{"id":50770741,"url":"https://github.com/joemunene-by/securecommit","last_synced_at":"2026-06-11T18:01:43.071Z","repository":{"id":363847775,"uuid":"1213083568","full_name":"joemunene-by/securecommit","owner":"joemunene-by","description":"Pre-commit security hooks + code review — catches secrets, API keys, and security anti-patterns before they reach your repo. Works as pre-commit hook, GitHub Action, and CLI.","archived":false,"fork":false,"pushed_at":"2026-06-10T15:30:13.000Z","size":49,"stargazers_count":0,"open_issues_count":7,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-06-10T17:10:02.526Z","etag":null,"topics":["cli","code-review","devsecops","github-actions","pre-commit","sast","secret-detection","secret-scanning","security","shift-left"],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/joemunene-by.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-04-17T02:59:31.000Z","updated_at":"2026-06-10T15:15:47.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/joemunene-by/securecommit","commit_stats":null,"previous_names":["joemunene-by/securecommit"],"tags_count":null,"template":false,"template_full_name":null,"purl":"pkg:github/joemunene-by/securecommit","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/joemunene-by%2Fsecurecommit","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/joemunene-by%2Fsecurecommit/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/joemunene-by%2Fsecurecommit/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/joemunene-by%2Fsecurecommit/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/joemunene-by","download_url":"https://codeload.github.com/joemunene-by/securecommit/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/joemunene-by%2Fsecurecommit/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":34211067,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-11T02:00:06.485Z","response_time":57,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cli","code-review","devsecops","github-actions","pre-commit","sast","secret-detection","secret-scanning","security","shift-left"],"created_at":"2026-06-11T18:01:42.993Z","updated_at":"2026-06-11T18:01:43.059Z","avatar_url":"https://github.com/joemunene-by.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# SecureCommit\n\n**Pre-commit security hooks and AI code review tool** -- catches secrets and security bugs before they reach the repo.\n\n[![CI](https://github.com/joemunene/securecommit/actions/workflows/ci.yml/badge.svg)](https://github.com/joemunene/securecommit/actions/workflows/ci.yml)\n[![Python 3.10+](https://img.shields.io/badge/python-3.10%2B-blue.svg)](https://www.python.org/downloads/)\n[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)\n\n---\n\n## What It Does\n\nSecureCommit scans your code for:\n\n- **Secrets and credentials**: AWS keys, GitHub/GitLab tokens, private keys, database connection strings, Stripe/Twilio/SendGrid keys, JWTs, Slack webhooks, and more\n- **Security anti-patterns**: SQL injection, XSS, command injection, insecure deserialization, hardcoded passwords, weak crypto, path traversal, SSRF\n- **High-entropy strings**: Shannon entropy analysis to catch random tokens assigned near secret-related keywords\n\nIt works as a **pre-commit hook**, a **GitHub Action**, or a standalone **CLI tool**.\n\n---\n\n## Quick Start\n\n### Install\n\n```bash\npip install securecommit\n```\n\n### Scan a directory\n\n```bash\nsecurecommit scan .\n```\n\n### Scan a single file\n\n```bash\nsecurecommit scan path/to/file.py\n```\n\n### Output formats\n\n```bash\nsecurecommit scan . --format json\nsecurecommit scan . --format sarif --output results.sarif\nsecurecommit scan . --format markdown\n```\n\n---\n\n## Pre-commit Hook Setup\n\n### Option 1: pre-commit framework\n\nAdd to your `.pre-commit-config.yaml`:\n\n```yaml\nrepos:\n  - repo: https://github.com/joemunene/securecommit\n    rev: v0.1.0\n    hooks:\n      - id: securecommit\n```\n\nThen run:\n\n```bash\npre-commit install\npre-commit run --all-files\n```\n\n### Option 2: Direct git hook\n\n```bash\n# Install as a git hook directly\nsecurecommit hook\n```\n\nOr manually add to `.git/hooks/pre-commit`:\n\n```bash\n#!