v1.1.0 — Now on GitHub Marketplace

AI-Powered Security Auditor for Every PR

A GitHub Action that finds SQL injection, hardcoded secrets, and vulnerable dependencies — with strict CI fail mode and optional safe auto-fixes powered by DeepSeek AI.

3 threat types detected · 4 workflow modes · 0 config to get started
security-auditor — scan results

$ secauditor scan --repo . --output report.json
Loading configuration...
Scanning Python files... (14 files)
Scanning JavaScript files... (8 files)
Checking dependencies... (31 packages)
[CRITICAL] SQL injection in db/queries.py:47
[CRITICAL] Hardcoded secret in config.js:12
[HIGH] Vulnerable dep: requests==2.6.0
[HIGH] Vulnerable dep: lodash@4.17.4
✓ Report written: report.json
✗ 4 findings (2 critical, 2 high)
→ AI generating fixes...
✓ 3 safe patches applied
✓ PR created: security/automated-fixes

Three critical threat categories covered

Security Auditor targets the most common and dangerous vulnerabilities found in Python and JavaScript codebases.

💉 SQL Injection

Detects unsafe string formatting in database queries, both raw SQL and ORM misuse, across Python and JavaScript code.

OWASP A03 · Critical

🔑 Hardcoded Secrets

Scans for passwords, API keys, tokens, and credentials committed directly in source files using pattern matching.

OWASP A02 · High

📦 Vulnerable Dependencies

Checks requirements.txt and package.json against known CVEs and reports risky package versions.

OWASP A06 · High
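To make the three rule sets concrete, here is a small scanner added for this page. It is example code written for the article, not Security Auditor's own implementation, and it does not reproduce the project's rules, config or report format: the function names, the report/summary layout, the in-memory sample repository and the two-entry advisory table are all constructed for the example (the fixed versions and CVE ids in that table are taken from the public advisories for the two package versions shown in the scan output above). The driver also mirrors the page's fail-on-findings semantics: exit code 1 only when high or critical findings exist.

```python
# Added example, not Security Auditor's code: three rule sets over an in-memory repo.
import ast
import json
import re
from typing import Dict, List

# ---- Rule 1: SQL injection (Python files) ---------------------------------
# Flag a query built with an f-string, %-format, .format() or + concatenation
# that is passed straight to a DB-API / ORM sink. Parameters must travel separately.
SQL_SINKS = {"execute", "executemany", "raw", "text"}

def _built_by_formatting(node: ast.AST) -> bool:
    if isinstance(node, ast.JoinedStr):                        # f"...{x}..."
        return any(isinstance(v, ast.FormattedValue) for v in node.values)
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Mod, ast.Add)):
        return not all(isinstance(s, ast.Constant) for s in (node.left, node.right))
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
        return node.func.attr == "format"                      # "...".format(x)
    return False

def scan_sqli(path: str, src: str) -> List[dict]:
    findings = []
    for node in ast.walk(ast.parse(src)):
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr in SQL_SINKS and node.args
                and _built_by_formatting(node.args[0])):
            findings.append({"rule": "sql-injection", "severity": "critical",
                             "file": path, "line": node.lineno})
    return findings

# ---- Rule 2: hardcoded secrets (pattern matching on any text file) --------
SECRET_PATTERNS = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "credential-literal": re.compile(   # password = "..." style literals, 8+ chars
        r"(?i)\b(password|passwd|secret|api[_-]?key|token)\b\s*[:=]\s*['\"][^'\"]{8,}['\"]"),
}

def scan_secrets(path: str, src: str) -> List[dict]:
    findings = []
    for lineno, line in enumerate(src.splitlines(), 1):
        for name, pat in SECRET_PATTERNS.items():
            if pat.search(line):
                findings.append({"rule": "hardcoded-secret", "severity": "high",
                                 "file": path, "line": lineno, "detail": name})
                break                                          # one finding per line
    return findings

# ---- Rule 3: vulnerable pinned dependencies -------------------------------
# Advisory table constructed for this example: (ecosystem, package) ->
# (first fixed version, advisory id). A real scanner queries a vulnerability DB.
ADVISORIES = {
    ("pypi", "requests"): ("2.20.0", "CVE-2018-18074"),
    ("npm", "lodash"): ("4.17.21", "CVE-2021-23337"),
}

def _ver(s: str) -> tuple:
    return tuple(int(p) for p in re.findall(r"\d+", s)[:3]) or (0,)

def scan_deps(path: str, src: str) -> List[dict]:
    pins = []                                                  # (ecosystem, name, version)
    if path.endswith("requirements.txt"):
        for line in src.splitlines():
            m = re.match(r"\s*([A-Za-z0-9_.-]+)\s*==\s*([0-9][0-9.]*)", line)
            if m:
                pins.append(("pypi", m.group(1).lower(), m.group(2)))
    elif path.endswith("package.json"):
        for name, spec in json.loads(src).get("dependencies", {}).items():
            pins.append(("npm", name, spec.lstrip("^~=v")))    # checks the range floor only
    findings = []
    for eco, name, ver in pins:
        adv = ADVISORIES.get((eco, name))
        if adv and _ver(ver) < _ver(adv[0]):
            findings.append({"rule": "vulnerable-dependency", "severity": "high",
                             "file": path, "detail": f"{name} {ver} < {adv[0]} ({adv[1]})"})
    return findings

# ---- Driver: report shape (assumed) and fail-on-findings semantics --------
def scan_repo(files: Dict[str, str]) -> dict:
    findings: List[dict] = []
    for path, src in files.items():
        if path.endswith(".py"):
            findings += scan_sqli(path, src)
        if path.endswith(("requirements.txt", "package.json")):
            findings += scan_deps(path, src)
        else:
            findings += scan_secrets(path, src)
    summary = {"total": len(findings)}
    for f in findings:
        summary[f["severity"]] = summary.get(f["severity"], 0) + 1
    return {"summary": summary, "findings": findings}

def exit_code(report: dict, fail_on_findings: bool) -> int:
    s = report["summary"]                                      # 1 only for high/critical
    return 1 if fail_on_findings and (s.get("critical", 0) + s.get("high", 0)) else 0

# Constructed sample repository, not real project files.
SAMPLE_REPO = {
    "db/queries.py": '''def get_user(cur, name):
    cur.execute(f"SELECT * FROM users WHERE name = '{name}'")      # vulnerable
    cur.execute("SELECT * FROM users WHERE name = %s", (name,))    # parameterized
''',
    "config.js": "const API_KEY = 'AKIAIOSFODNN7EXAMPLE';\nconst password = \"hunter2-hunter2\";\n",
    "requirements.txt": "requests==2.6.0\nflask==3.0.0\n",
    "package.json": '{"dependencies": {"lodash": "^4.17.4", "express": "^4.19.2"}}',
}
```

Two design points worth noting: the SQL rule works on the AST rather than on text, so a parameterized execute(sql, params) is not flagged while an f-string, %-format, .format() or concatenated query is; and the dependency rule only checks the floor of a semver range, which is the most a manifest can tell you without a lockfile.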

Three-phase automated pipeline

From a single Action step, Security Auditor scans, fixes, and submits a pull request. The only manual step is reviewing and merging that PR.

🔍 SCAN (Phase 1)
  • Analyze Python source files
  • Analyze JavaScript source files
  • Check dependency manifests
  • Apply 3 security rule sets
  • Write findings to report.json

🤖 AI FIX (Phase 2, optional)
  • DeepSeek generates patch diffs
  • Patch validator checks safety
  • Risk score calculated per patch
  • Safe patches auto-applied
  • Risky patches blocked

📝 PR (Phase 3, optional)
  • Create dedicated fix branch
  • Commit applied patches
  • Push branch to origin
  • Open PR for review
  • Add fix summary to PR body

REVIEWED (developer action)
  • Review auto-generated PR
  • Verify that each AI-suggested fix removes the finding without changing behaviour
  • Merge to close vulnerabilities
  • Re-scan on next push
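What the Phase 2 patch validator can actually check is easiest to see in code, so here is an added example written for this page. It is not the project's validator, and the rule names, weights, the 50-point threshold, the protected-path list and both sample diffs are assumptions made for the example. The idea it demonstrates is the one in the list above: an AI-generated diff is parsed, each file it touches is scored, and anything at or above the threshold is blocked for a human rather than applied.

```python
# Added example, not Security Auditor's validator: gate an AI-generated
# unified diff on a risk score before it is applied. Weights, the threshold,
# the protected-path list and both sample patches are assumptions.
import re
from typing import Dict, List, Set, Tuple

RISK_THRESHOLD = 50            # score at or above this blocks the patch
MAX_CHANGED_LINES = 30         # a "fix" should be small and local

# Patterns checked on ADDED lines only: a patch may delete dangerous code
# freely, but introducing any of these needs a human.
RISKY_ADDITIONS = [
    ("shell-or-eval",   re.compile(r"\b(os\.system|subprocess|child_process|eval\(|exec\()"), 60),
    ("network-call",    re.compile(r"\b(requests\.|urllib|fetch\(|https?://)"), 40),
    ("new-credential",  re.compile(r"(?i)(password|secret|api[_-]?key)\s*=\s*['\"]"), 60),
    ("swallowed-error", re.compile(r"except\s*(Exception)?\s*:\s*$"), 20),
]
# Files an auto-fix must never touch: CI config runs with repository secrets,
# and dependency manifests decide what gets installed.
PROTECTED_PATHS = re.compile(
    r"^(\.github/|.*requirements.*\.txt$|package(-lock)?\.json$|setup\.py$|pyproject\.toml$)")

def parse_unified_diff(diff: str) -> Dict[str, Tuple[List[str], List[str]]]:
    """Return {path: (added_lines, removed_lines)} for each file in a unified diff."""
    files: Dict[str, Tuple[List[str], List[str]]] = {}
    current = None
    for line in diff.splitlines():
        if line.startswith("+++ "):
            current = re.sub(r"^\+\+\+ (b/)?", "", line).strip()
            files[current] = ([], [])
        elif line.startswith(("--- ", "@@")) or current is None:
            continue
        elif line.startswith("+"):
            files[current][0].append(line[1:])
        elif line.startswith("-"):
            files[current][1].append(line[1:])
    return files

def assess_patch(diff: str, finding_files: Set[str]) -> dict:
    """Score one patch; 'safe' is False when it should be blocked for review."""
    score, reasons = 0, []
    for path, (added, removed) in parse_unified_diff(diff).items():
        if path not in finding_files:                          # fix must stay where the bug is
            score += 50
            reasons.append(f"{path}: no finding in this file")
        if PROTECTED_PATHS.search(path):
            score += 100
            reasons.append(f"{path}: protected path")
        if len(added) + len(removed) > MAX_CHANGED_LINES:
            score += 30
            reasons.append(f"{path}: {len(added) + len(removed)} changed lines")
        for text in added:
            for name, pat, weight in RISKY_ADDITIONS:
                if pat.search(text):
                    score += weight
                    reasons.append(f"{path}: adds {name}: {text.strip()}")
    return {"score": score, "reasons": reasons, "safe": score < RISK_THRESHOLD}

# Constructed sample patches. The first parameterizes the query from a
# SQL-injection finding; the second "fixes" a secret with eval() and edits CI config.
SAFE_PATCH = """\
--- a/db/queries.py
+++ b/db/queries.py
@@ -1,3 +1,3 @@
 def get_user(cur, name):
-    cur.execute(f"SELECT * FROM users WHERE name = '{name}'")
+    cur.execute("SELECT * FROM users WHERE name = %s", (name,))
     return cur.fetchone()
"""
RISKY_PATCH = """\
--- a/config.js
+++ b/config.js
@@ -1 +1 @@
-const API_KEY = 'AKIAIOSFODNN7EXAMPLE';
+const API_KEY = eval(process.env.KEY_EXPR);
--- a/.github/workflows/security.yml
+++ b/.github/workflows/security.yml
@@ -6,2 +6,3 @@
       - uses: actions/checkout@v4
+      - run: env
       - uses: taoufikmohamed/securityauditor@v1.1.0
"""
```

The protected-path rule is the one most worth keeping in any real gate: a patch that edits .github/workflows runs with the repository's secrets on the next push, so it should never be auto-applied, however plausible the rest of the diff looks.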


Component Architecture
[Diagram: CLI, scanners, AI fix generator, and PR manager modules]

Execution Sequence
[Diagram: runtime flow from user input through the scan, fix, and PR creation phases]


Four ready-to-use workflow modes

Copy a mode that matches your team's security maturity — from visibility-only to full auto-remediation.

Basic Scan

Report findings without blocking CI. Perfect for teams rolling out security scanning for the first time — zero disruption, full visibility.

  • Runs on every push and pull request
  • Generates report.json artifact
  • Never fails the build
  • No secrets required
.github/workflows/security.yml
name: Security Scan
on: [push, pull_request]

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: taoufikmohamed/securityauditor@v1.1.0
        with:
          repo-path: '.'
          mode: 'scan'
          output-path: 'security-report.json'

      - name: Upload report
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: security-reports
          path: security-report.json

Strict CI Fail Mode

Block merges when high or critical vulnerabilities are found. Use this to enforce security gates in your CI pipeline.

  • Exits with code 1 on critical/high findings
  • Blocks PRs until fixed
  • Still uploads report as artifact (the if: always() upload step runs after the failure)
  • Make the scan job a required status check in branch protection; a red check alone does not stop a merge
.github/workflows/security-strict.yml
name: Security Scan (Strict)
on: [push, pull_request]

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: taoufikmohamed/securityauditor@v1.1.0
        with:
          repo-path: '.'
          mode: 'scan'
          output-path: 'security-report.json'
          fail-on-findings: 'true'  # ← blocks CI

      - name: Upload report
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: security-reports
          path: security-report.json

AI Auto-Fix + Pull Request

Let DeepSeek AI generate safe patches and automatically open a PR with fixes. Developers just review and merge.

  • AI-generated fix diffs via DeepSeek (the affected source is sent to DeepSeek's API, so confirm that is acceptable for your codebase)
  • Safety validation before applying; patches judged risky are left for manual handling
  • Requires DEEPSEEK_API_KEY secret
  • Creates branch + PR automatically
  • Caveats: on pull_request runs from forks, GITHUB_TOKEN is read-only and repository secrets are not exposed, so fixes can only be pushed from runs on the base repository; a PR opened with GITHUB_TOKEN does not trigger other workflows, so re-run the scan on it by pushing to the fix branch or by using a GitHub App or PAT token
.github/workflows/security-autofix.yml
name: Security Scan & Auto-Fix
on: [push, pull_request]

jobs:
  scan-and-fix:
    runs-on: ubuntu-latest
    permissions:
      contents: write
      pull-requests: write
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - uses: taoufikmohamed/securityauditor@v1.1.0
        with:
          mode: 'fix'
          apply-safe-fixes: 'true'  # ← AI auto-applies
        env:
          DEEPSEEK_API_KEY: ${{ secrets.DEEPSEEK_API_KEY }}

      - name: Create PR with fixes
        uses: peter-evans/create-pull-request@v5
        with:
          title: '[Security] Automated fixes'
          branch: 'security/automated-fixes'

PR Comment Report

Post a summary of findings as a PR comment so developers see security results inline during code review.

  • Posts the findings count from report.json as a PR comment
  • Appears inline in the PR conversation, next to the review
  • No AI key required
  • Needs pull-requests: write on GITHUB_TOKEN; on pull_request runs from forks the token is read-only, so the comment step fails there
.github/workflows/security-comment.yml
name: Security Scan (PR Comment)
on: [pull_request]

jobs:
  scan:
    runs-on: ubuntu-latest
    permissions:
      pull-requests: write   # GITHUB_TOKEN needs this to post the comment
    steps:
      - uses: actions/checkout@v4
      - uses: taoufikmohamed/securityauditor@v1.1.0
        with:
          mode: 'scan'
          output-path: '${{ github.workspace }}/report.json'

      - name: Comment findings on PR
        if: github.event_name == 'pull_request'
        uses: actions/github-script@v7
        with:
          script: |
            const fs = require('fs');
            // report.json was written to the workspace, which is github-script's working directory
            const r = JSON.parse(fs.readFileSync('report.json', 'utf8'));
            await github.rest.issues.createComment({
              issue_number: context.issue.number,
              owner: context.repo.owner,
              repo: context.repo.repo,
              body: `🔒 Security: ${r.summary.total} findings`
            });

Action Input Reference

All inputs are optional. Sane defaults get you running in under 60 seconds.

Input              Default                  Description
repo-path          .                        Path to the repository to scan
config-path        config/secauditor.yml    Path to the auditor configuration file
mode               scan                     scan reports findings; fix generates and applies AI diffs
fail-on-findings   false                    Exit with code 1 if high/critical findings exist; use to block merges
apply-safe-fixes   false                    Auto-apply safe AI-generated diffs in fix mode
output-path        report.json              Path to write the JSON findings report
🛒 Available on GitHub Marketplace

Security Auditor is published to the GitHub Marketplace under the Security category. Add it to any repository with a single step — no installation, no containers, no maintenance overhead.

🛡️ Category: Security
⭐ Verified action
🔖 v1.1.0
🐍 Python + JS support
🤖 DeepSeek AI fixes

Up and running in 4 steps

No DevSecOps experience needed. If you have a GitHub repository, you can add security scanning today.

1. 📁 Create the workflow file

In your repository, create .github/workflows/security.yml — GitHub will auto-detect it.

2. 📋 Paste a mode above

Copy the Basic Scan mode above to start. No API key or config file is required for your first scan.

3. 🚀 Push or open a PR

The action triggers automatically. Check the Actions tab to see your first scan results.

4. 🔧 Upgrade when ready

Add fail-on-findings: 'true' to enforce security gates, or add your DeepSeek key for AI auto-fixes. For supply-chain hygiene, pin this action and the other actions in the workflow to a full commit SHA instead of a mutable tag.

Or run locally (PowerShell / CLI)

PowerShell — one-command workflow
# Clone and set up
git clone https://github.com/taoufikmohamed/securityauditor
cd securityauditor

# Run interactive workflow (auto-installs deps)
.\run-workflow.ps1

# Or non-interactive scan
.\run-workflow.ps1 -Workflow scan -RepoPath . -NonInteractive

# Full scan + fix + PR
.\run-workflow.ps1 -Workflow full -RepoPath . -BaseBranch main

# Scan a GitHub repo by URL (no clone needed)
.\run-workflow.ps1 -Workflow scan -RepoUrl https://github.com/owner/repo -NonInteractive