Skip to main content

AI-powered security scanner for repositories and APIs.

Project description

ZenVeil

AI-powered security scanner for repositories and APIs.

ZenVeil scans your GitHub repositories and API endpoints for secrets, supply chain risks, CI/CD misconfigurations, and vulnerable dependencies — then uses AI to explain every finding and generate a fix, all from the terminal.


What is ZenVeil?

ZenVeil is a developer-first security tool that catches the vulnerabilities that slip through code review:

  • Leaked secrets — AWS keys, GitHub tokens, Slack tokens, JWT secrets, hardcoded passwords, .env files committed by accident
  • Supply chain risks — unpinned dependencies, missing lockfiles, dependency confusion attacks, known CVEs via OSV.dev
  • CI/CD misconfigurations — unpinned GitHub Actions, pull_request_target privilege escalation, script injection, overly broad token scopes
  • API security gaps — missing security headers, exposed admin/debug endpoints, insecure CORS, sensitive data leakage

Every finding is tagged with its OWASP Top 10 2021 category and includes a severity rating (CRITICAL / HIGH / MEDIUM / LOW). When you want to dig deeper, AI-powered explain, fix, and triage commands stream a Claude-generated analysis right to your terminal.


Features

Capability Details
Secrets scanning AWS, GitHub, Slack, JWT, private keys, .env commits, frontend-exposed vars
Supply chain Lockfile checks, unpinned npm/pip deps, dep confusion, OSV CVE lookup
CI/CD GitHub Actions, GitLab CI, CircleCI, Azure Pipelines, Jenkinsfile
API scanning Security headers, exposed endpoints, CORS, data leakage
AI explain Stream a Claude explanation: what it is, how it's exploited, business impact
AI fix Stream a Claude-generated patch or config change
AI triage Prioritized remediation plan across all findings at once
PR automation --auto-pr opens a GitHub PR with the fix automatically
Reports Export to JSON or styled HTML
OWASP tagging Every finding mapped to OWASP Top 10 2021

Installation

pip install zenveil

Requires Python 3.8+.


Quick start

# 1. Save your API key (get one at https://zenveil.dev)
zenveil login <your-api-key>

# 2. Scan a GitHub repository
zenveil scan github owner/repo

# 3. List the findings
zenveil list

# 4. Explain a finding with AI
zenveil explain ZV-ABC123

# 5. Generate a fix
zenveil fix ZV-ABC123

Example scan

$ zenveil scan github acme/backend

Scanning acme/backend…

  CRITICAL  ZV-001  AWS access key exposed in source code
            secrets · src/config.py : line 12

  HIGH      ZV-002  .env file committed to repository
            secrets · .env

  HIGH      ZV-003  Unpinned GitHub Action (actions/checkout@v3)
            cicd · .github/workflows/deploy.yml : line 8

  MEDIUM    ZV-004  Missing Content-Security-Policy header
            headers · https://api.acme.com

4 findings  (2 critical/high · 1 high · 1 medium)
$ zenveil explain ZV-001

Finding ZV-001: AWS access key exposed in source code

The string 'AKIA...' matches the AWS access key format and is hardcoded
in src/config.py. Any developer with read access to this repository —
or anyone who ever cloned it — has permanent access to this key until
it is rotated in the AWS console.

Attack scenario: An attacker discovers the key via GitHub search or a
leaked repo archive, authenticates to AWS, and exfiltrates data from S3
or spins up resources for cryptomining. AWS bills accrue to your account.

Remediation: Rotate the key immediately in the AWS IAM console, then
store it as a GitHub Actions secret or in a secrets manager. Never
hardcode credentials in source code.

All commands

ACCOUNT
  zenveil login <api-key>                   Save your API key

SCANNING
  zenveil scan github <owner/repo>          Scan a GitHub repository
  zenveil scan github <owner/repo> --token  Use a GitHub token for private repos
  zenveil scan github <owner/repo> --ref    Scan a specific branch or commit
  zenveil scan github <owner/repo> --check-cves  Include CVE lookup via OSV.dev
  zenveil scan api <url>                    Scan an API endpoint

FINDINGS
  zenveil list                              List findings from the last scan
  zenveil list --severity high,critical     Filter by severity
  zenveil list --scanner secrets            Filter by scanner
  zenveil stats                             Findings breakdown by severity and scanner

AI ANALYSIS
  zenveil explain <id>                      AI explanation of a finding (streams)
  zenveil fix <id>                          AI-generated fix (streams)
  zenveil fix <id> --auto-pr --repo <o/r>  Open a GitHub PR with the fix automatically
  zenveil triage                            Prioritized remediation plan for all findings

REPORTING
  zenveil report json <file>                Export last scan to JSON
  zenveil report html <file>                Export last scan to styled HTML

MANAGEMENT
  zenveil ignore <id>                       Suppress a finding
  zenveil ignore <id> --reason "text"       Suppress with a reason
  zenveil help                              Show all commands

Environment variables

Variable Purpose
ZENVEIL_API_KEY Your ZenVeil API key (alternative to zenveil login)
ZENVEIL_API_URL Override the API base URL
GITHUB_TOKEN GitHub token for private repo scans and PR automation

Exit codes

Code Meaning
0 Scan completed — no HIGH or CRITICAL findings
1 Scan completed — at least one HIGH or CRITICAL finding
2 Command or scan error

Roadmap

  • Dashboard — browser-based view of findings, trends, and team activity (coming soon)
  • Slack / webhook alerts — notify your team when a scan finds CRITICAL or HIGH issues
  • Local repo scanningzenveil scan repo <path> for air-gapped or pre-push workflows
  • GitLab & Bitbucket — native integrations beyond GitHub
  • SARIF output — upload results to GitHub Advanced Security or any SARIF-compatible tool
  • Policy as code — define fail conditions in a zenveil.yml config file
  • IDE extension — surface findings inline in VS Code as you code

License

MIT — see LICENSE for details.


Get your API key and view your dashboard at zenveil.dev

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

zenveil-1.0.2.tar.gz (12.7 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

zenveil-1.0.2-py3-none-any.whl (11.6 kB view details)

Uploaded Python 3

File details

Details for the file zenveil-1.0.2.tar.gz.

File metadata

  • Download URL: zenveil-1.0.2.tar.gz
  • Upload date:
  • Size: 12.7 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.1.0 CPython/3.8.10

File hashes

Hashes for zenveil-1.0.2.tar.gz
Algorithm Hash digest
SHA256 c4fb3757b0b9c7ab2be8d6de320821160ebb62427191d0ef5b2bc879be0968cd
MD5 cc377934afb726eb2f778d06485fc492
BLAKE2b-256 264d28b79812fbb810d48ee26ab7192cb197592bbb4f2702e7542cfdecb2906b

See more details on using hashes here.

File details

Details for the file zenveil-1.0.2-py3-none-any.whl.

File metadata

  • Download URL: zenveil-1.0.2-py3-none-any.whl
  • Upload date:
  • Size: 11.6 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.1.0 CPython/3.8.10

File hashes

Hashes for zenveil-1.0.2-py3-none-any.whl
Algorithm Hash digest
SHA256 86c94383498e2c6b90fc1264e8cb24baf266d7e827b6133bc3cff2609c518205
MD5 e788a0796ad19586a3557d6ca76395eb
BLAKE2b-256 02511543c94cfd48cb6ab8e7fdafb5e5aac588b6521d712af6b6f32a68962a61

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page