Developer-first AI safety checks: prompt-policy lint + secret scanning. Zero-dep CLI + GitHub Action + Claude Skill + Cursor Rule.

Navigation

Verified details

These details have been verified by PyPI
Project links
GitHub Statistics
Maintainers
Avatar for WRG from gravatar.com WRG

Unverified details

These details have not been verified by PyPI
Meta
  • License Expression: MIT
    SPDX License Expression
  • Author: Yakuphan Yucel
  • Tags security , secret-scanning , policy-lint , ai-safety , prompt-security , devsecops , pre-commit , github-action , claude-skill , cursor-rule
  • Requires: Python >=3.11
  • Provides-Extra: yaml , dev
Classifiers
Report project as malware

Project description

wrg-devguard

PyPI version CI License: MIT

Developer-first AI safety checks: prompt-policy lint + secret scanning.

Zero-dependency Python CLI that scans a repository for two classes of issues before your PR lands:

  1. Leaked secrets — API keys, private keys, tokens, common credential formats in tracked files.
  2. Prompt-policy violations — deny-listed patterns in prompts, system messages, and AI-facing text assets (configurable via JSON policy).

Ships as:

  • A Python package (pip install wrg-devguard)
  • A GitHub Action (drop-in composite action for any repo)
  • A Claude Code skill (.claude/skills/wrg-devguard/)
  • A Cursor rule (.cursor/rules/wrg-devguard.mdc)

No external dependencies in the core scanner (stdlib only). Optional [yaml] extra for YAML policy files. Optional bandit subcommand for Python security scanning.

Install

pip install wrg-devguard

For YAML policy support:

pip install "wrg-devguard[yaml]"

Quick start

# Run both checks and fail on any high-severity finding
wrg-devguard check --path . --fail-on error

# Scan only for leaked secrets
wrg-devguard scan-secrets --path .

# Lint AI-facing text assets against a policy
wrg-devguard lint-policy --path . --profile strict

# Emit a JSON report for CI
wrg-devguard check --path . --json-out wrg-devguard-report.json

GitHub Action

# .github/workflows/security.yml
name: security
on: [pull_request, push]

jobs:
  wrg-devguard:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: yakuphanycl/wrg-devguard@v1
        with:
          profile: strict
          fail-on: error

See action.yml for all inputs.

Claude Code skill

Drop the skill into your workspace:

mkdir -p .claude/skills/wrg-devguard
curl -L https://raw.githubusercontent.com/yakuphanycl/wrg-devguard/main/.claude/skills/wrg-devguard/SKILL.md \
  -o .claude/skills/wrg-devguard/SKILL.md

Claude Code will surface the skill automatically when you ask things like "scan for secrets", "is this safe to commit", or "check for leaks".

Cursor rule

Drop the rule into your workspace:

mkdir -p .cursor/rules
curl -L https://raw.githubusercontent.com/yakuphanycl/wrg-devguard/main/.cursor/rules/wrg-devguard.mdc \
  -o .cursor/rules/wrg-devguard.mdc

Cursor will apply the rule before suggesting any git commit command.

Policy file

Default lookup order:

  1. --policy <path> argument if provided
  2. .wrg/policy.json at the repo root
  3. Built-in defaults

Profiles:

  • baseline → PR-friendly baseline (recommended for CI, default)
  • strict → stricter local/release audits (use --profile strict)

Place custom policies in .wrg/policy.json (JSON) or .wrg/policy.yaml (requires [yaml] extra).

Commands

wrg-devguard profiles                           # list available profiles
wrg-devguard lint-policy --path .               # policy lint only
wrg-devguard scan-secrets --path .              # secret scan only
wrg-devguard check --path .                     # both, single JSON report
wrg-devguard check --path . --profile strict
wrg-devguard check --path . --json-out report.json
wrg-devguard check --path . --fail-on warning
wrg-devguard check --path . --allowlist .wrg/allowlist.json
wrg-devguard bandit --path src/                 # optional: bandit wrapper

Exit codes

  • 0 — no findings above threshold
  • 1 — findings at or above --fail-on threshold
  • 2 — configuration or input error

Why another secret scanner?

  • Zero runtime deps — the core scanner is stdlib only, so pip install is instant and works in any sandbox.
  • Policy lint in the same tool — most scanners only do secrets. We also catch prompt-policy violations (deny-listed patterns, hardcoded system prompts, PII in AI-facing text).
  • AI-native UX — ships with a Claude skill and a Cursor rule so the scanner runs automatically inside your AI coding assistant, not just in CI.
  • Stable JSON schemacheck --json-out emits a versioned schema that never breaks.

Development

git clone https://github.com/yakuphanycl/wrg-devguard.git
cd wrg-devguard
pip install -e ".[dev]"
pytest -q

License

MIT. See LICENSE.

Contributing

Issues and PRs welcome. For substantial changes, open an issue first to discuss scope.

Part of the WinstonRedGuard ecosystem. The monorepo at apps/wrg_devguard/ is the canonical source; this repo is a distribution mirror kept in sync on every release.

Project details

Verified details

These details have been verified by PyPI
Project links
GitHub Statistics
Maintainers
Avatar for WRG from gravatar.com WRG

Unverified details

These details have not been verified by PyPI
Meta
  • License Expression: MIT
    SPDX License Expression
  • Author: Yakuphan Yucel
  • Tags security , secret-scanning , policy-lint , ai-safety , prompt-security , devsecops , pre-commit , github-action , claude-skill , cursor-rule
  • Requires: Python >=3.11
  • Provides-Extra: yaml , dev
Classifiers

Release history Release notifications | RSS feed

0.2.3

0.2.2

0.2.1

0.2.0

This version

0.1.1

0.1.0

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

wrg_devguard-0.1.1.tar.gz (18.7 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

wrg_devguard-0.1.1-py3-none-any.whl (13.4 kB view details)

Uploaded Python 3

File details

Details for the file wrg_devguard-0.1.1.tar.gz.

File metadata

  • Download URL: wrg_devguard-0.1.1.tar.gz
  • Upload date:
  • Size: 18.7 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for wrg_devguard-0.1.1.tar.gz
Algorithm Hash digest
SHA256 2806ee025efd42aeaece4ab12687a981f8136c1174a649d47780d3dbadaf589b
MD5 abc546f272b66a853ae644b8437a603b
BLAKE2b-256 f34911e62cd1aac0313eb4223f004e609264867cdfb78092ed3d41a788ac057b

See more details on using hashes here.

Provenance

The following attestation bundles were made for wrg_devguard-0.1.1.tar.gz:

Publisher: publish.yml on yakuphanycl/wrg-devguard

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file wrg_devguard-0.1.1-py3-none-any.whl.

File metadata

  • Download URL: wrg_devguard-0.1.1-py3-none-any.whl
  • Upload date:
  • Size: 13.4 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for wrg_devguard-0.1.1-py3-none-any.whl
Algorithm Hash digest
SHA256 5709f49e4118a917227992858f962f8968332e2e7e78759cb235e33a3baaf5e0
MD5 9dedcd5bcee01398dd7823f843fbaf11
BLAKE2b-256 28878e50eb46c67b42c1ed3cada69976d2f3f1a73d16e827f773b8afdf12a810

See more details on using hashes here.

Provenance

The following attestation bundles were made for wrg_devguard-0.1.1-py3-none-any.whl:

Publisher: publish.yml on yakuphanycl/wrg-devguard

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page