions\n- Code example where applicable\n\n---\n\n## Contributing\n\nContributions are welcome from humans, AI agents, and human+AI teams.\n\nThere are two contribution paths depending on the size of the change.\n\n### Small changes — no plan required\n\nBug fixes, documentation corrections, minor refactors, and small tweaks can go straight to a PR.\n\nOpen a **[Small Change issue](https://github.com/ez-appsec/ez-appsec/issues/new?template=small-change.md)** to track the work, then submit a PR that references it. The bar is: `pytest tests/` passes, no scope creep.\n\n### Significant work — plan first\n\nNew features, integrations, and anything that touches multiple modules require a plan before implementation begins. This prevents conflicts between contributors working in parallel and keeps PRs reviewable.\n\n**Option A — Claim an existing roadmap item**\n\nBrowse the [ez-appsec Roadmap project](https://github.com/orgs/ez-appsec/projects/2) and pick an unassigned plan. Leave a comment on the issue saying you are claiming it, then self-assign and move it to *In Progress*. The issue already contains scope, technical approach, and done criteria.\n\n**Option B — Propose a new plan**\n\nIf your idea is not on the roadmap, open a **[Plan issue](https://github.com/ez-appsec/ez-appsec/issues/new?template=plan.md)** first. Describe what you are building, the scope, technical approach, and test strategy. Wait for a maintainer to acknowledge before opening a draft PR. This avoids duplicate work and surfaces conflicts early.\n\n### Human + AI workflows\n\nAI-assisted contributions are encouraged. When using Claude Code or another agent to implement a plan:\n\n- The plan issue is the agent's scope boundary — it should not touch modules outside the plan\n- Use `/ez-appsec test` to verify nothing regressed before opening a PR\n- The PR description should note which parts were AI-generated and which were human-reviewed\n- All tests must pass; the agent is not exempt from the done criteria\n\n### Ground rules\n\n- **Tests ship with the code.** Every plan lists required test files. PRs without tests for new behavior will not be merged.\n- **Plans are independent.** If your change conflicts with another open plan, coordinate in the issue before proceeding.\n- **Schema is append-only.** The `vulnerabilities.json` schema may gain new fields but existing fields must not be renamed or removed — downstream tools depend on them.\n- **Docker size budget.** Adding a runtime dependency requires verifying the standard image stays under 2 GB.\n\nSee [ROADMAP.md](ROADMAP.md) for the full list of planned work and [CONTRIBUTING.md](CONTRIBUTING.md) for environment setup and coding conventions.\n\n## Roadmap\n\nSee [ROADMAP.md](ROADMAP.md) for the path to feature parity with commercial AppSec platforms — 20 independent plans across developer feedback, compliance, platform expansion, enterprise features, and observability. Each plan is claimable by any contributor (human or AI).\n\n| | |\n|---|---|\n| GitHub Project | [ez-appsec Roadmap](https://github.com/orgs/ez-appsec/projects/2) |\n| GitLab Tracking | [jfelten.work-group/ez_appsec/ez-appsec-roadmap](https://gitlab.com/jfelten.work-group/ez_appsec/ez-appsec-roadmap) |\n\n## License\n\nMIT — see [LICENSE](LICENSE).\n\n## Author\n\nCreated by [John Felten](https://www.linkedin.com/in/john-felten/) — DevSecOps Engineer, 25+ years experience.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fez-appsec%2Fez-appsec","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fez-appsec%2Fez-appsec","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fez-appsec%2Fez-appsec/lists"}