Security scanner for any codebase. Fast, free, works in Claude Code or standalone Bash.
Your code has secrets. Some of them shouldn't be there.
Your `.env` is on GitHub right now. Shield Scan finds it before someone else does.
You pushed to main. There's an AWS key on line 42 of config.js. Shield Scan catches hardcoded secrets, injection flaws, vulnerable dependencies, and bad configs in one command. Every finding comes with a fix you can copy-paste.
- Security reviews are slow, expensive, and usually skipped
- Developers push secrets to repos by accident, every day
- `npm audit` output is overwhelming, so dependency vulns pile up
- OWASP Top 10 is well-known but rarely checked systematically
- You know your code has issues but don't know where to start
> scan this project for security issues

That's it. ShieldScan does the rest:
- Recon -- figures out your stack, entry points, and attack surface
- Secret detection -- finds hardcoded API keys, passwords, tokens, private keys (30+ patterns)
- Dependency audit -- checks package manifests for known CVEs and risky packages
- SAST -- static analysis for SQLi, XSS, SSRF, command injection, path traversal, etc.
- Config audit -- debug mode, CORS misconfig, missing security headers, exposed error details
- Report -- severity, file:line, description, impact, and remediation code
```mermaid
flowchart LR
    CMD["scan this project"] --> R["Recon"]
    R --> S["Secrets"]
    S --> D["Deps"]
    D --> SAST["SAST"]
    SAST --> C["Config"]
    C --> RPT["Report"]
```
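The secret-detection stage is, in the standalone scanner, pattern matching over the tree with `find` and `grep`. The block below is an added illustration of that approach and is not code from ShieldScan; the function names, the five rules, the `SS_ALLOWLIST` value and the sample files it constructs are this example's own. It reports `file:line` plus a label, returns the same 0/1/2 exit codes the standalone scanner documents, and shows two details a practitioner wants from such a tool: the matched text is never echoed (so a CI log does not become a second copy of the secret), and a documented placeholder value is allowlisted so a doc snippet is not a false positive.

```shell
#!/usr/bin/env sh
# Added example, not ShieldScan's own code: a minimal secret detector built the
# way the standalone scanner describes itself (find + grep, no dependencies).
# Function names, the rule set, the allowlist and the sample tree are this
# example's choices.

# Documented AWS sample key ID (from AWS's own docs), never a live credential.
# Hits containing it are dropped so a doc snippet is not a false positive.
SS_ALLOWLIST='AKIAIOSFODNN7EXAMPLE'

# Rules as "label|grep flags|extended regex". Only the generic rule is
# case-insensitive (it keys on variable names); vendor prefixes are not.
SS_GENERIC="(api[_-]?key|secret([_-]?key)?|password|passwd|token)[[:space:]]*[:=][[:space:]]*[\"'][^\"']{12,}[\"']"
SS_RULE_AWS='AWS access key ID|-E|AKIA[0-9A-Z]{16}'
SS_RULE_GH='GitHub token|-E|gh[pousr]_[A-Za-z0-9]{36}'
SS_RULE_PEM='Private key block|-E|-----BEGIN (RSA |EC |OPENSSH |PGP )?PRIVATE KEY-----'
SS_RULE_DB='Database URL with embedded password|-E|(postgres(ql)?|mysql|mongodb)://[^:/[:space:]]+:[^@[:space:]]+@'
SS_RULE_GEN="Generic credential assignment|-iE|$SS_GENERIC"

# scan_secrets DIR: prints "file:line: label" per hit. The matched text is
# deliberately not echoed, so the report does not copy the secret into CI logs.
# Returns 0 = clean, 1 = findings, 2 = error, the codes scan.sh documents.
scan_secrets() {
    ss_dir=$1
    if [ ! -d "$ss_dir" ]; then
        printf 'error: %s is not a directory\n' "$ss_dir" >&2
        return 2
    fi
    ss_hits=0
    for ss_rule in "$SS_RULE_AWS" "$SS_RULE_GH" "$SS_RULE_PEM" "$SS_RULE_DB" "$SS_RULE_GEN"; do
        ss_label=${ss_rule%%|*}
        ss_rest=${ss_rule#*|}
        ss_flag=${ss_rest%%|*}
        ss_regex=${ss_rest#*|}
        # Skip VCS metadata and vendored packages; -I skips binaries; -e keeps
        # a regex that starts with "-" (the PEM header) from being read as an option.
        ss_matches=$(find "$ss_dir" -type f ! -path '*/.git/*' ! -path '*/node_modules/*' \
                         -exec grep -nHI $ss_flag -e "$ss_regex" {} + 2>/dev/null \
                     | grep -vF "$SS_ALLOWLIST" || true)
        [ -n "$ss_matches" ] || continue
        printf '%s\n' "$ss_matches" | cut -d: -f1,2 | sed "s/\$/: $ss_label/"
        ss_hits=$((ss_hits + $(printf '%s\n' "$ss_matches" | wc -l)))
    done
    if [ "$ss_hits" -eq 0 ]; then return 0; fi
    return 1
}

# make_sample_repo: builds a throwaway tree of constructed sample files (none
# of the values are real credentials) and prints its path.
make_sample_repo() {
    ss_repo=$(mktemp -d)
    mkdir -p "$ss_repo/node_modules/left-pad" "$ss_repo/.git"
    cat > "$ss_repo/config.js" <<'EOF'
const region = "us-east-1";
const accessKeyId = "AKIAIOSFODNN7EXAMPLE"; // docs placeholder, allowlisted
const token = "ghp_0123456789abcdefghijklmnopqrstuvwxyz";
EOF
    cat > "$ss_repo/.env" <<'EOF'
AWS_ACCESS_KEY_ID=AKIAZZZZZZZZZZZZZZZZ
DATABASE_URL=postgres://app:hunter2@db.internal:5432/app
EOF
    cat > "$ss_repo/settings.py" <<'EOF'
DEBUG = True
SECRET_KEY = 'django-insecure-0123456789abcdefghij'
EOF
    cat > "$ss_repo/deploy_key" <<'EOF'
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAAconstructedsample
-----END OPENSSH PRIVATE KEY-----
EOF
    # Would match, but lives under node_modules and is skipped.
    printf 'const k = "AKIAAAAAAAAAAAAAAAAA";\n' > "$ss_repo/node_modules/left-pad/index.js"
    printf '# demo project\n' > "$ss_repo/README.md"
    printf '%s\n' "$ss_repo"
}

# Stand-alone run: six findings on the sample tree, exit status 1.
ss_demo=$(make_sample_repo)
scan_secrets "$ss_demo"
printf 'scan exit status: %s\n' "$?"
rm -rf "$ss_demo"
```

The rules are deliberately narrow so each hit is high-precision; the vendor formats the table below lists (Stripe, Slack, SendGrid, Twilio) are added the same way, one `label|flags|regex` entry each. Note that `config.js:3` is reported twice, once by the GitHub rule and once by the generic rule, which is the expected overlap when a specific and a generic pattern both cover a line.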
One-line install (Claude Code skill + standalone scanner):

```bash
curl -fsSL https://raw.githubusercontent.com/Layton2617/shield-scan/main/install.sh | bash
```

The installer is fetched from the `main` branch and executed directly; if you want to read it first, save it to a file and run it from there.

Or manually:

```bash
# Copy the skill to your Claude Code skills directory
mkdir -p ~/.claude/skills && cp SKILL.md ~/.claude/skills/shield-scan.md
```

Or clone the repo:

```bash
git clone https://github.com/Layton2617/shield-scan.git
cp shield-scan/SKILL.md ~/.claude/skills/shield-scan.md
```

Navigate to any project and tell Claude:

```
scan this project for security issues
```

ShieldScan activates automatically and produces a security report.
| Command | What you get |
|---|---|
| `scan this project for security issues` | Full security audit |
| `/shield-scan` | Full security audit |
| `/shield-scan --focus secrets` | Secret detection only |
| `/shield-scan --focus deps` | Dependency audit only |
| `/shield-scan --focus sast` | Static analysis only |
| `/shield-scan --focus config` | Configuration audit only |
| `check routes/api.js for vulnerabilities` | Single file scan |
| `安全扫描` ("security scan") | Full audit (Chinese output) |
Standalone Scanner & CI Integration
Works without Claude Code. Just Bash and standard Unix tools (grep, find, awk). No external dependencies.
```bash
# Scan current directory
./scan.sh .

# Scan specific directory, secrets only
./scan.sh /path/to/project --secrets-only

# Dependency check only
./scan.sh . --deps-only

# Configuration check only
./scan.sh . --config-only

# CI mode (exit code only, no output)
./scan.sh . --quiet

# JSON output (for integration with other tools)
./scan.sh . --json
```

What it scans:
| Category | Checks |
|---|---|
| Secrets | AWS keys, GitHub tokens, OpenAI/Anthropic keys, Stripe keys, private keys, passwords, DB URLs, Slack/SendGrid/Twilio tokens, generic API keys |
| Dependencies | npm audit, Python CVE checks (15+ packages), Go version check, Rust cargo-audit, unpinned versions |
| Configuration | .env in .gitignore, DEBUG mode, CORS wildcard, Dockerfile USER, CI/CD secrets |
| SAST (lite) | SQL injection, eval(), command injection, innerHTML XSS, pickle deserialization, unsafe YAML, weak hashing |
Exit codes: 0 = clean, 1 = issues found, 2 = error
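As an added example, not `scan.sh` itself, of what the Configuration row amounts to in plain shell: the block below checks the four settings in that row that can be decided from files alone (`.env` covered by `.gitignore`, a `Dockerfile` whose final stage has no non-root `USER`, a CORS wildcard origin, and debug mode; the CI/CD-secrets check is left out) and prints a fix line with every finding, which is the "every finding comes with a fix" idea in miniature. Function names, severities, regexes and the weak/hardened sample trees it builds are this example's own choices; the exit codes follow the 0/1/2 convention above.

```shell
#!/usr/bin/env sh
# Added example, not scan.sh itself: a configuration audit in the style of the
# scanner's Configuration checks, with a copy-pastable fix on each finding.
# Function names, severities, regexes and the sample trees are this example's own.

# CORS wildcard in Express-style header calls, cors() options, or Django settings.
CA_CORS_RE="Access-Control-Allow-Origin[\"']?[[:space:]]*[:,][[:space:]]*[\"']\*[\"']|origin[[:space:]]*:[[:space:]]*[\"']\*[\"']|CORS_ALLOW_ALL_ORIGINS[[:space:]]*=[[:space:]]*True"
# Django DEBUG = True or Flask app.run(debug=True).
CA_DEBUG_RE="(^|[^A-Za-z0-9_])DEBUG[[:space:]]*=[[:space:]]*True|debug[[:space:]]*=[[:space:]]*True"

# ca_finding SEVERITY LOCATION TITLE FIX: one finding, three report lines.
ca_finding() {
    ca_count=$((ca_count + 1))
    printf '[%s] %s\n    %s\n    fix: %s\n' "$1" "$2" "$3" "$4"
}

# ca_grep_sources DIR REGEX: "file:line" for each source line matching REGEX,
# skipping VCS metadata, vendored packages and binary files.
ca_grep_sources() {
    find "$1" -type f ! -path '*/.git/*' ! -path '*/node_modules/*' \
        \( -name '*.py' -o -name '*.js' -o -name '*.ts' \) \
        -exec grep -nHIE -e "$2" {} + 2>/dev/null | cut -d: -f1,2
}

# audit_config DIR: runs the checks, prints findings, sets ca_count.
# Returns 0 = clean, 1 = findings, 2 = error, matching scan.sh's exit codes.
audit_config() {
    ca_dir=$1
    ca_count=0
    if [ ! -d "$ca_dir" ]; then
        printf 'error: %s is not a directory\n' "$ca_dir" >&2
        return 2
    fi
    # 1. A .env file that .gitignore does not cover. The common spellings
    #    .env, /.env, .env* and *.env count as covered; anything else does not.
    if [ -f "$ca_dir/.env" ]; then
        if ! [ -f "$ca_dir/.gitignore" ] || ! grep -qE '^/?(\*)?\.env(\*)?$' "$ca_dir/.gitignore"; then
            ca_finding HIGH "$ca_dir/.env" ".env present but not listed in .gitignore" \
                "echo .env >> .gitignore   (and git rm --cached .env if it was already committed)"
        fi
    fi
    # 2. Final image stage running as root. FROM resets USER, so only the last
    #    stage's USER counts; no USER at all means root.
    if [ -f "$ca_dir/Dockerfile" ]; then
        ca_user=$(awk 'toupper($1)=="FROM"{u=""} toupper($1)=="USER"{u=$2} END{print u}' "$ca_dir/Dockerfile")
        case "$ca_user" in
            ""|root|0|root:*|0:*)
                ca_finding HIGH "$ca_dir/Dockerfile" "Container runs as root (no non-root USER in final stage)" \
                    "RUN adduser -D app && chown -R app /app, then USER app before CMD" ;;
        esac
    fi
    # 3. CORS wildcard and 4. debug mode, reported per matching source line
    #    (paths are assumed to contain no whitespace).
    for ca_loc in $(ca_grep_sources "$ca_dir" "$CA_CORS_RE"); do
        ca_finding MEDIUM "$ca_loc" "CORS allows any origin (*)" \
            "cors({ origin: ['https://app.example.com'] }) or an explicit CORS_ALLOWED_ORIGINS list"
    done
    for ca_loc in $(ca_grep_sources "$ca_dir" "$CA_DEBUG_RE"); do
        ca_finding MEDIUM "$ca_loc" "Debug mode on: stack traces and internals reach clients" \
            "DEBUG = os.environ.get('DEBUG') == '1'   (off unless explicitly enabled)"
    done
    if [ "$ca_count" -eq 0 ]; then return 0; fi
    return 1
}

# make_config_sample weak|hardened: builds a throwaway project tree of
# constructed files in the weak or the fixed configuration and prints its path.
make_config_sample() {
    ca_repo=$(mktemp -d)
    mkdir -p "$ca_repo/.git"
    printf 'API_KEY=constructed-sample-value\n' > "$ca_repo/.env"
    if [ "$1" = weak ]; then
        printf 'node_modules/\n' > "$ca_repo/.gitignore"
        printf 'FROM node:20-alpine\nWORKDIR /app\nCOPY . .\nCMD ["node", "server.js"]\n' > "$ca_repo/Dockerfile"
        printf "res.header('Access-Control-Allow-Origin', '*');\n" > "$ca_repo/server.js"
        printf 'DEBUG = True\n' > "$ca_repo/settings.py"
    else
        printf 'node_modules/\n.env\n' > "$ca_repo/.gitignore"
        printf 'FROM node:20-alpine\nWORKDIR /app\nCOPY . .\nRUN adduser -D app && chown -R app /app\nUSER app\nCMD ["node", "server.js"]\n' > "$ca_repo/Dockerfile"
        printf "res.header('Access-Control-Allow-Origin', 'https://app.example.com');\n" > "$ca_repo/server.js"
        printf 'DEBUG = False\n' > "$ca_repo/settings.py"
    fi
    printf '%s\n' "$ca_repo"
}

# Stand-alone run: four findings on the weak tree (exit 1); the hardened tree gives none (exit 0).
ca_demo=$(make_config_sample weak)
audit_config "$ca_demo"
printf 'weak tree exit status: %s, findings: %s\n' "$?" "$ca_count"
rm -rf "$ca_demo"
```

The hardened tree is exactly what applying the four fix lines produces, and auditing it returns 0. In CI, treat exit 2 as a failure as well as exit 1: a scanner that crashed has not verified anything, and a gate that only fails on 1 would let that pass as clean.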
```yaml
# .github/workflows/security.yml
name: Security Scan
on: [push, pull_request]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run ShieldScan
        run: |
          curl -fsSL https://raw.githubusercontent.com/Layton2617/shield-scan/main/scan.sh -o /tmp/shield-scan.sh
          chmod +x /tmp/shield-scan.sh
          /tmp/shield-scan.sh . --quiet
```

The step fails on any non-zero exit, so both findings (1) and scanner errors (2) block the pipeline instead of passing silently. The scanner is downloaded from `main` on every run; pin the URL to a specific commit if you want the CI gate to change only when you choose to update it.

See examples/github-action.yml for a full example with JSON artifact upload.
Full Detection List
Secrets

- AWS Access Keys and Secret Keys
- GitHub Personal Access Tokens
- Stripe, Slack, Twilio, SendGrid API keys
- JWT tokens and signing secrets
- Database connection strings with embedded passwords
- RSA/SSH/PGP private keys
- OpenAI, Google, Azure API keys
- Generic passwords and high-entropy strings in sensitive spots

Code vulnerabilities (SAST)

- SQL Injection -- string concatenation in queries
- XSS -- innerHTML, document.write, unsanitized templates
- Command Injection -- shell=True, exec with concatenation
- Path Traversal -- user-controlled file paths
- SSRF -- unvalidated URLs
- Insecure Deserialization -- pickle, yaml.load, ObjectInputStream
- Crypto failures -- MD5/SHA1 for passwords, DES, weak random
- Missing input validation
- Auth/session issues -- weak hashing, missing rate limits, insecure cookies

Configuration

- Debug mode in production
- CORS wildcard (`*`)
- Missing security headers (CSP, HSTS, X-Frame-Options)
- Docker running as root
- Exposed error details / stack traces
- Default credentials
- Secrets in CI/CD configs

Dependencies

- Known CVEs in installed packages
- Unmaintained deps (no updates in 2+ years)
- Unpinned versions
- Suspicious postinstall scripts
Language Support
| Language | Secret Detection | SAST | Dependency Audit |
|---|---|---|---|
| Python | Yes | Yes | Yes |
| JavaScript / TypeScript | Yes | Yes | Yes |
| Go | Yes | Yes | Yes |
| Java / Kotlin | Yes | Yes | Yes |
| Rust | Yes | Yes | Yes |
| Ruby | Yes | Yes | Yes |
| PHP | Yes | Partial | Yes |
| C# / .NET | Yes | Partial | Yes |
| Feature | ShieldScan | Manual Code Review | Snyk | SonarQube |
|---|---|---|---|---|
| Setup time | 0 min | N/A | 10-30 min | 1-2 hours |
| Cost | Free | $150-300/hr | Freemium | Freemium |
| Secret detection | Yes | Depends on reviewer | No (use GitGuardian) | Limited |
| Dependency audit | Yes | Rarely | Yes (core strength) | Yes |
| SAST | Yes | Yes (best quality) | Yes | Yes (core strength) |
| Config audit | Yes | Depends on reviewer | No | Partial |
| Remediation code | Copy-pastable | Natural language advice | Link to docs | Link to docs |
| OWASP coverage | Full checklist | Depends on reviewer | Partial | Full |
| Bilingual (EN/ZH) | Yes | Depends on reviewer | No | No |
| Context-aware | Yes | Yes | No (rule-based) | No (rule-based) |
| False positive rate | Low (context-aware) | Very low | Medium | Medium |
When to use each:
- ShieldScan -- quick check during dev, pre-commit, PR prep
- Manual review -- high-stakes prod code, compliance
- Snyk -- continuous dependency monitoring in CI/CD
- SonarQube -- enterprise code quality + security rules in CI/CD
ShieldScan complements these tools. Run it first for quick feedback, then use the others for continuous monitoring.
Abbreviated scan of a Node.js Express app
```markdown
# Security Audit Report — my-express-app

> Generated by ShieldScan v0.9.0 | 2026-04-07
> Risk Score: 34/100 | Findings: 1 Critical, 2 High, 3 Medium, 2 Low

## Executive Summary

This application has a critical hardcoded JWT secret and two high-severity
injection risks. The Express server lacks essential security middleware.
Do not deploy to production without addressing the critical and high findings.

## Critical Findings

### [CRITICAL-001] Hardcoded JWT Secret Key
- **File**: `config/auth.js:8`
- **Description**: JWT signing secret hardcoded as a string literal
- **Impact**: Any attacker who reads the source can forge valid JWTs

## High Findings

### [HIGH-001] SQL Injection in User Lookup
- **File**: `routes/users.js:23`
- **Description**: User ID from URL params concatenated into SQL query

### [HIGH-002] No Rate Limiting on Login
- **File**: `routes/auth.js:15`
- **Description**: Login endpoint accepts unlimited attempts

[... see examples/express-app-scan.md for the full report]
```

See examples/express-app-scan.md for a complete, realistic scan report.
Use Cases
- Pre-commit -- catch secrets and vulns before you push
- PR review -- run it as part of code review
- Audit prep -- get a baseline report before a formal audit
- Learning -- scan real codebases to understand common vuln patterns
- Onboarding -- show new team members the security posture of a project
- Dependency triage -- figure out which dep vulns actually matter
Contributions are welcome! See CONTRIBUTING.md for guidelines.
MIT License. See LICENSE.
More tools from this series:
- Code Sensei -- turns any codebase into a structured learning course
- DevPilot TUI -- terminal dashboard for managing AI coding agents (coming soon)
- CloudBridge -- multi-cloud DevOps skill (coming soon)
Limitations & Disclaimer
ShieldScan is not a replacement for professional security audits. It can't detect logic vulnerabilities, race conditions, or business logic flaws. Results may include false positives or miss things. Always verify findings before acting on them. A passing scan does not mean you're SOC2/PCI-DSS/HIPAA compliant.
Note: The table above compares free-tier functionality. Enterprise editions of Snyk and SonarQube do more.
