Open Source · Free Forever

Security scanning before every commit

Guardian is a fast, local pre-commit hook that catches CVEs, leaked secrets, and code vulnerabilities — in milliseconds, before they hit your repo.


$ git commit -m "add payment integration"
Running Guardian pre-commit checks...
Secrets scan — 23 files checked, 0 secrets found
OSV CVE scan — go.mod scanned, 0 vulnerabilities
AI SAST — Claude Haiku analysing diff...
✗ CRITICAL: SQL injection risk in payment.go:47
  Raw user input passed to db.Query() without parameterisation
Commit blocked. Fix the issue above and try again.

Why Guardian

Catch issues at the source

Not after a PR review. Not in CI. Before the commit is even made.

📦 OSV Dependency Scanning

Checks go.mod, package.json, requirements.txt, and Gemfile.lock against the Google OSV database in real time.

🔑 Secret Detection

15+ regex patterns covering AWS keys, GitHub tokens, Stripe secrets, JWTs, connection strings, and more. Blocks the commit instantly.

🧠 AI-Powered SAST

Sends your staged diff to Claude Haiku for code-level analysis — SQL injection, XSS, path traversal, hardcoded creds. Real intelligence, not just patterns.

Millisecond Performance

Written in Go. Runs in the background of your git workflow. No Docker, no JVM, no waiting. Just fast.

🔓 Fully Local

No code leaves your machine except the staged diff to Claude (opt-in). No SaaS platform, no account needed, no monthly fee.

🎛️ Granular Control

Run all checks or skip individual ones. CI-friendly with --no-color. Exit codes compatible with any pipeline.

Up in 30 seconds

# Install Guardian
go install github.com/bobbydeveaux/guardian/app/cmd/guardian@latest

# Set your Anthropic API key (for AI SAST — optional)
export ANTHROPIC_API_KEY=sk-ant-...

# Install as a pre-commit hook in your repo
guardian install

# That's it. Every commit is now scanned automatically.

GitHub Action

Run Guardian on every push and pull request. Two lines in your workflow — that's it.

# .github/workflows/security.yml
name: Security Scan
on: [push, pull_request]

jobs:
  guardian:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - uses: bobbydeveaux/guardian@main

| Input | Default | Description |
| --- | --- | --- |
| anthropic_api_key | "" | Anthropic API key for Claude AI analysis. If omitted, SAST is skipped. |
| scan_osv | true | Enable OSV dependency vulnerability scanning |
| scan_secrets | true | Enable secrets detection |
| scan_sast | true | Enable Claude AI SAST analysis |
| fail_on_findings | true | Fail the workflow if CRITICAL issues or secrets are found |

What it checks

Comprehensive coverage

| Check | What it finds | Data sources | Type |
| --- | --- | --- | --- |
| 📦 OSV CVE Scan | Known vulnerabilities in Go, npm, PyPI, RubyGems dependencies | Google OSV API | Local + API |
| 🔑 Secrets Detection | AWS keys, GitHub tokens, Stripe, Twilio, JWT, connection strings, generic passwords (15+ patterns) | Regex patterns | 100% Local |
| 🧠 AI SAST | SQL injection, XSS, path traversal, command injection, auth bypass, hardcoded secrets in logic | Claude Haiku | Diff sent to API |
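To make the Secret Detection row concrete, here is an added, self-contained Go example (not Guardian's own code): it scans only the added lines of a staged diff against two illustrative regex patterns and reports each hit as file:line, the same shape of result a pre-commit hook needs before blocking the commit. The pattern list, the sample diff, and its credential-looking values are all constructed for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Two illustrative patterns in the spirit of Guardian's 15+ (not its actual list).
var patterns = map[string]*regexp.Regexp{
	"AWS access key ID": regexp.MustCompile(`\bAKIA[0-9A-Z]{16}\b`),
	"Stripe live key":   regexp.MustCompile(`\bsk_live_[0-9a-zA-Z]{24,}\b`),
}

var hunkHeader = regexp.MustCompile(`^@@ -\d+(?:,\d+)? \+(\d+)`) // new-side start line

// ScanDiff checks only added ("+") lines of a unified diff (git diff --cached), reporting "file:line: kind".
func ScanDiff(diff string) []string {
	var findings []string
	file, line := "", 0
	for _, l := range strings.Split(diff, "\n") {
		switch {
		case strings.HasPrefix(l, "+++ b/"):
			file = strings.TrimPrefix(l, "+++ b/")
		case strings.HasPrefix(l, "@@"):
			if m := hunkHeader.FindStringSubmatch(l); m != nil {
				fmt.Sscanf(m[1], "%d", &line)
			}
		case strings.HasPrefix(l, "+"):
			for kind, re := range patterns {
				if re.MatchString(l) {
					findings = append(findings, fmt.Sprintf("%s:%d: %s", file, line, kind))
				}
			}
			line++
		case strings.HasPrefix(l, "-"): // removed lines are not on the new side
		default:
			line++ // unchanged context line
		}
	}
	return findings
}

// Constructed staged diff: AWS's documented example key ID plus a made-up Stripe value.
var sampleDiff = `+++ b/payment.go
@@ -10,3 +10,4 @@ func init() {
 	region := "eu-west-1"
-	key := os.Getenv("AWS_ACCESS_KEY_ID")
+	key := "AKIAIOSFODNN7EXAMPLE"
+	stripe := "sk_live_0123456789abcdef01234567"
`
```

Running ScanDiff(sampleDiff) yields two findings, at payment.go:11 and payment.go:12; a hook would exit non-zero when the slice is non-empty.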

Stop committing security debt

Guardian is free, open-source, and takes 30 seconds to install — locally or in CI.
