# GitHubMate

> Free AI-generated code security scanner. Scans any GitHub repository for vulnerabilities, secrets, CVEs, IaC misconfigurations, and AI-specific risks in 30 seconds. No signup required.

## What is GitHubMate?

GitHubMate is a free, client-side security scanner for GitHub repositories. It runs entirely in the browser: no backend, no data collection. It was built to detect security risks common in AI-generated and vibe-coded projects.

## Key capabilities

- **OWASP LLM Top 10 (2025):** Full coverage of all 10 categories, listed as LLM01 Prompt Injection, LLM02 Insecure Output Handling, LLM03 Training Data Poisoning, LLM04 Model DoS, LLM05 Supply Chain, LLM06 Sensitive Data Disclosure, LLM07 Insecure Plugin Design, LLM08 Excessive Agency, LLM09 Misinformation, LLM10 LLM Jacking. Note that LLM01 to LLM08 here follow the 2023 edition's names and numbering; the 2025 edition renames and renumbers several categories (for example LLM02 Sensitive Information Disclosure, LLM05 Improper Output Handling, LLM07 System Prompt Leakage, LLM08 Vector and Embedding Weaknesses, LLM10 Unbounded Consumption), and "LLM Jacking" (abuse of stolen LLM API credentials) is not an OWASP category name. Check the mapping before using the output for coverage reporting.
- **OWASP Top 10:2021:** Full coverage of all 10 categories: A01 Broken Access Control, A02 Cryptographic Failures, A03 Injection (SQL, XSS, command, NoSQL, LDAP, SSTI), A04 Insecure Design, A05 Security Misconfiguration, A06 Vulnerable and Outdated Components, A07 Identification and Authentication Failures, A08 Software and Data Integrity Failures, A09 Security Logging and Monitoring Failures, A10 Server-Side Request Forgery (SSRF).
- **Secret scanning:** 30+ named token patterns (AWS, OpenAI, Anthropic, GitHub, Stripe, Twilio, SendGrid, RSA/SSH keys) plus Shannon entropy detection (strings above 4.0 bits per character) for secrets that match no known pattern. Expect entropy hits on lockfile integrity hashes and other random-looking but harmless strings; review those before treating them as leaks.
- **Dependency CVEs:** Real-time lookup via the OSV.dev batch API across 8 ecosystems: npm, PyPI, Go, crates.io (Rust), RubyGems, Maven (Android/Java), Pub (Flutter/Dart), CocoaPods (iOS). OSV matches on exact resolved versions, so a committed lockfile gives far better results than a manifest with version ranges.
- **IaC scanning:** Dockerfile, docker-compose, Kubernetes YAML, Terraform, Fastlane.
- **Vibe-Code Risk Engine:** Detects AI library usage (OpenAI, Anthropic, LangChain, TensorFlow Lite, ML Kit, Core ML, ONNX Runtime) and scores AI-specific risk with severity-weighted penalties.
- **Compliance:** SOC 2, GDPR, HIPAA, PCI DSS readiness signals, plus OWASP ASVS Level 1/2/3 scoring. These are heuristic signals, not audit evidence.
- **SBOM export:** JSON in a CycloneDX-inspired layout (not a validated CycloneDX document) and CSV.

## Who is it for?
- Developers who use AI coding assistants (GitHub Copilot, ChatGPT, Claude) and want to audit what was generated
- Security engineers reviewing pull requests or repositories for OWASP compliance
- Teams building LLM-powered applications who need OWASP LLM Top 10 coverage
- Mobile developers (React Native, Flutter, Android, iOS) checking dependency CVEs and IaC security
- Anyone who wants a quick, free security scan of a public GitHub repo

## Pricing

Free. No account required. Optionally connect a GitHub account for private repo scanning and GitHub's authenticated API rate limit of 5,000 requests/hour (unauthenticated requests are limited to 60/hour). Because the scanner has no backend, the GitHub token is used directly from your browser.

## VS Code Extension

GitHubMate is also available as a VS Code extension (publisher: ManojAlwis) that runs the same scanning engine and surfaces findings as inline diagnostics in the editor.

## Founder & Creator

GitHubMate was founded and built by **Manoj Alwis**, a software engineer and security tool builder. He is the sole founder, designer, and engineer behind both the web app and the GitHubMate VS Code extension (publisher ID ManojAlwis on the Visual Studio Code Marketplace).

- GitHub: https://github.com/manojalwisnz
- LinkedIn: https://au.linkedin.com/in/manojalwis
- Twitter: https://twitter.com/manojalwis

## URLs

- Web app: https://githubmate.vercel.app/
- GitHub: https://github.com/manojalwisnz/GitHubMate
- VS Code Marketplace: https://marketplace.visualstudio.com/items?itemName=ManojAlwis.githubmate-vscode
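## Example: named patterns plus Shannon entropy

The secret-scanning capability described under Key capabilities combines two techniques: regexes for tokens with a known shape, and an entropy threshold for strings that look random. The block below is an added illustration of that combination; it is not GitHubMate's code. The four token patterns, the 20-character minimum candidate length, the rule that skips lockfile integrity lines, and the sample input are assumptions; only the 4.0 bits-per-character threshold comes from the page.

```javascript
// Added example (not GitHubMate's code): a minimal secret scanner that combines
// named token patterns with Shannon-entropy detection for unknown secrets.
// The patterns, tunables and sample input below are illustrative assumptions.

const NAMED_PATTERNS = [
  // AWS access key IDs are "AKIA" followed by 16 uppercase alphanumerics.
  { name: 'AWS Access Key ID', re: /\bAKIA[0-9A-Z]{16}\b/g },
  // Classic GitHub personal access tokens: "ghp_" + 36 alphanumerics.
  { name: 'GitHub personal access token', re: /\bghp_[A-Za-z0-9]{36}\b/g },
  // Stripe live secret keys: "sk_live_" + 24 or more alphanumerics.
  { name: 'Stripe live secret key', re: /\bsk_live_[0-9a-zA-Z]{24,}\b/g },
  { name: 'Private key block', re: /-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----/g },
];

// Tunables (assumed values; the page states only the 4.0 bits/char threshold).
const ENTROPY_THRESHOLD = 4.0;   // bits per character
const CANDIDATE_RE = /[A-Za-z0-9+\/=_-]{20,}/g; // runs of base64/hex-like characters, 20+ long
// Lockfile integrity hashes are high-entropy by design; skip those lines to cut false positives.
const IGNORE_LINE_RE = /\bintegrity\b|\bsha(?:256|384|512)-/;

// Shannon entropy of a string in bits per character: H = -sum(p_i * log2 p_i).
function shannonEntropy(s) {
  if (s.length === 0) return 0;
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const c of counts.values()) {
    const p = c / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

function scanLine(line, lineNo) {
  const findings = [];
  if (IGNORE_LINE_RE.test(line)) return findings;

  // Named rules first; remember the spans they covered so the entropy pass
  // does not report the same token a second time.
  const covered = [];
  for (const { name, re } of NAMED_PATTERNS) {
    re.lastIndex = 0; // global regexes keep state between calls
    for (let m; (m = re.exec(line)) !== null; ) {
      covered.push([m.index, m.index + m[0].length]);
      findings.push({ line: lineNo, kind: 'named', name, match: m[0] });
    }
  }

  CANDIDATE_RE.lastIndex = 0;
  for (let m; (m = CANDIDATE_RE.exec(line)) !== null; ) {
    const start = m.index, end = start + m[0].length;
    if (covered.some(([s, e]) => start < e && end > s)) continue;
    const h = shannonEntropy(m[0]);
    if (h > ENTROPY_THRESHOLD) {
      findings.push({ line: lineNo, kind: 'entropy', name: 'High-entropy string', match: m[0], entropy: h });
    }
  }
  return findings;
}

function scanText(text) {
  return text.split('\n').flatMap((line, i) => scanLine(line, i + 1));
}

// Redact matches before logging so the scanner's own output does not leak the secret.
function redact(match) {
  return match.length <= 8 ? '****' : match.slice(0, 4) + '****' + match.slice(-4);
}

// Constructed sample input. AKIAIOSFODNN7EXAMPLE is the placeholder key ID used in AWS documentation.
const SAMPLE = [
  'AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE',
  'const apiToken = "0123456789abcdefghijklmnopqrstuv"; // 32 distinct chars, 5.0 bits/char',
  'const banner = "password_password_password_pass"; // long but repetitive, low entropy',
  '"integrity": "sha512-AAAAbbbbCCCCddddEEEEffff0000gggg=="',
].join('\n');

for (const f of scanText(SAMPLE)) {
  console.log(`line ${f.line}: ${f.name} (${f.kind}) ${redact(f.match)}`);
}
```

Run against the constructed sample, the first line is caught by the AWS rule, the second by the entropy rule, the third is long but too repetitive to cross 4.0 bits, and the fourth is skipped as an integrity hash. The overlap check matters in practice: without it, every named token long enough to be a candidate would be reported twice.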
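## Example: building OSV.dev batch queries from lockfiles

The dependency-CVE capability above relies on the OSV.dev batch endpoint, which takes a list of `{package: {name, ecosystem}, version}` queries and answers them positionally. The block below is an added illustration of that flow and is not GitHubMate's code: it turns a `package-lock.json` and a `requirements.txt` into queries, splits them into batches, and joins the response back onto the packages. The sample lockfile, requirements, package names and response are constructed; `CONSTRUCTED-0001` is a placeholder, not a real advisory identifier. The PEP 503 name normalisation for PyPI is an assumption about what OSV expects.

```javascript
// Added example (not GitHubMate's code): OSV.dev batch queries from lockfile
// contents, with the positional results joined back onto the packages.
// Inputs and the response are constructed; "CONSTRUCTED-0001" is a placeholder id.

const OSV_BATCH_URL = 'https://api.osv.dev/v1/querybatch';
const OSV_BATCH_LIMIT = 1000; // OSV documents a maximum of 1000 queries per batch request

// package-lock.json (lockfileVersion 2/3): resolved versions live under "packages",
// keyed by install path. The package name is everything after the last "node_modules/",
// which handles both scoped (@scope/name) and nested packages.
function queriesFromPackageLock(lockJson) {
  const lock = JSON.parse(lockJson);
  const queries = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '' || !entry.version) continue; // "" is the root project itself
    const idx = path.lastIndexOf('node_modules/');
    if (idx === -1) continue; // workspace links, not installed packages
    const name = path.slice(idx + 'node_modules/'.length);
    queries.push({ package: { name, ecosystem: 'npm' }, version: entry.version });
  }
  return queries;
}

// requirements.txt: only exact pins (==) give OSV a version to match; ranges are skipped.
// Names are PEP 503-normalised (lowercase, runs of [-_.] collapsed to "-"); assumed OSV form.
function queriesFromRequirements(text) {
  const queries = [];
  for (const raw of text.split('\n')) {
    const line = raw.replace(/#.*/, '').trim();
    const m = /^([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([^\s;]+)/.exec(line);
    if (!m) continue;
    const name = m[1].toLowerCase().replace(/[-_.]+/g, '-');
    queries.push({ package: { name, ecosystem: 'PyPI' }, version: m[2] });
  }
  return queries;
}

function buildQueries(lockJson, requirementsText) {
  return [...queriesFromPackageLock(lockJson), ...queriesFromRequirements(requirementsText)];
}

function chunk(arr, size) {
  const out = [];
  for (let i = 0; i < arr.length; i += size) out.push(arr.slice(i, i + size));
  return out;
}

// querybatch answers positionally: results[i] belongs to queries[i]. A package with no
// known advisories comes back without a "vulns" list, so default to an empty array.
function joinResults(queries, response) {
  if (!Array.isArray(response.results) || response.results.length !== queries.length) {
    throw new Error('OSV response does not line up with the query batch');
  }
  return queries.map((q, i) => ({
    ecosystem: q.package.ecosystem,
    name: q.package.name,
    version: q.version,
    vulnIds: (response.results[i].vulns || []).map((v) => v.id),
  }));
}

// Network call, split into batches within OSV's limit. fetchImpl is injectable for tests.
async function lookupVulnerabilities(queries, fetchImpl = globalThis.fetch) {
  const joined = [];
  for (const batch of chunk(queries, OSV_BATCH_LIMIT)) {
    const res = await fetchImpl(OSV_BATCH_URL, {
      method: 'POST',
      headers: { 'Content-Type': 'application/json' },
      body: JSON.stringify({ queries: batch }),
    });
    if (!res.ok) throw new Error(`OSV querybatch failed: HTTP ${res.status}`);
    joined.push(...joinResults(batch, await res.json()));
  }
  return joined;
}

// Constructed inputs (package names are placeholders).
const SAMPLE_LOCK = JSON.stringify({
  name: 'app', lockfileVersion: 3,
  packages: {
    '': { name: 'app', version: '0.1.0' },
    'node_modules/example-lib': { version: '1.2.3' },
    'node_modules/example-lib/node_modules/@acme/utils': { version: '0.9.0' },
  },
});
const SAMPLE_REQUIREMENTS = 'Example_Py.Lib==2.0.1  # pinned\nflask>=2.0\n';

// Constructed response in the querybatch shape (batch results carry only id and modified).
const SAMPLE_RESPONSE = {
  results: [
    { vulns: [{ id: 'CONSTRUCTED-0001', modified: '2024-01-01T00:00:00Z' }] },
    {},
    {},
  ],
};

console.log(JSON.stringify({ queries: buildQueries(SAMPLE_LOCK, SAMPLE_REQUIREMENTS) }, null, 2));
```

Two details are easy to get wrong here: the results array is positional, so a batch must be joined against the exact query list that produced it (hence the length check), and the unpinned `flask>=2.0` line yields no query at all, which is why a lockfile-backed scan finds more than a manifest-only one.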