(Built entirely in Python, installable via pip. Uses argparse for the CLI, regex pattern matching for secret detection, gitpython for history scanning, and subprocess calls for dependency auditing.)

I built a CLI tool with Claude Code called shinobi that runs a 10-second security scan on any project directory or GitHub repo. It checks for exposed API keys, dangerous defaults, vulnerable dependencies, missing security basics, and AI-specific risks. I pointed it at 22 popular open-source projects including FastAPI, Flask, Dify, Flowise, LiteLLM, and Lobe-Chat. The results were rough - 86% came back as high or critical threat level. The most common issue was exposed secret patterns (API key formats in source code), followed by dangerous defaults like debug mode and wildcard CORS. It's free, open source, runs 100% locally, zero data leaves your machine. pip install shinobi-scan or check it out on GitHub:
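As an added example (not shinobi's own code, which the post does not show), here is a minimal version of the kind of checks the post describes: regex rules for secret-looking strings plus two dangerous-default checks (debug mode switched on, wildcard CORS origin), run over a constructed sample source file and rolled up into a threat level. The rule names, patterns, severities and the sample file are assumptions made for illustration; the AWS access key ID prefix format is the publicly documented one.

```python
from __future__ import annotations

import os
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    line_no: int
    snippet: str


# Hypothetical rule set (constructed for this example, not the tool's own).
# Each entry is (rule name, severity, compiled pattern). The AWS access key ID
# shape (AKIA + 16 uppercase alphanumerics) is the publicly documented format;
# the other patterns are generic heuristics and will need tuning in practice.
RULES = [
    ("aws-access-key-id", "critical", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("generic-api-key-assignment", "high",
     re.compile(r"""(?i)\b(api[_-]?key|secret|token)\s*[:=]\s*["'][A-Za-z0-9_\-]{20,}["']""")),
    # Only catches a literal True; a value pulled from config or env is not flagged.
    ("debug-mode-on", "high", re.compile(r"(?i)\bdebug\s*=\s*True\b")),
    ("cors-wildcard", "high",
     re.compile(r"""(?i)\b(allow_origins|origins|Access-Control-Allow-Origin)\b[^\n]*["']\*["']""")),
]

SEVERITY_RANK = {"critical": 3, "high": 2, "medium": 1, "low": 0}


def scan_text(text: str) -> list[Finding]:
    """Run every rule over every line and return findings in file order."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, severity, pattern in RULES:
            if pattern.search(line):
                findings.append(Finding(rule, severity, line_no, line.strip()))
    return findings


def scan_tree(root: str, extensions: tuple[str, ...] = (".py", ".js", ".ts", ".env")) -> dict[str, list[Finding]]:
    """Walk a directory and scan files with the given extensions; returns {path: findings}."""
    report: dict[str, list[Finding]] = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if name.endswith(extensions):
                path = os.path.join(dirpath, name)
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    found = scan_text(fh.read())
                if found:
                    report[path] = found
    return report


def threat_level(findings: list[Finding]) -> str:
    """Roll findings up to the worst severity present ('low' when there are none)."""
    worst = max((SEVERITY_RANK.get(f.severity, 0) for f in findings), default=0)
    for name, rank in SEVERITY_RANK.items():
        if rank == worst:
            return name
    return "low"


# Constructed sample source file; the key values are placeholders, not real credentials.
SAMPLE_SOURCE = """\
import os
from fastapi import FastAPI
from fastapi.middleware.cors import CORSMiddleware

AWS_ACCESS_KEY_ID = "AKIAEXAMPLE000000001"  # constructed, not a real key
api_key = "sk_example_0123456789abcdef0123"  # constructed placeholder
app = FastAPI(debug=True)
app.add_middleware(CORSMiddleware, allow_origins=["*"])
safe_key = os.environ.get("API_KEY")  # read from the environment, should not be flagged
"""


if __name__ == "__main__":
    results = scan_text(SAMPLE_SOURCE)
    for f in results:
        print(f"[{f.severity.upper():8}] line {f.line_no}: {f.rule}: {f.snippet}")
    print("threat level:", threat_level(results))
```

The sample produces four findings (the hard-coded AWS-style key, the hard-coded API key assignment, `debug=True`, and the wildcard CORS origin) and rolls up to "critical", while the line that reads the key from the environment is left alone. A real scanner needs an allowlist for documented example values and test fixtures, and the literal-only `debug` pattern shows why regex checks report possible issues rather than proof: a value that arrives through config is invisible to this approach.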