GitHubMate Security Scanner

Manoj Alwis
AI-powered security scanning for GitHub repositories — OWASP, LLM Top 10, IaC, secrets detection

GitHubMate Security Scanner

AI-powered security scanning for your GitHub repositories — right inside VSCode.

Scan any public or private GitHub repo for vulnerabilities, exposed secrets, IaC misconfigurations, and compliance gaps. Results appear in a dashboard panel and in the VSCode Problems panel as inline file diagnostics.


Features

🔍 AI-Powered Security Scanning

Sends your codebase to an AI model that reasons about the code the way a security engineer would, rather than matching regexes alone, so findings are reported in context instead of as bare pattern hits. See Privacy below for where the code is sent.

🔑 Secret Detection

Catches exposed API keys, tokens, passwords, and credentials across all file types before they hit production.

  • AWS Access Keys, Secret Keys
  • GitHub, Stripe, Twilio, SendGrid tokens
  • Private keys (RSA, SSH, PEM)
  • Generic high-entropy strings
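The four bullets above describe two different detection strategies: fixed formats for well-known providers and an entropy measure for everything else. The following TypeScript is an added example written for this page, not the extension's own code, showing how the two combine and why format rules should take precedence (a structured key such as an AWS access key ID is too low-entropy to trip a generic threshold, while a generic rule would double-report a GitHub token). The rule names, the entropy thresholds (4.5 for base64-like runs, 3.0 for hex runs) and the redaction format are this example's own assumptions; the sample input is constructed and uses the placeholder credentials from AWS documentation plus a fabricated GitHub token.

```typescript
// Added example, not the extension's own code: a small secret detector that
// combines provider-specific key formats with a Shannon-entropy rule for
// generic secrets. Entropy thresholds (4.5 for base64-like runs, 3.0 for hex
// runs) are assumptions borrowed from common open-source scanners; tune them
// against your own false-positive rate.

type Severity = "critical" | "high" | "medium";

export interface Finding {
  line: number;     // 1-based line number in the scanned text
  rule: string;     // rule that fired
  severity: Severity;
  preview: string;  // redacted match, safe to surface in a diagnostic message
}

interface PatternRule { name: string; severity: Severity; regex: RegExp; }

// Provider-specific formats. These match the public *shape* of a credential,
// which is why they beat entropy alone on short, structured keys like AKIA....
const PATTERN_RULES: PatternRule[] = [
  { name: "aws-access-key-id", severity: "critical", regex: /\b(?:AKIA|ASIA)[0-9A-Z]{16}\b/g },
  { name: "github-token",      severity: "critical", regex: /\bgh[pousr]_[A-Za-z0-9]{36}\b/g },
  { name: "stripe-secret-key", severity: "critical", regex: /\bsk_(?:live|test)_[0-9A-Za-z]{24,}\b/g },
  { name: "private-key-block", severity: "critical",
    regex: /-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----/g },
];

// Candidates for the entropy rule. '=' is left out of the base64 set so that
// KEY=value pairs split at the '=' and the variable name is scored separately.
const ENTROPY_RULES: { regex: RegExp; threshold: number }[] = [
  { regex: /[A-Za-z0-9+\/_\-]{20,}/g, threshold: 4.5 },  // base64-like
  { regex: /\b[0-9a-fA-F]{32,}\b/g,   threshold: 3.0 },  // hex (max possible entropy is 4)
];

// Shannon entropy in bits per character.
export function shannonEntropy(s: string): number {
  const counts: Record<string, number> = {};
  for (let i = 0; i < s.length; i++) counts[s[i]] = (counts[s[i]] || 0) + 1;
  let h = 0;
  for (const c in counts) {
    const p = counts[c] / s.length;
    h -= p * (Math.log(p) / Math.LN2);
  }
  return h;
}

// Never echo the full secret into a diagnostic or a log line.
function redact(m: string): string {
  return m.length <= 8 ? "****" : m.slice(0, 4) + "..." + m.slice(-2);
}

function overlaps(spans: [number, number][], start: number, end: number): boolean {
  return spans.some(([s, e]) => start < e && end > s);
}

export function scanText(text: string): Finding[] {
  const findings: Finding[] = [];
  text.split(/\r?\n/).forEach((line, idx) => {
    const covered: [number, number][] = [];  // spans already claimed by a specific rule
    let m: RegExpExecArray | null;
    for (const rule of PATTERN_RULES) {
      rule.regex.lastIndex = 0;
      while ((m = rule.regex.exec(line)) !== null) {
        covered.push([m.index, m.index + m[0].length]);
        findings.push({ line: idx + 1, rule: rule.name, severity: rule.severity, preview: redact(m[0]) });
      }
    }
    // The entropy rule runs only over tokens no specific rule already reported.
    for (const er of ENTROPY_RULES) {
      er.regex.lastIndex = 0;
      while ((m = er.regex.exec(line)) !== null) {
        const end = m.index + m[0].length;
        if (overlaps(covered, m.index, end) || shannonEntropy(m[0]) <= er.threshold) continue;
        covered.push([m.index, end]);
        findings.push({ line: idx + 1, rule: "high-entropy-string", severity: "high", preview: redact(m[0]) });
      }
    }
  });
  return findings;
}

// Constructed sample input, not real credentials: the AWS values are the
// placeholder keys used in AWS documentation; the GitHub token is fabricated.
export const SAMPLE_ENV = [
  "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE",
  "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
  "GITHUB_TOKEN=ghp_0123456789abcdefghijABCDEFGHIJ012345",
  "LOG_LEVEL=debug",
  "-----BEGIN RSA PRIVATE KEY-----",
].join("\n");

console.log(JSON.stringify(scanText(SAMPLE_ENV), null, 2));
```

On the sample, the access key ID, the GitHub token and the PEM header are caught by format rules, the 40-character AWS secret (entropy roughly 4.66 bits per character) is caught only by the entropy rule, and the variable names and `LOG_LEVEL=debug` score far below the threshold. The `preview` field is what belongs in a Problems-panel message; the raw match should never leave the scanner.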

⚠️ OWASP Top 10 & LLM Top 10

Detects the most critical web application and AI/LLM security risks:

  • SQL Injection, XSS, Command Injection
  • Insecure Deserialization, Path Traversal
  • Prompt Injection, Insecure Output Handling
  • LLM Model Denial of Service, Training Data Poisoning

🏗️ IaC & Dockerfile Scanning

Finds misconfigurations in your infrastructure-as-code before they reach production:

  • Dockerfile — root user (no USER instruction, or USER root), :latest tags, remote ADD URLs, --cap-add=ALL (strictly a docker run flag rather than a Dockerfile instruction, so expect it in RUN/CMD scripts that invoke docker, or as cap_add: [ALL] in compose)
  • docker-compose — privileged: true, network_mode: host, open port bindings (a host IP of 0.0.0.0, or no host IP, which binds to all interfaces)
  • Kubernetes — privileged pods, runAsUser: 0, hostNetwork, allowPrivilegeEscalation
  • Terraform — open security groups (0.0.0.0/0), public S3 ACLs, unencrypted storage, public RDS
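The checks in the four bullets above are mostly single-line properties, with one exception: "root user" in a Dockerfile is a whole-file property, because the effective user is whatever the last USER instruction set and the default when there is none is root. The following TypeScript is an added example written for this page, not the extension's own code. It implements the listed checks as line rules plus that one file-level rule; the check names, severities and sample files are this example's own assumptions, and the samples are constructed to be deliberately misconfigured.

```typescript
// Added example, not the extension's own code: line-oriented checks for the
// Dockerfile, docker-compose, Kubernetes and Terraform misconfigurations listed
// above. Matching single lines with regexes is deliberately simple; a real
// scanner should parse the YAML/HCL so that, for example, `privileged: true`
// is flagged only inside a securityContext and a compose `cap_add` list is
// evaluated as a list. Check names and severities are this example's own.

type Severity = "critical" | "high" | "medium";
export interface IacFinding { kind: string; line: number; check: string; severity: Severity; }
interface LineRule { check: string; severity: Severity; pattern: RegExp; }

const RULES: Record<string, LineRule[]> = {
  dockerfile: [
    // A FROM with neither tag nor digest pulls :latest implicitly, so both forms
    // are flagged. `scratch` has no tag and is excluded; references to earlier
    // build stages (FROM builder) would need stage tracking to exclude.
    { check: "dockerfile-latest-tag", severity: "medium",
      pattern: /^\s*FROM\s+(?!scratch\b)[^\s:@]+(?::latest)?(?:\s+AS\s+\S+)?\s*$/i },
    { check: "dockerfile-remote-add", severity: "high", pattern: /^\s*ADD\s+https?:\/\//i },
  ],
  compose: [
    { check: "compose-privileged",        severity: "critical", pattern: /^\s*privileged:\s*true\b/ },
    { check: "compose-host-network",      severity: "high",     pattern: /^\s*network_mode:\s*["']?host["']?\s*$/ },
    { check: "compose-open-port-binding", severity: "medium",   pattern: /^\s*-\s*["']?0\.0\.0\.0:\d+:\d+/ },
  ],
  kubernetes: [
    { check: "k8s-privileged",                 severity: "critical", pattern: /^\s*privileged:\s*true\b/ },
    { check: "k8s-run-as-root",                severity: "high",     pattern: /^\s*runAsUser:\s*0\b/ },
    { check: "k8s-host-network",               severity: "high",     pattern: /^\s*hostNetwork:\s*true\b/ },
    { check: "k8s-allow-privilege-escalation", severity: "high",     pattern: /^\s*allowPrivilegeEscalation:\s*true\b/ },
  ],
  terraform: [
    { check: "tf-open-security-group", severity: "critical", pattern: /cidr_blocks\s*=\s*\[[^\]]*"0\.0\.0\.0\/0"/ },
    { check: "tf-public-s3-acl",       severity: "critical", pattern: /\bacl\s*=\s*"public-read(?:-write)?"/ },
    { check: "tf-public-rds",          severity: "high",     pattern: /\bpublicly_accessible\s*=\s*true\b/ },
    { check: "tf-unencrypted-storage", severity: "high",     pattern: /\b(?:encrypted|storage_encrypted)\s*=\s*false\b/ },
  ],
};

// Root is a whole-file property of a Dockerfile: the effective user is whatever
// the last USER instruction set, and the default when there is none is root.
export function dockerfileRunsAsRoot(lines: string[]): boolean {
  let user = "root";
  for (const l of lines) {
    const m = /^\s*USER\s+([^\s:]+)/i.exec(l);
    if (m) user = m[1];
  }
  return user === "root" || user === "0";
}

export function scanIac(kind: string, text: string): IacFinding[] {
  const lines = text.split(/\r?\n/);
  const out: IacFinding[] = [];
  lines.forEach((line, i) => {
    for (const r of RULES[kind] || []) {
      if (r.pattern.test(line)) out.push({ kind, line: i + 1, check: r.check, severity: r.severity });
    }
  });
  if (kind === "dockerfile" && dockerfileRunsAsRoot(lines)) {
    out.push({ kind, line: 0, check: "dockerfile-root-user", severity: "high" });  // line 0 = file-level
  }
  return out;
}

// Constructed samples, each deliberately misconfigured.
export const SAMPLE_DOCKERFILE = [
  "FROM node:latest",
  "ADD https://example.com/app.tar.gz /app/",
  "RUN npm install",
  'CMD ["node", "server.js"]',
].join("\n");

export const SAMPLE_POD = [
  "apiVersion: v1", "kind: Pod", "spec:",
  "  hostNetwork: true",
  "  containers:",
  "  - name: app",
  "    securityContext:",
  "      runAsUser: 0",
  "      allowPrivilegeEscalation: true",
  "      privileged: true",
].join("\n");

export const SAMPLE_TF = [
  'resource "aws_security_group" "web" {',
  '  ingress { cidr_blocks = ["0.0.0.0/0"] }',
  "}",
  'resource "aws_db_instance" "db" {',
  "  publicly_accessible = true",
  "  storage_encrypted   = false",
  "}",
].join("\n");

const samples: [string, string][] = [["dockerfile", SAMPLE_DOCKERFILE], ["kubernetes", SAMPLE_POD], ["terraform", SAMPLE_TF]];
for (const [kind, text] of samples) console.log(kind, scanIac(kind, text));
```

The Dockerfile sample yields three findings (the :latest tag, the remote ADD, and the file-level root user reported at line 0), while `FROM node:18-alpine` followed by `USER node` yields none. The per-kind rule tables are what you would extend; the file-level check is the pattern to copy for any property that depends on instruction order rather than a single line.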

📋 Compliance Readiness

AI-powered gap analysis for:

  • SOC 2 Type II
  • GDPR (article-level gap analysis)
  • HIPAA Security Rule
  • PCI DSS v4.0

Each framework shows readiness status, top gaps, quick fixes, and estimated remediation timeline.

📄 SBOM Export

Generate a Software Bill of Materials in JSON or CSV for security audits and vendor questionnaires. The JSON is CycloneDX-inspired rather than conformant CycloneDX, so validate it against the CycloneDX schema before handing it to a tool or customer that requires the standard format.

📌 Inline Diagnostics

Every finding appears as a VSCode diagnostic — hover over the squiggle in your editor to see the issue title, severity, and OWASP category. All findings also show up in the Problems panel (Ctrl+Shift+M).


Getting Started

1. Sign in to GitHub

When you run a scan for the first time, VSCode will prompt you to sign in with GitHub — no token setup needed.

2. Scan a repository

Ctrl+Shift+P → GitHubMate: Scan Repository

Open a GitHub repository in VSCode and run the scan. Results appear in the dashboard panel and the Problems panel.


Commands

Command                        Description
GitHubMate: Scan Repository    Scan a GitHub repo for security issues
GitHubMate: Clear Diagnostics  Remove all inline diagnostics from the Problems panel

Settings

Setting                     Default                          Description
githubmate.enableDiagnostics  true                           Show findings in the VSCode Problems panel
githubmate.severityFilter     ["critical","high","medium"]   Severity levels shown as diagnostics; findings outside this list are not surfaced in the Problems panel

Security Risk Score

Every scan produces an overall security score (0–100) displayed prominently in the dashboard:

Score    Posture
80–100   Secure
60–79    Needs Attention
40–59    At Risk
0–39     Critical

Severity breakdown, top 5 issues, ASVS level, and compliance status are all visible at a glance.


Privacy

  • Your code is not stored by the extension: files are streamed from GitHub, analyzed, and discarded. Analysis does mean the file contents are sent to OpenRouter and on to the upstream model provider; what those parties retain is governed by their data policies, not by this extension, so check them before scanning private repositories.
  • GitHub authentication uses VSCode's built-in OAuth — no tokens to copy or manage.
  • OpenRouter API key is stored in VSCode's encrypted SecretStorage (OS keychain), never in settings.json.
  • AI analysis calls are made to OpenRouter using the stepfun/step-3.5-flash:free model.

Requirements

  • VSCode 1.85.0 or later
  • A GitHub account (sign in via VSCode when prompted)
  • An OpenRouter API key (free tier available) — for AI-powered analysis

Feedback & Issues

Found a bug or want a feature? Open an issue at github.com/manojalwisnz/githubmate-vscode


Also available as a web app at githubmate.ai
