About Trespass
Trespass runs four analysis layers against your GitHub repositories — static pattern matching, dependency auditing, SAST, and optional AI-powered review — to surface secrets, vulnerabilities, and security anti-patterns before they reach production.
Secrets Detection
Regex and entropy matching against hardcoded credentials, including secrets inside code comments. Placeholders, example values, and dummy strings are ignored to reduce false positives. Inside test files (*.test.ts, tests/, __tests__/, spec/) the 4 generic patterns (password/secret assignment, database connection string, JWT secret) are skipped entirely, while vendor-specific patterns (AWS, GitHub, Stripe, …) are still reported, at reduced (low) severity, instead of being hidden.
- · AWS Access Key
- · OpenAI / Anthropic / Google API Keys
- · GitHub PAT, OAuth & Actions tokens
- · Stripe secret & publishable keys
- · Twilio & Slack tokens
- · Cloudinary URLs
- · PEM private keys (RSA, EC, DSA, OpenSSH)
- · Database connection strings (Postgres, MySQL, MongoDB, Redis)
- · JWT secrets & generic password/API key assignments
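As an added illustration (not Trespass's own code), a minimal Python scanner that applies the rules described above: regex matching per line, an entropy floor and a placeholder filter for generic assignments, and the test-file handling (generic patterns skipped, vendor patterns downgraded to low). The pattern set, severity labels and the 3.0-bit entropy threshold are assumptions, and the sample source is constructed.

```python
import math
import re
from collections import Counter

# Constructed, simplified rule set for illustration; not Trespass's real pattern list.
VENDOR_PATTERNS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}
GENERIC_PATTERNS = {
    "password_or_secret_assignment": re.compile(
        r"(?i)\b(?:password|secret)\s*[:=]\s*['\"]([^'\"]{8,})['\"]"),
}
PLACEHOLDER = re.compile(r"(?i)example|placeholder|dummy|changeme|your_|<[^>]*>")
TEST_PATH = re.compile(r"\.test\.ts$|(?:^|/)(?:tests|__tests__|spec)/")
ENTROPY_FLOOR = 3.0  # bits per character; an assumed cut-off for "random-looking"

def shannon_entropy(value: str) -> float:
    """Bits of entropy per character; repetitive filler scores low."""
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in Counter(value).values())

def scan_file(path: str, text: str) -> list:
    """Return (line_no, rule, severity) findings. Every line is scanned,
    so a secret inside a code comment is caught like one in code."""
    in_test = TEST_PATH.search(path) is not None
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        # Vendor-specific patterns: always reported, downgraded to low in test files.
        for rule, rx in VENDOR_PATTERNS.items():
            for m in rx.finditer(line):
                if PLACEHOLDER.search(m.group(0)):
                    continue
                findings.append((line_no, rule, "low" if in_test else "high"))
        if in_test:
            continue  # generic patterns are skipped entirely in test files
        for rule, rx in GENERIC_PATTERNS.items():
            for m in rx.finditer(line):
                value = m.group(1)
                if PLACEHOLDER.search(value) or shannon_entropy(value) < ENTROPY_FLOOR:
                    continue  # placeholder or dummy string: suppressed as a false positive
                findings.append((line_no, rule, "medium"))
    return findings

# Constructed sample source (no real credentials).
APP_SRC = (
    'password = "changeme-placeholder"\n'          # placeholder word: ignored
    'SECRET = "aaaaaaaabbbbbbbb"\n'                 # low entropy: ignored
    '# TODO remove: secret = "q8Zk2pL9vX4mTn7R"\n'  # random-looking, in a comment: reported
    'AWS_KEY = "AKIAQ7ZP2MXN4TRL9VB0"\n'            # vendor pattern: reported as high
)
```

Running `scan_file("src/config.py", APP_SRC)` reports lines 3 and 4; the same content under `src/__tests__/config.test.ts` yields only the AWS key finding, at low severity.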
SAST Patterns
Static analysis across TypeScript, JavaScript, Python, Go, Ruby, PHP, and Java — organized by attack category.
Injection
- · SQL injection via string concatenation
- · Dangerous eval() usage
- · Command injection (exec, spawn, subprocess)
XSS
- · dangerouslySetInnerHTML
- · .innerHTML direct assignment
Cryptography
- · MD5 & SHA-1 usage
- · Math.random() in security contexts
Authentication
- · JWT algorithm 'none' accepted
- · CORS wildcard on credentialed routes
- · TLS/SSL verification disabled
LLM-specific (OWASP LLM01)
- · User input interpolated into system prompts (prompt injection)
- · Dynamic tool/function names derived from user input
Dependency Auditing
Queries the OSV.dev database in batches for known CVEs across the npm and PyPI ecosystems. Returns the installed version, fixed-in version, CVE ID, and an upgrade recommendation for each finding.
Ecosystems
- · npm — via package.json
- · PyPI — via requirements.txt
CVSS v3 severity mapping
- · Critical — score ≥ 9.0
- · High — score ≥ 7.0
- · Medium — score ≥ 4.0
- · Low — score < 4.0
LLM Code Review
Context-aware security review using your own API key — never stored in plaintext. Opt-in per scan. Files flagged by static analysis are prioritized and sent to the model for enriched findings and remediation advice.
Providers
- · OpenAI
- · Anthropic
- · Google Gemini
Limits & behavior
- · Up to 30 files per scan, 5 concurrent
- · 3-minute hard timeout
- · Confidence threshold >80% to report
- · Prioritizes auth, secret, token, and api files
File coverage
Scanned extensions
.ts .tsx .js .jsx .mjs .cjs · .py · .go .rb .php .java · .env .yaml .yml .json .toml .sh .bash
Ignored paths
node_modules/ .git/ dist/ build/ .next/ .nuxt/ coverage/ .cache/ vendor/ __pycache__/ .venv/ venv/