GitHub Security Scanner by Former CISO

Analyze any GitHub repository's security posture in 30 seconds

Powered by TopFlow - Secure AI Workflow Platform

🎯 Scan facebook/react • 📖 How It Works • ⭐ Star on GitHub

🔍 Live Example: facebook/react

Score: 95/100 (Grade: A+) ⭐

✅ Security Excellence

Active security policy & code scanning
Dependabot monitoring enabled
Branch protection rules enforced
Secret scanning active

📊 Vulnerability Status

0 critical, 1 high, 3 medium, 7 low

🎯 OWASP Compliance

8 of 10 controls passing
Code coverage: 87%
Documentation: 92%

🔐 Best Practices

GPG commit signing recommended
SAST scanning suggested

Try it yourself → Scan any repo in 30 seconds

No signup. No API keys required (demo mode active).

🚀 What You Get in 30 Seconds

📊 Comprehensive Security Analysis

Automated Checks:

✅ OWASP Top 10 compliance
✅ Vulnerability detection (all severities)
✅ Dependency audit & license risks
✅ Security best practices scorecard
✅ Code quality metrics
✅ Branch protection analysis

AI-Powered Insights:

Contextualized recommendations
Priority-ranked action items
Effort estimates for fixes
Impact analysis

🎯 Shareable Reports

Export Options:

📄 Markdown report
📋 JSON data (CI/CD ready)
🏆 Security badges
🔗 Deep links (pre-filled scanner)

Social Sharing:

🐦 Twitter (pre-formatted)
💼 LinkedIn (rich text)
📎 One-click copy

Example Badge:

👉 Scan Your Repository Now

🔒 Built by Former CISO - Security You Can Trust

This isn't just another GitHub scanner. It's built with enterprise-grade security architecture by someone who understands the stakes.

Why Trust This Scanner?

✅ Privacy-First All analysis runs client-side (zero data sent to servers)	✅ BYOK Model Use your own API keys (or try demo mode)
✅ No Tracking Zero analytics, zero data collection	✅ Open Source Audit the code yourself on GitHub
✅ Production Code Export TypeScript for your own tools	✅ 5-Layer Security Defense-in-depth architecture

Built by: Charlie Su, Former CISO

💡 This is a TopFlow Template

GitHub Security Scanner is 1 of 8 pre-built security workflows running on the TopFlow platform.

Explore More Security Templates

🔍 GitHub Security Scanner _{Repository security analysis} _{✅ You just tried this!}	🛡️ GDPR Compliance _{Automate data access requests} _{Article 15 workflow}	🔐 PII Detection _{Scan for sensitive data} _{Privacy-preserving pipeline}
🚨 Incident Response _{SOC automation workflow} _{Threat analysis with AI}	📋 SOC 2 Evidence _{Compliance automation} _{Audit trail generation}	🐛 Security Templates _{+3 more workflows} _{View all in builder}

All templates include:

✅ Instant demo mode (no API keys needed)
✅ Export to production TypeScript
✅ Visual workflow editor
✅ Security-first architecture

Want to build your own? → Launch TopFlow Builder

⚡ Why TopFlow is Different

The Problem: Current AI workflow builders store your data, require subscriptions, and lock you into their platforms.

TopFlow's Solution: Built by a former CISO with security as the #1 priority:

✅ Zero Data Storage Your workflows never touch our servers	✅ BYOK Model Use your own API keys
✅ Export to Code Generate production TypeScript	✅ Security First SSRF protection, sandboxing, rate limiting

Who Uses TopFlow?

🏢 Security Teams: Automate compliance checks and incident response
👨‍💻 Indie Hackers: Add AI features without vendor lock-in
🏭 Enterprises: Build secure internal AI tools
🎓 Educators: Teach secure AI architecture patterns
🔬 Researchers: Experiment with AI workflows safely

🎨 Build Custom Security Workflows

TopFlow is a visual workflow platform designed for security professionals.

