Inspiration

We've all been there: you're shipping code fast, and suddenly you realize you've committed an API key to a public repo. Or you're debugging auth issues at 2 AM trying to figure out why a JWT is acting weird. Security tools exist, but they're either too slow, too complex, or just give you a wall of alerts without telling you what actually matters.

We wanted to build something different: a tool that actually helps developers ship secure code without slowing them down or making them security experts overnight.

What it does

SafeDev is a developer-first security platform with three core tools:

🔍 GitHub Scanner scans your repos for hardcoded secrets, API keys, and risky patterns. Results stream in real-time so you're not waiting around. It tells you exactly where the issue is and how to fix it.

🔑 JWT Inspector is a browser extension that decodes JWTs, flags security issues (weak algorithms, missing expiry, sketchy claims), and gives you actionable recommendations. No more copy-pasting tokens into random websites.

🛡️ Security Advisor is powered by GPT-4o and analyzes your codebase to give you a security score (0-100) plus a prioritized list of what to fix first. Think of it as your security copilot.

How we built it

  • Frontend: Next.js 15 with TypeScript, Tailwind CSS for styling, and Framer Motion for smooth animations
  • Auth: NextAuth.js with GitHub OAuth so you can scan private repos
  • AI: OpenAI GPT-4o for the Security Advisor. It reads your code (which means the repo contents are sent to OpenAI's API) and generates practical security recommendations
  • Scanner Logic: Custom pattern matching for secrets (API keys, tokens, credentials) plus GitHub API integration for repo access
  • Extension: Vanilla JavaScript Chrome extension that scans cookies/localStorage for JWTs and analyzes them client-side

We deployed the whole thing on Vercel and made it work seamlessly with GitHub's API to pull repo contents and stream scan results.

Challenges we ran into

Real-time streaming was trickier than expected. We wanted scan results to appear as files were analyzed (not wait until everything finished), so we implemented SSE-style streaming from the API route to the frontend.

GitHub API rate limits hit us hard during testing. We had to optimize how we fetch files and add smart filtering to skip binaries, node_modules, and other non-essential stuff before spending an API call on them.
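The scanner logic described under "How we built it" and the path filtering mentioned here fit together like this. This is an added JavaScript example, not SafeDev's own scanner: the rules, the entropy threshold, the skip lists and the sample repository contents are assumptions made for illustration. The AWS value is Amazon's published example key ID and the GitHub token is a made-up string of the right shape; neither is a live credential.

```javascript
// Added example, not SafeDev's own code. Pattern-based secret detection plus
// the path filtering used to avoid spending API calls on files that cannot
// contain secrets. Rules, thresholds and sample inputs are assumptions.

const SKIP_DIRS = ['node_modules/', '.git/', 'dist/', 'build/', 'vendor/'];
const SKIP_EXTENSIONS = ['.png', '.jpg', '.gif', '.ico', '.pdf', '.zip',
  '.woff', '.woff2', '.lock', '.min.js', '.map'];

// Decide before fetching: every skipped file is a GitHub API call saved.
function shouldScanPath(path) {
  const p = path.toLowerCase();
  if (SKIP_DIRS.some(d => p.startsWith(d) || p.includes('/' + d))) return false;
  return !SKIP_EXTENSIONS.some(ext => p.endsWith(ext));
}

// Cheap binary sniff for files that slipped past the extension filter.
function looksBinary(content) {
  return content.includes('\u0000');
}

// Shannon entropy in bits per character; placeholders like "xxxx..." score 0.
function shannonEntropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) {
    const p = n / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Structured-prefix rules need no entropy gate; the generic assignment rule
// does, or it would flag every placeholder like password = "xxxxxxxxxxxxxxxx".
const RULES = [
  { id: 'aws-access-key-id', severity: 'high', minEntropy: 0,
    regex: /\bAKIA[0-9A-Z]{16}\b/g },
  { id: 'github-token', severity: 'high', minEntropy: 0,
    regex: /\bgh[pousr]_[A-Za-z0-9]{36}\b/g },
  { id: 'private-key', severity: 'high', minEntropy: 0,
    regex: /-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----/g },
  { id: 'generic-secret-assignment', severity: 'medium', minEntropy: 3.5, group: 1,
    regex: /(?:api[_-]?key|secret|token|password|passwd)\w*\s*[:=]\s*['"]([A-Za-z0-9_\-\/+=]{16,})['"]/gi },
];

// Never echo the full secret back into a report or log.
function redact(s) {
  return s.length <= 8 ? '****' : `${s.slice(0, 4)}...${s.slice(-2)}`;
}

function scanContent(path, content) {
  const findings = [];
  if (!shouldScanPath(path) || looksBinary(content)) return findings;
  content.split('\n').forEach((line, i) => {
    for (const rule of RULES) {
      rule.regex.lastIndex = 0;
      let m;
      while ((m = rule.regex.exec(line)) !== null) {
        const secret = rule.group ? m[rule.group] : m[0];
        if (shannonEntropy(secret) < rule.minEntropy) continue;
        findings.push({ path, line: i + 1, rule: rule.id,
          severity: rule.severity, preview: redact(secret) });
      }
    }
  });
  return findings;
}

const SEVERITY_RANK = { high: 0, medium: 1, low: 2 };

// files: { path: content }. Returns findings with the highest severity first.
function scanRepo(files) {
  return Object.entries(files)
    .flatMap(([path, content]) => scanContent(path, content))
    .sort((a, b) => SEVERITY_RANK[a.severity] - SEVERITY_RANK[b.severity]);
}

// Constructed sample repository. The AWS value is Amazon's published example
// key ID; the GitHub token is a made-up string of the right shape.
const SAMPLE_REPO = {
  'src/config.js': 'const apiKey = process.env.API_KEY;\nconst AWS_KEY = "AKIAIOSFODNN7EXAMPLE";\n',
  'scripts/deploy.sh': '#!/bin/sh\nexport GH_TOKEN=ghp_0123456789abcdefghijklmnopqrstuvwxyz\n',
  'settings.py': 'SECRET_KEY = "x9Qz2LmP7vRt4KsW1bNf8HjC3dYe6GuA"\nAPI_TOKEN = "xxxxxxxxxxxxxxxxxxxxxxxx"\n',
  'keys/id_rsa': '-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAA\n-----END OPENSSH PRIVATE KEY-----\n',
  'node_modules/foo/index.js': 'const token = "AKIAIOSFODNN7EXAMPLE";\n',
  'assets/logo.png': '\u0089PNG\r\n\u001a\n\u0000\u0000\u0000',
};

if (typeof require !== 'undefined' && require.main === module) {
  for (const f of scanRepo(SAMPLE_REPO)) {
    console.log(`[${f.severity}] ${f.path}:${f.line} ${f.rule} ${f.preview}`);
  }
}
```

Run against the sample repo it reports four findings (the AWS key, the GitHub token, the private key and the high-entropy SECRET_KEY), skips the copy of the key under node_modules without ever reading it, ignores the PNG, and lets the all-x placeholder through because its entropy is zero. The redacted preview is what should reach the UI and any logs; the full match never should.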

JWT validation logic got complex fast. Tokens can be weird: different algorithms, optional claims, clock skew issues. We had to balance being strict enough to catch real issues without flagging every token as "high risk."
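The checks the JWT Inspector performs, and the skew tolerance this paragraph is about, as an added JavaScript example (not the extension's own code). One caveat worth stating plainly: a browser extension has no signing key, so this decodes and inspects, it never verifies the signature; that is why algorithm and claim hygiene are what it reports. The thresholds, claim list and sample tokens are assumptions, and the sample signatures are placeholders.

```javascript
// Added example, not the SafeDev extension's own code. Decodes a JWT and
// flags the problems a developer most often needs to see. It does NOT verify
// the signature: the extension has no key, so this is inspection, not
// validation. Thresholds and sample tokens below are assumptions.

const CLOCK_SKEW_SECONDS = 60;             // tolerance for exp/nbf/iat checks
const MAX_LIFETIME_SECONDS = 24 * 60 * 60; // anything longer is worth a flag
const SENSITIVE_CLAIMS = ['password', 'passwd', 'secret', 'ssn', 'credit_card'];

function b64urlDecode(s) {
  return Buffer.from(s, 'base64url').toString('utf8');
}

function b64urlEncode(obj) {
  return Buffer.from(JSON.stringify(obj)).toString('base64url');
}

const RANK = { info: 0, low: 1, medium: 2, high: 3 };
const LEVEL = ['none', 'low', 'medium', 'high'];
const isObject = v => typeof v === 'object' && v !== null;

// Returns { valid, header, payload, findings, risk }. `now` is injectable so
// results are deterministic in tests.
function inspectJwt(token, now = Math.floor(Date.now() / 1000)) {
  const parts = token.split('.');
  if (parts.length !== 3) {
    return { valid: false, risk: 'none', findings: [
      { severity: 'info', message: 'Not a JWS compact token (expected header.payload.signature)' }] };
  }
  let header, payload;
  try {
    header = JSON.parse(b64urlDecode(parts[0]));
    payload = JSON.parse(b64urlDecode(parts[1]));
  } catch (e) {
    header = null;
  }
  if (!isObject(header) || !isObject(payload)) {
    return { valid: false, risk: 'none', findings: [
      { severity: 'info', message: 'Header or payload is not a base64url-encoded JSON object' }] };
  }
  const findings = [];
  const add = (severity, message) => findings.push({ severity, message });

  // Algorithm hygiene. Compare case-insensitively: "None"/"NONE" is the classic bypass.
  const alg = String(header.alg ?? '');
  if (alg === '' || alg.toLowerCase() === 'none') {
    add('high', 'alg is "none": the token is unsigned and can be forged by anyone');
  } else if (/^HS/i.test(alg)) {
    add('info', `alg ${alg} is symmetric: every service that verifies also holds the signing secret`);
  }
  if (parts[2] === '') add('high', 'Empty signature segment');

  // Expiry, with skew tolerance so a token a few seconds past exp is not "high risk".
  if (payload.exp === undefined) {
    add('medium', 'No exp claim: the token never expires');
  } else if (typeof payload.exp !== 'number') {
    add('medium', 'exp is not a numeric date');
  } else {
    if (payload.exp + CLOCK_SKEW_SECONDS < now) add('medium', 'Token is expired');
    const issued = typeof payload.iat === 'number' ? payload.iat : now;
    if (payload.exp - issued > MAX_LIFETIME_SECONDS) {
      add('low', `Lifetime exceeds ${MAX_LIFETIME_SECONDS / 3600}h`);
    }
  }
  if (typeof payload.nbf === 'number' && payload.nbf - CLOCK_SKEW_SECONDS > now) {
    add('low', 'nbf is in the future: the token is not yet valid');
  }
  if (typeof payload.iat === 'number' && payload.iat - CLOCK_SKEW_SECONDS > now) {
    add('low', 'iat is in the future: clock skew or a forged token');
  }

  // Payloads are only base64url, not encrypted; anything sensitive in them is exposed.
  for (const claim of SENSITIVE_CLAIMS) {
    if (claim in payload) add('medium', `Claim "${claim}" puts sensitive data in a readable payload`);
  }

  const worst = findings.reduce((m, f) => Math.max(m, RANK[f.severity]), 0);
  return { valid: true, header, payload, findings, risk: LEVEL[worst] };
}

// Constructed sample tokens. Signature segments are placeholders, which is
// fine here because the inspector never verifies them.
function makeToken(header, payload, sig = 'c2ln') {
  return `${b64urlEncode(header)}.${b64urlEncode(payload)}.${sig}`;
}
const NOW = 1700000000;
const SAMPLE_UNSIGNED = makeToken({ alg: 'none', typ: 'JWT' }, { sub: 'alice', role: 'admin' }, '');
const SAMPLE_EXPIRED = makeToken({ alg: 'HS256', typ: 'JWT' }, { sub: 'bob', iat: NOW - 7200, exp: NOW - 3600 });
const SAMPLE_OK = makeToken({ alg: 'RS256', typ: 'JWT', kid: 'k1' }, { sub: 'carol', iat: NOW, exp: NOW + 900 });

if (typeof require !== 'undefined' && require.main === module) {
  for (const t of [SAMPLE_UNSIGNED, SAMPLE_EXPIRED, SAMPLE_OK]) {
    const r = inspectJwt(t, NOW);
    console.log(r.risk, r.findings.map(f => f.message));
  }
}
```

The risk level is the worst single finding, not a sum, so an HS256 token with a sane expiry comes out as "none" with one informational note rather than being pushed up by a pile of minor items. The skew window is what keeps a token that expired thirty seconds ago from being reported as a real problem while a token that expired an hour ago still is.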

AI prompt engineering for the Security Advisor took iterations. We didn't want generic security advice. We wanted GPT-4o to give specific, actionable fixes tailored to the actual code it was seeing.

Accomplishments that we're proud of

✅ Built a full-stack security platform in ~24 hours that actually works
✅ Real-time streaming scan results: you see issues as they're found
✅ AI analysis that's genuinely useful (not just buzzwords)
✅ A Chrome extension that makes JWT debugging way easier
✅ Clean, polished UI that doesn't look like every other hackathon project
✅ Private repo support so it's actually usable in real workflows

The fact that you can connect your GitHub, scan a repo, and get a prioritized security report in under 30 seconds feels pretty good.

What we learned

Security UX matters. Most security tools overwhelm you with alerts. We learned that ranking issues by impact and giving clear next steps makes a huge difference in whether people actually fix things.

AI is only as good as your prompts. Getting GPT-4o to produce practical security advice (not generic blog post content) took way more iteration than we expected.

Streaming makes everything feel faster. Even if the total scan time is the same, showing results as they come in makes the tool feel way more responsive.

GitHub OAuth + API is powerful. Being able to access private repos and analyze code server-side unlocks a ton of functionality that wouldn't be possible otherwise.

What's next for SafeDev

🚀 Pre-commit hooks so you catch secrets before they even get committed
🚀 CI/CD integration to run scans automatically on every PR
🚀 More secret patterns (cloud provider keys, database credentials, private keys)
🚀 Slack/Discord notifications when risky patterns are detected
🚀 Team dashboards to track security improvements over time
🚀 VS Code extension so you get warnings right in your editor

We built SafeDev because security shouldn't get in the way of shipping. If this resonates with you, give it a try. Your future self (and your security team) will thank you.


Try it: safe-dev-rrw4.vercel.app
GitHub: github.com/dipenvir/SafeDev

Built With

  • nextjs