Skip to content

apnotic/Secrover

BranchesTags
 
 

Repository files navigation

Secrover

Secrover is a free and open-source tool that generates clear, professional security audit reports — without paywalls or proprietary SaaS. Just useful insights you can trust and share.

Secrover

GitHub last commit Docker Pulls Docker Stars

🔍 Features

  • 🔒 Security Audits: Scans your project dependencies and your domains to identify possible vulnerabilities.
  • 📊 Sharable Dashboards: Generate dashboards you can easily share with clients, teams, or stakeholders — ideal for reporting and collaboration.
  • 🧠 Human-readable Reports: Clean, actionable, and easy-to-understand reports — even for non-technical audiences.
  • Easy to Use: Just a simple config file where you list your repositories and your domains to get started quickly.
  • 💻 Cross-platform: Works seamlessly on Linux, macOS, and Windows.
  • 🌟 Actively Maintained: We’re constantly adding new features and improvements to help you stay ahead of threats.

Audits

Category Checks Supported languages
Dependencies Vulnerability check PHP, JavaScript and Python
Code Static check All languages supported by opengrep
Domains SSL certificate, HTTP→HTTPS Redirect, HSTS header, TLS versions, Open Ports, Security Headers -

Screenshots

Dependencies Audit Code Audit Domains Audit
Dependencies Audit Code Audit Domains Audit

Demo

You can see Secrover in action right now:

How the demo works

The demo repository uses GitHub Actions to automatically:

  1. Pull the latest version of Secrover (via Docker).
  2. Run security scans on Secrover repositories and domains.
  3. Generate an HTML security report.
  4. Deploy the report to GitHub Pages, making it publicly accessible.

This setup makes it easy to run Secrover on a schedule (e.g. daily or weekly), so your reports are always up-to-date and shareable with your team or community.

➡️ You can copy the workflow from the demo repository’s .github/workflows/secrover.yml to get started quickly.

Getting Started

Secrover is designed to be simple: configure what you want to scan, then run it with Docker.
Within minutes, you’ll have a professional HTML security report you can share.

Create a new folder/repo with a config.yaml file inside where you will list your repositories and domains to scan.

Example:

project:
  name: My project
domains:
  - my-domain.com
  - subdomain.my-domain.com
repos:
  - url: https://github.com/your-org/your-repo
    description: "Short description of the project"
    branch: "main"

  - url: https://github.com/your-org/another-repo
    description: "Another awesome project"

Accessing Private Repositories

Secrover supports cloning private repositories via HTTPS using a GitHub Personal Access Token (PAT).

We currently support HTTPS only (SSH is not yet supported).

1. Create a GitHub Personal Access Token
  • Go to your GitHub account
  • Click "Generate new token" (fine-grained)
  • Give it a name like Secrover
  • Choose "Only select repositories" and select the private repos Secrover needs to clone
    • Under Repository permissions, grant:
      • Contents: Read-only
  • Generate and copy the token
2. Create a .env file

In the same directory as your config.yaml, create a .env file:

GITHUB_TOKEN=yourgeneratedtokenhere

⚠️ Do not share this file or commit it to version control. Add .env to your .gitignore file to prevent accidental leaks.

Install & run with Docker

You can run Secrover easily using Docker without installing any local dependencies.

From the folder where you created your config.yaml, run:

With private repositories (.env required)

If you're scanning private GitHub repositories, create a .env file containing your GitHub token (see Accessing Private Repositories).

Then run:

docker pull secrover/secrover && docker run --rm \
  --env-file .env \
  -v "$(pwd)/config.yaml:/app/config.yaml" \
  -v "$(pwd)/output:/output" \
  -e CONFIG_FILE=config.yaml \
  secrover/secrover

Without private repositories (.env not needed)

If you're only scanning public repos, you can skip the .env file:

docker pull secrover/secrover && docker run --rm \
  -v "$(pwd)/config.yaml:/app/config.yaml" \
  -v "$(pwd)/output:/output" \
  -e CONFIG_FILE=config.yaml \
  secrover/secrover

This will:

  • Read the list of repositories and domains from your config.yaml
  • Clone repositories, scan them, as well as your domains
  • Generate a full HTML security report into the output/ folder

Thanks and Acknowledgments

This project benefits from the fantastic work of several open-source projects:

  • Python & pip-audit
  • PHP & Composer
  • Node.js & npm
  • uv
  • opengrep

A big thanks to all the maintainers and contributors behind these amazing projects, without whom this project wouldn't be possible!

License

Secrover is released under the GNU General Public License v3.0 (GPL-3.0).

👉 Read the full license here

Stargazers over time

Stargazers over time

About

Open-source security reports — no paywalls, just actionable insights.

secrover.org

Resources

Readme

License

GPL-3.0 license
Activity
Custom properties

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages

  • Python 49.0%
  • HTML 48.4%
  • Dockerfile 2.4%
  • Other 0.2%