About Trespass

Trespass runs four analysis layers against your GitHub repositories — static pattern matching, dependency auditing, SAST, and optional AI-powered review — to surface secrets, vulnerabilities, and security anti-patterns before they reach production.

Secrets Detection

17 patterns

Regex + entropy matching against hardcoded credentials, including secrets inside code comments. Placeholders, example values, and dummy strings are ignored to reduce false positives. Inside test files (*.test.ts, tests/, __tests__/, spec/) the 4 generic patterns (password/secret assignment, database connection string, JWT secret) are skipped entirely, while vendor-specific patterns (AWS, GitHub, Stripe, …) are reported at low severity instead of being hidden.

  • AWS Access Key
  • OpenAI / Anthropic / Google API Keys
  • GitHub PAT, OAuth & Actions tokens
  • Stripe secret & publishable keys
  • Twilio & Slack tokens
  • Cloudinary URLs
  • PEM private keys (RSA, EC, DSA, OpenSSH)
  • Database connection strings (Postgres, MySQL, MongoDB, Redis)
  • JWT secrets & generic password/API key assignments
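The following is an added illustration of the detection logic described above (regex match, entropy gate, placeholder suppression, and the test-file rules); it is not Trespass's code and its rule set, placeholder markers, entropy threshold and sample inputs are all constructed assumptions.

```python
import math
import re
from dataclasses import dataclass


# Constructed rule set for illustration only; Trespass's own 17 patterns are not shown on the page.
@dataclass(frozen=True)
class Rule:
    name: str
    regex: re.Pattern
    generic: bool       # generic rules are skipped entirely inside test files
    severity: str


RULES = [
    Rule("AWS Access Key", re.compile(r"\b(AKIA[0-9A-Z]{16})\b"), False, "high"),
    Rule("GitHub PAT", re.compile(r"\b(ghp_[A-Za-z0-9]{36})\b"), False, "high"),
    Rule("Generic password assignment",
         re.compile(r"""(?i)\b(?:password|passwd|secret)\s*[:=]\s*['"]([^'"]{8,})['"]"""),
         True, "medium"),
    Rule("Database connection string",
         re.compile(r"""\b((?:postgres|mysql|mongodb|redis)://[^\s'"]+:[^\s'"]+@[^\s'"]+)"""),
         True, "high"),
]

# Substrings that mark a value as a placeholder rather than a live credential (assumed list).
PLACEHOLDER_MARKERS = ("example", "placeholder", "changeme", "dummy", "your_", "xxx", "<", "${")

# Test-file convention taken from the page: *.test.ts, tests/, __tests__/, spec/
TEST_FILE_RE = re.compile(r"(\.test\.[jt]sx?$|(^|/)(tests|__tests__|spec)/)")

ENTROPY_THRESHOLD = 3.0  # bits per character; assumed cut-off applied to generic matches only


def shannon_entropy(value: str) -> float:
    """Shannon entropy in bits per character; random-looking secrets score high."""
    if not value:
        return 0.0
    counts: dict[str, int] = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_placeholder(value: str) -> bool:
    lowered = value.lower()
    return any(marker in lowered for marker in PLACEHOLDER_MARKERS)


def scan(path: str, text: str) -> list[dict]:
    """Return findings for one file; severity is downgraded to low inside test files."""
    in_test_file = bool(TEST_FILE_RE.search(path))
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        # No comment stripping: a credential left in a comment is still a credential.
        for rule in RULES:
            if rule.generic and in_test_file:
                continue
            for m in rule.regex.finditer(line):
                value = m.group(1)
                if is_placeholder(value):
                    continue
                if rule.generic and shannon_entropy(value) < ENTROPY_THRESHOLD:
                    continue
                findings.append({
                    "rule": rule.name,
                    "path": path,
                    "line": lineno,
                    "severity": "low" if in_test_file else rule.severity,
                    "value": value[:4] + "***",   # never echo the full secret in output
                })
    return findings


# Constructed sample inputs; none of these values are real credentials.
SRC_PATH = "src/config.py"
SRC_TEXT = """\
AWS_KEY = "AKIAZZZZTESTKEY00001"
password = "Tr0ub4dor&3x9Qz"
password = "CHANGEME_PLEASE1"
# secret = "s3cretInComment99"
DB = "postgres://app:p4ss@db.internal:5432/app"
"""
TEST_PATH = "src/__tests__/config.test.ts"
TEST_TEXT = """\
const key = "AKIAZZZZTESTKEY00001";
const password = "Tr0ub4dor&3x9Qz";
"""

if __name__ == "__main__":
    for f in scan(SRC_PATH, SRC_TEXT) + scan(TEST_PATH, TEST_TEXT):
        print(f"{f['path']}:{f['line']} [{f['severity']}] {f['rule']} -> {f['value']}")
```

Running it reports four findings in `src/config.py` (the placeholder on line 3 is suppressed, the commented-out secret on line 4 is not) and a single low-severity AWS finding in the test file, where the generic password rule never runs.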

SAST Patterns

16 patterns

Static analysis across TypeScript, JavaScript, Python, Go, Ruby, PHP, and Java — organized by attack category.

Injection

  • SQL injection via string concatenation
  • Dangerous eval() usage
  • Command injection (exec, spawn, subprocess)

XSS

  • dangerouslySetInnerHTML
  • .innerHTML direct assignment

Cryptography

  • MD5 & SHA-1 usage
  • Math.random() in security contexts

Authentication

  • JWT algorithm 'none' accepted
  • CORS wildcard on credentialed routes
  • TLS/SSL verification disabled

LLM-specific (OWASP LLM01)

  • User input interpolated into system prompts (prompt injection)
  • Dynamic tool/function names derived from user input
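As an added example (not Trespass's own 16 patterns), the block below implements four of the anti-pattern checks listed above and runs them over a constructed vulnerable snippet and its hardened counterpart. The rule regexes, the "security context" keyword list used to gate the Math.random() check, and the sample lines are assumptions.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class SastRule:
    category: str
    name: str
    regex: re.Pattern
    needs_security_context: bool = False  # fire only when the line also names a sensitive value


# Assumed keywords that mark a line as security-relevant.
SECURITY_CONTEXT = re.compile(r"(?i)token|secret|nonce|otp|password|session|csrf")

# Constructed rules covering four of the categories on the page.
SAST_RULES = [
    SastRule("Authentication", "JWT algorithm 'none' accepted",
             re.compile(r"""algorithms\s*[:=]\s*\[[^\]]*['"]none['"]""")),
    SastRule("XSS", ".innerHTML direct assignment",
             re.compile(r"\.innerHTML\s*=(?!=)")),          # assignment, not comparison
    SastRule("Cryptography", "Math.random() in security context",
             re.compile(r"Math\.random\(\)"), needs_security_context=True),
    SastRule("Authentication", "TLS/SSL verification disabled",
             re.compile(r"verify\s*=\s*False|rejectUnauthorized\s*:\s*false")),
]


def scan_source(path: str, text: str) -> list[dict]:
    """Line-oriented matcher: one finding per (line, rule) hit."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule in SAST_RULES:
            if not rule.regex.search(line):
                continue
            if rule.needs_security_context and not SECURITY_CONTEXT.search(line):
                continue
            findings.append({"path": path, "line": lineno,
                             "category": rule.category, "rule": rule.name})
    return findings


# Constructed samples: each vulnerable line is paired with a hardened form below.
VULNERABLE = """\
jwt.verify(token, key, { algorithms: ['none', 'HS256'] });
el.innerHTML = userComment;
const resetToken = Math.random().toString(36).slice(2);
requests.get(url, verify=False)
"""
HARDENED = """\
jwt.verify(token, key, { algorithms: ['HS256'] });
el.textContent = userComment;
const resetToken = crypto.randomBytes(32).toString('hex');
requests.get(url, verify=True)
const sameMarkup = a.innerHTML === b.innerHTML;
const dieRoll = Math.floor(Math.random() * 6) + 1;
"""

if __name__ == "__main__":
    for f in scan_source("app.js", VULNERABLE):
        print(f"{f['path']}:{f['line']} [{f['category']}] {f['rule']}")
    print("hardened findings:", scan_source("app.js", HARDENED))
```

The hardened sample deliberately keeps an `innerHTML` comparison and a non-security `Math.random()` call to show why the assignment lookahead and the context gate exist: without them both lines would be false positives.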

Dependency Auditing

Queries the OSV.dev database in batches for known CVEs across npm and PyPI ecosystems. Returns installed version, fixed-in version, CVE ID, and an upgrade recommendation for each finding.

Ecosystems

  • npm — via package.json
  • PyPI — via requirements.txt

CVSS v3 severity mapping

  • Critical — score ≥ 9.0
  • High — score ≥ 7.0
  • Medium — score ≥ 4.0
  • Low — score < 4.0
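The block below is an added worked example of the dependency-audit flow described above: manifests are parsed into OSV batch queries, results are mapped to the CVSS v3 bands listed, and the fixed-in version is read from the OSV record. It is not Trespass's implementation; the batch size, the manifest-parsing shortcuts, the placeholder vulnerability ids and the sample manifests are assumptions, while the `querybatch` endpoint and the OSV record shape (`affected[].ranges[].events`) are the public OSV API.

```python
import json
import urllib.request

OSV_BATCH_ENDPOINT = "https://api.osv.dev/v1/querybatch"
BATCH_SIZE = 100   # assumed; OSV documents its own per-request limit


def deps_from_package_json(text: str) -> list[tuple[str, str, str]]:
    """(ecosystem, name, version) for dependencies and devDependencies.
    Range prefixes (^, ~) are stripped to the lower bound as an approximation;
    a lockfile would give the exact installed version."""
    data = json.loads(text)
    out = []
    for section in ("dependencies", "devDependencies"):
        for name, spec in data.get(section, {}).items():
            version = spec.lstrip("^~=v")
            if version and version[0].isdigit():
                out.append(("npm", name, version))
    return out


def deps_from_requirements(text: str) -> list[tuple[str, str, str]]:
    """Only exact pins (name==version) can be queried by version; others are skipped."""
    out = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "==" not in line:
            continue
        name, version = line.split("==", 1)
        out.append(("PyPI", name.strip(), version.strip()))
    return out


def build_batches(deps: list[tuple[str, str, str]], batch_size: int = BATCH_SIZE) -> list[dict]:
    """Group dependencies into querybatch request bodies."""
    batches = []
    for i in range(0, len(deps), batch_size):
        chunk = deps[i:i + batch_size]
        batches.append({"queries": [
            {"package": {"name": n, "ecosystem": e}, "version": v} for e, n, v in chunk]})
    return batches


def post_batch(body: dict) -> dict:
    """POST one batch to OSV (network call; not exercised by the offline sample below)."""
    req = urllib.request.Request(OSV_BATCH_ENDPOINT, data=json.dumps(body).encode(),
                                 headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def severity_from_cvss(score: float) -> str:
    """CVSS v3 bands exactly as listed on the page."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


def fixed_version(vuln: dict, ecosystem: str, name: str):
    """First 'fixed' event for this package in the record's affected ranges, or None."""
    for affected in vuln.get("affected", []):
        pkg = affected.get("package", {})
        if pkg.get("ecosystem") != ecosystem or pkg.get("name") != name:
            continue
        for rng in affected.get("ranges", []):
            for event in rng.get("events", []):
                if "fixed" in event:
                    return event["fixed"]
    return None


def summarize(ecosystem: str, name: str, installed: str, vuln: dict, cvss_score: float) -> dict:
    """One finding row; cvss_score is assumed to come from a scorer for the record's CVSS vector."""
    fixed = fixed_version(vuln, ecosystem, name)
    cve = next((a for a in vuln.get("aliases", []) if a.startswith("CVE-")), vuln.get("id"))
    return {"package": name, "installed": installed, "fixed_in": fixed, "cve": cve,
            "severity": severity_from_cvss(cvss_score),
            "recommendation": f"upgrade {name} to {fixed}" if fixed
            else "no fixed version published; mitigate or replace"}


# Constructed manifests and a constructed OSV-shaped record; ids are placeholders.
PACKAGE_JSON = '{"dependencies": {"left-pad": "^1.2.0"}, "devDependencies": {"jest": "29.0.0"}}'
REQUIREMENTS = "requests==2.25.1\n# comment\nflask>=2.0\n"
SAMPLE_VULN = {
    "id": "GHSA-PLACEHOLDER",
    "aliases": ["CVE-0000-00000"],
    "affected": [{"package": {"ecosystem": "npm", "name": "left-pad"},
                  "ranges": [{"type": "SEMVER", "events": [{"introduced": "0"}, {"fixed": "1.3.0"}]}]}],
}

if __name__ == "__main__":
    deps = deps_from_package_json(PACKAGE_JSON) + deps_from_requirements(REQUIREMENTS)
    print(json.dumps(build_batches(deps, batch_size=2), indent=1))
    print(summarize("npm", "left-pad", "1.2.0", SAMPLE_VULN, 7.5))
```

Note that `querybatch` responses list only vulnerability ids per query; the `affected` ranges used by `fixed_version` come from fetching each record individually, which is why the sample feeds a full record in directly.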

LLM Code Review

optional

Context-aware security review using your own API key — never stored in plaintext. Opt-in per scan. Files flagged by static analysis are prioritized and sent to the model for enriched findings and remediation advice.

Providers

  • OpenAI
  • Anthropic
  • Google Gemini

Limits & behavior

  • Up to 30 files per scan, 5 concurrent
  • 3-minute hard timeout
  • Confidence threshold >80% to report
  • Prioritizes auth, secret, token, api files

File coverage

Scanned extensions

.ts .tsx .js .jsx .mjs .cjs · .py · .go .rb .php .java · .env .yaml .yml .json .toml .sh .bash

Ignored paths

node_modules/ .git/ dist/ build/ .next/ .nuxt/ coverage/ .cache/ vendor/ __pycache__/ .venv/ venv/