https://github.com/ludo-technologies/codescan
Scan any GitHub repo for security issues — risky code, exposed keys, outdated packages
https://github.com/ludo-technologies/codescan
dependency-scanning devsecops gitleaks golang nextjs sast secrets-detection security security-tools semgrep static-analysis trivy
Last synced: 4 days ago
JSON representation
Scan any GitHub repo for security issues — risky code, exposed keys, outdated packages
- Host: GitHub
- URL: https://github.com/ludo-technologies/codescan
- Owner: ludo-technologies
- License: mit
- Created: 2026-02-10T15:38:34.000Z (5 months ago)
- Default Branch: main
- Last Pushed: 2026-06-25T16:51:56.000Z (11 days ago)
- Last Synced: 2026-06-25T18:20:17.163Z (11 days ago)
- Topics: dependency-scanning, devsecops, gitleaks, golang, nextjs, sast, secrets-detection, security, security-tools, semgrep, static-analysis, trivy
- Language: TypeScript
- Homepage: https://codescan.dev
- Size: 258 KB
- Stars: 3
- Watchers: 0
- Forks: 0
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
- Contributing: CONTRIBUTING.md
- License: LICENSE
- Code of conduct: CODE_OF_CONDUCT.md
Awesome Lists containing this project
README
# [codescan.dev](https://codescan.dev)
### Scan any GitHub repo for security issues.
Risky code, exposed keys, outdated packages — one shareable grade.
[](https://codescan.dev)
[Example report](https://codescan.dev/examples) · [Methodology](https://codescan.dev/methodology)
---
## Demo
[https://github.com/user-attachments/assets/db41df8e-881e-4303-9634-d3aba7c853e1](https://github.com/user-attachments/assets/206d84be-585a-4f5c-966f-e4a70ef8664f)
▶ **Try it yourself at [codescan.dev](https://codescan.dev)** — paste any public repo URL, no sign-up.
## What it checks
| Category | Description | Powered by |
|---|---|---|
| **Static Analysis (SAST)** | Finds patterns that can lead to security bugs, including unsafe input handling and other common mistakes | [Semgrep](https://semgrep.dev/) |
| **Secret Detection** | Checks whether API keys, tokens, private keys, or credentials were accidentally committed | [Gitleaks](https://gitleaks.io/) |
| **Dependency Vulnerabilities** | Looks for packages with known security problems so you can update the risky ones first | [Trivy](https://trivy.dev/) |
## How it works
1. **Paste a GitHub URL** — Drop the URL of any public repository into the scan box, or sign in with GitHub to scan your private repos.
2. **Run the checks** — codescan.dev looks for risky code, exposed keys, and packages that should be updated.
3. **Read the report card** — See a letter grade, a severity breakdown, and per-finding file, line, and rule details you can share.
No installation. No GitHub app. Public repos need no sign-up.
## Add a badge to your README
Show your latest security grade. Scan your repo, then hit **Copy README Badge** on the report card — or use:
```markdown
[](https://codescan.dev)
```
The badge reflects the most recent public scan and refreshes automatically when you re-scan. Repos that haven't been scanned yet show a neutral badge instead of a broken image.
## Who it's for
- **Maintainers** — Get a quick security baseline before publishing a release or accepting a large pull request.
- **Developers evaluating dependencies** — Check a third-party repository for exposed credentials and risky packages before adopting it.
- **Engineering teams** — Share a letter-grade report card alongside a PR or audit instead of pasting raw tool output.
## FAQ
Is codescan.dev free?
Yes. Public repository scans are free and require no sign-up. Sign in with GitHub to scan private repositories — also free.
Which repositories can I scan?
Any public GitHub repository — just paste the repo URL (https://github.com/owner/name) into the scan box. Sign in with GitHub to scan private repositories you have access to.
What does the letter grade mean?
The grade summarizes how many issues were found and how serious they are, so you can compare repositories at a glance.
Do you store my code?
No. codescan.dev clones the repository to run the scanners and only persists the resulting findings needed to render the report card.
## Run it yourself
Most people don't need to — just use the hosted version at **[codescan.dev](https://codescan.dev)** (free, no sign-up for public repos). But codescan is fully open source — both the web frontend and the scan engine that runs Semgrep, Gitleaks, and Trivy — so you can run the whole stack yourself with Docker:
```bash
git clone https://github.com/ludo-technologies/codescan.git
cd codescan
BACKEND_API_KEY=dev-secret docker compose up --build
```
Then open and scan any public repository. Set `GITHUB_PUBLIC_TOKEN` to lift GitHub's API rate limit from 60/hr to 5000/hr.
## How it's built
| Component | Path | Stack |
|---|---|---|
| **Web frontend** | repository root | Next.js (App Router), deployed on Vercel |
| **Scan engine** | [`engine/`](engine) | Go module — orchestrates Semgrep/Gitleaks/Trivy, scores results, exposes the `/api/scan` API |
The engine is an importable Go module (`github.com/ludo-technologies/codescan/engine`): run it standalone via `engine/cmd/server`, or embed it in your own service by calling `engine.New(...)` and mounting it onto a [chi](https://github.com/go-chi/chi) router.
## Contributing
See [CONTRIBUTING.md](CONTRIBUTING.md) for development setup and guidelines.
## License
[MIT](LICENSE)