free CLI scanner by SolidDark

Security scanning for repos in seconds

Shinobi is a free local-first CLI security scanner for repositories. It detects exposed secrets, dangerous defaults, vulnerable dependencies, missing security basics, and AI-specific risks before they ship.

100% LOCAL-FIRST | SECRETS | DEPENDENCIES | AI RISK PATTERNS
shinobi v1.0.1 - local scan session
pip install shinobi-scan
shinobi .
SCAN SUMMARY
repo: payments-api
files scanned: 342
threat level: HIGH
SECRETS
OpenAI key in .env
DEPENDENCIES
3 vulnerable packages detected
DEFAULTS
debug mode enabled in production config
AI RISKS
prompt injection string found in test fixture

What Shinobi does

Point it at a repo. Get a fast, local security pass with actionable findings.

SCAN THE CODEBASE

Shinobi inspects the working tree for secrets, unsafe settings, vulnerable packages, and missing security guardrails.

STAY LOCAL

The scan runs on your machine. No code upload. No hosted dashboard. No telemetry pipeline between your repo and your result.

SHIP WITH CONTEXT

Findings are grouped into clear threat categories so you can triage by severity instead of reading a wall of noise.

Threat categories it detects

Built for modern repos, not just static secret matching.

SECRETS

API keys, tokens, private keys, passwords, leaked env files, and high-risk credentials embedded in source.

DANGEROUS DEFAULTS

Debug mode, wildcard CORS, weak secret keys, public binds, and unsafe starter settings left on in real deployments.

DEPENDENCIES

Known vulnerable packages and weak version pinning patterns that quietly turn supply chain risk into production risk.

MISSING SECURITY BASICS

No rate limiting, no CSRF protection, missing auth checks, missing headers, and absent input validation where it should exist.

AI-SPECIFIC RISKS

Prompt injection markers, exposed system prompts, model artifacts in repos, and LLM credentials shipped into client-side code.

GIT HISTORY

Optional deep scans catch secrets that were committed before and later removed from the working tree.

Install and run

No service signup. No hosted agent. Just a CLI.

INSTALL (pip)
pip install shinobi-scan

PyPI is the install source. GitHub stays the source code reference.

RUN
scan current repo
shinobi
scan a specific path
shinobi /path/to/project
deep history scan
shinobi --deep
save JSON output
shinobi --output report.json

Example output

Fast enough for local use. Clear enough for triage.

shinobi-report.json
{
  "tool": "shinobi",
  "version": "1.0.1",
  "repo": "payments-api",
  "threat_level": "HIGH",
  "categories": ["secrets", "dependencies", "defaults"],
  "findings": 6,
  "critical": 2,
  "high": 2,
  "medium": 2,
  "local_only": true,
  "duration_ms": 2137
}
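The report above is the natural hand-off point to CI: run the scan, write the JSON, and let a small policy script decide whether the build proceeds. The script below is an added example and is not part of Shinobi or SolidDark's code. It uses only the fields shown in the page's sample report (tool, version, repo, threat_level, categories, findings, critical, high, medium, local_only, duration_ms); the ordering of threat levels (LOW < MEDIUM < HIGH < CRITICAL) and the policy thresholds are assumptions, since the page only shows "HIGH".

```python
#!/usr/bin/env python3
"""CI gate over a Shinobi JSON report (added example, not Shinobi's own code).

Usage in a pipeline, using the commands from the page:
    shinobi --output report.json
    python gate.py report.json      # exit 1 when the policy is breached
With no argument it evaluates the constructed sample below.
"""
import json
import sys

# Assumed ordering of threat levels, lowest to highest (only HIGH is on the page).
THREAT_ORDER = ["LOW", "MEDIUM", "HIGH", "CRITICAL"]

# Constructed sample report in the shape shown on the page.
SAMPLE_REPORT = """{
  "tool": "shinobi",
  "version": "1.0.1",
  "repo": "payments-api",
  "threat_level": "HIGH",
  "categories": ["secrets", "dependencies", "defaults"],
  "findings": 6,
  "critical": 2,
  "high": 2,
  "medium": 2,
  "local_only": true,
  "duration_ms": 2137
}"""


def load_report(text):
    """Parse report text and reject anything that is not a well-formed Shinobi report."""
    report = json.loads(text)
    if report.get("tool") != "shinobi":
        raise ValueError("not a shinobi report: tool=%r" % report.get("tool"))
    for key in ("threat_level", "critical", "high", "medium", "findings"):
        if key not in report:
            raise ValueError("report missing field %r" % key)
    if report["threat_level"] not in THREAT_ORDER:
        raise ValueError("unknown threat level %r" % report["threat_level"])
    return report


def evaluate(report, max_level="MEDIUM", max_critical=0, max_high=0,
             blocked_categories=("secrets",)):
    """Apply the (assumed) policy. Returns (passed, reasons); each breach adds a reason."""
    reasons = []
    if THREAT_ORDER.index(report["threat_level"]) > THREAT_ORDER.index(max_level):
        reasons.append("threat level %s exceeds %s" % (report["threat_level"], max_level))
    if report["critical"] > max_critical:
        reasons.append("%d critical findings (max %d)" % (report["critical"], max_critical))
    if report["high"] > max_high:
        reasons.append("%d high findings (max %d)" % (report["high"], max_high))
    # Some categories (leaked secrets) should block regardless of counts.
    hits = sorted(set(report.get("categories", [])) & set(blocked_categories))
    if hits:
        reasons.append("blocked categories present: %s" % ", ".join(hits))
    # The page advertises local-only scanning; treat a report that says otherwise as a breach.
    if report.get("local_only") is not True:
        reasons.append("report not marked local_only")
    return (not reasons, reasons)


def main(argv):
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_REPORT
    report = load_report(text)
    passed, reasons = evaluate(report)
    print("%s: %s (%d findings, %d ms)" % (
        report["repo"], report["threat_level"], report["findings"], report["duration_ms"]))
    for reason in reasons:
        print("  FAIL:", reason)
    return 0 if passed else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Keeping the policy in a checked-in script rather than in the scanner's flags means the thresholds are reviewed like any other code change, and a report that is missing fields or comes from another tool fails loudly instead of passing silently.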

Built by SolidDark for people who need signal, not ceremony.

Shinobi is part of the SolidDark security stack: local-first tooling, clear audit surfaces, and direct operator control.

SHINOBI by SolidDark

Free repo security scanning.

Built by Akrij — Digital Architect, Founder of SolidDark