OSS Security Auditor
Perform comprehensive security audits of open source repositories for enterprise adoption decisions.
When to Use
- •Evaluating an OSS library before adoption
- •Security review of dependencies
- •Compliance assessment (GDPR, HIPAA, SOC2)
- •Identifying data privacy risks
Analysis Categories
- •Dependency Security (20%) - CVEs, outdated packages, supply chain
- •Code Security (25%) - OWASP Top 10, secrets, injection flaws
- •Data Privacy (30%) - Telemetry, credential access, data exfiltration
- •Compliance (15%) - GDPR, HIPAA, SOC2 readiness
- •Maintenance (10%) - Activity, contributors, abandonment risk
Critical Red Flags (Auto Grade Cap to D)
- •Cryptocurrency/wallet access patterns
- •Telemetry/phone-home without consent
- •Credential harvesting patterns
Process
1. Repository Access
bash
# For GitHub URLs gh repo view <owner>/<repo> --json name,description,licenseInfo,pushedAt,issues gh repo clone <owner>/<repo> -- --depth=1 # For local paths # Analyze directly
2. Discovery
- •Identify languages (file extensions, config files)
- •Find dependency manifests (package.json, requirements.txt, go.mod, etc.)
- •Map codebase structure
3. Dependency Analysis
Search for manifests and check versions:
bash
# Find all manifests find . -name "package.json" -o -name "requirements*.txt" -o -name "go.mod" -o -name "Cargo.toml" -o -name "pom.xml" -o -name "Gemfile"
4. Code Security Scan
Search patterns for common vulnerabilities:
Secrets:
- •
api[_-]?key,secret,password,token,credential - •
AKIA(AWS),BEGIN.*PRIVATE KEY
Injection:
- •SQL: String concatenation with
SELECT,INSERT,UPDATE - •Command:
exec(,system(,spawn(, backticks - •XSS: Unsafe HTML output patterns
Crypto:
- •Weak:
md5,sha1,des,rc4
5. Privacy Analysis
Critical patterns to detect:
- •
ethers,web3,bitcoin- crypto libs - •
analytics,segment,mixpanel,ga(- telemetry - •
localStorage,sessionStorage,document.cookie- browser storage - •
~/.ssh,.env,credentials- file access
Network calls:
- •
fetch(,axios,http.get,requests.with external domains
6. Compliance Check
GDPR: Consent flows, deletion APIs, data minimization HIPAA: Encryption, audit logs, access control SOC2: Security controls, availability, integrity
7. Maintenance Assessment
bash
# GitHub metrics gh repo view <owner>/<repo> --json pushedAt,issues,pullRequests,stargazerCount gh api repos/<owner>/<repo>/contributors --jq 'length' gh api repos/<owner>/<repo>/commits --jq '.[0].commit.author.date'
Scoring
| Severity | Deduction |
|---|---|
| CRITICAL | -30 |
| HIGH | -15 |
| MEDIUM | -8 |
| LOW | -3 |
Grade caps:
- •Any CRITICAL → Max C
- •Red flag (crypto/telemetry/credentials) → Max D
- •3+ CRITICAL → F
Output
Generate three outputs:
- •Executive Summary - Quick verdict table, top 5 findings, risk summary
- •Detailed Report - Full findings by category with remediation
- •JSON Summary - Machine-readable for automation
See /home/vinayak/analyse-git-repos/analysis-template.md for format.
See /home/vinayak/analyse-git-repos/scoring-guide.md for criteria.
Example Usage
code
Analyze: https://github.com/example/library Context: Evaluating for healthcare application (HIPAA required)