
CodeSentry

Local-first, developer-first code security scanner for your own repositories. CodeSentry runs on your machine, audits source code and dependencies, and presents findings in a fast TUI with remediation detail and diff view — without sending code to the cloud.


Why CodeSentry

  • Local-first by default. Your code never leaves your machine unless you opt in.
  • Actionable results with clear remediation guidance and diff previews.
  • CI-ready with SARIF support for GitHub code scanning.
  • Extensible via rule packs and a Python enrichment plugin.

Highlights

  • TUI-first UX: findings list, details, remediation diff, warnings panel
  • OWASP-aligned rules (SQLi, XSS, SSRF, command injection, weak crypto, etc.)
  • Secrets engine with confidence scoring (AWS/GitHub/Stripe/Slack/Google/private keys)
  • Dependency inventory + optional OSV scan
  • Markdown, JSON, SARIF reports
  • Diff-aware scanning for PRs (--changed)
  • Rule marketplace support (drop YAML packs into rules/)
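As an added illustration of how the confidence-scored secrets engine and the secrets.min_confidence setting fit together (example code written for this README, not CodeSentry's own secrets engine; the token patterns, weights, placeholder words and the SecretFinding type are assumptions), a small Go scorer that matches a few well-known token shapes, then raises or lowers confidence based on entropy, placeholder markers and a credential-like variable name on the same line:

```go
package main

import (
	"fmt"
	"math"
	"regexp"
	"strings"
)

// SecretFinding is a hypothetical result type for this example, not CodeSentry's own.
type SecretFinding struct {
	Kind       string
	Value      string
	Line       int
	Confidence float64
}

// secretPatterns is a constructed detector table: a well-known token shape, the
// confidence the shape alone justifies, and whether the matched text is the secret
// itself (so its entropy is meaningful) or only a banner such as a PEM header.
var secretPatterns = []struct {
	kind         string
	re           *regexp.Regexp
	base         float64
	checkEntropy bool
}{
	{"aws-access-key-id", regexp.MustCompile(`\bAKIA[0-9A-Z]{16}\b`), 0.5, true},
	{"github-token", regexp.MustCompile(`\bghp_[A-Za-z0-9]{36}\b`), 0.5, true},
	{"private-key", regexp.MustCompile(`-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----`), 0.9, false},
}

// keyAssignment spots a credential-like variable being assigned on the line.
var keyAssignment = regexp.MustCompile(`(?i)(secret|token|key|password)\s*[:=]`)

// placeholderWords mark sample or dummy credentials that should not be reported.
var placeholderWords = []string{"example", "placeholder", "xxxx", "dummy", "sample"}

// ShannonEntropy returns the entropy of s in bits per character.
func ShannonEntropy(s string) float64 {
	runes := []rune(s)
	if len(runes) == 0 {
		return 0
	}
	counts := map[rune]int{}
	for _, r := range runes {
		counts[r]++
	}
	n := float64(len(runes))
	var h float64
	for _, c := range counts {
		p := float64(c) / n
		h -= p * math.Log2(p)
	}
	return h
}

// scoreSecret turns a raw pattern match into a confidence in [0, 1].
func scoreSecret(base float64, checkEntropy bool, value, line string) float64 {
	conf := base
	if checkEntropy {
		// Real tokens look random; repeated or dictionary-like characters look fake.
		if ShannonEntropy(value) >= 3.5 {
			conf += 0.2
		} else {
			conf -= 0.2
		}
	}
	lower := strings.ToLower(line)
	for _, w := range placeholderWords {
		if strings.Contains(lower, w) {
			conf -= 0.3
			break
		}
	}
	if keyAssignment.MatchString(line) {
		conf += 0.1
	}
	return math.Max(0, math.Min(1, conf))
}

// ScanSecrets returns every match whose confidence reaches minConfidence,
// which is the role secrets.min_confidence plays in codesentry.yml.
func ScanSecrets(src string, minConfidence float64) []SecretFinding {
	var out []SecretFinding
	for i, line := range strings.Split(src, "\n") {
		for _, p := range secretPatterns {
			for _, m := range p.re.FindAllString(line, -1) {
				conf := scoreSecret(p.base, p.checkEntropy, m, line)
				if conf >= minConfidence {
					out = append(out, SecretFinding{p.kind, m, i + 1, conf})
				}
			}
		}
	}
	return out
}

// sampleSource is constructed input: the AWS documentation example key, a
// made-up GitHub token, a PEM banner and an ordinary password assignment.
const sampleSource = `aws_access_key_id = AKIAIOSFODNN7EXAMPLE
GITHUB_TOKEN: ghp_aB3dE5fG7hJ9kL1mN2pQ4rS6tU8vW0xY3zA5
-----BEGIN RSA PRIVATE KEY-----
password = "hunter2"`

func main() {
	for _, f := range ScanSecrets(sampleSource, 0.6) {
		fmt.Printf("line %d %-18s confidence=%.2f\n", f.Line, f.Kind, f.Confidence)
	}
}
```

At the 0.6 threshold from the starter config, the AWS documentation key is suppressed because the line carries a placeholder marker, while the token and the PEM banner are reported; lowering min_confidence to 0.3 surfaces the suppressed match again, which is the trade-off the setting controls.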

[Demo GIF: live TUI scan with findings, details, and remediation diff.]

[Screenshot: CodeSentry TUI showing findings, details, and remediation diff panel.]

Keywords

local-first security scanner, open-source SAST, code security audit, AI code review, OWASP Top 10 scanner, GitHub Actions security, SARIF code scanning, dependency vulnerability scan, CLI security tool, TUI security dashboard, static analysis for developers

GitHub Topics (copy-paste)

codesentry, appsec, sast, owasp, owasp-top-10, security, secure-coding, code-security, static-analysis, devsecops, github-actions, sarif, dependency-scanning, cli, tui, local-first

Quick Start

1) Clone and build (one-time)

git clone https://github.com/Ritiksuman07/codesentry
cd codesentry

go build ./cmd/codesentry

Or install via Go:

go install github.com/Ritiksuman07/codesentry/cmd/codesentry@latest

2) Scan any folder (friendly for non-technical users)

CodeSentry opens a beautiful TUI by default:

codesentry --path C:\Users\YourName\Projects\my-app

Shorthand alias:

codesentry -sc C:\Users\YourName\Projects\my-app

3) Generate a report file (optional)

codesentry scan --path C:\Users\YourName\Projects\my-app --format markdown

Outputs codesentry-report.md by default.

4) Open the TUI from any repo

codesentry --path .

Install (Recommended)

Homebrew:

brew install ritiksuman07/tap/codesentry

Prebuilt binaries:

  • Download from GitHub Releases and put the binary on your PATH.

One-command install:

macOS / Linux:

curl -fsSL https://raw.githubusercontent.com/Ritiksuman07/codesentry/main/scripts/install.sh | sh

Windows (PowerShell):

iwr https://raw.githubusercontent.com/Ritiksuman07/codesentry/main/scripts/install.ps1 -UseBasicParsing | iex

Configuration

Create a codesentry.yml in your repo root (a starter file is included):

scan:
  ignore_paths:
    - .git
    - node_modules
    - vendor
    - dist
    - build
    - .github
    - docs
  exclude_extensions:
    - .md
    - .yml
    - .yaml
  max_findings: 200

rules:
  dir: rules
  enabled:
    SEC-001: true
    SEC-002: true
    SEC-003: true
    SEC-004: true
    SEC-005: true
    SEC-006: true
    SEC-007: true
    SEC-008: true
    SEC-009: true
    SEC-010: true
  severity:
    SEC-003: MEDIUM

threshold:
  severity: HIGH

dependencies:
  enable: true
  osv:
    enable: false
    timeout_seconds: 10

analysis:
  python:
    enable: false
    command: "python plugins/python_analysis/runner.py"

secrets:
  min_confidence: 0.6

CLI flags override config:

codesentry scan --path . --format sarif --out codesentry-report.sarif --fail-on HIGH --osv

Diff-aware scan (PR-friendly):

codesentry --changed --base origin/main
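An added example (not CodeSentry's code; the Finding type, the constructed diff, the EX-* rule IDs and the severity ranking are assumptions) of what --changed and --fail-on do together: parse the unified diff against the base branch for added lines, keep only findings on those lines, pick the threshold with the CLI flag taking precedence over threshold.severity in codesentry.yml, and turn the outcome into an exit code a CI job can gate on:

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Finding is a hypothetical scanner result used for this example (not CodeSentry's own type).
type Finding struct {
	RuleID   string
	File     string
	Line     int
	Severity string // LOW, MEDIUM, HIGH or CRITICAL
}

// hunkHeader captures the first post-image line number from "@@ -a,b +c,d @@".
var hunkHeader = regexp.MustCompile(`^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@`)

// ChangedLines parses unified diff text (what "git diff <base>" prints) and
// returns, per post-image path, the line numbers that were added or modified.
// Context lines and deletions are not included.
func ChangedLines(diff string) map[string]map[int]bool {
	changed := map[string]map[int]bool{}
	var file string
	cur, inHunk := 0, false
	for _, line := range strings.Split(diff, "\n") {
		switch {
		case strings.HasPrefix(line, "diff --git "):
			inHunk = false
		case strings.HasPrefix(line, "+++ "):
			// "+++ b/path" names the post-image file; strip git's b/ prefix.
			file = strings.TrimPrefix(strings.TrimPrefix(line, "+++ "), "b/")
			inHunk = false
		case strings.HasPrefix(line, "@@"):
			m := hunkHeader.FindStringSubmatch(line)
			if m == nil {
				inHunk = false
				continue
			}
			cur, _ = strconv.Atoi(m[1]) // first post-image line of this hunk
			inHunk = true
		case !inHunk:
			// "--- a/path", index lines and similar headers carry no content.
		case strings.HasPrefix(line, "+"):
			if changed[file] == nil {
				changed[file] = map[int]bool{}
			}
			changed[file][cur] = true
			cur++
		case strings.HasPrefix(line, " "):
			// Unchanged context still occupies a post-image line; "-" lines and
			// "\ No newline at end of file" do not advance cur.
			cur++
		}
	}
	return changed
}

// FilterToChanged keeps only findings that sit on a changed line (the idea behind --changed).
func FilterToChanged(findings []Finding, changed map[string]map[int]bool) []Finding {
	var kept []Finding
	for _, f := range findings {
		if changed[f.File][f.Line] {
			kept = append(kept, f)
		}
	}
	return kept
}

var severityRank = map[string]int{"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

// EffectiveThreshold: --fail-on on the CLI wins over threshold.severity in codesentry.yml.
func EffectiveThreshold(configSeverity, failOnFlag string) string {
	if failOnFlag != "" {
		return strings.ToUpper(failOnFlag)
	}
	return strings.ToUpper(configSeverity)
}

// ExitCode returns 1 if any finding is at or above the threshold, 0 if none is,
// and 2 for an unrecognised threshold so that a typo never silently passes the gate.
func ExitCode(findings []Finding, threshold string) int {
	minRank, ok := severityRank[threshold]
	if !ok {
		return 2
	}
	for _, f := range findings {
		if severityRank[strings.ToUpper(f.Severity)] >= minRank {
			return 1
		}
	}
	return 0
}

// sampleDiff is a constructed PR diff that introduces string-built SQL.
const sampleDiff = `diff --git a/app/db.go b/app/db.go
--- a/app/db.go
+++ b/app/db.go
@@ -10,3 +10,4 @@ func lookup(db *sql.DB, name string) {
 	rows, err := db.Query(
-		"SELECT * FROM users WHERE name = ?", name)
+		"SELECT * FROM users WHERE name = '" + name + "'")
+	// TODO: use a bound parameter instead of string concatenation
 	if err != nil {
`

// sampleFindings are constructed results of a full-repository scan; rule IDs are placeholders.
var sampleFindings = []Finding{
	{"EX-SQLI", "app/db.go", 11, "HIGH"},          // on a changed line
	{"EX-WEAKHASH", "app/db.go", 40, "MEDIUM"},    // pre-existing, untouched line
	{"EX-CMDINJ", "legacy/old.go", 7, "CRITICAL"}, // file not in the diff
}

func main() {
	kept := FilterToChanged(sampleFindings, ChangedLines(sampleDiff))
	threshold := EffectiveThreshold("HIGH", "") // config says HIGH, no --fail-on given
	for _, f := range kept {
		fmt.Printf("%s %s:%d %s\n", f.RuleID, f.File, f.Line, f.Severity)
	}
	fmt.Println("exit code:", ExitCode(kept, threshold))
}
```

The pre-existing CRITICAL finding in legacy/old.go is deliberately dropped by the diff filter: a PR gate judges the change, while the full-repository scan (without --changed) is what should keep tracking the backlog.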

Rule Marketplace

Drop YAML rule packs into rules/ to extend CodeSentry without code changes. A sample pack is provided at rules/marketplace.yml.

GitHub Actions

  • .github/workflows/codesentry.yml runs scans and uploads SARIF on push.
  • .github/workflows/codesentry-pr-comment.yml posts a PR summary comment.

Reports

  • Markdown for humans
  • JSON for automation
  • SARIF for GitHub code scanning
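An added example of the minimal SARIF 2.1.0 document shape that GitHub code scanning ingests (example code written for this README, not CodeSentry's reporter; the SarifFinding type, the severity-to-level mapping, the EX-* rule IDs and the sample findings are assumptions):

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
)

// SarifFinding is a hypothetical scanner result for this example, not CodeSentry's own type.
type SarifFinding struct {
	RuleID   string
	RuleName string
	Severity string // LOW, MEDIUM, HIGH or CRITICAL
	Message  string
	File     string // path relative to the repository root
	Line     int
	Column   int
}

// sarifLevel maps the scanner's severities onto SARIF result levels.
func sarifLevel(severity string) string {
	switch severity {
	case "HIGH", "CRITICAL":
		return "error"
	case "MEDIUM":
		return "warning"
	default:
		return "note"
	}
}

// BuildSARIF assembles one run: the tool driver with rule metadata (each rule once)
// and one result per finding carrying a physical location.
func BuildSARIF(toolName, toolVersion string, findings []SarifFinding) map[string]any {
	rules := []map[string]any{}
	seen := map[string]bool{}
	results := []map[string]any{}
	for _, f := range findings {
		if !seen[f.RuleID] {
			seen[f.RuleID] = true
			rules = append(rules, map[string]any{
				"id":                   f.RuleID,
				"name":                 f.RuleName,
				"shortDescription":     map[string]any{"text": f.RuleName},
				"defaultConfiguration": map[string]any{"level": sarifLevel(f.Severity)},
			})
		}
		col := f.Column
		if col < 1 {
			col = 1 // SARIF columns are 1-based; consumers reject 0
		}
		results = append(results, map[string]any{
			"ruleId":  f.RuleID,
			"level":   sarifLevel(f.Severity),
			"message": map[string]any{"text": f.Message},
			"locations": []map[string]any{{
				"physicalLocation": map[string]any{
					"artifactLocation": map[string]any{"uri": f.File, "uriBaseId": "%SRCROOT%"},
					"region":           map[string]any{"startLine": f.Line, "startColumn": col},
				},
			}},
		})
	}
	return map[string]any{
		"$schema": "https://json.schemastore.org/sarif-2.1.0.json",
		"version": "2.1.0",
		"runs": []map[string]any{{
			"tool":    map[string]any{"driver": map[string]any{"name": toolName, "version": toolVersion, "rules": rules}},
			"results": results,
		}},
	}
}

// MarshalSARIF renders the document as indented JSON ready to be written to a file.
func MarshalSARIF(toolName, toolVersion string, findings []SarifFinding) ([]byte, error) {
	return json.MarshalIndent(BuildSARIF(toolName, toolVersion, findings), "", "  ")
}

// sampleSarifFindings are constructed; two share a rule so the driver lists it once.
var sampleSarifFindings = []SarifFinding{
	{"EX-SQLI", "SQL injection", "HIGH", "User input is concatenated into a SQL query", "app/db.go", 11, 3},
	{"EX-SQLI", "SQL injection", "HIGH", "User input is concatenated into a SQL query", "app/report.go", 40, 0},
	{"EX-WEAKHASH", "Weak hash", "MEDIUM", "MD5 used to hash a password", "app/auth.go", 22, 9},
}

func main() {
	out, err := MarshalSARIF("codesentry", "0.0.0-example", sampleSarifFindings)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Println(string(out))
}
```

Upload the resulting file with GitHub's github/codeql-action/upload-sarif action from a job that has the security-events: write permission; the %SRCROOT% base id lets GitHub resolve the paths against the checkout, and the level field decides whether an alert shows as an error, warning or note in the Security tab.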

Python Analysis Plugin (Scaffolded)

The optional plugin lives in plugins/python_analysis/. It enriches findings and emits a python_analysis payload when enabled.

Roadmap

  • AST-backed analysis (tree-sitter) beyond secrets
  • Richer taint tracking
  • Full OWASP Top 10 coverage
  • PR comment bot enhancements (diff-aware comments)
  • Python analysis plugin execution + enrichment UI
  • Rule pack registry + community marketplace
  • Baseline/ignore workflow (accept-risk with justification)
  • SBOM export (CycloneDX) + dependency policy gates
  • Multi-repo scanning + caching for monorepos
  • IDE integrations (VS Code, JetBrains)

Contributing

PRs are welcome. Please open an issue or start a discussion if you want to add rules or language support.

License

MIT


Hashtags: #CodeSentry #AppSec #SAST #OWASP #Security #SecureCoding #OpenSource #DevSecOps #GitHubActions #CLI #TUI

Note: Tree-sitter string extraction for secrets is enabled when CGO is available. Without CGO, CodeSentry falls back to regex-only detection.
