AI-assisted pre-commit security scanner for Git repositories
RepoShield
RepoShield catches secrets, vulnerable dependencies, and hygiene issues before they reach your repository, with optional AI-powered false-positive reduction via Claude.
The Problem
Developers accidentally commit API keys, passwords, private certificates, and cloud credentials every day. One leaked secret can mean a compromised AWS account, a data breach, or worse. RepoShield sits at the last line of defense, the pre-commit hook, and stops secrets before they ever touch your Git history.
Features
- Secret Detection: AWS keys, GitHub tokens, OpenAI keys, database URLs, private keys, JWT secrets, Stripe keys, and 15+ other patterns
- AI Context Analysis: Claude distinguishes real secrets from test fixtures and placeholders, eliminating false positives
- Dependency Scanning: CVE detection via `pip-audit` and `npm audit`
- Git Hygiene: detects tracked `.env` files, missing `.gitignore` entries, credentials in remote URLs
- Security Health Score: category scores across Secrets, Dependencies, Git Hygiene, and Configuration
- Fast: non-AI path completes in under 2 seconds for typical repos
- Cross-platform: works on Windows, macOS, and Linux
Installation
```bash
pip install reposhield
```
Or with pipx for an isolated global install:
```bash
pipx install reposhield
```
Quick Start
```bash
# Install the pre-commit hook in your repo
cd your-project
reposhield init

# That's it: every git commit is now scanned automatically
git commit -m "update config"   # RepoShield runs before the commit is created
```
Usage
```bash
reposhield scan           # scan all tracked files
reposhield scan --staged  # scan only staged files
reposhield scan --ai      # enable AI false-positive filtering
reposhield scan --json    # machine-readable output for CI
reposhield init           # install pre-commit hook
reposhield init --ai      # install AI-enabled hook
reposhield uninstall      # remove the hook
reposhield version        # show version
```
Example Output
```
╭──────────────────────────────────────────────────╮
│ RepoShield Security Scan · BLOCKED               │
│ Scanned 2 files · 9 issues found · 0.06s         │
╰──────────────────────────────────────────────────╯

Security Health Scores
╭─────────────────────┬───────┬─────────────╮
│ Secrets Management  │   0   │ Critical    │
│ Dependency Safety   │  100  │ Excellent   │
│ Git Hygiene         │  70   │ Good        │
│ Overall             │  68   │ Needs Work  │
╰─────────────────────┴───────┴─────────────╯

CRITICAL  Potential AWS Access Key ID  → config.py:1
CRITICAL  Potential Database URL       → config.py:3
HIGH      Sensitive file tracked by Git: .env

Commit blocked. Resolve critical/high findings above.
To skip (not recommended): git commit --no-verify
```
AI Mode
Set your Anthropic API key to enable AI-powered context analysis:
```bash
export ANTHROPIC_API_KEY=sk-ant-...
reposhield scan --ai
```
The AI analyzes each finding in context and determines whether it's a real secret or a harmless placeholder, for example distinguishing `api_key = "your_key_here"` (fake) from `api_key = "sk-proj-xK9m..."` (real). Note that this means the context around each finding is sent to the Anthropic API, so the non-AI path is the one to use for code that must not leave your machine. Verdicts are cached locally at `~/.reposhield/ai_cache/` to avoid redundant API calls.
Configuration
Create `.reposhield.toml` in your repository root to customize behaviour:
```toml
[general]
block_on_critical = true
block_on_high = true
exclude_patterns = ["docs/**", "*.md"]

[ai]
enabled = false  # override with --ai flag or ANTHROPIC_API_KEY

[ignore]
files = ["tests/fixtures/sample_secrets.py"]
rules = ["HIGH_ENTROPY"]
```
How It Works
```
git commit
    ↓
pre-commit hook
    ↓
┌──────────────────────────────────────┐
│  Pattern scanner (regex + entropy)   │
│  Dependency auditor (pip/npm)        │
│  Git hygiene checker                 │
│  AI context analyzer (optional)      │
└──────────────────────────────────────┘
    ↓
Risk scorer → Terminal report
    ↓
Block or pass
```
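To make the pattern-scanner stage concrete, here is an added example (written for this page, not RepoShield's own code) of a minimal regex-plus-entropy scanner with a placeholder filter and the 0/1 exit-code mapping. The rule set, the entropy threshold, the placeholder hints and every credential-looking value in the sample are constructed for illustration.

```python
import math
import re

# Illustrative rules modelled on the scanner stages above; these regexes are
# constructed for this example and are not RepoShield's own pattern set.
PATTERNS = {
    "AWS Access Key ID": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "Database URL": re.compile(r"\b(?:postgres|mysql)://[^\s:]+:[^\s@]+@\S+"),
}
# Quoted literals of 20+ token-like characters are candidates for the entropy check.
CANDIDATE = re.compile(r"""["']([A-Za-z0-9+/=_\-]{20,})["']""")
PLACEHOLDER_HINTS = ("your_key_here", "changeme", "example", "xxxx")  # assumed list
ENTROPY_THRESHOLD = 4.0  # bits/char; random-looking tokens exceed this (assumed)

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty or uniform string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in map(s.count, set(s)))

def scan_line(path: str, lineno: int, line: str) -> list:
    """Return (severity, rule, path, lineno) findings for one source line."""
    findings = [("CRITICAL", name, path, lineno)
                for name, rx in PATTERNS.items() if rx.search(line)]
    if findings:  # a known pattern already explains this line
        return findings
    for m in CANDIDATE.finditer(line):
        token = m.group(1)
        # Cheap placeholder filter; the AI analyzer stage would refine this step
        if any(h in token.lower() for h in PLACEHOLDER_HINTS):
            continue
        if shannon_entropy(token) > ENTROPY_THRESHOLD:
            findings.append(("HIGH", "High-entropy string", path, lineno))
    return findings

def scan_files(files: dict) -> tuple:
    """Scan {path: content}; return (findings, exit_code) per the Exit Codes table."""
    findings = []
    for path, content in files.items():
        for i, line in enumerate(content.splitlines(), start=1):
            findings.extend(scan_line(path, i, line))
    blocked = any(sev in ("CRITICAL", "HIGH") for sev, *_ in findings)
    return findings, (1 if blocked else 0)

if __name__ == "__main__":
    # Constructed sample file; every credential-looking value here is fake.
    sample = {"config.py": 'AWS_ACCESS_KEY_ID = "AKIAQ4ZX7B2NM9PLT6WV"\n'
                           'api_key = "your_key_here"\n'
                           'DATABASE_URL = "postgres://admin:s3cr3t@db.internal:5432/app"\n'}
    for sev, rule, path, ln in scan_files(sample)[0]:
        print(f"{sev:8} Potential {rule} -> {path}:{ln}")
```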
Exit Codes
| Code | Meaning |
|---|---|
| 0 | Clean: no blocking issues found |
| 1 | Blocked: critical/high findings require attention |
Contributing
Contributions are welcome. Please open an issue first to discuss major changes.
```bash
git clone https://github.com/Rishiprasad17/reposhield.git
cd reposhield
pip install -e ".[dev]"
pytest -v
```
License
MIT. See LICENSE for details.
File details
Details for the file reposhield-0.1.0.tar.gz.
File metadata
- Download URL: reposhield-0.1.0.tar.gz
- Upload date:
- Size: 28.8 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.12.7
File details
Details for the file reposhield-0.1.0-py3-none-any.whl.
File metadata
- Download URL: reposhield-0.1.0-py3-none-any.whl
- Upload date:
- Size: 30.0 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.12.7