GitShield: The Developer Guardian That Watches Your Code. Real-time secret detection, intelligent pre-commit checks, repo health scoring, and developer behavior intelligence.
Project description
GitShield
The Developer Guardian That Watches Your Code, So You Don't Have To
Prevents mistakes BEFORE they happen · Guides you DURING actions · Fixes issues AFTER mistakes · Learns your behavior
What is GitShield?
GitShield is a production-ready, end-to-end developer protection system that integrates seamlessly with your Git workflow. It combines real-time security scanning, intelligent rules enforcement, smart mentoring, and behavioral analysis into a single tool.
Think of it as a security-first pair programmer that sits between your code and your repository, catching secrets before they leak, enforcing quality standards, and continuously learning how you work to give better advice.
Why GitShield?
| Problem | GitShield Solution |
|---|---|
| Accidentally committed API keys | 30+ secret detection patterns catch them before commit |
| Vague commit messages like "fix stuff" | Smart Mentor scores messages and suggests improvements |
| Monster commits with 80+ files | Rule Engine warns about oversized commits |
| Pushing directly to main | Branch protection blocks direct commits to protected branches |
| "How do I undo my last commit?" | Recovery Engine provides step-by-step guided fixes |
| Repository entropy building up | Health Analyzer scores repo quality with actionable insights |
Core Features
Security Scanner - 30+ Secret Detection Patterns
Detects leaked credentials from AWS, Google Cloud, GitHub, Stripe, Slack, Twilio, SendGrid, Firebase, Discord, Shopify, Heroku, and more. Includes Shannon entropy analysis for catching unknown token formats.
$ gitshield scan
GitShield v1.0.0
Developer Guardian & Git Intelligence
Security Scan Findings
┌──────────┬───────────┬──────┬─────────────┬────────────────────┐
│ Severity │ File      │ Line │ Pattern     │ Description        │
├──────────┼───────────┼──────┼─────────────┼────────────────────┤
│ CRIT     │ config.py │ 12   │ AWS Key     │ AWS Access Key ID  │
│ HIGH     │ .env      │ 3    │ Generic Key │ API key assignment │
└──────────┴───────────┴──────┴─────────────┴────────────────────┘
COMMIT BLOCKED - Fix issues before proceeding.
Full List of Detected Secret Types (30+)
| Provider | Patterns Detected |
|---|---|
| AWS | Access Key ID, Secret Access Key, MWS Token |
| | API Key, OAuth Client ID, Service Account Key |
| GitHub | Personal Access Token, OAuth Token, App Token, Fine-Grained PAT |
| Stripe | Secret Key, Publishable Key, Restricted Key |
| Slack | Bot Token, User Token, Webhook URL |
| Firebase | Database URL, Web API Key |
| Twilio | API Key, Auth Token |
| SendGrid | API Key |
| Discord | Bot Token, Webhook |
| NPM | Access Token |
| Shopify | Access Token, Shared Secret |
| Square | Access Token, OAuth Secret |
| Mailgun | API Key |
| Heroku | API Key |
| Generic | API keys, passwords, tokens, JWTs, private keys, DB connection strings |
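The two detection layers described above, provider-specific patterns plus Shannon entropy for unknown token formats (the `--strict` / `entropy_analysis` setting), work like this. This is an added example, not GitShield's own `scanner.py` or `patterns.py`; the regexes, the 4.0 bits-per-character threshold, the MEDIUM severity for entropy hits and the sample lines are assumptions constructed for illustration.

```python
import math
import re
from collections import Counter

# Assumed patterns for illustration (not GitShield's patterns.py): name, severity, regex.
PATTERNS = [
    ("AWS Access Key ID", "CRITICAL", re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")),
    ("Generic API key assignment", "HIGH", re.compile(
        r"(?i)\b(?:api[_-]?key|secret|token)\b\s*[:=]\s*['\"]?[A-Za-z0-9_\-/+=]{16,}")),
]
TOKEN_RE = re.compile(r"[A-Za-z0-9+/=_\-]{20,}")  # candidates for the entropy pass
ENTROPY_THRESHOLD = 4.0  # bits per character; assumed cut-off

# Constructed sample input; the AWS value is the placeholder key from AWS documentation.
SAMPLE = "\n".join([
    'AWS_KEY = "AKIAIOSFODNN7EXAMPLE"',
    'api_key = "0123456789abcdef0123"',
    'session = "q9Xv2LmT7pRz4KdW8sYb1NcE6uHj"',
    'path = "aaaaaaaaaaaaaaaaaaaaaaaaaaaa"',
])


def shannon_entropy(s):
    """H = -sum(p * log2(p)) over the character frequencies of s."""
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def scan_text(filename, text, strict=False):
    """Return (severity, file, line, pattern) tuples; strict adds the entropy pass."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        matched = False
        for name, severity, rx in PATTERNS:
            if rx.search(line):
                findings.append((severity, filename, lineno, name))
                matched = True
        if strict and not matched:
            # Long tokens with near-random character distribution are flagged
            # even though no provider pattern recognises them.
            for token in TOKEN_RE.findall(line):
                if shannon_entropy(token) >= ENTROPY_THRESHOLD:
                    findings.append(("MEDIUM", filename, lineno, "High-entropy string"))
                    break
    return findings


def should_block(findings, block_on=("CRITICAL", "HIGH")):
    """Mirror of block_on_critical / block_on_high: any listed severity blocks."""
    return any(sev in block_on for sev, *_ in findings)


if __name__ == "__main__":
    for finding in scan_text("config.py", SAMPLE, strict=True):
        print(finding)
```

The repeated-character line scores zero entropy and is ignored, which is why entropy thresholds cut false positives on long but non-random strings such as padding or paths.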
Pre-Commit Rule Engine: SAFE ✅ / WARNING ⚠️ / BLOCK ❌
$ gitshield check -m "feat(auth): add JWT validation"
Pre-Commit Rules
────────────────────────────────────────
✅ Protected Branch: Working on branch 'feature/auth' (not protected)
✅ Staged File Count: 3 file(s) staged for commit
✅ File Size: All staged files are within size limits
⚠️ Debug Markers: Found 2 TODO/FIXME markers in staged files
❌ Conflict Markers: Unresolved merge conflict in utils.py
Commit Message Analysis
Score: 92/100
Mentor Suggestions
Branch follows conventions - good job!
Consider adding a body to explain the implementation approach
Rules checked on every commit:
- Protected branch detection (main, master, production)
- Staged file count limits (configurable, default 50)
- File size limits (configurable, default 5MB)
- Binary file detection (.exe, .dll, .so, .sqlite)
- TODO/FIXME/HACK marker warnings
- Merge conflict marker blocking
- Conventional commit message format validation
- Commit message length enforcement
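The rules listed above reduce to a function that gives each check a SAFE, WARNING or BLOCK status and takes the worst one as the verdict. This is an added example, not GitShield's `rules.py`; the regexes, the severity assigned to each rule and the constructed `STAGED` sample are assumptions.

```python
import re

SAFE, WARNING, BLOCK = "SAFE", "WARNING", "BLOCK"
PROTECTED = {"main", "master", "production"}  # defaults listed above
MAX_FILES = 50                                # default listed above
# Git writes conflict markers as seven characters at the start of a line.
CONFLICT_RE = re.compile(r"^(?:<{7} |={7}$|>{7} )", re.MULTILINE)
DEBUG_RE = re.compile(r"\b(?:TODO|FIXME|HACK)\b")
# Conventional commit subject: type(optional-scope)!: description
CONVENTIONAL_RE = re.compile(
    r"^(?:feat|fix|docs|style|refactor|perf|test|build|ci|chore|revert)"
    r"(?:\([a-z0-9_\-]+\))?!?: \S.*")

# Constructed staged content (path -> text) mirroring the sample output above.
STAGED = {
    "auth.py": "def validate(token):\n    # TODO: check expiry\n    return True  # FIXME\n",
    "utils.py": "<<<<<<< HEAD\na = 1\n=======\na = 2\n>>>>>>> feature/auth\n",
    "README.md": "docs\n",
}


def check_commit(branch, staged, message):
    """Return (overall, [(status, rule, detail)]) for one prospective commit."""
    results = []
    # Assumed BLOCK for protected branches, following the "Why GitShield?" table.
    results.append((BLOCK if branch in PROTECTED else SAFE, "Protected Branch", branch))
    results.append((WARNING if len(staged) > MAX_FILES else SAFE,
                    "Staged File Count", f"{len(staged)} file(s)"))
    conflicted = sorted(p for p, text in staged.items() if CONFLICT_RE.search(text))
    results.append((BLOCK if conflicted else SAFE, "Conflict Markers", ", ".join(conflicted)))
    markers = sum(len(DEBUG_RE.findall(text)) for text in staged.values())
    results.append((WARNING if markers else SAFE, "Debug Markers", f"{markers} marker(s)"))
    subject = message.splitlines()[0] if message else ""
    ok = bool(CONVENTIONAL_RE.match(subject)) and 10 <= len(subject) <= 200
    results.append((SAFE if ok else WARNING, "Commit Message", subject))
    order = [SAFE, WARNING, BLOCK]
    overall = max((status for status, _, _ in results), key=order.index)
    return overall, results


if __name__ == "__main__":
    verdict, rows = check_commit("feature/auth", STAGED, "feat(auth): add JWT validation")
    for row in rows:
        print(*row, sep=" | ")
    print("Verdict:", verdict)
```

A line of exactly seven `=` characters also appears as a heading underline in some text formats, so a production rule would typically require the `<<<<<<<` and `>>>>>>>` markers in the same file before blocking.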
Repository Health Score
$ gitshield health
╭──────────────────────────────╮
│ Repository Health Report     │
│                              │
│ Grade: B - 74/100            │
│ 74%                          │
│                              │
│ Structure: 90/100            │
│ Essentials: 85/100           │
│ File Quality: 70/100         │
│ Git Hygiene: 55/100          │
│ Dependencies: 80/100         │
╰──────────────────────────────╯
⚠️ Issues Found
────────────────────────────────────────
🟡 5/10 recent commits have poor messages
💡 Write descriptive commit messages using conventional format
🔵 No lock file for requirements.txt
💡 Consider generating a lock file for reproducible builds
Mistake Recovery Assistant
10+ guided recovery plans for common Git mistakes, each with step-by-step instructions, risk levels, and destructive operation warnings.
$ gitshield fix
Available Recovery Operations
┌────┬──────────────────────────┬────────────────────────────────────────┬──────────┐
│ #  │ ID                       │ Description                            │ Risk     │
├────┼──────────────────────────┼────────────────────────────────────────┼──────────┤
│ 1  │ undo_last_commit         │ Undo the most recent commit            │ LOW      │
│ 2  │ remove_file_from_history │ Remove a file from all git history     │ CRITICAL │
│ 3  │ unstage_all              │ Remove all files from staging          │ LOW      │
│ 4  │ recover_deleted_branch   │ Recover a recently deleted branch      │ LOW      │
│ 5  │ abort_merge              │ Abort a failed merge operation         │ MEDIUM   │
│ 6  │ reset_to_remote          │ Reset local branch to match remote     │ HIGH     │
│ 7  │ fix_detached_head        │ Fix a detached HEAD state              │ LOW      │
│ 8  │ squash_commits           │ Squash recent commits together         │ MEDIUM   │
│ 9  │ cherry_pick_commit       │ Apply a specific commit to this branch │ LOW      │
│ 10 │ clean_untracked          │ Remove all untracked files             │ HIGH     │
└────┴──────────────────────────┴────────────────────────────────────────┴──────────┘
$ gitshield fix --plan remove_file_from_history --file .env
Step 1: Backup Repository → cp -r .git .git-backup
Step 2: Add to .gitignore → echo ".env" >> .gitignore
Step 3: Remove from History → git filter-branch ...
Step 4: Force Push → git push origin --force --all ⚠️ (DESTRUCTIVE)
Step 5: ROTATE SECRETS → Revoke and regenerate any exposed keys
Behavior Intelligence & Smart Mentoring
Tracks your development patterns locally using SQLite and provides personalized insights:
$ gitshield learn
╭──────────────────────────────╮
│ Behavior Intelligence        │
│                              │
│ Total Commits: 127           │
│ Total Scans: 89              │
│ Secrets Found: 3             │
│ Secrets Prevented: 3         │
│ Avg Files/Commit: 4.2        │
│ Current Streak: 12 days      │
╰──────────────────────────────╯
Insights
Great Commit Discipline - avg 4 files/commit
Security Awareness - 100% prevention rate
Hot Streak! - 12 days of continuous coding
Quick Start
1. Install via pip
pip install gitshield
2. Or install from source
git clone https://github.com/kamrankausher/Git_Shield.git
cd Git_Shield
pip install -e .
3. Start protecting your repository
cd your-project
# Scan for secrets
gitshield scan
# Run pre-commit checks
gitshield check
# Analyze repo health
gitshield health
# Install automatic git hooks
gitshield init
Windows Installation
cd GitShield
.\scripts\install.ps1
macOS / Linux
cd GitShield
chmod +x scripts/install.sh
./scripts/install.sh
CLI Reference
| Command | Description |
|---|---|
| gitshield | Show status dashboard and quick start guide |
| gitshield scan | Scan entire repository for secrets |
| gitshield scan --staged | Scan only staged files |
| gitshield scan --strict | Enable Shannon entropy analysis |
| gitshield check | Run all pre-commit validation rules |
| gitshield check -m "message" | Also validate commit message |
| gitshield health | Generate repository health report |
| gitshield fix | List all recovery operations |
| gitshield fix --plan <id> | Show detailed recovery plan |
| gitshield fix --execute <id> | Execute a safe recovery operation |
| gitshield learn | View behavior insights and suggestions |
| gitshield init | Install pre-commit & pre-push git hooks |
| gitshield server | Start Flask backend for VS Code extension |
| gitshield status | Show git context and active risks |
VS Code Extension
GitShield includes a premium VS Code extension with a glassmorphic dashboard sidebar.
Features
| Feature | Description |
|---|---|
| Sidebar Dashboard | Real-time scan results, health gauges, and suggestions |
| Status Bar | Always-visible protection status indicator |
| Command Palette | Access all features via Ctrl+Shift+P → "GitShield" |
| Auto-Start Server | Automatically starts the Python backend on activation |
| Scan on Save | Optionally scan for secrets every time you save a file |
Installation
Option 1 - From VSIX (local):
cd vscode-extension
npm install
npm run compile
npx vsce package
# Then install the .vsix file via VS Code Extensions panel
Option 2 - Development mode:
- Open the vscode-extension/ folder in VS Code
- Press F5 to launch the Extension Development Host
- The extension will activate in the new window
Setup
- Install the Python CLI: pip install gitshield
- Install the VS Code extension
- Start the backend server: gitshield server (or let auto-start handle it)
System Architecture
┌──────────────────────────────────────┐
│        VS Code Extension (TS)        │
│  ┌─────────┐ ┌──────┐ ┌──────────┐   │
│  │Sidebar  │ │Status│ │ Commands │   │
│  │Dashboard│ │ Bar  │ │ Palette  │   │
│  └────┬────┘ └──┬───┘ └────┬─────┘   │
│       └─────────┴──────────┘         │
│                 │                    │
│           HTTP REST API              │
└─────────────────┬────────────────────┘
                  │
┌─────────────────┴────────────────────┐
│         Flask Backend Server         │
│   /api/scan /api/check /api/health   │
│   /api/risks /api/behavior /api/fix  │
└─────────────────┬────────────────────┘
                  │
┌─────────────────┴────────────────────┐
│      Core Engine (Orchestrator)      │
│                                      │
│      ┌──────────┐  ┌──────────┐      │
│      │ Security │  │   Rule   │      │
│      │ Scanner  │  │  Engine  │      │
│      └──────────┘  └──────────┘      │
│      ┌──────────┐  ┌──────────┐      │
│      │  Smart   │  │ Behavior │      │
│      │  Mentor  │  │ Tracker  │      │
│      └──────────┘  └──────────┘      │
│      ┌──────────┐  ┌──────────┐      │
│      │  Health  │  │ Recovery │      │
│      │ Analyzer │  │  Engine  │      │
│      └──────────┘  └──────────┘      │
│      ┌──────────┐  ┌──────────┐      │
│      │   Git    │  │ Pattern  │      │
│      │  Intel   │  │    DB    │      │
│      └──────────┘  └──────────┘      │
└─────────────────┬────────────────────┘
                  │
┌─────────────────┴────────────────────┐
│         Data & Storage Layer         │
│  ┌─────────┐ ┌──────┐ ┌────────────┐ │
│  │ SQLite  │ │ YAML │ │    Git     │ │
│  │(.devflow│ │Config│ │ subprocess │ │
│  │  /db)   │ │      │ │            │ │
│  └─────────┘ └──────┘ └────────────┘ │
└──────────────────────────────────────┘
Technology Stack
| Layer | Technology | Purpose |
|---|---|---|
| CLI | Python 3.8+ · Click · Rich | Terminal interface with colorized output |
| Server | Flask · Flask-CORS | REST API backend for VS Code |
| Core | Python standard library | Security scanning, rules, mentoring, behavior, recovery |
| Storage | SQLite | Local behavior tracking and scan history |
| Git | subprocess | Git operations (branch, diff, log, stash) |
| Config | PyYAML | User-configurable .devflow.yml files |
| Extension | TypeScript · VS Code API | Sidebar UI, status bar, file watchers |
| Testing | pytest (46 tests) | Unit tests for scanner, rules, health, CLI |
Project Structure
GitShield/
├── pyproject.toml              # Package configuration & metadata
├── README.md                   # This documentation
├── LICENSE                     # MIT License
├── requirements.txt            # Python dependencies
├── setup.py                    # Legacy setup script
├── .gitignore                  # Git ignore rules
│
├── src/devflow/                # Python package (src-layout)
│   ├── __init__.py             # Package version & metadata
│   ├── cli.py                  # Click CLI - 8 commands
│   ├── server.py               # Flask REST API - 12 endpoints
│   │
│   ├── core/                   # Core engine modules
│   │   ├── engine.py           # Central orchestrator
│   │   ├── scanner.py          # Security scanner (30+ patterns)
│   │   ├── patterns.py         # Secret regex pattern database
│   │   ├── rules.py            # Rule engine (SAFE/WARN/BLOCK)
│   │   ├── ai_mentor.py        # Smart suggestion engine
│   │   ├── behavior.py         # Developer behavior tracker
│   │   ├── health.py           # Repository health analyzer
│   │   ├── recovery.py         # Mistake recovery assistant
│   │   └── git_intel.py        # Git context intelligence
│   │
│   ├── hooks/                  # Git hook integration
│   │   └── installer.py        # Hook installer (Unix + Windows)
│   │
│   ├── db/                     # Data persistence
│   │   └── store.py            # SQLite storage layer
│   │
│   └── utils/                  # Shared utilities
│       ├── git.py              # Git operation wrappers
│       ├── formatters.py       # Rich terminal formatters
│       └── config.py           # YAML config management
│
├── vscode-extension/           # VS Code Extension
│   ├── package.json            # Extension manifest
│   ├── tsconfig.json           # TypeScript config
│   └── src/
│       ├── extension.ts        # Activation & command registration
│       ├── sidebarProvider.ts  # Webview dashboard (glassmorphic UI)
│       ├── devflowClient.ts    # HTTP client for Flask backend
│       └── statusBar.ts        # Status bar indicator
│
├── tests/                      # Test suite (46 tests)
│   ├── test_scanner.py         # Scanner & pattern tests
│   ├── test_rules.py           # Rule engine tests
│   ├── test_health.py          # Health analyzer tests
│   └── test_cli.py             # CLI integration tests
│
└── scripts/                    # Installation scripts
    ├── install.sh              # Unix installer
    └── install.ps1             # Windows PowerShell installer
Configuration
Create a .devflow.yml in your project root to customize behavior:
# GitShield Configuration
# Place this file in your project root as .devflow.yml
security:
  scan_on_commit: true          # Auto-scan on pre-commit hook
  scan_on_push: true            # Auto-scan on pre-push hook
  block_on_critical: true       # Block commits with CRITICAL findings
  block_on_high: true           # Block commits with HIGH findings
  entropy_analysis: false       # Shannon entropy for unknown patterns
  custom_patterns: []           # Add your own regex patterns
rules:
  max_file_size_mb: 5           # Max file size allowed (MB)
  max_files_per_commit: 50      # Max files per commit
  protected_branches:           # Branches that trigger warnings
    - main
    - master
    - production
  require_conventional_commits: true
  min_commit_message_length: 10
  max_commit_message_length: 200
  block_binary_files: true
  allowed_branch_prefixes:
    - feature/
    - fix/
    - bugfix/
    - hotfix/
    - release/
    - chore/
    - docs/
    - refactor/
    - test/
    - ci/
behavior:
  track_actions: true           # Log actions to SQLite
  track_secrets: true           # Log secret detections
  show_insights: true           # Display personalized insights
mentor:
  enabled: true
  show_on_commit: true
  max_suggestions: 5
server:
  host: 127.0.0.1
  port: 9876
  auto_start: true
Testing
# Run all 46 tests
pytest tests/ -v
# Run with coverage
pytest tests/ -v --cov=devflow
# Run specific test modules
pytest tests/test_scanner.py -v # 17 scanner tests
pytest tests/test_rules.py -v # 9 rule engine tests
pytest tests/test_health.py -v # 4 health analyzer tests
pytest tests/test_cli.py -v # 10 CLI integration tests
Current test status: 46/46 tests passing
Development
Setup Development Environment
git clone https://github.com/kamrankausher/Git_Shield.git
cd Git_Shield
# Create virtual environment
python -m venv venv
source venv/bin/activate # Linux/macOS
# venv\Scripts\activate # Windows
# Install in editable mode with dev dependencies
pip install -e ".[dev]"
# Run tests
pytest tests/ -v
Build & Publish to PyPI
pip install build twine
python -m build
twine upload dist/*
Build VS Code Extension
cd vscode-extension
npm install
npm run compile
npx vsce package # Creates .vsix file
npx vsce publish # Publish to Marketplace (requires token)
Privacy & Security
- 100% Local: All data is stored locally in .devflow/ inside your repository
- No Cloud: No data is ever sent to external servers
- No Telemetry: Zero tracking, zero analytics, zero network calls
- SQLite Storage: Behavior data stored in local SQLite database
- Git-Ignored: .devflow/ is automatically added to .gitignore
Contributing
- Fork the repository
- Create a feature branch: git checkout -b feature/amazing-feature
- Write tests for your changes
- Ensure all tests pass: pytest tests/ -v
- Commit with conventional format: git commit -m "feat(scanner): add new pattern"
- Push and open a Pull Request
License
MIT License - see LICENSE for details.
File details
Details for the file gitshield_cli-1.0.0.tar.gz.
File metadata
- Download URL: gitshield_cli-1.0.0.tar.gz
- Upload date:
- Size: 62.2 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.14.2
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 2fa0e228dc424167ee3b09a1473411b0a5ed26bd086b569ba1a7f5aa967fb860 |
| MD5 | ad432b39083c62075678354f6f207c08 |
| BLAKE2b-256 | 889807f226c75d5cc24438903435c83045b74103141821fd2f5d617a8b032867 |
File details
Details for the file gitshield_cli-1.0.0-py3-none-any.whl.
File metadata
- Download URL: gitshield_cli-1.0.0-py3-none-any.whl
- Upload date:
- Size: 56.9 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.14.2
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 94e0de9995840e81df07257dde58c8aa878d93a7e2dacf1f86bd05d7fabed910 |
| MD5 | 232045225ab78b86a1f74be39ab62002 |
| BLAKE2b-256 | 206250bde4b9295fd924991293383a011163b0212c24fc986a34b472658a53bf |