{"id":51370716,"url":"https://github.com/ludo-technologies/codescan","last_synced_at":"2026-07-03T06:08:29.534Z","repository":{"id":367365484,"uuid":"1154617378","full_name":"ludo-technologies/codescan","owner":"ludo-technologies","description":"Scan any GitHub repo for security issues — risky code, exposed keys, outdated packages","archived":false,"fork":false,"pushed_at":"2026-06-25T16:51:56.000Z","size":264,"stargazers_count":3,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-06-25T18:20:17.163Z","etag":null,"topics":["dependency-scanning","devsecops","gitleaks","golang","nextjs","sast","secrets-detection","security","security-tools","semgrep","static-analysis","trivy"],"latest_commit_sha":null,"homepage":"https://codescan.dev","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ludo-technologies.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-02-10T15:38:34.000Z","updated_at":"2026-06-25T16:48:08.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/ludo-technologies/codescan","commit_stats":null,"previous_names":["ludo-technologies/codescan"],"tags_count":5,"template":false,"template_full_name":null,"purl":"pkg:github/ludo-technologies/codescan","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ludo-technologies%2Fcodescan","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ludo-technologies%2Fcodescan/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ludo-technologies%2Fcodescan/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ludo-technologies%2Fcodescan/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/ludo-technologies","download_url":"https://codeload.github.com/ludo-technologies/codescan/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ludo-technologies%2Fcodescan/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":35074370,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-07-03T02:00:05.635Z","response_time":110,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["dependency-scanning","devsecops","gitleaks","golang","nextjs","sast","secrets-detection","security","security-tools","semgrep","static-analysis","trivy"],"created_at":"2026-07-03T06:08:27.382Z","updated_at":"2026-07-03T06:08:29.515Z","avatar_url":"https://github.com/ludo-technologies.png","language":"TypeScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003cdiv align=\"center\"\u003e\n\n# [codescan.dev](https://codescan.dev)\n\n### Scan any GitHub repo for security issues.\n\nRisky code, exposed keys, outdated packages — one shareable grade.\n\n[![Scan a repo on codescan.dev](https://img.shields.io/badge/Scan_a_repo-codescan.dev-2563EB?style=for-the-badge\u0026logo=github)](https://codescan.dev)\n\n[Example report](https://codescan.dev/examples) · [Methodology](https://codescan.dev/methodology)\n\n\u003c/div\u003e\n\n---\n\n## Demo\n\n[https://github.com/user-attachments/assets/db41df8e-881e-4303-9634-d3aba7c853e1](https://github.com/user-attachments/assets/206d84be-585a-4f5c-966f-e4a70ef8664f)\n\n▶ **Try it yourself at [codescan.dev](https://codescan.dev)** — paste any public repo URL, no sign-up.\n\n## What it checks\n\n| Category | Description | Powered by |\n|---|---|---|\n| **Static Analysis (SAST)** | Finds patterns that can lead to security bugs, including unsafe input handling and other common mistakes | [Semgrep](https://semgrep.dev/) |\n| **Secret Detection** | Checks whether API keys, tokens, private keys, or credentials were accidentally committed | [Gitleaks](https://gitleaks.io/) |\n| **Dependency Vulnerabilities** | Looks for packages with known security problems so you can update the risky ones first | [Trivy](https://trivy.dev/) |\n\n## How it works\n\n1. **Paste a GitHub URL** — Drop the URL of any public repository into the scan box, or sign in with GitHub to scan your private repos.\n2. **Run the checks** — codescan.dev looks for risky code, exposed keys, and packages that should be updated.\n3. **Read the report card** — See a letter grade, a severity breakdown, and per-finding file, line, and rule details you can share.\n\nNo installation. No GitHub app. Public repos need no sign-up.\n\n## Add a badge to your README\n\nShow your latest security grade. Scan your repo, then hit **Copy README Badge** on the report card — or use:\n\n```markdown\n[![codescan security grade](https://codescan.dev/badge/OWNER/REPO)](https://codescan.dev)\n```\n\nThe badge reflects the most recent public scan and refreshes automatically when you re-scan. Repos that haven't been scanned yet show a neutral badge instead of a broken image.\n\n## Who it's for\n\n- **Maintainers** — Get a quick security baseline before publishing a release or accepting a large pull request.\n- **Developers evaluating dependencies** — Check a third-party repository for exposed credentials and risky packages before adopting it.\n- **Engineering teams** — Share a letter-grade report card alongside a PR or audit instead of pasting raw tool output.\n\n## FAQ\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003eIs codescan.dev free?\u003c/strong\u003e\u003c/summary\u003e\n\u003cbr\u003e\nYes. Public repository scans are free and require no sign-up. Sign in with GitHub to scan private repositories — also free.\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003eWhich repositories can I scan?\u003c/strong\u003e\u003c/summary\u003e\n\u003cbr\u003e\nAny public GitHub repository — just paste the repo URL (\u003ccode\u003ehttps://github.com/owner/name\u003c/code\u003e) into the scan box. Sign in with GitHub to scan private repositories you have access to.\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003eWhat does the letter grade mean?\u003c/strong\u003e\u003c/summary\u003e\n\u003cbr\u003e\nThe grade summarizes how many issues were found and how serious they are, so you can compare repositories at a glance.\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003eDo you store my code?\u003c/strong\u003e\u003c/summary\u003e\n\u003cbr\u003e\nNo. codescan.dev clones the repository to run the scanners and only persists the resulting findings needed to render the report card.\n\u003c/details\u003e\n\n## Run it yourself\n\nMost people don't need to — just use the hosted version at **[codescan.dev](https://codescan.dev)** (free, no sign-up for public repos). But codescan is fully open source — both the web frontend and the scan engine that runs Semgrep, Gitleaks, and Trivy — so you can run the whole stack yourself with Docker:\n\n```bash\ngit clone https://github.com/ludo-technologies/codescan.git\ncd codescan\nBACKEND_API_KEY=dev-secret docker compose up --build\n```\n\nThen open \u003chttp://localhost:3000\u003e and scan any public repository. Set `GITHUB_PUBLIC_TOKEN` to lift GitHub's API rate limit from 60/hr to 5000/hr.\n\n## How it's built\n\n| Component | Path | Stack |\n|---|---|---|\n| **Web frontend** | repository root | Next.js (App Router), deployed on Vercel |\n| **Scan engine** | [`engine/`](engine) | Go module — orchestrates Semgrep/Gitleaks/Trivy, scores results, exposes the `/api/scan` API |\n\nThe engine is an importable Go module (`github.com/ludo-technologies/codescan/engine`): run it standalone via `engine/cmd/server`, or embed it in your own service by calling `engine.New(...)` and mounting it onto a [chi](https://github.com/go-chi/chi) router.\n\n## Contributing\n\nSee [CONTRIBUTING.md](CONTRIBUTING.md) for development setup and guidelines.\n\n## License\n\n[MIT](LICENSE)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fludo-technologies%2Fcodescan","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fludo-technologies%2Fcodescan","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fludo-technologies%2Fcodescan/lists"}