What Makes TopFlow Different:

🔒 Security-First Architecture

5-Layer Defense Model:

Client-Side: XSS prevention, input sanitization
Transport: TLS 1.3, HSTS headers
API Gateway: Rate limiting, DDoS protection
Execution: SSRF prevention, sandboxed JS
External APIs: BYOK model, no shared secrets

Built by Former CISO:

OWASP Top 10 coverage built-in
Threat modeling at design time
Defense-in-depth patterns
Compliance-conscious (GDPR, SOC 2, HIPAA)

🛡️ Privacy-Preserving Design

Zero Data Storage:

All workflows stored in browser localStorage
No backend database
No server-side data processing
Zero data breach risk

BYOK Model:

Use your own AI provider keys
Keys never sent to our servers
No ongoing API costs for platform

GDPR Compliant:

Data sovereignty (you own 100%)
No tracking or analytics
Right to be forgotten (clear browser data)

How TopFlow Compares

Feature	TopFlow	Other Platforms
Data Storage	🟢 None (localStorage only)	🔴 Cloud databases
Privacy	🟢 100% client-side	🔴 Server-side processing
API Keys	🟢 Your own (BYOK)	🔴 Platform-managed
Code Export	🟢 Production TypeScript	🔴 JSON/Config only
Vendor Lock-in	🟢 None	🔴 Proprietary formats
Cost	🟢 Free (MIT License)	🔴 Monthly subscriptions
Security	🟢 5-layer defense	🔴 Basic protection
Built By	🟢 Former CISO	🔴 SaaS companies

🎥 See It In Action

Build → Validate → Execute → Export Code

✨ Features That Make Us Different

🔒 Privacy-First Architecture

Your Data: Stored in your browser (localStorage)
Our Servers: Never see your data or API keys
Result: Zero data breach risk

🛡️ 5-Layer Security Model

Every request passes through comprehensive security controls:

Client-Side: Input sanitization, XSS prevention
Transport: TLS 1.3, HSTS headers
API Gateway: Rate limiting, DDoS protection
Execution: SSRF prevention, sandboxed JavaScript
External APIs: BYOK model, no shared secrets

🤖 Production-Ready Code Export

// Your workflow becomes real code:
export async function runWorkflow(input: string) {
  const client = new OpenAI({ apiKey: process.env.OPENAI_API_KEY })

  const prompt = `Analyze: ${input}`
  const result = await client.chat.completions.create({
    model: "gpt-4-turbo",
    messages: [{ role: "user", content: prompt }]
  })

  return result.choices[0].message.content
}

🏆 What's Included

Pre-Built Security & Compliance Workflows

📋 GDPR Compliance Suite

✅ Article 15: Data Access Requests
✅ Article 17: Right to Erasure
✅ Article 20: Data Portability
✅ Article 33: Breach Notification
✅ Article 35: Privacy Impact Assessment
✅ Automated compliance reporting

🚨 Security Automation

✅ Incident Response Workflows
✅ Threat Intelligence Analysis
✅ Security Log Analysis with AI
✅ Vulnerability Assessment
✅ SOC 2 Evidence Collection
✅ PII Detection & Redaction

Enterprise-Ready Features

🔒 5-Layer Security Model: Defense-in-depth architecture
🛡️ SSRF Protection: Comprehensive URL validation
⚡ Rate Limiting: 10 req/min protection
🔐 Sandboxed Execution: Safe JavaScript runtime
📊 Audit Trails: Complete execution logging
🎯 OWASP Top 10: Full coverage built-in

🚀 Quick Start

Option 1: Try the GitHub Scanner (30 Seconds)

# No installation needed - just click:
https://topflow.dev/builder?template=github-security-scanner&repo=facebook/react

# Or scan your own repo:
https://topflow.dev/builder?template=github-security-scanner&repo=YOUR_USERNAME/YOUR_REPO

Demo mode active - No API keys required for initial testing.

