security-auditor logo

security-auditor

by Adnan HossainUpdated May 4, 2026

Scan your codebase for secrets, PII, hardcoded passwords, dependency vulnerabilities, and compliance violations (SOC2, HIPAA, GDPR, ISO27001) — directly from your AI workflow. Get SARIF-format reports with risk scores and grades.

security-audit
vulnerability-scan
compliance
|

Overview

security-auditor brings automated security scanning into any AI workflow via the Model Context Protocol. Point it at a local codebase and get structured findings across secrets, PII, risky dependencies, and compliance frameworks — without leaving your AI assistant or CI pipeline.

What it scans

Secrets & credentials Detects 30+ secret types, including AWS keys (AKIA...), GCP service accounts, Azure connection strings, GitHub tokens (ghp_...), Slack bot tokens, Stripe live/test keys, OpenAI (sk-...), Anthropic (sk-ant-...), HuggingFace, Cohere, JWT tokens, Bearer headers, private key blocks, and database connection URLs (MongoDB, PostgreSQL, MySQL, Redis). Each finding includes the file path, line number, and confidence score, and severity.

PII detection Finds email addresses, credit card numbers, and phone numbers embedded in source files, configs, and data files.

Dependency risk Scans package.json, composer.json, and other manifests for unpinned versions, missing lockfiles, and packages with known CVEs or documented malicious release history.

Compliance audit Checks your codebase against four frameworks simultaneously:

FrameworkControls checked
SOC2CC6.1, CC6.3, CC7.2, CC8.1, CC9.2, A1.2
HIPAA164.312(a), 164.312(b), 164.312(c), 164.312(e)
GDPRArt.25, Art.32, Art.33, Art.17
ISO27001A.9.4.3, A.12.4.1, A.14.2.5, A.18.1.3

Each control reports pass/fail with detail. Output is SARIF 2.1.0, compatible with GitHub Code Scanning.

Output

Every scan returns:

  • 0–100 risk score and letter grade (A–F)
  • Per-finding breakdown with file, line, and confidence score
  • SARIF 2.1.0 format for CI/CD integration

Use cases

  • Pre-commit checks — catch secrets and PII before they reach your repo
  • Pull request gates — block merges when critical issues are found
  • AI-assisted review — let your AI invoke scans mid-conversation and suggest fixes
  • Third-party auditing — clone any repo and immediately understand its security posture

Who this is for

  • Developers who want security feedback without switching tools
  • DevSecOps engineers embedding compliance checks in pipelines
  • Security analysts auditing open source or third-party code
  • Teams subject to SOC2, HIPAA, GDPR, or ISO27001 requirements