GITHUB REPOSITORY SECURITY
Find Leaked Secrets, CVEs, and Exposed Config Before They Leave Your Repo
UNPWNED connects to GitHub via read-only OAuth and runs scheduled scans against your selected repositories. Findings auto-create GitHub Issues with copy-paste fix prompts for Cursor, Claude, and Copilot.
What it Catches
34+ secret patterns
AWS keys, GCP service accounts, Stripe keys, Slack webhooks, OpenAI/Anthropic API keys, Supabase service-role keys, Firebase config blocks, GitHub PATs, JWTs, generic API key shapes, and more.
Vulnerable dependencies
Cross-references your package.json / requirements.txt / Gemfile / go.mod against OSV.dev, GitHub Advisory Database, and NVD. CVE severity ratings included.
Exposed config files
Detects committed .env, .env.local, .env.production, credentials.json, firebase.json with secrets, .git/config dumps, id_rsa private keys, wp-config.php, database.yml, Terraform state.
Source map exposure
Source maps in production reveal your full unminified source. The scanner flags accidentally published source maps and identifies which secrets they expose.
Suspicious package usage
Flags abandoned packages, packages with known supply-chain issues, and unusual dependency patterns that often indicate AI-generated code with hallucinated imports.
Workflow file gaps
Detects missing GitHub Actions hardening: unpinned action versions, unrestricted token permissions, and missing branch protection enforcement.
How it Works
Connect via OAuth (read-only)
One click. UNPWNED requests read-only access. You pick which repos to grant access to - public or private. Revoke anytime from your GitHub settings.
Scheduled scans run automatically
Pro plans include continuous monitoring. Repos are re-scanned on a schedule, and we re-check every time you push to a monitored branch.
Issues created in your repo
Findings can auto-create GitHub Issues with severity, location, and a copy-paste fix prompt for Cursor / Claude / Copilot. No context-switching.
Email + webhook alerts
Get notified when a new critical finding lands. Webhooks let you wire alerts into Slack, Discord, or your own incident system.
Common Questions
Does UNPWNED scan private GitHub repositories?
Yes. UNPWNED uses GitHub OAuth with read-only scopes you grant explicitly per repository. Private repos are scanned the same way as public ones, with the same secret patterns and CVE checks. Tokens are encrypted at rest and you can revoke access at any time from your GitHub account settings.
How is this different from GitHub's built-in secret scanning?
GitHub's built-in scanner only flags partner-pattern secrets (mostly verified token formats from major providers). UNPWNED detects 34+ patterns including framework-specific keys (Supabase service-role, Firebase config blocks, OpenAI/Anthropic), generic high-entropy strings, and exposed config files like .env. UNPWNED also adds CVE scanning for dependencies and exposed config-file detection - features GitHub does not bundle together. For paid plans, UNPWNED auto-creates GitHub Issues with AI fix prompts that paste directly into Cursor or Copilot.
Does UNPWNED execute or modify my code?
No. UNPWNED uses the GitHub Contents API to read file contents and metadata. Nothing is cloned to disk, nothing is executed, no commits or pushes are made on your behalf. The only write operation UNPWNED ever performs is creating GitHub Issues, and only if you enable that feature.
How often are repos scanned?
Scans run automatically on a schedule depending on your plan. Pro 5: weekly. Pro 20 and Pro 100: daily. All Pro plans also re-scan when GitHub notifies us of a push to a monitored branch (via webhook).
Can I scan my GitHub repo without signing up?
For one-off scans, yes - install the UNPWNED CLI (npm install -g unpwned) and run it locally against any repository you have access to. Continuous monitoring with auto-issue creation requires a Pro plan.
Will UNPWNED detect secrets in commit history?
Yes. UNPWNED scans the latest version of files plus a configurable history window. If a secret was once committed and then "removed" without rotating it, UNPWNED flags it as still exposed (because it is - the secret lives forever in git history).
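To make the two points above concrete (the pattern-plus-entropy matching listed under "What it Catches" and the history-window check in this answer), here is an added example that is not UNPWNED's own code: a small Python scanner that reports every hit redacted, marks whether a secret is still in HEAD, and treats a secret deleted without rotation as still exposed. The regexes are an assumed subset of public token shapes and the two-commit history is constructed for the example.

```python
import math
import re

# Constructed subset of public token shapes (assumed; the page lists no regexes).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "slack_webhook": re.compile(r"hooks\.slack\.com/services/T\w+/B\w+/\w+"),
}
# Credential-looking key plus a long value; an entropy gate separates secrets from placeholders.
GENERIC = re.compile(r"(?i)(api[_-]?key|secret|token|password)\s*[=:]\s*['\"]?([A-Za-z0-9_\-+/=]{16,})")

def shannon_entropy(s):
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

def redact(value):
    # Never echo the full secret back into an Issue or a log line.
    return value[:4] + "..." + value[-4:]

def scan_text(text, path, min_entropy=3.5):
    """Return (path, line_no, rule, redacted_value) for every hit in one file version."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for rule, rx in PATTERNS.items():
            hits += [(path, line_no, rule, redact(m.group(0))) for m in rx.finditer(line)]
        for m in GENERIC.finditer(line):
            if shannon_entropy(m.group(2)) >= min_entropy:
                hits.append((path, line_no, "generic_high_entropy", redact(m.group(2))))
    return hits

def scan_history(commits):
    """commits: oldest-to-newest (sha, {path: content}) pairs in the history window.
    Reports each (rule, value) with its first commit and whether HEAD still has it."""
    report = {}
    for sha, files in commits:
        for path, text in files.items():
            for _, _, rule, value in scan_text(text, path):
                report.setdefault((rule, value), {"first_seen": sha, "in_head": False})
    for path, text in commits[-1][1].items():
        for _, _, rule, value in scan_text(text, path):
            report[(rule, value)]["in_head"] = True
    return report

# Constructed two-commit history: an AWS key lands in .env, then is deleted in the next
# commit without rotation (the AWS value is Amazon's documentation example key).
SAMPLE_COMMITS = [
    ("a1", {".env": "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\nDB_PASSWORD=changeme\n"}),
    ("b2", {".env": "DB_PASSWORD=changeme\nAPI_TOKEN=xK9v2Qp7LmN4rT8wYz3BcD6f\n",
            "notify.py": 'SLACK = "https://hooks.slack.com/services/T000/B000/xyz"\n'}),
]
```

Running `scan_history(SAMPLE_COMMITS)` reports the AWS key as first seen in `a1` and absent from HEAD, which is exactly the "removed but not rotated" case this answer describes, while the short placeholder `changeme` is never reported.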
Connect Your First Repo
Read-only OAuth. Pick the repos. Get findings as GitHub Issues. Cancel anytime.