/bin/sh\nsecurecommit hook\n```\n\n---\n\n## GitHub Action Setup\n\nAdd to `.github/workflows/security.yml`:\n\n```yaml\nname: Security Scan\non:\n  pull_request:\n    branches: [main]\n\npermissions:\n  contents: read\n  pull-requests: write\n  security-events: write\n\njobs:\n  securecommit:\n    runs-on: ubuntu-latest\n    steps:\n      - uses: actions/checkout@v4\n\n      - uses: joemunene/securecommit@v0.1.0\n        with:\n          severity_threshold: high\n          sarif_output: securecommit.sarif\n```\n\nThis will:\n1. Scan the PR diff for security issues\n2. Post a comment on the PR with findings\n3. Upload SARIF results to GitHub Code Scanning\n\n---\n\n## Configuration\n\nCreate a `.securecommit.yaml` in your project root:\n\n```yaml\nseverity_threshold: high  # block on high + critical\ndetectors:\n  secrets: true\n  patterns: true\n  entropy: true\nallowlist:\n  - \"test_*.py\"   # skip test files for some checks\n  - \"*.md\"        # skip markdown\ncustom_patterns:\n  - name: \"internal_token\"\n    pattern: \"INTERNAL_[A-Z0-9]{32}\"\n    severity: critical\n    description: \"Internal service token detected\"\n```\n\n### Inline Suppression\n\nAdd `# securecommit:ignore` to any line to suppress findings on that line:\n\n```python\nTEST_KEY = \"AKIAIOSFODNN7EXAMPLE\"  # securecommit:ignore\n```\n\n### Allowlist File\n\nCreate a `.securecommit-allowlist` file:\n\n```\n# Skip all test files\nfile:test_*.py\n\n# Suppress a specific rule globally\nrule:SC-S013\n\n# Allowlist a specific snippet by hash\nhash:abc123def456\n```\n\n---\n\n## Sample Output\n\n### Console\n\n```\n                     SecureCommit Scan Results\n+----------+--------+--------------------------+-----------+------+\n| Severity | Rule   | Title                    | File      | Line |\n+----------+--------+--------------------------+-----------+------+\n| CRITICAL | SC-S001| AWS Access Key ID        | config.py |   12 |\n| CRITICAL | SC-P005| Command Injection via... | utils.py  |   45 |\n| HIGH     | SC-P010| Hardcoded Password       | auth.py   |    8 |\n| MEDIUM   | SC-P011| Insecure Hash (MD5)      | crypto.py |   22 |\n+----------+--------+--------------------------+-----------+------+\n4 finding(s) | 12 file(s) scanned | Status: FAILED\n```\n\n### SARIF (GitHub Code Scanning)\n\nSecureCommit produces SARIF v2.1.0 output compatible with GitHub Code Scanning:\n\n```bash\nsecurecommit scan . --format sarif --output results.sarif\n```\n\nUpload it with `github/codeql-action/upload-sarif@v3` to see results in the Security tab.\n\n---\n\n## Detectors\n\n### Secret Detector (`SC-S*`)\n\n| Rule     | Description                  | Severity |\n|----------|------------------------------|----------|\n| SC-S001  | AWS Access Key ID            | Critical |\n| SC-S002  | AWS Secret Access Key        | Critical |\n| SC-S003  | GCP Service Account Key      | Critical |\n| SC-S004  | Azure Secret / Connection    | High     |\n| SC-S005  | GitHub PAT (ghp_)            | Critical |\n| SC-S006  | GitLab PAT (glpat-)          | Critical |\n| SC-S007  | Generic API Key Assignment   | High     |\n| SC-S008  | Private Key (PEM)            | Critical |\n| SC-S009  | Database Connection String   | High     |\n| SC-S010  | JWT Token                    | Medium   |\n| SC-S011  | Slack Webhook URL            | High     |\n| SC-S012  | Stripe Secret Key            | Critical |\n| SC-S013  | Stripe Publishable Key       | Low      |\n| SC-S014  | Twilio Auth Token            | High     |\n| SC-S015  | SendGrid API Key             | High     |\n| SC-S016  | Password in URL              | High     |\n\n### Pattern Detector (`SC-P*`)\n\n| Rule     | Description                          | Severity |\n|----------|--------------------------------------|----------|\n| SC-P001  | SQL Injection (string formatting)    | High     |\n| SC-P002  | SQL Injection (concatenation with +) | High     |\n| SC-P003  | XSS via innerHTML                    | High     |\n| SC-P004  | XSS via dangerouslySetInnerHTML      | Medium   |\n| SC-P005  | Command Injection via os.system      | Critical |\n| SC-P006  | subprocess with shell=True           | High     |\n| SC-P007  | exec/eval usage                      | High     |\n| SC-P008  | Insecure Deserialization (pickle)    | Critical |\n| SC-P009  | Insecure YAML Loading                | High     |\n| SC-P010  | Hardcoded Password / Secret          | High     |\n| SC-P011  | Insecure Hash (MD5)                  | Medium   |\n| SC-P012  | Insecure Hash (SHA1)                 | Medium   |\n| SC-P013  | ECB Mode Usage                       | High     |\n| SC-P014  | Path Traversal                       | High     |\n| SC-P015  | SSRF Indicator                       | High     |\n| SC-P016  | TLS Verification Disabled            | Medium   |\n\n### Entropy Detector (`SC-E*`)\n\n| Rule     | Description              | Severity |\n|----------|--------------------------|----------|\n| SC-E001  | High-entropy string      | High     |\n\n---\n\n## Development\n\n```bash\ngit clone https://github.com/joemunene/securecommit.git\ncd securecommit\nmake dev       # install with dev dependencies\nmake test      # run test suite\nmake lint      # run linter\nmake scan      # self-scan the project\n```\n\n---\n\n## License\n\nMIT License. Copyright (c) 2026 Joe Munene.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjoemunene-by%2Fsecurecommit","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fjoemunene-by%2Fsecurecommit","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjoemunene-by%2Fsecurecommit/lists"}