v0.1.0 — Now on npm

Security scanning for every pull request

Guardrails automatically detects leaked secrets, known vulnerabilities, dangerous code patterns, and missing authentication — before code gets merged.

$ npx @guardrails-ai-sec/scanner scan

============================================================
Scan complete: 2 blocking, 1 warning, 14 files scanned
============================================================

BLOCK [secrets] AWS Access Key detected
       src/config.ts:12
BLOCK [dependencies] CVE-2024-1234 in lodash@4.17.20
       package.json:8
WARN  [auth] Unauthenticated /admin route
       src/routes/admin.ts:5

What Guardrails detects

Four categories of security issues, all running automatically on every PR.

🔑 Leaked Secrets

AWS keys, GitHub tokens, Stripe keys, private keys, passwords, and 20+ patterns. Regex-based with low false positives.

🛡️ Known Vulnerabilities

Checks npm, pip, and Go dependencies against the OSV database for known CVEs. Blocks PRs that introduce vulnerable packages.

⚠️ Dangerous Patterns

SQL injection via string concatenation, eval(), command injection, insecure deserialization, and custom regex patterns.

🔒 Missing Authentication

Detects unprotected admin and sensitive routes in Express and Next.js, and checks that auth middleware is applied where it is needed.

How it works

1. Install the App

One-click install from GitHub Marketplace. Select which repos to protect.

2. Open a Pull Request

Guardrails automatically scans changed files and posts results as Check annotations.

3. Customize with Policy

Add .guardrails.yaml to configure rules, severity levels, allowlists and actions.

Run locally with the CLI

Scan your code before pushing. Same engine as the GitHub App, running directly on your machine.

Scan current directory

npx @guardrails-ai-sec/scanner scan

Scan specific path

npx @guardrails-ai-sec/scanner scan ./src

SARIF output for CI

npx @guardrails-ai-sec/scanner scan -o sarif

Generate policy file

npx @guardrails-ai-sec/scanner init-policy

.guardrails.yaml

version: "1"
default_action: warn

rules:
  secrets:
    enabled: true
    action: block
    allowlist:
      paths: ["**/*.test.*"]

  dangerous_patterns:
    enabled: true
    action: warn

  dependencies_osv:
    enabled: true
    action: block

  auth_heuristics:
    enabled: true
    action: warn
    frameworks: [express, nextjs]
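How a rule with a path allowlist plays out at scan time, as an added JavaScript example that is not Guardrails' own code: the policy object mirrors the file above, the AWS key regex and the two sample files are constructed for the example, and globToRegExp, scanSecrets and summarize are hypothetical names.

```javascript
// Added illustration (not Guardrails' own code) of evaluating a secrets rule with a
// path allowlist against a policy shaped like the .guardrails.yaml above. The key
// pattern and the sample files are constructed for this example.
const policy = {
  default_action: "warn",
  rules: { secrets: { enabled: true, action: "block", allowlist: { paths: ["**/*.test.*"] } } },
};
// Constructed sample files; AKIAIOSFODNN7EXAMPLE is AWS's documented placeholder key.
const files = {
  "src/config.ts": 'export const region = "eu-central-1";\nconst accessKeyId = "AKIAIOSFODNN7EXAMPLE";',
  "src/config.test.ts": 'const fake = "AKIAIOSFODNN7EXAMPLE"; // fixture, allowlisted by policy',
};
// One detector here; a real scanner carries many such patterns.
const PATTERNS = [{ name: "AWS Access Key", re: /\b(?:AKIA|ASIA)[A-Z0-9]{16}\b/ }];
// Minimal glob -> RegExp: "**/" spans directories, "*" stays within one path segment.
function globToRegExp(glob) {
  let re = "";
  for (let i = 0; i < glob.length; i++) {
    const c = glob[i];
    if (c === "*" && glob[i + 1] === "*" && glob[i + 2] === "/") { re += "(?:.*/)?"; i += 2; }
    else if (c === "*") re += "[^/]*";
    else re += c.replace(/[.+^${}()|[\]\\]/g, "\\$&");
  }
  return new RegExp(`^${re}$`);
}
// Returns one finding per matching line, tagged with the rule's configured action.
function scanSecrets(fileMap, pol) {
  const rule = pol.rules.secrets;
  if (!rule || !rule.enabled) return [];
  const action = rule.action || pol.default_action;
  const allow = ((rule.allowlist && rule.allowlist.paths) || []).map(globToRegExp);
  const findings = [];
  for (const [path, text] of Object.entries(fileMap)) {
    if (allow.some((re) => re.test(path))) continue; // allowlisted path: skip entirely
    text.split("\n").forEach((line, i) => {
      for (const p of PATTERNS) if (p.re.test(line))
        findings.push({ action, rule: "secrets", message: `${p.name} detected`, path, line: i + 1 });
    });
  }
  return findings;
}
// Non-zero exit when anything blocks, mirroring the BLOCK/WARN summary shown above.
function summarize(findings) {
  const blocking = findings.filter((f) => f.action === "block").length;
  const warnings = findings.filter((f) => f.action === "warn").length;
  return { blocking, warnings, exitCode: blocking > 0 ? 1 : 0 };
}
for (const f of scanSecrets(files, policy))
  console.log(`${f.action.toUpperCase().padEnd(5)} [${f.rule}] ${f.message}\n       ${f.path}:${f.line}`);
```

The key in src/config.ts is reported as a BLOCK at line 2, while the identical string in src/config.test.ts is silenced by the `**/*.test.*` allowlist.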

Simple pricing

Free for open source. Affordable for teams.

Free

0 Kč/month
  • Up to 3 private repos
  • Unlimited public repos
  • All 4 detection categories
  • GitHub Check annotations
  • CLI scanner
Install Free

Pro

199 Kč/month
  • Unlimited private repos
  • Priority support
  • Advanced custom rules
  • SARIF export
  • Slack notifications
Subscribe via PayPal

Team

649 Kč/month
  • Organization-wide policies
  • Centralized audit logs
  • Role-based access
  • SSO integration
  • Dedicated support
Subscribe via PayPal

After payment, send your GitHub username or organization name to ondys.dev@gmail.com and we'll activate your plan within 24 hours.