codescan.dev

Scan any GitHub repo for security issues — get one shareable grade.

Public scans need no sign-up. Sign in with GitHub for private repos.

What codescan.dev checks

Every scan checks for common security risks and rolls the findings into a single report.

Risky code

Finds patterns that can lead to security bugs, including unsafe input handling and other common mistakes.

Exposed keys

Checks whether API keys, tokens, private keys, or credentials were accidentally committed.

Outdated packages

Looks for packages with known security problems so you can update the risky ones first.

Who it's for

codescan.dev is built for anyone who needs a quick, shareable security read on a GitHub repository.

  • Maintainers of open source repos

    Get a quick security baseline before publishing a release or accepting a large pull request.

  • Developers evaluating dependencies

    Check a third-party repository for exposed credentials and risky packages before adopting it.

  • Engineering teams and reviewers

    Share a letter-grade report card alongside a PR or audit instead of pasting raw tool output.

How it works

No installation or GitHub app. Public scans need no sign-up.

  1. Paste a GitHub URL

    Drop the URL of any public repository into the scan box at the top of the page, or sign in with GitHub to scan a private repo.

  2. Run the checks

    codescan.dev looks for risky code, exposed keys, and packages that should be updated.

  3. Read the report card

    See a letter grade, a severity breakdown, and per-finding file, line, and rule details you can share.

What a result looks like

Each scan produces a single page with a letter grade, severity breakdown, and a list of findings linked back to the source.

Grade: B
Risky code: 4
Exposed keys: 0
Outdated packages: 7

Example output — your scan may differ.

Frequently asked questions

Q. Is codescan.dev free?

Yes. Public repository scans are free and require no sign-up. Sign in with GitHub to scan private repositories — also free.

Q. Which repositories can I scan?

Any public GitHub repository. Sign in with GitHub to scan private repositories too.

Q. What does the letter grade mean?

The grade summarizes how many issues were found and how serious they are, so you can compare repositories at a glance.

Q. What does codescan.dev look for?

It checks for risky code patterns, exposed keys, and packages with known security problems. Each finding links back to the affected file and line.

Q. Do you store my code?

No. codescan.dev clones the repository to run the scanners and only persists the resulting findings needed to render the report card.

Ready to scan a repository?

Paste a GitHub URL into the scan box to get a shareable grade.