RepoGuardian

AI-powered GitHub security copilot that finds leaked secrets, vulnerable dependencies, risky configs, and auth flaws, then delivers prioritized, fix-ready remediation.

Comment

Inspiration

RepoGuardian was inspired by a common problem in student teams, hackathons, startups, and open-source projects: security review is usually the first thing skipped when people are moving fast. Repositories get shipped with leaked tokens, risky configs, weak auth patterns, and vulnerable dependencies not because teams do not care, but because security tooling is often fragmented, noisy, or too heavyweight for small builders.

We wanted to build a tool that makes security review feel as simple as pasting a GitHub URL.

What it does

RepoGuardian is an AI-powered GitHub security copilot for public repositories. A user submits a repository URL, and RepoGuardian scans it for:

  • exposed secrets and hardcoded credentials
  • suspicious .env usage
  • insecure auth and JWT patterns
  • dangerous frontend token storage
  • weak CORS configurations
  • missing security headers
  • outdated or vulnerable dependencies
  • debug and test artifacts in production code
  • suspicious admin surface exposure

It then groups the findings by severity, shows the evidence and surrounding context, generates grounded remediation guidance, and produces the top actions a developer should take first.

How we built it

We built RepoGuardian as a Next.js + TypeScript web app with a clean, security-product-style dashboard and a lightweight deployment path on Vercel.

The scanning pipeline is organized into five clear agents:

  1. Intake Agent maps the repository and selects high-signal files to inspect.
  2. Detection Agent runs rule-based scans for secrets, auth issues, config weaknesses, and dependency risk.
  3. Context Agent pulls surrounding code and configuration context to reduce false positives.
  4. Remediation Agent uses NVIDIA NIM to generate concise, structured, developer-friendly fixes.
  5. Prioritization Agent ranks issues by severity, exploitability, and remediation effort.

We combined deterministic scanning with LLM reasoning very deliberately. The grounded detection layer finds the evidence, and the AI layer explains it without inventing vulnerabilities. We also included a built-in demo repository so judges can test the full experience instantly with minimal setup.

Challenges we ran into

The hardest challenge was trust. Security tools fail quickly if they are noisy or exaggerated, so we spent a lot of time making the scanner more credible: tightening heuristics, adding context-aware review, using advisory-backed dependency checks, and preventing the AI layer from rewriting grounded severity or evidence.

Another challenge was balancing depth with demo clarity. We wanted the project to feel like a serious industry-grade tool, not a toy dashboard, while still making the value obvious within seconds during a live judging demo.

What we learned

We learned that good security UX is not about showing more alerts, but about helping developers take the right action first. We also learned how to structure an AI-assisted security workflow so the LLM adds real value through explanation and prioritization, while deterministic checks remain the source of truth.

Most importantly, we learned that practical security tooling for builders has to be fast, understandable, and usable under real deadlines. RepoGuardian was built around that principle.

Built With

Share this project:

Updates