🛡️ SecOSS
Automated security scanning for GitHub

Every push, automatically secured

Connect your GitHub repo in 3 minutes. SecOSS scans every commit for vulnerabilities, supply chain attacks, and compliance issues — then alerts your team instantly.

⬆️ git push: your repo
🔗 Webhook: HMAC verified
🔍 6 scanners: in parallel
📊 Report: full detail
💬 Alert: Slack · TG

Results delivered in under 15 seconds per push

Six security checks on every push

No configuration needed — all six run automatically from the moment you connect your repo.

🦠

Dependency CVEs

OSV + NVD

Every package in your lockfile checked against the OSV database and GitHub Advisory DB. Finds known vulnerabilities with severity ratings.

🔒

SSL / TLS Grade

Qualys SSL Labs analysis — protocol versions, cipher suites, HSTS, certificate validity. Graded A+ to F with specific improvement steps.

🔗

Supply Chain

AI

Scans your GitHub Actions workflows for 16 attack patterns: curl-to-shell, unpinned actions, pull_request_target, sudo, self-hosted runners.

🛡

Security Headers

Checks HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy. Scored A+ to F with per-header fix tips.

⚖️

License Compliance

Detects GPL, AGPL, LGPL, MPL, and other copyleft licenses in your npm dependencies. Flags packages that may affect your distribution rights.

🛡️

Guardian Code Analysis

Claude AI

Claude AI reviews every diff for backdoors, secrets, obfuscated code, mass deletions, and suspicious URLs. Gives a risk score per commit.

Up and running in 3 minutes

No agents to install. No CI changes needed. Just a GitHub webhook.

1. Create your account

Sign in with GitHub — your organisation is created automatically.

2. Generate your webhook secret

One click on the Automation page gives you a unique Webhook URL and secret.

3. Add to GitHub

Paste the URL and secret into your repo's Webhook settings. That's it.

You receive in Slack

📦 SecOSS Security Report

Repo: your-org/api-service

Branch: main · Commit: a3f9c12

Pusher: rafraf · Packages: 248

🚨 CVEs — Critical: 0 | High: 2 | Medium: 5

🔒 SSL app.cloudrf.xyz: A+

🔗 Supply chain: CLEAN

View full report →

Delivered in ~12 seconds after push

Alerts on every platform your team uses

Add as many channels as you need — all fire simultaneously on every push.

💬

Slack

Paste an Incoming Webhook URL

🔷

Microsoft Teams

Paste an Incoming Webhook URL

✈️

Telegram

Enter bot token + chat ID

Also available: on-demand scanners

Run one-off scans — no account required. CVEs, licenses, headers, SSL, supply chain, containers and more.

Open scanner →