gitsafehub

Is your code on GitHub safe?

Vibe-coded an app? Cloned a stranger's repo? Run it past 5 trusted scanners first.

We’re polishing the scanner pipeline now: Gitleaks, Trivy, OSV-Scanner, Semgrep, and OpenSSF Scorecard running in parallel. You paste a GitHub repo URL; we surface every finding with its severity and the exact tool that caught it. Plain results. No signup, no audit-bills, no AI-generated “summary” we can’t back up.

Drop your e-mail and we’ll ping you the day gitsafehub goes live.

Free · No spam · One-click unsubscribe

Double opt-in — you’ll receive a confirmation link before we add you. One-click unsubscribe from every e-mail. By submitting your e-mail you agree to the BitVibe Labs Terms and Privacy.

When it’s live: type safe into any github.com URL.

how it will work

5 trusted scanners run in parallel
Gitleaks (secrets), Trivy (CVEs in dependencies), OSV-Scanner (open-source vuln DB), Semgrep (OWASP Top Ten static analysis), and OpenSSF Scorecard (project-health checks). Every one is MIT, Apache, or LGPL — no AGPL strings attached.
One-glance verdict, deterministic rules
Every scan distills to Clean ✅, N warnings, or N critical. Findings sorted by severity. No AI summary, no judgement-call rewriting — the rule that converts scanner output → verdict is published in the docs and won’t change between scans.
Per-finding tool credit
Every flag tells you which scanner caught it — e.g. [via Gitleaks · MIT] — with a link to that scanner’s repo and rule documentation. Verify with the source, don’t take our word for it.
No false confidence
A clean scan is not a security audit. Tools miss things, tools flag things that aren’t real. We say so on every report — in the banner, on every finding, and in the footer. If you need a real audit, hire a real auditor.
No signup, no affiliate, no upsell
Paste URL → get report. Public repos only at launch. No enterprise tier, no “upgrade for advanced analysis”, no affiliate links to security SaaS we don’t run. We’re BitVibe Labs — this is one of several free products in the family.
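The "deterministic rules" and "per-finding tool credit" points above describe an aggregation step: findings from several scanners are normalised to one shape, sorted by severity, each tagged with the tool and licence that produced it, and then collapsed into a single verdict. The following is an added illustration of that step, not gitsafehub's own code: the input records are constructed, simplified stand-ins for the tools' real output formats, and the severity-to-verdict mapping is an assumption (the page says the rule is fixed and published, not what it is).

```python
"""Deterministic verdict over findings from several scanners.

Added example, not gitsafehub's code. Input records are constructed,
simplified stand-ins for the tools' real output formats, and the
severity-to-bucket mapping is this example's own assumption.
"""
from dataclasses import dataclass

# Licence table, used only to build the per-finding credit string.
LICENSES = {
    "Gitleaks": "MIT",
    "Trivy": "Apache 2.0",
    "OSV-Scanner": "Apache 2.0",
    "Semgrep": "LGPL 2.1",
    "OpenSSF Scorecard": "Apache 2.0",
}

# Assumed bucket rule: HIGH/CRITICAL count as "critical", MEDIUM/LOW as
# "warnings", INFO is reported but does not change the verdict.
SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1, "INFO": 0}
CRITICAL_BUCKET = {"CRITICAL", "HIGH"}
WARNING_BUCKET = {"MEDIUM", "LOW"}


@dataclass(frozen=True)
class Finding:
    tool: str
    severity: str   # one of SEVERITY_RANK's keys after normalisation
    rule: str
    location: str

    def credit(self) -> str:
        """The '[via Tool · Licence]' tag shown on every finding."""
        return f"[via {self.tool} · {LICENSES[self.tool]}]"


def normalize(tool: str, record: dict) -> Finding:
    """Map one scanner's (constructed, simplified) record onto Finding."""
    if tool == "Gitleaks":
        # Assumption: a committed secret is always treated as critical.
        return Finding(tool, "CRITICAL", record["RuleID"],
                       f'{record["File"]}:{record["StartLine"]}')
    if tool == "Trivy":
        return Finding(tool, record["Severity"].upper(),
                       record["VulnerabilityID"], record["PkgName"])
    if tool == "Semgrep":
        # Semgrep uses ERROR/WARNING/INFO; fold them onto the shared scale.
        sev = {"ERROR": "HIGH", "WARNING": "MEDIUM", "INFO": "INFO"}[record["severity"]]
        return Finding(tool, sev, record["check_id"],
                       f'{record["path"]}:{record["line"]}')
    raise ValueError(f"unknown tool {tool}")


def verdict(findings: list[Finding]) -> str:
    """Collapse a list of findings to 'Clean ✅', 'N warnings' or 'N critical'."""
    crit = sum(f.severity in CRITICAL_BUCKET for f in findings)
    warn = sum(f.severity in WARNING_BUCKET for f in findings)
    if crit:
        return f"{crit} critical"
    if warn:
        return f"{warn} warning{'s' if warn != 1 else ''}"
    return "Clean ✅"


def report(raw: dict[str, list[dict]]) -> tuple[str, list[str]]:
    """Normalise every record, sort by severity (then tool, rule), credit each."""
    findings = [normalize(tool, rec) for tool, recs in raw.items() for rec in recs]
    findings.sort(key=lambda f: (-SEVERITY_RANK[f.severity], f.tool, f.rule))
    lines = [f"{f.severity:<8} {f.rule} at {f.location} {f.credit()}" for f in findings]
    return verdict(findings), lines


# Constructed sample input; shapes are simplified, not the tools' real schemas.
SAMPLE = {
    "Gitleaks": [{"RuleID": "aws-access-token", "File": ".env", "StartLine": 3}],
    "Trivy": [{"VulnerabilityID": "CVE-EXAMPLE-0001", "PkgName": "example-pkg",
               "Severity": "medium"}],
    "Semgrep": [{"check_id": "python.sqli.example", "path": "app.py",
                 "line": 42, "severity": "WARNING"}],
}

if __name__ == "__main__":
    v, lines = report(SAMPLE)
    print(v)
    print("\n".join(lines))
```

Because the ordering key and the bucket thresholds are plain data, two runs over identical scanner output yield byte-identical reports, which is the property the "won't change between scans" promise depends on; the real tools' JSON fields differ from the simplified records here, so a production adapter would need one `normalize` branch per actual schema.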

About these scans

the open-source tools we use

Gitleaks · MIT
Secret detection — AWS keys, API tokens, private keys committed by mistake.
Trivy · Apache 2.0
CVE scanning — vulnerable versions of npm, pip, Go, Cargo and other ecosystem dependencies.
OSV-Scanner · Apache 2.0
OSV.dev cross-ecosystem vulnerability database — lockfile-aware matches.
Semgrep · LGPL 2.1
Static analysis against the OWASP Top Ten ruleset — injection, weak crypto, etc.
OpenSSF Scorecard · Apache 2.0
Project-health checks — signed releases, branch protection, code review.