PRISM — Multi-engine security scanner for GitHub Actions and CI/CD pipelines
Project description
PRISM Security Scanner
PRISM is a privacy-first, multi-engine security scanner built for GitHub Actions and CI/CD pipelines. It detects secrets, vulnerable dependencies, insecure code patterns, and taint-flow vulnerabilities — all without sending your source code to any third-party server.
Why PRISM?
| Feature | Snyk | Trivy | SonarQube | PRISM |
|---|---|---|---|---|
| Secrets detection | ✓ | ✓ | — | ✓ |
| SCA (dependency audit) | ✓ | ✓ | ✓ | ✓ |
| AST / SAST rules | — | — | ✓ | ✓ |
| Taint-flow tracking | — | — | ✓ | ✓ |
| AI fix suggestions (BYOK) | — | — | — | ✓ |
Single .docx + HTML report |
— | — | — | ✓ |
| Source code stays on runner | — | — | — | ✓ |
| Free, self-hosted | — | ✓ | — | ✓ |
Engines
| Engine | What it finds |
|---|---|
| Secrets Scanner | Hardcoded API keys, tokens, passwords — 20+ patterns with Shannon entropy validation |
| SCA Scanner | Known CVEs in Python (pip-audit), JavaScript (npm audit), Ruby (bundler-audit), Go (govulncheck) |
| AST Scanner | OWASP Top 10 patterns for Python, JavaScript, and Java via tree-sitter — 44 rules |
| Taint Tracker | Source-to-sink taint flows: Flask/Express/Spring inputs reaching SQL, OS commands, eval, or XSS sinks |
How it works — PR Gate
This is the primary use-case: PRISM blocks a merge to main if security findings are found.
Developer opens PR
│
▼
GitHub spins up a fresh Ubuntu VM (runner)
│
▼
actions/checkout — clones the PR branch onto the VM
│
▼
PRISM is pulled from PyPI and installed (pip install prism-scanner)
│
▼
PRISM scans the code on the VM — nothing leaves the VM
│
├─ Findings found above threshold?
│ │
│ ▼
│ Posts summary comment on the PR ◄── developers see it instantly
│ Uploads HTML/DOCX report as artifact
│ Fails the job → merge is BLOCKED
│
└─ Clean scan?
│
▼
Posts ✅ comment on PR
Merge is ALLOWED
The VM is destroyed after the run. Your source code never leaves it.
Quick Start — GitHub Actions
Add this file to your repository at .github/workflows/prism.yml:
name: PRISM Security Scan
on:
pull_request: # runs on every PR — blocks merge if findings found
push:
branches: [main] # also runs after merge as a safety net
jobs:
prism:
runs-on: ubuntu-latest
permissions:
contents: read
pull-requests: write # needed so PRISM can post a comment on the PR
steps:
- uses: actions/checkout@v4
- uses: prism-security/prism-action@v1
with:
fail-on-severity: HIGH # CRITICAL | HIGH | MEDIUM | LOW
report-format: both # docx | html | both
github-token: ${{ secrets.GITHUB_TOKEN }} # enables PR comments
secrets.GITHUB_TOKEN is automatically provided by GitHub — you do not need to create it. PRISM uses it only to post a comment on the PR.
PRISM will:
- Scan the PR branch on the runner VM
- Post a findings summary table as a comment on the PR
- Upload the full HTML + DOCX report as a downloadable artifact
- Block the merge if findings at or above
fail-on-severityare found
Quick Start — CLI (local / any CI)
pip install prism-scanner
# Scan any project directory
prism scan --target ./my-project --report-format both --fail-on-severity HIGH
The report is saved to prism-output/<project>_prism_security_report_<timestamp>.html (and .docx).
AI-Powered Tier (Premium — BYOK)
PRISM optionally integrates with your own Azure OpenAI deployment to:
- Filter false positives automatically
- Provide AI-generated fix descriptions
- Generate a complete corrected code block ready to paste
- Re-score risk based on context
Your source code is never sent to AI — only the finding metadata (file, line, rule, 500-char snippet) is sent, and only to the endpoint you own.
GitHub Actions
- uses: prism-security/prism-action@v1
with:
fail-on-severity: HIGH
report-format: both
azure-openai-key: ${{ secrets.PRISM_AZURE_OPENAI_KEY }}
azure-openai-endpoint: ${{ secrets.PRISM_AZURE_OPENAI_ENDPOINT }}
azure-openai-deployment: gpt-4o # your deployment name
Store your Azure credentials in Settings → Secrets and variables → Actions in your repository. They are passed only as environment variables to the runner — never logged or transmitted elsewhere.
