Risky code, exposed keys, outdated packages — one shareable grade.
▶ Try it yourself at codescan.dev — paste any public repo URL, no sign-up.
| Category | Description | Powered by |
|---|---|---|
| Static Analysis (SAST) | Finds patterns that can lead to security bugs, including unsafe input handling and other common mistakes | Semgrep |
| Secret Detection | Checks whether API keys, tokens, private keys, or credentials were accidentally committed | Gitleaks |
| Dependency Vulnerabilities | Looks for packages with known security problems so you can update the risky ones first | Trivy |
- Paste a GitHub URL — Drop the URL of any public repository into the scan box, or sign in with GitHub to scan your private repos.
- Run the checks — codescan.dev looks for risky code, exposed keys, and packages that should be updated.
- Read the report card — See a letter grade, a severity breakdown, and per-finding file, line, and rule details you can share.
No installation. No GitHub app. Public repos need no sign-up.
Show your latest security grade. Scan your repo, then hit Copy README Badge on the report card — or use:
[](https://codescan.dev)

The badge reflects the most recent public scan and refreshes automatically when you re-scan. Repos that haven't been scanned yet show a neutral badge instead of a broken image.
- Maintainers — Get a quick security baseline before publishing a release or accepting a large pull request.
- Developers evaluating dependencies — Check a third-party repository for exposed credentials and risky packages before adopting it.
- Engineering teams — Share a letter-grade report card alongside a PR or audit instead of pasting raw tool output.
Is codescan.dev free?
Yes. Public repository scans are free and require no sign-up. Sign in with GitHub to scan private repositories — also free.
Which repositories can I scan?
Any public GitHub repository — just paste the repo URL (https://github.com/owner/name) into the scan box. Sign in with GitHub to scan private repositories you have access to.
What does the letter grade mean?
The grade summarizes how many issues were found and how serious they are, so you can compare repositories at a glance.
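To make the grade concrete, here is an added Go example of turning scanner findings into a severity breakdown and a letter grade. It is not codescan's own scoring code: the `Finding` type, the per-severity weights, the grade thresholds, the rule that any critical finding caps the grade at C, and the sample findings are all assumptions constructed for this illustration.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Finding is one normalized result from Semgrep, Gitleaks or Trivy.
// The field set is an assumption for this example, not the engine's real type.
type Finding struct {
	Tool     string // "semgrep", "gitleaks" or "trivy"
	RuleID   string // scanner rule id, or advisory id for a vulnerable package
	File     string
	Line     int
	Severity string // "critical", "high", "medium" or "low"
}

// Assumed scoring scheme: points deducted per finding, by severity.
var severityWeight = map[string]int{"critical": 15, "high": 10, "medium": 4, "low": 1}

// rank orders severities for display; anything unrecognised sorts last.
func rank(sev string) int {
	switch strings.ToLower(sev) {
	case "critical":
		return 0
	case "high":
		return 1
	case "medium":
		return 2
	case "low":
		return 3
	}
	return 4
}

// Breakdown counts findings per (lower-cased) severity level.
func Breakdown(findings []Finding) map[string]int {
	counts := map[string]int{}
	for _, f := range findings {
		counts[strings.ToLower(f.Severity)]++
	}
	return counts
}

// Score starts at 100 and subtracts the weighted deductions, flooring at 0.
// An unknown severity is charged as "low" so a malformed record never hides a finding.
func Score(findings []Finding) int {
	score := 100
	for _, f := range findings {
		w, ok := severityWeight[strings.ToLower(f.Severity)]
		if !ok {
			w = severityWeight["low"]
		}
		score -= w
	}
	if score < 0 {
		return 0
	}
	return score
}

// Grade maps the score to a letter. Any critical finding (for example a committed
// credential) caps the grade at C, so one serious issue cannot be averaged away.
func Grade(findings []Finding) string {
	s := Score(findings)
	g := "F"
	switch {
	case s >= 90:
		g = "A"
	case s >= 80:
		g = "B"
	case s >= 70:
		g = "C"
	case s >= 60:
		g = "D"
	}
	if Breakdown(findings)["critical"] > 0 && (g == "A" || g == "B") {
		g = "C"
	}
	return g
}

// ReportCard renders the shareable summary: grade, severity breakdown and
// one file:line rule line per finding, most severe first.
func ReportCard(repo string, findings []Finding) string {
	sorted := append([]Finding(nil), findings...)
	sort.SliceStable(sorted, func(i, j int) bool { return rank(sorted[i].Severity) < rank(sorted[j].Severity) })
	bd := Breakdown(findings)
	var b strings.Builder
	fmt.Fprintf(&b, "Repository: %s\nGrade: %s (score %d/100)\n", repo, Grade(findings), Score(findings))
	fmt.Fprintf(&b, "Severity breakdown: critical=%d high=%d medium=%d low=%d\n",
		bd["critical"], bd["high"], bd["medium"], bd["low"])
	for _, f := range sorted {
		fmt.Fprintf(&b, "  [%-8s] %s:%d  %s (%s)\n", strings.ToUpper(f.Severity), f.File, f.Line, f.RuleID, f.Tool)
	}
	return b.String()
}

// sampleFindings is constructed demo data; the rule ids and the CVE are placeholders,
// not output of a real scan.
var sampleFindings = []Finding{
	{Tool: "gitleaks", RuleID: "example-api-key", File: "config/settings.py", Line: 12, Severity: "critical"},
	{Tool: "semgrep", RuleID: "example-unsafe-eval", File: "app/views.py", Line: 88, Severity: "high"},
	{Tool: "trivy", RuleID: "CVE-0000-PLACEHOLDER", File: "requirements.txt", Line: 3, Severity: "medium"},
	{Tool: "semgrep", RuleID: "example-missing-timeout", File: "app/client.py", Line: 40, Severity: "low"},
}

func main() {
	fmt.Print(ReportCard("github.com/example/demo-repo", sampleFindings))
}
```

With the sample data the score is 70 and the grade C; the cap matters when a repository has a single committed secret and nothing else (score 85, which would otherwise read as B). The point of separating `Breakdown`, `Score` and `Grade` is that the breakdown is what a reviewer acts on, while the grade is only the at-a-glance comparison the FAQ describes.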
Do you store my code?
No. codescan.dev clones the repository to run the scanners and only persists the resulting findings needed to render the report card.
Most people don't need to — just use the hosted version at codescan.dev (free, no sign-up for public repos). But codescan is fully open source — both the web frontend and the scan engine that runs Semgrep, Gitleaks, and Trivy — so you can run the whole stack yourself with Docker:
```bash
git clone https://github.com/ludo-technologies/codescan.git
cd codescan
BACKEND_API_KEY=dev-secret docker compose up --build
```

Then open http://localhost:3000 and scan any public repository. Set GITHUB_PUBLIC_TOKEN to lift GitHub's API rate limit from 60/hr to 5000/hr.
| Component | Path | Stack |
|---|---|---|
| Web frontend | repository root | Next.js (App Router), deployed on Vercel |
| Scan engine | engine/ | Go module — orchestrates Semgrep/Gitleaks/Trivy, scores results, exposes the /api/scan API |
The engine is an importable Go module (github.com/ludo-technologies/codescan/engine): run it standalone via engine/cmd/server, or embed it in your own service by calling engine.New(...) and mounting it onto a chi router.
See CONTRIBUTING.md for development setup and guidelines.