GitHub Repository
2 stars · Python

Shinobi – 10-second security scanner for developers

by SolidDark · Mar 5, 2026 · 2 points · 0 comments

AI Analysis

Solid

Regex-based secret scanner with AI risk checks; competes directly with TruffleHog, git-secrets, Snyk.

Strengths
  • Runs 100% local with zero network calls, addressing offline-first security workflows
  • Detects AI-specific risks (LLM keys in client code, exposed system prompts) that generic scanners miss
  • Fast 10-second scan on real projects with clear JSON and plaintext output formats
Weaknesses
  • Regex pattern matching is brittle; high false positive rate on non-secret text resembling key formats
  • No native Windows support is documented, and dependency auditing delegates to pip-audit/npm-audit without custom CVE logic
Category
Target Audience

Backend developers, DevOps engineers, security-conscious teams shipping code quickly

Similar To

TruffleHog · git-secrets · Snyk CLI

Post Description

(Built entirely in Python, installable via pip. Uses argparse for the CLI, regex pattern matching for secret detection, gitpython for history scanning, and subprocess calls for dependency auditing.)

I built a CLI tool with Claude Code called shinobi that runs a 10-second security scan on any project directory or GitHub repo. It checks for exposed API keys, dangerous defaults, vulnerable dependencies, missing security basics, and AI-specific risks. I pointed it at 22 popular open-source projects including FastAPI, Flask, Dify, Flowise, LiteLLM, and Lobe-Chat. The results were rough - 86% came back as high or critical threat level. The most common issue was exposed secret patterns (API key formats in source code), followed by dangerous defaults like debug mode and wildcard CORS. It's free, open source, runs 100% locally, zero data leaves your machine. pip install shinobi-scan or check it out on GitHub:
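The two finding classes the post describes (secret-looking patterns in source and dangerous defaults such as debug mode and wildcard CORS) come down to regex rules over file contents, and the analysis above flags the weak spot of that approach: key-shaped text that is not a key. The following is an added illustration, not shinobi's own code, of a minimal local scanner that gates regex hits with a Shannon-entropy threshold and a placeholder-word list so documentation examples and "changeme" values are not reported. The AWS access-key-ID shape is a public format; the "sk-" pattern, the placeholder list, the 3.0-bit entropy threshold and the sample files are all assumptions constructed for this example.

```python
import math
import re
from dataclasses import dataclass

# Secret-format rules. The AWS access-key-ID shape is a documented public format;
# the "sk-" shape is an assumed LLM-provider key format used only for illustration.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "llm_api_key": re.compile(r"\bsk-[A-Za-z0-9]{20,}\b"),
    # keyword = 'value' assignments; group 2 captures the value itself
    "generic_assignment": re.compile(
        r"""(?i)\b(api[_-]?key|secret(?:[_-]?key)?|token|password)\b\s*[:=]\s*['"]([^'"]{12,})['"]"""
    ),
}

# Dangerous-default rules of the kind the post mentions (debug mode, wildcard CORS).
DANGEROUS_DEFAULTS = {
    "debug_mode_on": re.compile(r"(?i)\bdebug\s*=\s*True\b"),
    "wildcard_cors": re.compile(r"""(?i)allow_origins\s*=\s*\[\s*['"]\*['"]\s*\]"""),
}

# Assumed placeholder vocabulary: values containing these are not treated as live secrets.
PLACEHOLDER_WORDS = ("example", "changeme", "placeholder", "your_", "xxxx")


@dataclass
class Finding:
    path: str
    line_no: int
    rule: str
    severity: str
    excerpt: str  # secrets are truncated so the report never reproduces the full value


def shannon_entropy(s: str) -> float:
    """Bits per character; real keys are high-entropy, prose and placeholders are not."""
    if not s:
        return 0.0
    counts: dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_placeholder(candidate: str) -> bool:
    low = candidate.lower()
    return any(word in low for word in PLACEHOLDER_WORDS)


def scan_text(path: str, text: str, min_entropy: float = 3.0) -> list[Finding]:
    """Run every rule over each line; secret hits must pass the entropy/placeholder gate."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in SECRET_PATTERNS.items():
            for m in pattern.finditer(line):
                candidate = m.group(m.lastindex or 0)
                if looks_like_placeholder(candidate) or shannon_entropy(candidate) < min_entropy:
                    continue  # the gate that removes the obvious false positives
                findings.append(Finding(path, line_no, rule, "high", candidate[:6] + "..."))
        for rule, pattern in DANGEROUS_DEFAULTS.items():
            if pattern.search(line):
                findings.append(Finding(path, line_no, rule, "medium", line.strip()))
    return findings


def scan_project(files: dict[str, str]) -> list[Finding]:
    """files maps a relative path to its contents, so the scan needs no disk or network."""
    findings: list[Finding] = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


def threat_level(findings: list[Finding]) -> str:
    """Collapse findings into the single project-level verdict the post reports per repo."""
    severities = {f.severity for f in findings}
    if "high" in severities:
        return "high"
    if "medium" in severities:
        return "medium"
    return "clean"


# Constructed sample project: one real-looking key, one LLM-style key, two dangerous
# defaults, and two placeholders that a bare regex scanner would wrongly report.
SAMPLE_FILES = {
    "settings.py": "DEBUG = True\nSECRET_KEY = 'changeme-please'\n",
    "app.py": (
        "app.add_middleware(CORSMiddleware, allow_origins=['*'])\n"
        'API_KEY = "xK9v2QpL7mT4wR8nZ3bH6cJ1"\n'
        "OPENAI_KEY = 'sk-abc123DEF456ghi789JKL012mno'\n"
    ),
    "README.md": "Set AWS_ACCESS_KEY_ID to your key, e.g. AKIAIOSFODNN7EXAMPLE\n",
}

if __name__ == "__main__":
    results = scan_project(SAMPLE_FILES)
    for f in results:
        print(f"{f.severity:6} {f.path}:{f.line_no} {f.rule} {f.excerpt}")
    print("threat level:", threat_level(results))
```

The gate is deliberately cheap: entropy alone still passes random-looking text such as hashes, and the placeholder list only catches the conventions it knows, so a real scanner layers provider-specific checksums or verification on top. The point the example makes is that the brittleness noted above is a property of the rules, not of the regex approach itself.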

Similar Projects

Security · Solid

MCP-scan – Security scanner for MCP server configs

First security scanner for MCP configs as the protocol gains adoption.

Niche Gem
AbanoubRodolf
102mo ago