{"id":50859553,"url":"https://github.com/fletcherholt/frisk","last_synced_at":"2026-06-14T20:34:46.839Z","repository":{"id":362176675,"uuid":"1257747995","full_name":"fletcherholt/frisk","owner":"fletcherholt","description":"Free, no-login security scanner for any public GitHub repo. Check for leaked secrets, malware, malicious packages, typosquats, vulnerable dependencies (OSV) and bad binaries (VirusTotal) before you clone. Swap github.com to friskit.dev.","archived":false,"fork":false,"pushed_at":"2026-06-05T21:53:26.000Z","size":6563,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-06-14T20:34:43.766Z","etag":null,"topics":["appsec","cloudflare-workers","code-security","dependency-scanning","devsecops","github","malicious-packages","malware-scanner","osv","sast","secret-scanning","secrets-detection","security","security-tools","supply-chain-security","typescript","virustotal","vulnerability-scanner"],"latest_commit_sha":null,"homepage":"https://friskit.dev","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/fletcherholt.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null},"funding":{"ko_fi":"fletcherholt"}},"created_at":"2026-06-03T01:18:02.000Z","updated_at":"2026-06-07T15:09:06.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/fletcherholt/frisk","commit_stats":null,"previous_names":["fletcherholt/frisk"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/fletcherholt/frisk","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fletcherholt%2Ffrisk","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fletcherholt%2Ffrisk/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fletcherholt%2Ffrisk/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fletcherholt%2Ffrisk/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/fletcherholt","download_url":"https://codeload.github.com/fletcherholt/frisk/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fletcherholt%2Ffrisk/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":34337551,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-14T02:00:07.365Z","response_time":62,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["appsec","cloudflare-workers","code-security","dependency-scanning","devsecops","github","malicious-packages","malware-scanner","osv","sast","secret-scanning","secrets-detection","security","security-tools","supply-chain-security","typescript","virustotal","vulnerability-scanner"],"created_at":"2026-06-14T20:34:41.881Z","updated_at":"2026-06-14T20:34:46.833Z","avatar_url":"https://github.com/fletcherholt.png","language":"TypeScript","funding_links":["https://ko-fi.com/fletcherholt"],"categories":[],"sub_categories":[],"readme":"\u003cdiv align=\"center\"\u003e\n\n\u003cimg src=\"assets/favicon-source.png\" width=\"96\" alt=\"frisk\"\u003e\n\n# frisk\n\n**frisk it before you clone it.**\n\nA free, no-login security scanner for any public GitHub repository. Check any repo for leaked secrets, malware, malicious packages and vulnerable dependencies before you clone or run it, straight from the URL and without cloning. Live at **[friskit.dev](https://friskit.dev)**.\n\n[![live](https://img.shields.io/badge/live-friskit.dev-cba6f7?style=flat-square)](https://friskit.dev)\n[![licence](https://img.shields.io/github/license/fletcherholt/frisk?style=flat-square\u0026color=a6e3a1)](LICENSE)\n\n\u003cbr\u003e\n\n\u003ca href=\"https://friskit.dev\"\u003e\u003cimg src=\"assets/frisk-demo.webp\" alt=\"frisk scanning a GitHub repo for leaked secrets, malware and vulnerable dependencies\" width=\"840\"\u003e\u003c/a\u003e\n\n\u003c/div\u003e\n\n## Use it\n\nSwap the domain on any GitHub repo:\n\n```\ngithub.com/owner/repo   →   friskit.dev/owner/repo\n```\n\nOr paste a repo at [friskit.dev](https://friskit.dev). You get a report in seconds (instant if it was scanned recently). frisk does not retain your source, though it caches the report, which includes short snippets of the lines it flagged. Detected GitHub, Slack, Stripe and npm tokens are checked against their provider to see if they are live, committed binary hashes go to VirusTotal, and dependency names to OSV.\n\n## What it checks\n\n- **Secrets** committed to the repo: API keys, tokens and private keys. GitHub, Slack, Stripe and npm tokens are checked against their provider to see if they are still live.\n- **Malicious code**: obfuscated eval, shellcode blobs, curl piped to shell, credential and wallet stealers.\n- **Supply chain**: confirmed-malicious packages (OSSF malicious-packages), typosquats, and vulnerable dependencies via [OSV](https://osv.dev) across npm, PyPI, Go and Cargo.\n- **Bad binaries**: executables hashed and checked on [VirusTotal](https://www.virustotal.com).\n- **Infrastructure**: Dockerfile, compose, Terraform, Kubernetes and GitHub Actions misconfigurations.\n- **Repo health**: [OpenSSF Scorecard](https://securityscorecards.dev) signals, with a CycloneDX SBOM at `/api/sbom/owner/repo`.\n\n## Reading the results\n\nfrisk is a first pass. Findings are heuristic, so read them and check before you act on them.\n\nOne thing that surprises people: **security tools come back critical when you scan them, including frisk itself.** A scanner's own source and tests are full of the exact things it hunts for, obfuscated eval, fake API keys, malware keywords like MetaMask or wallet.dat, because those are the detection rules and the test fixtures. So pointing frisk at frisk reports critical. The rules are matching the rules, and frisk is fine. The same happens with any antivirus, linter or scanner.\n\nEvery finding is a flag to investigate. Open the file, look at the line, and decide for yourself. Use frisk to find what is worth a closer look, then actually look.\n\n## Run your own\n\n\u003cdetails\u003e\n\u003csummary\u003eSelf host on Cloudflare Workers\u003c/summary\u003e\n\n```sh\nnpm install\n\nwrangler kv namespace create SCAN_CACHE   # paste each id into wrangler.toml\nwrangler kv namespace create VT_CACHE\nwrangler kv namespace create RATELIMIT\n\nwrangler secret put GITHUB_TOKEN          # public repo read\nwrangler secret put VT_API_KEY            # free VirusTotal key\n\nnpm run deploy\n```\n\n`npm run dev` runs it locally, `npm test` runs the tests.\n\n`npm run regression` scans a corpus of known-clean popular repos and known-bad controls (`test/corpus.json`) against the live deploy and fails if a clean repo ever produces a heuristic high or critical finding, or a control stops firing. Run it after any rule change. Add `--fresh` to bust the cache and re-scan from scratch.\n\n\u003c/details\u003e\n\n## Licence\n\nMIT, by [Fletcher Holt](https://github.com/fletcherholt).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffletcherholt%2Ffrisk","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ffletcherholt%2Ffrisk","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffletcherholt%2Ffrisk/lists"}