CLI (local)
# Windows PowerShell
$env:PRISM_AZURE_OPENAI_KEY = "your-key"
$env:PRISM_AZURE_OPENAI_ENDPOINT = "https://your-resource.openai.azure.com/"
$env:PRISM_AZURE_OPENAI_DEPLOYMENT = "gpt-4o"
prism scan --target ./my-project --report-format both
# Linux / macOS
export PRISM_AZURE_OPENAI_KEY="your-key"
export PRISM_AZURE_OPENAI_ENDPOINT="https://your-resource.openai.azure.com/"
export PRISM_AZURE_OPENAI_DEPLOYMENT="gpt-4o"
prism scan --target ./my-project --report-format both
All Inputs
| Input | Default | Description |
|---|---|---|
target |
. |
Path to the directory to scan (relative to repo root) |
fail-on-severity |
HIGH |
Fail if findings at or above this level: LOW MEDIUM HIGH CRITICAL |
report-format |
both |
Report output format: docx html both |
github-token |
(empty) | Pass secrets.GITHUB_TOKEN to enable PR comment summaries |
azure-openai-key |
(empty) | Azure OpenAI key — enables Premium AI features |
azure-openai-endpoint |
(empty) | Azure OpenAI endpoint URL |
azure-openai-deployment |
gpt-4o |
Azure OpenAI deployment name |
custom-rules |
(empty) | Path to a custom YAML rules file |
enable-container-scan |
false |
Enable Trivy container/IaC scanning (requires Trivy on runner) |
dry-run-ai |
false |
Print AI prompt to console without sending — for auditing |
Outputs
| Output | Description |
|---|---|
findings-count |
Total number of findings |
critical-count |
Number of CRITICAL findings |
high-count |
Number of HIGH findings |
report-path |
Path to the generated report file(s) |
CI/CD Integration Examples
GitLab CI
prism-scan:
image: python:3.12-slim
stage: test
script:
- pip install prism-scanner
- prism scan --target . --report-format html --fail-on-severity HIGH
artifacts:
when: always
paths:
- prism-output/
Azure DevOps
- task: UsePythonVersion@0
inputs:
versionSpec: "3.12"
- script: pip install prism-scanner
displayName: Install PRISM
- script: prism scan --target . --report-format both --fail-on-severity HIGH
displayName: Run PRISM Security Scan
env:
PRISM_AZURE_OPENAI_KEY: $(PRISM_AZURE_OPENAI_KEY)
PRISM_AZURE_OPENAI_ENDPOINT: $(PRISM_AZURE_OPENAI_ENDPOINT)
- task: PublishBuildArtifacts@1
condition: always()
inputs:
PathtoPublish: prism-output
ArtifactName: prism-security-report
Jenkins
stage('PRISM Security Scan') {
steps {
sh 'pip install prism-scanner'
sh 'prism scan --target . --report-format html --fail-on-severity HIGH'
}
post {
always {
archiveArtifacts artifacts: 'prism-output/**', allowEmptyArchive: true
}
}
}
Bitbucket Pipelines
- step:
name: PRISM Security Scan
image: python:3.12-slim
script:
- pip install prism-scanner
- prism scan --target . --report-format html --fail-on-severity HIGH
artifacts:
- prism-output/**
Custom Rules
Write your own detection rules in YAML and pass them via --custom-rules:
# my-rules.yml
rules:
- id: no-eval
severity: HIGH
message: "Avoid eval() — execute arbitrary code vulnerability"
pattern: "eval\\s*\\("
cwe: CWE-95
owasp: A03:2021
languages: [python, javascript]
prism scan --target ./my-project --custom-rules ./my-rules.yml
Privacy & Security
- Source code never leaves your runner. All engines execute locally.
- AI tier (optional): Only finding metadata is sent — file path, line number, rule ID, and a 500-character code snippet. No full files, no tokens, no credentials.
- BYOK: You use your own Azure OpenAI subscription. PRISM has no backend.
- Audit mode: Run with
--dry-run-ai trueto print exactly what would be sent to AI before enabling it.
Supported Languages
| Language | Secrets | SCA | AST / OWASP | Taint |
|---|---|---|---|---|
| Python | ✓ | ✓ | ✓ | ✓ |
| JavaScript / TypeScript | ✓ | ✓ | ✓ | ✓ |
| Java | ✓ | — | ✓ | ✓ |
| Ruby | ✓ | ✓ | — | — |
| Go | ✓ | ✓ | — | — |
License
MIT — free to use, modify, and distribute. See LICENSE.
Generated by PRISM Security Scanner — all scan data processed locally on your runner.
Project details
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file prism_sast_scanner-0.1.3.tar.gz.
File metadata
- Download URL: prism_sast_scanner-0.1.3.tar.gz
- Upload date:
- Size: 30.3 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.12.13
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
027bb704b1132b78dc68d7c1d0661a544e2ade1d5eb49723c4f37832f09ab493
|
|
| MD5 |
bf2fd6e470f5f1748ee500669de2395a
|
|
| BLAKE2b-256 |
9c99e5f91bc19dcb5c4bb80715a0066e1aaa8d060b5ffbe5cfcb08988ac50955
|
File details
Details for the file prism_sast_scanner-0.1.3-py3-none-any.whl.
File metadata
- Download URL: prism_sast_scanner-0.1.3-py3-none-any.whl
- Upload date:
- Size: 34.0 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.12.13
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
b8c156998eb11f3e7fcbb3016891246699803f960ba246c4dc5bbcbba1e82fee
|
|
| MD5 |
f7f3bbd5eeac261bca2f327fcbe76d7f
|
|
| BLAKE2b-256 |
93d402261aba2d4314923100f85341a65e38abbfbe781125352aac1b3a5185ba
|