Option 2: Run TopFlow Locally (5 Minutes)

# Clone and install
git clone https://github.com/csupenn/topflow.git
cd topflow
pnpm install

# Start development server
pnpm dev

# Open http://localhost:3000

What you get:

✅ Full workflow builder
✅ All 8 security templates
✅ Code export functionality
✅ Local demo mode (no API keys needed)

Option 3: Use in Your Projects (Advanced)

# Install the workflow core package
npm install @charliesu/workflow-core

import { validateWorkflow, executeWorkflow } from '@charliesu/workflow-core'

// Use TopFlow's validation and execution engine
// in your own applications

Use cases:

CI/CD security scanning
Automated compliance checks
Custom security tooling
Internal workflow automation

🛠️ Technology Stack

Supported AI Providers

OpenAI
GPT-4, GPT-3.5

Anthropic
Claude 3

Google
Gemini Pro

Groq
Fast Inference

📊 Why Developers Love TopFlow

⚡

30 Seconds
_{From idea to working workflow}

🎯

Zero Setup
_{Demo mode works instantly}

🔐

100% Private
_{Your data never leaves browser}

💻

Export Code
_{Production TypeScript, not JSON}

📖 Documentation

📚 Architecture Overview - System design & security model
🎓 Quick Start Guide - Get running in 5 minutes
🔧 Node Reference - All 12 node types explained
🛡️ Security Documentation - Threat model & controls
🧪 Testing Guide - 437 tests, 95% coverage

🌟 Community & Support

🆕 Recent Updates & Milestones

🔍 v1.4.0 (Jan 2026) - GitHub Security Scanner with instant demo mode
🎉 v1.3.0 (Jan 2026) - Published @charliesu/workflow-core npm package
📝 v1.2.0 (Jan 2025) - Added GDPR Article 15-35 workflows
🚀 v1.1.0 (Jan 2025) - WebP optimization (97.7% size reduction)
🛡️ v1.0.0 (Dec 2024) - Initial release with 12 node types
📊 8 security templates - Enterprise-ready workflows
⭐ Growing fast - Join 1,000+ security-conscious developers

🤝 Contributing

We welcome contributions! Especially:

🛡️ Security improvements
📋 Compliance workflows
🔧 New node types
📚 Documentation
🧪 Test coverage

See CONTRIBUTING.md for guidelines.

📈 Project Stats

8
_{Security Templates}

12
_{Node Types}

5
_{Security Layers}

1
_{Former CISO}

100%
_{Privacy-First}

📄 License

MIT License with Commons Clause - see the LICENSE file for details.

✅ You CAN:

Use for any purpose (commercial or personal)
Modify and customize
Export and own generated code
Fork and distribute

🎯 Start with the Scanner, Explore the Platform

GitHub Security Scanner is your gateway to secure AI workflows

⭐ Love the scanner? Star us on GitHub!

Your star helps other security teams discover these tools.

_{Built with ❤️ by Charlie Su • Former CISO • AI Security Advocate}
_{🔒 Security-first architecture • 🎯 Privacy by design • 🚀 No vendor lock-in}
_{📧 Contact: charlie@topflow.dev • 💼 LinkedIn}

Name		Name	Last commit message	Last commit date
Latest commit History 108 Commits
.github/workflows		.github/workflows
.husky		.husky
app		app
components		components
docs		docs
e2e		e2e
hooks		hooks
lib		lib
playwright-report		playwright-report
public		public
scripts		scripts
styles		styles
test-results		test-results
test-setup		test-setup
.gitignore		.gitignore
.vercelignore		.vercelignore
CONTRIBUTING.md		CONTRIBUTING.md
E2E_TESTS.md		E2E_TESTS.md
LICENSE		LICENSE
README.md		README.md
TESTING.md		TESTING.md
components.json		components.json
eslint.config.mjs		eslint.config.mjs
jest.config.js		jest.config.js
jest.setup.js		jest.setup.js
next.config.mjs		next.config.mjs
package.json		package.json
playwright.config.ts		playwright.config.ts
pnpm-lock.yaml		pnpm-lock.yaml
postcss.config.mjs		postcss.config.mjs
tsconfig.json		tsconfig.json
tsconfig.test.json		tsconfig.test.json
vercel.json		vercel.json
verify-gitignore.sh		verify-gitignore.sh

✅ Privacy-First All analysis runs client-side (zero data sent to servers)	✅ BYOK Model Use your own API keys (or try demo mode)
✅ No Tracking Zero analytics, zero data collection	✅ Open Source Audit the code yourself on GitHub
✅ Production Code Export TypeScript for your own tools	✅ 5-Layer Security Defense-in-depth architecture

License

csupenn/TopFlow

Folders and files

Latest commit

History

Repository files navigation