<div align="center">

# security-scanner

### Stop shipping vulnerabilities. Start scanning locally.

A fast, zero-config CLI tool that scans your project dependencies **and Dockerfiles** for known security vulnerabilities — across **8 ecosystems**, powered by **free public vulnerability databases**, with **AI-powered analysis** and **scheduled scanning**.

[![Python](https://img.shields.io/badge/Python-3.9+-3776AB?style=for-the-badge&logo=python&logoColor=white)](https://python.org)
[![License: MIT](https://img.shields.io/badge/License-MIT-green?style=for-the-badge)](LICENSE)
[![Ecosystems](https://img.shields.io/badge/Ecosystems-8-blue?style=for-the-badge)](#supported-ecosystems)
[![Tests](https://img.shields.io/badge/Tests-129%20passing-brightgreen?style=for-the-badge)](#development)
[![Vuln Sources](https://img.shields.io/badge/Vuln%20Sources-10%2B%20Free-orange?style=for-the-badge)](#vulnerability-intelligence-sources)
[![Early Warning](https://img.shields.io/badge/Early%20Warning-CISA%20%7C%20HN%20%7C%20RSS-7c3aed?style=for-the-badge)](#early-warning-system)
[![LLM Analysis](https://img.shields.io/badge/AI%20Analysis-Claude%20%7C%20GPT-2563eb?style=for-the-badge)](#ai-powered-security-analysis)

---

**One command. Every dependency. Every known vulnerability.**

```bash
pip install git+https://github.com/yashbarot/security-scanner.git
repo-scan /path/to/your/project
```

</div>

---

## What's New

### v0.3.1 — Severity Accuracy Fix

Most UNKNOWN severity entries are now resolved. Root causes fixed:

| Bug | Impact | Fix |
|-----|--------|-----|
| **MODERATE not mapped to MEDIUM** | GitHub Advisory uses "MODERATE" — our enum didn't recognize it, so every MODERATE advisory showed UNKNOWN | `from_string()` now maps MODERATE -> MEDIUM |
| **Security feed flooding** | One Node.js digest created 973 duplicate UNKNOWN entries across all npm deps | Runtime feeds now create 1 entry per article, not 1 per dep |
| **Hydration fallback returned stubs** | Network failures produced empty data parsed as UNKNOWN | Returns empty instead of unparseable stubs |
| **Severity extraction crashes on None** | `from_string(None)` crashed silently and skipped valid data | Guarded with `isinstance(..., str)` checks |
| **GitHub Advisory only fetched critical,high** | All MEDIUM/LOW CVEs missed from cross-reference | Removed severity filter, fetches all |
| **Fix version from wrong package** | Multi-package CVE returned the wrong package's fix | Now filters by package name |

### v0.3.0 — Major Features

| Feature | What It Does | Unique? |
|---------|-------------|---------|
| **Dockerfile scanning** | Detects EOL base images (node:14, python:3.8, ubuntu:18.04), unpinned `:latest` tags, docker-compose support | Integrated into same scan pipeline |
| **AI security analysis** | `--llm` flag sends findings to Claude/GPT for priority ranking, mitigation steps, and posture assessment | Not offered by the other open-source scanners compared below |
| **Scheduled scanning** | `repo-scan schedule add/run` — cron-based daemon scans projects on schedule, alerts on new critical vulns | Solves the "code hasn't been touched in months" problem |
| **Security release feeds** | Auto-monitors Node.js, Python, Django, Rails, Go, Spring official security release pages | Catches patches announced before CVE databases update |
| **Configurable scan depth** | `--scan-depth quick\|full\|deep` controls speed vs thoroughness | Caps configurable per source |
| **Parallel source queries** | All vuln sources queried concurrently — 5+ min reduced to ~30-60s | ThreadPoolExecutor throughout |

---

## The Problem

Open-source dependencies are under constant attack — and most teams find out **too late**.

### Recent high-impact incidents

| Year | Package | Ecosystem | What Happened | Impact |
|------|---------|-----------|---------------|--------|
| 2026 | **axios** | npm | SSRF + credential leak via crafted requests ([#10604](https://github.com/axios/axios/issues/10604)) | 60M+ weekly downloads affected |
| 2026 | **litellm** | PyPI | Supply chain compromise — malicious code injected ([#24512](https://github.com/BerriAI/litellm/issues/24512)) | AI/ML pipelines across enterprises |
| 2025 | **react** | npm | Pre-auth RCE in React Server Components ([CVE-2025-55182](https://nvd.nist.gov/vuln/detail/CVE-2025-55182)) | CVSS 10.0, CISA KEV, actively exploited |
| 2024 | **xz-utils** | Linux | Backdoor injected via social engineering ([CVE-2024-3094](https://nvd.nist.gov/vuln/detail/CVE-2024-3094)) | Nearly every Linux distro at risk |
| 2023 | **jsonwebtoken** | npm | Insecure key handling in `jwt.verify()` ([CVE-2022-23529](https://nvd.nist.gov/vuln/detail/CVE-2022-23529)) | 36M+ weekly downloads |
| 2021 | **log4j** | Maven | Remote code execution — Log4Shell ([CVE-2021-44228](https://nvd.nist.gov/vuln/detail/CVE-2021-44228)) | ~93% of enterprise cloud environments |

### Current bottlenecks

- **New CVEs are published daily** — over 35,000 in 2025 alone
- **70% of codebases** contain open-source vulnerabilities
- **Most scanners are single-ecosystem** — npm audit only checks npm, pip-audit only checks Python
- **Enterprise scanners** are powerful but expensive and complex
- **Few tools monitor official security release pages** (Node.js, Python, Django, etc.) proactively

---

## The Solution

```
No accounts. No API keys. No config files. No paywalls.
Point it at any project directory and get instant results.
```

<div align="center">

| What You Get | Why It Matters |
|:-------------|:---------------|
| **8 ecosystems + Docker in one command** | No separate tools per ecosystem |
| **20+ dependency file formats** | Catches what single-ecosystem scanners miss |
| **10+ free vulnerability sources** | OSV, GitHub Advisory, CISA KEV, HN, RSS, registries, security feeds |
| **AI-powered analysis** | LLM explains what to fix first and why |
| **Dockerfile scanning** | Catches EOL base images and unpinned tags |
| **Scheduled scanning** | Cron-based daemon alerts on new vulns in active projects |
| **Official security release monitoring** | Catches patches before CVE databases update |
| **CI-friendly exit codes** | Drop into any pipeline in 2 lines |

</div>

---

## Quick Start

### Install

```bash
# From GitHub (always installs latest)
pip install git+https://github.com/yashbarot/security-scanner.git

# From source
git clone https://github.com/yashbarot/security-scanner.git
cd security-scanner
pip install .
```

> **Tip**: For CI/production, pin to a specific version: `pip install git+...@v0.3.0`. See [Releases](https://github.com/yashbarot/security-scanner/releases).

### Update to Latest

```bash
cd security-scanner
git pull origin main
pip install .
```

To switch to a specific version:

```bash
git checkout v0.3.0
pip install .
```

Verify your installed version:

```bash
repo-scan --help
# or
python -c "import repo_security_scanner; print(repo_security_scanner.__version__)"
```

### Scan

```bash
repo-scan .                              # scan current directory
repo-scan /path/to/project               # scan any local project
repo-scan . -s high                      # only critical & high severity
repo-scan . --format json -o report.json # JSON report
repo-scan . --format html -o report.html # HTML report
repo-scan . --early-warning              # enable early warning sources (~30-60s)
repo-scan . --early-warning --scan-depth full  # check ALL deps, no caps (~2-5 min)
repo-scan . --llm                        # AI-powered security analysis
repo-scan --help                         # full help with all options
```

---

## Example Output

```
╭──────────────────────────── Security Scan Results ─────────────────────────────╮
│ Found 3 confirmed vulnerabilities in 3 of 42 dependencies                      │
│   Critical: 0  High: 3  Medium: 0  Low: 0                                     │
╰────────────────────────────────────────────────────────────────────────────────╯

Confirmed Vulnerabilities
┏━━━━━━━━━━━━━━━┳━━━━━━━━━┳━━━━━━━━━━━┳━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━┓
┃ Package       ┃ Version ┃ Ecosystem ┃ Severity ┃ Vulnerability               ┃ Fix     ┃
┡━━━━━━━━━━━━━━━╇━━━━━━━━━╇━━━━━━━━━━━╇━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━┩
│ node          │ 14.21   │ Docker    │ HIGH     │ DOCKER-EOL-node-14.21       │ 22      │
│               │         │           │          │ Base image is end-of-life   │         │
├───────────────┼─────────┼───────────┼──────────┼─────────────────────────────┼─────────┤
│ axios         │ 1.6.0   │ npm       │ HIGH     │ GHSA-8hc4-vh64-cxmj         │ 1.8.2   │
│               │         │           │          │ SSRF + credential leak      │         │
├───────────────┼─────────┼───────────┼──────────┼─────────────────────────────┼─────────┤
│ flask         │ 2.2.0   │ PyPI      │ HIGH     │ CVE-2023-30861              │ 2.3.2   │
│               │         │           │          │ Session cookie cache leak   │         │
└───────────────┴─────────┴───────────┴──────────┴─────────────────────────────┴─────────┘

Action Items:
  HIGH      Upgrade node base image to 22 (fixes DOCKER-EOL-node-14.21)
  HIGH      Upgrade axios to 1.8.2 (fixes GHSA-8hc4-vh64-cxmj)
  HIGH      Upgrade flask to 2.3.2 (fixes CVE-2023-30861)
```

---

## AI-Powered Security Analysis

Add `--llm` to any scan for AI-powered vulnerability analysis:

```bash
repo-scan . --llm                        # uses Claude (default)
repo-scan . --llm --llm-provider openai  # uses GPT
```

The AI provides:
- **Priority ranking** of what to fix first with reasoning
- **Specific mitigation steps** for each critical/high finding
- **Security posture assessment** (Good / Fair / Poor / Critical)

```
╭──────────────────────── AI Security Analysis ────────────────────────╮
│ ## Priority Ranking                                                  │
│ 1. **axios 1.6.0** (HIGH) — Fix immediately. SSRF allows            │
│    credential leakage. Run: npm install axios@1.8.2                  │
│ 2. **node:14** (HIGH) — EOL since April 2023, no security           │
│    patches. Update Dockerfile FROM to node:22-alpine                 │
│                                                                      │
│ ## Security Posture: FAIR                                            │
│ 2 high-severity issues require immediate attention.                  │
│ No critical findings. Medium/low issues are acceptable short-term.   │
╰──────────────────────────────────────────────────────────────────────╯
```

**Requirements**: Set `ANTHROPIC_API_KEY` or `OPENAI_API_KEY` environment variable. No API key = scan runs normally without AI analysis.

> `--llm` sends the scan findings (package names, versions, vulnerability IDs) to the provider's API. Leave it off for projects whose dependency inventory must not leave your environment.

---

## Dockerfile & Docker Compose Scanning

The scanner **automatically detects** Dockerfiles and docker-compose files — no flags needed:

```dockerfile
# This gets flagged:
FROM node:14            # EOL — suggests upgrading to node:22
FROM python:3.8         # EOL — suggests upgrading to python:3.13
FROM ubuntu:18.04       # EOL — suggests upgrading to ubuntu:24.04
FROM nginx:latest       # Unpinned — suggests pinning to specific version
FROM nginx              # Unpinned — same warning
```

### Supported Docker files

| File | What's Detected |
|------|----------------|
| `Dockerfile` | FROM instructions — base image name, version, EOL status |
| `Dockerfile.prod` / `.dev` / `.staging` | Same as above |
| `docker-compose.yml` / `compose.yml` | `image:` directives in services |

### EOL base images detected

| Image | EOL Versions | Suggested Replacement |
|-------|-------------|----------------------|
| node | 10, 12, 14, 16 | 22 |
| python | 2.7, 3.6, 3.7, 3.8 | 3.13 |
| ubuntu | 14.04, 16.04, 18.04, 20.04 | 24.04 |
| alpine | 3.14, 3.15, 3.16, 3.17 | 3.20 |
| nginx | 1.18, 1.19, 1.20, 1.21 | 1.27 |
| golang | 1.18, 1.19, 1.20 | 1.22 |
| ruby | 2.6, 2.7, 3.0 | 3.3 |
| php | 7.4, 8.0 | 8.3 |
| postgres | 11, 12, 13 | 16 |
| mysql | 5.7 | 8.0 |
| redis | 5, 6 | 7 |
| debian | stretch, buster, jessie | bookworm |

---

## Official Security Release Feeds

This is uncommon among dependency scanners. The tool automatically monitors official security release pages from major runtimes and frameworks your project uses:

| Feed | When Active | What It Catches |
|------|------------|-----------------|
| [Node.js Vulnerabilities](https://nodejs.org/en/blog/vulnerability/) | Project has `package.json` | Node.js runtime security patches |
| [Python Security Blog](https://blog.python.org/) | Project has `requirements.txt` / `pyproject.toml` | CPython security advisories |
| [Django Security Releases](https://www.djangoproject.com/weblog/) | Project uses Django | Django framework patches |
| [Rails Security](https://rubyonrails.org/) | Project has `Gemfile` | Rails security patches |
| [Go Security](https://groups.google.com/g/golang-announce) | Project has `go.mod` | Go runtime announcements |
| [Spring Security](https://spring.io/blog) | Project uses Spring | Spring Framework CVEs |

These feeds are checked automatically (cached 4 hours). They announce patches **before CVE databases update** — giving you a head start.

---

## Scheduled Scanning

For projects that don't change often but still need monitoring (the "we developed it and no one touched it" problem):

```bash
# Add a project to scan daily at 8 AM
repo-scan schedule add /path/to/project --cron "0 8 * * *" --name "my-project"

# List all scheduled scans
repo-scan schedule list

# Remove a schedule
repo-scan schedule remove my-project

# Start the daemon (runs in foreground, Ctrl+C to stop)
repo-scan schedule run
```

### How it works

- Config stored at `~/.config/security-scanner/schedules.json`
- Results saved to `~/.config/security-scanner/results/`
- Alerts written to `~/.config/security-scanner/alerts.log` when new critical/high vulns are found
- Supports standard 5-field cron expressions (`* * * * *`)
- Each scan runs with OSV database (full hydration)

### Example cron expressions

| Expression | Schedule |
|-----------|----------|
| `0 8 * * *` | Every day at 8 AM |
| `0 8 * * 1` | Every Monday at 8 AM |
| `*/30 * * * *` | Every 30 minutes |
| `0 8,18 * * *` | Twice daily at 8 AM and 6 PM |
| `0 0 1 * *` | First day of every month |

---

## Supported Ecosystems

<div align="center">

| Ecosystem | Dependency Files | Lock Files |
|:---------:|:-----------------|:-----------|
| **Python** | `requirements.txt` `pyproject.toml` | `Pipfile.lock` `poetry.lock` |
| **Node.js** | `package.json` | `package-lock.json` `yarn.lock` `pnpm-lock.yaml` `bun.lock` |
| **Java** | `pom.xml` `build.gradle` `build.gradle.kts` | — |
| **Go** | `go.mod` | — |
| **Ruby** | `Gemfile` | `Gemfile.lock` |
| **Rust** | `Cargo.toml` | `Cargo.lock` |
| **PHP** | `composer.json` | `composer.lock` |
| **Docker** | `Dockerfile` `Dockerfile.*` | `docker-compose.yml` `compose.yml` |

</div>

> **All 4 Node.js package managers**: npm, yarn, pnpm, and bun lock files are supported.
>
> **Lock files get priority.** When both a manifest and lock file exist, the scanner uses the lock file's exact versions for more accurate vulnerability matching. A manifest range such as `^1.6.0` says nothing about which version is actually installed; the lock file does.

---

## Early Warning System

> Official CVE databases lag behind real-world disclosures by **hours to weeks**. The [axios compromise](https://github.com/axios/axios/issues/10604), the [litellm supply chain attack](https://github.com/BerriAI/litellm/issues/24512), the xz-utils backdoor — all surfaced on blogs, Twitter, and GitHub Issues long before any CVE was assigned.

```bash
repo-scan . --early-warning                      # quick scan (~30-60s, capped)
repo-scan . --early-warning --scan-depth full     # all deps, no caps (~2-5 min)
repo-scan . --early-warning --scan-depth deep     # maximum thoroughness (~5-10 min)
```

### Scan Depth

Control how thorough the early warning scan is:

| Depth | HN Deps | GitHub Issues Deps | Registry Deps | Est. Time |
|-------|---------|-------------------|---------------|-----------|
| `quick` (default) | 30 | 20 | 40 | ~30-60s |
| `full` | all | all | all | ~2-5 min |
| `deep` | all | all | all | ~5-10 min |

> **Note**: On second run, cached results make all depths fast. Cache durations range from 30 min (HN/Issues) to 6 hours (CISA KEV).

This activates **6 additional free intelligence sources**:

| Source | What It Catches | Signal Type | Auth |
|--------|----------------|-------------|------|
| [CISA KEV](https://www.cisa.gov/known-exploited-vulnerabilities-catalog) | Government-verified actively exploited vulns | Confirmed | No |
| **PyPI / npm Registry** | Yanked or deprecated package versions | High Signal | No |
| [Hacker News](https://news.ycombinator.com) | Community-reported threats (7-day window) | Early Signal | No |
| [GitHub Issues](https://github.com) | Security issues filed against your deps | Early Signal | Optional |
| **Security Blog RSS** | Bleeping Computer, Google Security Blog | Early Signal | No |
| [OpenCVE](https://www.opencve.io) | Curated CVE data (optional) | Confirmed | Yes |

Treat "Early Signal" hits as leads to verify, not as confirmed findings: they come from unauthenticated web content and can be wrong or unrelated.

### Noise reduction

- **Generic name blocklist**: Skips "utils", "core", "test", etc.
- **Word boundary matching**: `axios` won't match "maxios"
- **Security keyword co-occurrence**: Name must appear alongside CVE/vulnerability/exploit terms
- **Relevance scoring**: 0.0-1.0 scale, only >= 0.5 shown

### Caching

| Source | Cache Duration |
|--------|---------------|
| CISA KEV | 6 hours |
| Security release feeds | 4 hours |
| RSS feeds | 2 hours |
| Registry health | 1 hour |
| Hacker News / GitHub Issues | 30 minutes |

---

## Vulnerability Intelligence Sources

All sources are **free**. Only OpenCVE needs an account; everywhere else tokens are optional and only raise rate limits:

### Always Active (every scan)

| Source | What It Provides |
|--------|-----------------|
| [Google OSV](https://osv.dev/) | Primary vuln database — batch query, 30+ ecosystems, full hydration via `/v1/vulns/{id}` |
| [GitHub Advisory](https://github.com/advisories) | Cross-reference with version range matching |
| **Docker EOL Database** | Hardcoded EOL detection for 12 popular base images |
| **Official Security Feeds** | Node.js, Python, Django, Rails, Go, Spring release monitoring |

### Early Warning (`--early-warning` flag)

CISA KEV, Hacker News, GitHub Issues, RSS feeds, PyPI/npm registry health, OpenCVE

### AI Analysis (`--llm` flag)

Claude (Anthropic) or GPT (OpenAI) — priority ranking, mitigation steps, posture assessment

---

## CLI Reference

Run `repo-scan --help` for the full built-in reference.

```
Usage: repo-scan [DIRECTORY] [OPTIONS]

Arguments:
  DIRECTORY                  Path to the project to scan (default: .)

Output Options:
  -f, --format FORMAT        Output format: table, json, html (default: table)
  -o, --output FILE          Write report to file instead of stdout
  -s, --severity LEVEL       Minimum severity: critical, high, medium, low (default: low)
      --no-color             Disable colored terminal output

Scan Options:
      --github-token TOKEN   GitHub token for higher rate limits (or GITHUB_TOKEN env var)
      --skip-crossref        Skip GitHub Advisory cross-reference (faster, OSV only)
      --early-warning        Enable early warning intelligence sources
      --scan-depth LEVEL     Scan thoroughness: quick (default), full, deep
      --llm                  Enable AI-powered security analysis (requires API key)
      --llm-provider         LLM provider: anthropic (default) or openai
      --clear-cache          Clear cached early warning data

Schedule Commands:
  repo-scan schedule add PATH --cron EXPR --name NAME
  repo-scan schedule list
  repo-scan schedule remove NAME
  repo-scan schedule run                   Start the cron daemon

Help:
  -h, --help                 Show detailed help with examples
```

### Environment Variables (all optional)

> None of these are required. Everything works out of the box with zero configuration.

| Variable | Purpose | Without it |
|----------|---------|------------|
| `GITHUB_TOKEN` | Higher API rate limits (60/hr -> 5,000/hr) | Works fine at 60 req/hr |
| `ANTHROPIC_API_KEY` | AI analysis via Claude (`--llm`) | LLM features skipped |
| `OPENAI_API_KEY` | AI analysis via GPT (`--llm --llm-provider openai`) | LLM features skipped |
| `OPENCVE_USER` / `OPENCVE_PASS` | OpenCVE source for `--early-warning` | OpenCVE silently skipped |

### Exit Codes

| Code | Meaning | CI Behavior |
|:----:|---------|-------------|
| `0` | No critical/high vulnerabilities | Pipeline **passes** |
| `1` | Critical or high vulnerabilities found | Pipeline **fails** |
| `2` | Runtime error | Pipeline **errors** |

---

## Use in CI/CD

### GitHub Actions

```yaml
- name: Security scan
  run: |
    pip install git+https://github.com/yashbarot/security-scanner.git
    repo-scan . -s high
```

### GitLab CI

```yaml
security-scan:
  script:
    - pip install git+https://github.com/yashbarot/security-scanner.git
    - repo-scan . -s high
```

### Bitbucket Pipelines

```yaml
- step:
    name: Security scan
    script:
      - pip install git+https://github.com/yashbarot/security-scanner.git
      - repo-scan . -s high
```

> The exit code `1` on critical/high findings automatically fails the pipeline step. Medium and low findings never fail the pipeline on their own.
>
> In CI, pin the install to a release tag (see the tip under Install) instead of installing from `main`: an unpinned install of the scanner is itself an unreviewed supply-chain input to your pipeline.

---

## Comparison with Existing Tools

| Feature | security-scanner | npm audit | pip-audit | Snyk | Dependabot | osv-scanner |
|---------|:----:|:---------:|:---------:|:----:|:----------:|:-----------:|
| Multi-ecosystem | **8** | 1 | 1 | Many | Many | 11+ |
| Dockerfile scanning | **Yes** | No | No | Yes | No | Yes |
| Free & open source | **Yes** | Yes | Yes | Freemium | Free | Yes |
| No account required | **Yes** | Yes | Yes | No | No | Yes |
| AI-powered analysis | **Yes** | No | No | No | No | No |
| Configurable scan depth | **Yes** | No | No | No | No | No |
| Scheduled scanning | **Yes** | No | No | No | No | No |
| Early warning (web intel) | **Yes** | No | No | No | No | No |
| Security release feeds | **Yes** | No | No | No | No | No |
| Registry health checks | **Yes** | No | No | No | No | No |
| Cross-references sources | **Yes** | No | No | Yes | No | No |
| Version range matching | **Yes** | Yes | Yes | Yes | Yes | Yes |
| CVSS v3.1 parsing | **Yes** | No | No | Yes | No | Yes |
| JSON/HTML reports | **Yes** | JSON | JSON | Yes | No | Yes |

---

## How It Works

```
 Your Project Directory
         │
         v
 ┌───────────────────┐
 │  File Discovery    │  Walk tree, match 20+ dependency filenames
 │                    │  + Dockerfiles + docker-compose
 └────────┬──────────┘
          │
          v
 ┌───────────────────┐
 │  Parsing           │  8 ecosystem parsers + Docker parser
 │                    │  Lock file versions override manifests
 └────────┬──────────┘
          │
          v
 ┌───────────────────┐
 │  OSV Batch Query   │  Batch API → Parallel hydration via
 │  + Hydration       │  /v1/vulns/{id} (10 concurrent workers)
 └────────┬──────────┘
          │
          v
 ┌───────────────────┐
 │  Cross-Reference   │  GitHub Advisory (version range matching)
 │  + Docker EOL      │  + Docker image EOL/unpinned detection
 │  + Security Feeds  │  + Official runtime security releases
 └────────┬──────────┘
          │
          v
 ┌───────────────────┐
 │  AI Analysis       │  Optional: Claude/GPT priority ranking
 │  (--llm)           │  + mitigation steps + posture assessment
 └────────┬──────────┘
          │
          v
 ┌───────────────────┐
 │  Report            │  Table, JSON, or HTML output
 │  Generation        │  with fix recommendations
 └───────────────────┘
```

---

## Development

```bash
git clone https://github.com/yashbarot/security-scanner.git
cd security-scanner
pip install -e ".[dev]"
pytest          # 129 tests
pytest -v       # verbose
```

### Project Structure

```
src/repo_security_scanner/
├── models.py                 # Core data models (Dependency, Vulnerability, ScanReport)
├── scanner.py                # Orchestrator — walks dirs, parses, queries, reports
├── cli.py                    # CLI with rich output + schedule subcommand
├── llm.py                    # AI analysis (Claude + GPT)
├── scheduler.py              # Cron-based scheduled scanning daemon
├── cache.py                  # File-based cache for early warning sources
├── filters.py                # Noise reduction for web-based sources
├── version_utils.py          # Semver + PEP 440 version comparison
├── parsers/                  # Dependency file parsers
│   ├── python.py             #   requirements.txt, pyproject.toml, Pipfile.lock, poetry.lock
│   ├── node.py               #   package.json, package-lock.json, yarn.lock, pnpm-lock.yaml, bun.lock
│   ├── java.py               #   pom.xml, build.gradle
│   ├── go.py                 #   go.mod
│   ├── ruby.py               #   Gemfile, Gemfile.lock
│   ├── rust.py               #   Cargo.toml, Cargo.lock
│   ├── php.py                #   composer.json, composer.lock
│   └── docker.py             #   Dockerfile, docker-compose.yml
├── vulndb/                   # Vulnerability database clients
│   ├── osv.py                #   Google OSV (primary, with parallel hydration)
│   ├── github_advisory.py    #   GitHub Advisory (with version range matching)
│   ├── docker_images.py      #   Docker EOL/unpinned detection
│   ├── security_releases.py  #   Official runtime security release feeds
│   ├── cisa_kev.py           #   CISA Known Exploited Vulnerabilities
│   ├── registry_health.py    #   PyPI yanked / npm deprecated detection
│   ├── hackernews.py         #   Hacker News security mentions
│   ├── github_issues.py      #   GitHub Issues security search
│   ├── rss_feeds.py          #   Security blog RSS feeds
│   └── opencve.py            #   OpenCVE (optional)
└── reports/                  # Report generators
    ├── json_report.py        #   JSON export (with optional LLM analysis)
    └── html_report.py        #   HTML export (with optional LLM analysis)
```

### Adding a New Ecosystem Parser

```python
from repo_security_scanner.parsers.base import DependencyParser, register_parser
from repo_security_scanner.models import Dependency, Ecosystem

@register_parser
class YourParser(DependencyParser):
    filenames = ["your-lockfile.lock"]
    ecosystem = Ecosystem.YOUR_ECOSYSTEM

    def parse(self, content: str, filename: str) -> list[Dependency]:
        ...
```

The registry auto-discovers it. That's it.

---

## Roadmap

### Completed
- [x] 8 ecosystem support (Python, Node.js, Java, Go, Ruby, Rust, PHP, Docker)
- [x] Early warning system (CISA KEV, Hacker News, GitHub Issues, RSS, registry health)
- [x] Official security release feed monitoring (Node.js, Python, Django, Rails, Go, Spring)
- [x] Dockerfile + docker-compose scanning with EOL detection
- [x] AI-powered security analysis (Claude + GPT)
- [x] Scheduled scanning with cron daemon
- [x] OSV hydration with parallel `/v1/vulns/{id}` calls
- [x] CVSS v3.1 vector parsing from spec
- [x] Version range matching for GitHub Advisory
- [x] All 4 Node.js lockfiles (npm, yarn, pnpm, bun)
- [x] 129 tests including real-world vulnerability fixtures

### Up Next
- [ ] SBOM export (CycloneDX 1.5 / SPDX 2.3)
- [ ] SARIF output for GitHub Code Scanning integration
- [ ] Config file (`security-scanner.toml`) with vulnerability suppression and expiry dates
- [ ] NVD enrichment for CVSS scores

### Planned
- [ ] Offline mode with downloadable OSV database
- [ ] Guided remediation (interactive fix suggestions)
- [ ] License scanning with allowlist-based compliance
- [ ] Monorepo support (scan subdirectories independently)
- [ ] Pre-commit hook integration
- [ ] REST API mode (`--serve`) for code review tool integration
- [ ] EPSS scoring from FIRST.org
- [ ] Support for `.NET` (NuGet), `Dart` (pub), `Elixir` (mix), `Haskell` (cabal)
- [ ] GitHub Action published to marketplace
- [ ] Docker image for CI/CD pipelines

---

## Release History

| Version | Date | Highlights |
|---------|------|-----------|
| **v0.3.1** | 2026-03-31 | Severity accuracy fix — MODERATE mapping, 7 data pipeline bugs, feed flooding fix |
| **v0.3.0** | 2026-03-31 | Dockerfile scanning, AI analysis, scheduled scanning, security release feeds, `--scan-depth` |
| **v0.2.0** | 2026-03-31 | Critical OSV hydration fix, CVSS v3.1 parsing, version range matching, pnpm + bun |
| **v0.1.0** | 2026-03-31 | Initial release — 7 ecosystems, early warning system, CLI |

See [Releases](https://github.com/yashbarot/security-scanner/releases) for full changelogs.

---

## Contributing

Contributions are welcome! See [CONTRIBUTING.md](CONTRIBUTING.md) for details.

1. Fork the repository
2. Create your feature branch (`git checkout -b feature/amazing-feature`)
3. Run the tests (`pytest`)
4. Commit and push
5. Open a Pull Request

---

## Requirements

- **Python** >= 3.9
- **Internet access** for querying vulnerability databases
- **No API keys required** (optional for AI analysis and higher rate limits)

## License

MIT License. See [LICENSE](LICENSE) for details.

---

<div align="center">

**Built to solve a real problem — because knowing your vulnerabilities shouldn't cost a fortune.**

If this tool helped you, consider giving it a star!

</div>
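Worked example for the "Dockerfile & Docker Compose Scanning" section: parsing `FROM` instructions and flagging end-of-life or unpinned base images. This is an added example, not the project's `docker.py` or `docker_images.py`: the EOL table is a subset of the README's table, and `parse_image_ref`, `parse_from_lines` and `check_dockerfile` are local names. It goes a little beyond the README's flagged lines by also handling `--platform`, multi-stage `AS` aliases, `FROM scratch`, registries with a port, and digest-pinned references, which a naive `image:tag` split gets wrong.

```python
"""Dockerfile base-image checks (added example; not the project's code). The
EOL table is a subset of the README's table; `parse_image_ref`,
`parse_from_lines` and `check_dockerfile` are local names."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Subset of the README's EOL table: image -> (EOL version prefixes, suggested replacement).
EOL_IMAGES = {
    "node": ({"10", "12", "14", "16"}, "22"),
    "python": ({"2.7", "3.6", "3.7", "3.8"}, "3.13"),
    "ubuntu": ({"14.04", "16.04", "18.04", "20.04"}, "24.04"),
    "nginx": ({"1.18", "1.19", "1.20", "1.21"}, "1.27"),
    "debian": ({"stretch", "buster", "jessie"}, "bookworm"),
}

# FROM [--platform=<p>] <image>[:<tag>][@<digest>] [AS <name>]
FROM_RE = re.compile(
    r"^\s*FROM\s+(?:--platform=\S+\s+)?(?P<ref>\S+)(?:\s+AS\s+(?P<alias>\S+))?\s*$",
    re.IGNORECASE,
)


@dataclass
class BaseImage:
    image: str              # "node", "ghcr.io/org/app"
    tag: Optional[str]      # None when the reference carries no tag
    digest: Optional[str]   # "sha256:..." when pinned by digest
    line: int


@dataclass
class Finding:
    line: int
    severity: str
    id: str
    message: str


def parse_image_ref(ref: str):
    """Split 'registry[:port]/ns/name[:tag][@digest]' into (image, tag, digest)."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    # Only the last path component can carry a tag; 'host:port' must not be mistaken for one.
    head, _, last = ref.rpartition("/")
    tag = None
    if ":" in last:
        last, tag = last.split(":", 1)
    image = f"{head}/{last}" if head else last
    return image, tag, digest


def parse_from_lines(dockerfile: str) -> list[BaseImage]:
    stages: set[str] = set()
    images = []
    for n, raw in enumerate(dockerfile.splitlines(), 1):
        m = FROM_RE.match(raw)
        if not m:
            continue
        ref = m.group("ref")
        if m.group("alias"):
            stages.add(m.group("alias").lower())
        # "FROM build" reuses an earlier stage and "FROM scratch" is the empty image: neither is pulled.
        if ref.lower() in stages or ref.lower() == "scratch":
            continue
        image, tag, digest = parse_image_ref(ref)
        images.append(BaseImage(image, tag, digest, n))
    return images


def check_dockerfile(dockerfile: str) -> list[Finding]:
    findings = []
    for img in parse_from_lines(dockerfile):
        short = img.image.rsplit("/", 1)[-1]            # "library/node" -> "node"
        base_tag = (img.tag or "").split("-", 1)[0]     # "14.21-alpine" -> "14.21", "3.8-slim" -> "3.8"
        if short in EOL_IMAGES:
            eol_tags, replacement = EOL_IMAGES[short]
            if any(base_tag == e or base_tag.startswith(e + ".") for e in eol_tags):
                findings.append(Finding(img.line, "HIGH", f"DOCKER-EOL-{short}-{base_tag}",
                                        f"{short}:{img.tag} is end-of-life; upgrade to {short}:{replacement}"))
        if img.digest:
            continue  # digest-pinned: the content cannot change under you, whatever the tag says
        if img.tag is None or img.tag == "latest":
            findings.append(Finding(img.line, "MEDIUM", f"DOCKER-UNPINNED-{short}",
                                    f"{img.image} is not pinned to a version; pin a tag (better: a digest)"))
    return findings


SAMPLE_DOCKERFILE = """\
# constructed sample, not a real project
FROM --platform=linux/amd64 node:14.21-alpine AS build
FROM python:3.8-slim
FROM nginx:latest
FROM nginx
FROM ubuntu:22.04
FROM ghcr.io/example/app:1.2.3@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
FROM build
FROM scratch
"""

if __name__ == "__main__":
    for f in check_dockerfile(SAMPLE_DOCKERFILE):
        print(f"line {f.line}: {f.severity:6} {f.id}: {f.message}")
```

The digest check matters: `nginx:1.27@sha256:...` is immutable even though the tag alone could be re-pushed, so a scanner that only looks at the tag would nag about the safest form of pinning.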
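Worked example for the "Noise reduction" bullets under Early Warning System: a relevance score for a Hacker News, RSS or GitHub Issues item that mentions one of your dependencies. This is an added example, not the project's `filters.py`: `relevance` and `filter_items` are local names, the blocklist extends the README's "utils", "core", "test" with a few assumed entries, the score weights are this example's own choice, and the headlines are constructed around a made-up package name.

```python
"""Noise filter for web-sourced early-warning hits (added example; not the
project's code). `relevance` and `filter_items` are local names; the blocklist
extends the README's "utils", "core", "test" with assumed entries, and the score
weights are this example's own choice."""
import re

GENERIC_NAMES = {"utils", "core", "test", "common", "config", "types", "cli", "app"}
SECURITY_TERMS = ("cve-", "vulnerab", "exploit", "malicious", "backdoor", "compromis", "rce", "advisory")
THRESHOLD = 0.5   # README: only items scoring >= 0.5 are shown


def _mention(package: str, text: str) -> bool:
    """Whole-token match: 'axios' must not fire on 'maxios' or 'axios-retry'."""
    pattern = rf"(?<![\w-]){re.escape(package.lower())}(?![\w-])"
    return re.search(pattern, text.lower()) is not None


def relevance(package: str, title: str, body: str = "") -> float:
    """0.0-1.0 score for one HN/RSS/issue item mentioning `package`."""
    if package.lower() in GENERIC_NAMES:
        return 0.0                        # too generic to mean this dependency
    haystack = f"{title} {body}"
    if not _mention(package, haystack):
        return 0.0
    score = 0.3                           # the name is present at all
    hits = sum(1 for term in SECURITY_TERMS if term in haystack.lower())
    score += 0.2 * min(hits, 3)           # security-keyword co-occurrence, capped
    if _mention(package, title):
        score += 0.1                      # in the headline, not buried in the body
    return round(min(score, 1.0), 2)


def filter_items(package: str, items, threshold: float = THRESHOLD):
    """Return (score, title) for the items worth surfacing, best first."""
    scored = [(relevance(package, title, body), title) for title, body in items]
    return sorted([s for s in scored if s[0] >= threshold], reverse=True)


# Constructed headlines about a made-up package, not real posts.
SAMPLE_ITEMS = [
    ("fastjsonx security advisory: SSRF vulnerability fixed in 2.1.0", "upgrade now"),
    ("Show HN: fastjsonx-lite, a tiny JSON parser", "zero dependencies"),
    ("Why I stopped using fastjsonx", "a performance comparison"),
    ("Backdoor found in popular npm package",
     "a malicious version of fastjsonx was published after a maintainer account was compromised"),
]

if __name__ == "__main__":
    for score, title in filter_items("fastjsonx", SAMPLE_ITEMS):
        print(f"{score:.2f}  {title}")
```

The third headline mentions the package by name but scores 0.4 and is dropped: a name alone is not a security signal, which is exactly the co-occurrence rule the README describes.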
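Worked example for "Version range matching" (GitHub Advisory cross-reference) and the v0.3.1 "Fix version from wrong package" fix. This is an added example, not the project's `github_advisory.py` or `version_utils.py`: `Version`, `parse_range`, `is_affected` and `find_affected` are local names, the comparison is a semver-style one (not PEP 440), and the advisory list is constructed; the axios entry reuses the GHSA id and fix version from the README's example output, and the other ids are placeholders.

```python
"""Version-range matching for advisory data (added example; not the project's
code). `Version`, `parse_range`, `is_affected` and `find_affected` are local
names; the range syntax is the "op version, op version" form GitHub Advisory
uses for vulnerable_version_range."""
import re
from functools import total_ordering

_VERSION_RE = re.compile(
    r"^v?(?P<core>\d+(?:\.\d+)*)(?:-(?P<pre>[0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$"
)


@total_ordering
class Version:
    """Semver-style comparison: numeric dotted core, optional pre-release, build metadata ignored."""

    def __init__(self, text: str):
        m = _VERSION_RE.match(text.strip())
        if not m:
            raise ValueError(f"unparseable version: {text!r}")
        self.core = tuple(int(p) for p in m.group("core").split("."))
        pre = m.group("pre")
        self.pre = tuple(self._ident(p) for p in pre.split(".")) if pre else None

    @staticmethod
    def _ident(p: str):
        # Numeric identifiers compare numerically and rank below alphanumeric ones.
        return (0, int(p), "") if p.isdigit() else (1, 0, p)

    def _key(self):
        core = self.core + (0,) * (4 - len(self.core))    # 1.2 == 1.2.0
        # A release ranks above every pre-release of the same core (1.0.0-rc.1 < 1.0.0).
        return (core, 1 if self.pre is None else 0, self.pre or ())

    def __eq__(self, other):
        return self._key() == other._key()

    def __lt__(self, other):
        return self._key() < other._key()


_OPS = {
    "<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
    "=": lambda a, b: a == b,
}
_CLAUSE_RE = re.compile(r"^(>=|<=|>|<|=)\s*(\S+)$")


def parse_range(text: str):
    """'>= 1.0.0, < 1.8.2' -> [(op, Version), ...]; every clause must hold."""
    clauses = []
    for part in text.split(","):
        m = _CLAUSE_RE.match(part.strip())
        if not m:
            raise ValueError(f"bad range clause: {part!r}")
        clauses.append((_OPS[m.group(1)], Version(m.group(2))))
    return clauses


def is_affected(installed: str, vulnerable_range: str) -> bool:
    v = Version(installed)
    return all(op(v, bound) for op, bound in parse_range(vulnerable_range))


def find_affected(deps: dict, advisories: list) -> list:
    """deps: {name: installed version}; advisories: (id, package, vulnerable_range, patched).
    Filters by package name first, so a multi-package advisory never reports another package's fix."""
    hits = []
    for adv_id, package, vrange, patched in advisories:
        if package in deps and is_affected(deps[package], vrange):
            hits.append((adv_id, package, deps[package], patched))
    return hits


# Constructed inputs. The axios entry reuses the GHSA id and fix version shown in the
# README's example output; the other ids and ranges are placeholders.
SAMPLE_DEPS = {"axios": "1.6.0", "flask": "2.2.0", "lodash": "4.17.21", "express": "5.0.0-beta.1"}
SAMPLE_ADVISORIES = [
    ("GHSA-8hc4-vh64-cxmj", "axios", ">= 1.0.0, < 1.8.2", "1.8.2"),
    ("ADV-FLASK-1", "flask", ">= 2.2.0, < 2.2.5", "2.2.5"),
    ("ADV-LODASH-1", "lodash", "< 4.17.21", "4.17.21"),          # fixed version installed: no hit
    ("ADV-EXPRESS-1", "express", ">= 5.0.0, < 5.0.1", "5.0.1"),  # pre-release sorts below 5.0.0: no hit
    ("ADV-REQUESTS-1", "requests", "< 2.31.0", "2.31.0"),        # not a dependency: ignored
]


def demo():
    return find_affected(SAMPLE_DEPS, SAMPLE_ADVISORIES)


if __name__ == "__main__":
    for adv_id, package, installed, patched in demo():
        print(f"{package} {installed} is affected by {adv_id}; upgrade to {patched}")
```

Two things in the sample are easy to get wrong with plain string comparison: `4.17.21` is not less than `4.17.21` (the lodash entry must not fire), and `5.0.0-beta.1` sorts below `5.0.0`, so a range that starts at `5.0.0` does not cover it.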
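Worked example for "Adding a New Ecosystem Parser" and the "Lock files get priority" note under Supported Ecosystems: a parser registry in the same shape as the README's `register_parser` / `DependencyParser` snippet, with a `package.json` manifest parser, a `package-lock.json` (lockfileVersion 2/3) parser, and a resolver that lets lock-file versions override manifest ranges. This is an added example, not the project's code: `Dependency`, `Ecosystem`, `DependencyParser`, `register_parser` and `resolve_project` are local stand-ins defined below, not imports from `repo_security_scanner`, and the two input files are constructed.

```python
"""Parser registry with lock-file precedence (added example; not the project's
code). The names mirror the README's registration API but are defined locally."""
import json
from dataclasses import dataclass
from enum import Enum


class Ecosystem(Enum):
    NPM = "npm"


@dataclass(frozen=True)
class Dependency:
    name: str
    version: str          # exact version, or the manifest's range when no lock file pinned it
    ecosystem: Ecosystem
    exact: bool           # True only when the version came from a lock file
    source: str           # filename the entry was parsed from


PARSERS = []              # filled by @register_parser; filename -> parser lookup happens below


def register_parser(cls):
    """Decorator: make a parser discoverable by the filenames it declares."""
    PARSERS.append(cls)
    return cls


class DependencyParser:
    filenames: list = []
    ecosystem: Ecosystem

    def parse(self, content: str, filename: str) -> list:
        raise NotImplementedError


@register_parser
class PackageJsonParser(DependencyParser):
    filenames = ["package.json"]
    ecosystem = Ecosystem.NPM

    def parse(self, content, filename):
        data = json.loads(content)
        deps = {}
        for section in ("dependencies", "devDependencies"):
            deps.update(data.get(section, {}))
        # Manifest specs are ranges ("^1.6.0"), so these are never exact.
        return [Dependency(n, spec, self.ecosystem, False, filename) for n, spec in deps.items()]


@register_parser
class PackageLockParser(DependencyParser):
    filenames = ["package-lock.json"]
    ecosystem = Ecosystem.NPM

    def parse(self, content, filename):
        data = json.loads(content)
        out = []
        # lockfileVersion 2/3 keys "packages" by install path; "" is the root project itself.
        for path, info in data.get("packages", {}).items():
            if not path or "version" not in info:
                continue
            # Nested copies live under ".../node_modules/<name>"; the name is the last segment.
            name = path.rsplit("node_modules/", 1)[-1]
            out.append(Dependency(name, info["version"], self.ecosystem, True, filename))
        return out


def resolve_project(files: dict) -> list:
    """Parse every recognised file; lock-file versions win over manifest ranges for the same name."""
    locked = {}      # (name, version) -> Dependency; nested duplicates keep every installed version
    manifest = {}    # name -> Dependency
    for filename, content in files.items():
        for parser_cls in PARSERS:
            if filename in parser_cls.filenames:
                for dep in parser_cls().parse(content, filename):
                    if dep.exact:
                        locked[(dep.name, dep.version)] = dep
                    else:
                        manifest.setdefault(dep.name, dep)
    locked_names = {name for name, _ in locked}
    result = list(locked.values())
    # A manifest entry survives only when no lock file pinned that package.
    result += [d for n, d in manifest.items() if n not in locked_names]
    return sorted(result, key=lambda d: (d.name, d.version))


SAMPLE_FILES = {  # constructed sample input, not a real project
    "package.json": json.dumps({
        "dependencies": {"axios": "^1.6.0", "lodash": "^4.17.0"},
        "devDependencies": {"jest": "^29.0.0"},
    }),
    "package-lock.json": json.dumps({
        "lockfileVersion": 3,
        "packages": {
            "": {"name": "demo", "version": "1.0.0"},
            "node_modules/axios": {"version": "1.6.0"},
            "node_modules/lodash": {"version": "4.17.21"},
            "node_modules/jest": {"version": "29.7.0"},
            "node_modules/jest/node_modules/lodash": {"version": "4.17.15"},
        },
    }),
}


def demo():
    return resolve_project(SAMPLE_FILES)


if __name__ == "__main__":
    for d in demo():
        print(f"{d.name:8} {d.version:10} exact={d.exact} from {d.source}")
```

With only `package.json` the resolver can report `axios ^1.6.0`, which no advisory range can be matched against reliably; with the lock file it reports `axios 1.6.0`, which is inside the `< 1.8.2` range shown in the README's example output. The nested `lodash` copy is kept as a second entry rather than collapsed, because the older version is what actually runs under `jest`.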