Building an Open-Source Snyk Alternative: Secret Detection, SAST, and SBOM in One Tool

DEV Community·Paulo Fox·about 1 month ago
Snyk is $98/month per developer for private repos. Semgrep OSS is free but has no secret detection. GitGuardian has a free tier but no SBOM. I wanted one tool that does all three — so I built FoxShield, an open-source security auditor for GitHub repositories.

What FoxShield Does

    git push
    └─► GitHub Action: foxshield@v2
        ├─ Secret scan (50+ patterns: API keys, tokens, certificates)
        ├─ SAST (OWASP Top 10 per language)
        ├─ Dependency audit (CVE lookup via OSV.dev)
        └─ SBOM (CycloneDX JSON)

Available as:

GitHub Action — uses: PauloFox0105/foxshield@v2
CLI — npx foxshield audit .
API — REST endpoint for CI/CD integration

Lesson 1: Secret Detection Must Be Pattern + Context

Naive regex finds too many false positives. API_KEY=test123 is not a secret. sk-ant-api03-... is always a secret, regardless of context.…
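A minimal version of that pattern-plus-context rule, added here as an illustration and not FoxShield's own code: prefixed vendor tokens are flagged unconditionally, while generic KEY/TOKEN/SECRET assignments go through placeholder, length and entropy checks first. The placeholder list, the 3.5 bits/char entropy threshold and the sample input are assumptions.

```javascript
// Added example (not FoxShield's implementation): "pattern + context" secret detection.

// Prefixed formats: the prefix itself is the evidence, so no context check is applied.
const HIGH_CONFIDENCE = [
  { name: "anthropic-api-key", re: /\bsk-ant-api03-[A-Za-z0-9_-]{20,}/g },
];

// Generic NAME=value assignments whose name suggests a credential.
const GENERIC_ASSIGNMENT = /\b([A-Z][A-Z0-9_]*(?:KEY|TOKEN|SECRET|PASSWORD))\s*[:=]\s*["']?([^\s"']+)/g;

// Values that are clearly fixtures, templates or env-var references (assumed list).
const PLACEHOLDERS = /^(test\w*|changeme|example\w*|xxx+|placeholder|dummy|<.*>|\$\{.*\}|\$\w+)$/i;

// Shannon entropy in bits per character; random secrets score high, repeated filler low.
function entropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) { const p = n / s.length; h -= p * Math.log2(p); }
  return h;
}

// Context rules for a generic match: returns the reason to suppress it, or null.
function suppressReason(value) {
  if (PLACEHOLDERS.test(value)) return "placeholder";
  if (value.length < 16) return "too-short";
  if (entropy(value) < 3.5) return "low-entropy";
  return null;
}

function scanForSecrets(text) {
  const findings = [];
  const seen = new Set(); // avoid double-reporting a prefixed token that also sits in an assignment
  for (const { name, re } of HIGH_CONFIDENCE) {
    for (const m of text.matchAll(re)) {
      seen.add(m[0]);
      findings.push({ rule: name, value: m[0], confidence: "high" });
    }
  }
  for (const m of text.matchAll(GENERIC_ASSIGNMENT)) {
    const [, variable, value] = m;
    if (seen.has(value) || suppressReason(value)) continue;
    findings.push({ rule: `generic:${variable}`, value, confidence: "medium" });
  }
  return findings;
}

// Constructed sample input; only lines 3 and 6 should be reported.
const SAMPLE = `API_KEY=test123
DB_PASSWORD=changeme
ANTHROPIC_KEY="sk-ant-api03-AbCdEfGhIjKlMnOpQrStUvWxYz0123456789"
AWS_SECRET=\${AWS_SECRET}
SESSION_SECRET=abcabcabcabcabcabc
STRIPE_TOKEN=q7Gz9pLm2Xr4Tv8Wn1Kd6Bh3Js5Yc0Fa`;
```

Running `scanForSecrets(SAMPLE)` reports the sk-ant-api03- token as high confidence and STRIPE_TOKEN as medium; the other four lines are suppressed by the context rules.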
