Beta tool 2026

Guardrails – Policy-as-Code Security Scanner

Guardrails is an automated security scanner for GitHub and local environments (CLI) built on the "Policy-as-Code" principle. The tool automatically analyzes every Pull Request (PR) to detect leaked secrets, known vulnerabilities in dependencies, dangerous code patterns, and missing authentication before the code is merged. As the sole developer of this project, I engineered the custom scanning engine, published the CLI tool on npm, and built the native GitHub App integration.

TypeScript, Node.js, npm, Netlify, OSV API

01 Details

Key Features:

Leaked Secrets Detection: Identifies hardcoded AWS keys, GitHub tokens, Stripe keys, and 20+ other patterns using regex with a low false-positive rate.

Known Vulnerabilities Scanning: Checks npm, pip, and Go dependencies against the OSV database, blocking PRs that introduce vulnerable packages (CVEs).

Dangerous Patterns (Static Analysis): Detects vulnerabilities such as SQL injection, command injection, insecure use of eval(), and insecure deserialization.

Missing Authentication Checks: Analyzes web frameworks (Express, Next.js) to detect unprotected admin or sensitive routes lacking proper authentication middleware.

Policy-as-Code Configuration: Fully customizable behavior (warn vs. block actions, allowlists) via a .guardrails.yaml configuration file.

Comprehensive Ecosystem: Available as a GitHub App for seamless CI/CD integration (reporting via Check annotations) and as a CLI utility (with SARIF export support) for pre-commit local scanning.
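The two features that most shape a scanner like this are the secret patterns themselves (Leaked Secrets Detection) and the policy layer that decides what happens to each finding (Policy-as-Code Configuration). The following is an added illustration written for this page, not Guardrails' own code: anchored regexes for three credential formats, a redaction step so secrets never reach CI logs, and a policy object that maps each rule to warn or block and exempts allowlisted paths. The rule names, the policy shape, and the sample files are assumptions made for the example.

```typescript
// Added illustration (not Guardrails' own code): anchored regex patterns for a
// few credential formats, followed by a policy-as-code decision that maps each
// finding to "warn" or "block" and honours an allowlist. The rule names, the
// policy shape and the sample files are assumptions made for this example.

type Action = "warn" | "block";

interface SecretPattern { name: string; regex: RegExp; }

interface Finding { rule: string; file: string; line: number; match: string; }

interface Policy {
  actions: Record<string, Action>; // per-rule override
  defaultAction: Action;           // used when a rule has no override
  allowlist: string[];             // path prefixes exempt from scanning
}

// A fixed prefix plus a fixed length/alphabet keeps false positives low; vague
// patterns such as "password=" are deliberately left out.
const SECRET_PATTERNS: SecretPattern[] = [
  { name: "aws-access-key-id", regex: /\bAKIA[0-9A-Z]{16}\b/g },
  { name: "github-token", regex: /\bgh[pousr]_[A-Za-z0-9]{36}\b/g },
  { name: "stripe-secret-key", regex: /\bsk_(?:live|test)_[0-9a-zA-Z]{24,}\b/g },
];

// Never echo a full secret into CI logs or check annotations.
function redact(s: string): string {
  return s.slice(0, 4) + "*".repeat(Math.max(0, s.length - 8)) + s.slice(-4);
}

function scanText(file: string, text: string, patterns: SecretPattern[] = SECRET_PATTERNS): Finding[] {
  const findings: Finding[] = [];
  text.split("\n").forEach((lineText, idx) => {
    for (const p of patterns) {
      p.regex.lastIndex = 0; // /g regexes keep state between calls; reset per line
      let m: RegExpExecArray | null;
      while ((m = p.regex.exec(lineText)) !== null) {
        findings.push({ rule: p.name, file, line: idx + 1, match: redact(m[0]) });
      }
    }
  });
  return findings;
}

interface Decision extends Finding { action: Action; }

function applyPolicy(findings: Finding[], policy: Policy): { decisions: Decision[]; conclusion: string } {
  const decisions: Decision[] = findings
    .filter((f) => !policy.allowlist.some((prefix) => f.file.startsWith(prefix)))
    .map((f) => ({ ...f, action: policy.actions[f.rule] ?? policy.defaultAction }));
  const blocked = decisions.some((d) => d.action === "block");
  // Mirrors a GitHub check conclusion: failure blocks the merge, neutral only annotates.
  const conclusion = blocked ? "failure" : decisions.length > 0 ? "neutral" : "success";
  return { decisions, conclusion };
}

// Constructed sample PR contents; the key values are fakes in the real formats.
const SAMPLE_FILES: Record<string, string> = {
  "src/config.ts": [
    'export const AWS_KEY = "AKIAIOSFODNN7EXAMPLE";',
    'const stripe = "sk_test_4eC39HqLyjWDarjtT1zdp7dc";',
  ].join("\n"),
  "test/fixtures/keys.txt": "ghp_" + "a".repeat(36),
};

// Hypothetical policy: AWS keys block, Stripe keys warn, fixtures are exempt.
const SAMPLE_POLICY: Policy = {
  actions: { "aws-access-key-id": "block", "stripe-secret-key": "warn" },
  defaultAction: "block",
  allowlist: ["test/fixtures/"],
};

function runSecretScan(files: Record<string, string> = SAMPLE_FILES, policy: Policy = SAMPLE_POLICY) {
  let findings: Finding[] = [];
  for (const file of Object.keys(files)) {
    findings = findings.concat(scanText(file, files[file]));
  }
  return applyPolicy(findings, policy);
}

const secretResult = runSecretScan();
for (const d of secretResult.decisions) {
  console.log(`${d.action}: ${d.rule} at ${d.file}:${d.line} (${d.match})`);
}
console.log("check conclusion:", secretResult.conclusion);
```

Run on the sample input, the AWS key yields a blocking decision, the Stripe test key only a warning, and the GitHub token in the fixtures directory is suppressed by the allowlist, so the overall conclusion is failure. The design point is that the allowlist is applied to findings, not to the scan itself, so an exempt path still shows up if the policy is later tightened, and that `redact` runs before anything leaves the scanner.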
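The Known Vulnerabilities Scanning feature relies on the OSV batch query API. The following is an added illustration, not Guardrails' own code, of how a scanner turns a dependency list into the request body OSV expects and maps the positional response back onto the dependencies. The endpoint and the request and response shapes follow the public OSV API (POST https://api.osv.dev/v1/querybatch); the dependency list, the response object and the advisory ids are constructed sample data, and the ignore list is a hypothetical policy knob.

```typescript
// Added illustration (not Guardrails' own code): building an OSV batch query
// from a dependency list and turning the response into findings. The endpoint
// and the request/response shape follow the public OSV API
// (POST https://api.osv.dev/v1/querybatch); the dependency list, the response
// object and the advisory ids below are constructed sample data.

type Ecosystem = "npm" | "PyPI" | "Go";

interface Dependency { name: string; version: string; ecosystem: Ecosystem; }

interface OsvQuery { package: { name: string; ecosystem: Ecosystem }; version: string; }
interface OsvBatchRequest { queries: OsvQuery[]; }
// querybatch returns only id + modified per vuln, and results[i] answers queries[i].
interface OsvBatchResponse { results: { vulns?: { id: string; modified: string }[] }[]; }

const OSV_QUERYBATCH_URL = "https://api.osv.dev/v1/querybatch";

// The JSON body a scanner POSTs to OSV_QUERYBATCH_URL.
function buildBatchRequest(deps: Dependency[]): OsvBatchRequest {
  return {
    queries: deps.map((d) => ({ package: { name: d.name, ecosystem: d.ecosystem }, version: d.version })),
  };
}

interface VulnReport { dep: Dependency; ids: string[]; }

// Map the positional response back onto the dependencies, dropping ids that the
// policy has explicitly accepted (hypothetical "ignore" list).
function vulnerableDeps(deps: Dependency[], resp: OsvBatchResponse, ignore: string[] = []): VulnReport[] {
  if (resp.results.length !== deps.length) {
    throw new Error(`OSV returned ${resp.results.length} results for ${deps.length} queries`);
  }
  const out: VulnReport[] = [];
  resp.results.forEach((r, i) => {
    const ids = (r.vulns || []).map((v) => v.id).filter((id) => ignore.indexOf(id) === -1);
    if (ids.length > 0) out.push({ dep: deps[i], ids });
  });
  return out;
}

// Constructed sample input: one dependency from each supported ecosystem.
const SAMPLE_DEPS: Dependency[] = [
  { name: "lodash", version: "4.17.20", ecosystem: "npm" },
  { name: "requests", version: "2.31.0", ecosystem: "PyPI" },
  { name: "golang.org/x/text", version: "0.3.7", ecosystem: "Go" },
];

// Constructed response in the querybatch shape; the ids are placeholders, not real advisories.
const SAMPLE_RESPONSE: OsvBatchResponse = {
  results: [
    { vulns: [{ id: "GHSA-PLACEHOLDER-0001", modified: "2026-01-01T00:00:00Z" }] },
    {},
    { vulns: [{ id: "GO-PLACEHOLDER-0002", modified: "2026-01-01T00:00:00Z" }] },
  ],
};

function runDependencyCheck(
  deps: Dependency[] = SAMPLE_DEPS,
  resp: OsvBatchResponse = SAMPLE_RESPONSE,
  ignore: string[] = [],
) {
  const reports = vulnerableDeps(deps, resp, ignore);
  return { reports, conclusion: reports.length > 0 ? "failure" : "success" };
}

const depResult = runDependencyCheck();
for (const r of depResult.reports) {
  console.log(`block: ${r.dep.ecosystem}/${r.dep.name}@${r.dep.version} -> ${r.ids.join(", ")}`);
}
console.log("check conclusion:", depResult.conclusion);
```

The length check in `vulnerableDeps` matters: OSV answers batch queries positionally, so a truncated or reordered response would otherwise attribute an advisory to the wrong package. In a real run the constructed `SAMPLE_RESPONSE` is replaced by the parsed JSON from the POST to `OSV_QUERYBATCH_URL`.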

Value Proposition & Architecture: Guardrails champions the "Shift-Left Security" approach within DevSecOps. It automates security-focused code reviews, empowering developers to catch and fix critical vulnerabilities early in the development lifecycle before they reach production.