Secrover is a free and open-source tool that generates clear, professional security audit reports — without paywalls or proprietary SaaS. Just useful insights you can trust and share.
Secrover
🔍 Features
- 🔒 Security Audits: Scans your dependencies, code, and domains to find vulnerabilities.
- 🧠 Human-readable Reports: Clear, actionable reports — even for non-technical audiences.
- ⚡ Easy Setup & Automation: Configure with a simple YAML file, schedule recurring scans via built-in cron, or run automatically using GitHub Actions.
- 📤 Remote Export: Upload reports to SFTP, WebDAV, SMB, S3, or Google Drive.
- 💻 Cross-platform: Works on Linux, macOS, and Windows.
- 🌟 Actively Maintained: Continuously improved with new features and workflow enhancements.
Audits
| Category | Checks | Supported languages |
|---|---|---|
| Dependencies | Vulnerability check | All languages supported by osv-scanner |
| Code | Static check | All languages supported by opengrep |
| Domains | SSL certificate, HTTP→HTTPS Redirect, HSTS header, TLS versions, Open Ports, Security Headers, Hosting Location | - |
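The Domains row above lists what Secrover checks, and a reader of the report will want to know what counts as a pass. The following POSIX shell script is an added example, not Secrover's own code: it applies three of those checks (HTTP→HTTPS redirect, HSTS header, security headers) to captured response headers such as the output of `curl -sI`. The one-year `max-age` threshold is an assumption (it is the HSTS preload requirement), the header baseline is my choice rather than Secrover's list, and the sample responses are constructed.

```shell
#!/bin/sh
# Added example, not Secrover's own code: apply three of the checks listed in the
# Domains audit (HTTP->HTTPS redirect, HSTS, security headers) to captured HTTP
# response headers, e.g. the output of `curl -sI http://example.com`.
# The responses below are constructed for illustration.

# Print the value of header $2 from response block $1 (case-insensitive), or nothing.
header_value() {
  name=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  printf '%s\n' "$1" | tr -d '\r' | awk -F':' -v name="$name" '
    tolower($1) == name { sub(/^[^:]*:[ \t]*/, ""); print; exit }'
}

# Pass if a plain-HTTP response redirects permanently to an https:// URL.
check_redirect() {
  status=$(printf '%s\n' "$1" | head -n 1 | tr -d '\r' | awk '{print $2}')
  location=$(header_value "$1" Location)
  case "$status" in 301|308) ;; *) return 1 ;; esac
  case "$location" in https://*) return 0 ;; *) return 1 ;; esac
}

# Pass if Strict-Transport-Security is present with a max-age of at least one
# year (31536000 s), the threshold the HSTS preload list requires (assumed here).
check_hsts() {
  hsts=$(header_value "$1" Strict-Transport-Security | tr 'A-Z' 'a-z')
  [ -n "$hsts" ] || return 1
  max_age=$(printf '%s' "$hsts" | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p')
  [ -n "$max_age" ] && [ "$max_age" -ge 31536000 ]
}

# Print, one per line, the baseline security headers that are missing.
missing_security_headers() {
  for h in Content-Security-Policy X-Content-Type-Options X-Frame-Options Referrer-Policy; do
    [ -n "$(header_value "$1" "$h")" ] || printf '%s\n' "$h"
  done
}

# Constructed sample responses (not captured from any real host).
HTTP_RESPONSE='HTTP/1.1 301 Moved Permanently
Location: https://example.com/
Content-Length: 0'

HTTPS_GOOD='HTTP/1.1 200 OK
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
Content-Security-Policy: default-src https:
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Referrer-Policy: no-referrer'

HTTPS_WEAK='HTTP/1.1 200 OK
Strict-Transport-Security: max-age=300
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Referrer-Policy: strict-origin-when-cross-origin'

# One-line verdict per check, in the style of a report row.
verdict() { if "$@"; then echo "PASS $1"; else echo "FAIL $1"; fi; }
verdict check_redirect "$HTTP_RESPONSE"
verdict check_hsts "$HTTPS_GOOD"
verdict check_hsts "$HTTPS_WEAK"
missing_security_headers "$HTTPS_WEAK" | sed 's/^/MISSING /'
```

To run it against a live host, replace the constructed blocks with `$(curl -sI http://your-domain)` and `$(curl -sI https://your-domain)`; the functions only look at the status line and header names, so body content is irrelevant.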
Screenshots
Screenshots of the three report views (Dependencies Audit, Code Audit, Domains Audit) are not included in this text version.
Demo
You can see Secrover in action right now:
- 📊 Live generated report: demo.secrover.org
- 📂 Example GitHub repository: secrover-demo
How the demo works
The demo repository uses GitHub Actions to automatically:
- Pull the latest version of Secrover (via Docker).
- Run security scans on Secrover repositories and domains.
- Generate an HTML security report.
- Deploy the report to GitHub Pages, making it publicly accessible.
This setup is ideal for publicly sharing reports, for example on GitHub Pages or a public website.
➡️ You can copy the workflow from the demo repository’s .github/workflows/secrover.yml to get started quickly.
Flexible Deployment Options
Secrover is not limited to GitHub Actions — you can also export reports to any remote destination (SFTP, WebDAV, SMB, S3, Google Drive, etc.) using rclone, making them automatically available on internal servers, intranet sites, cloud storage, or backup locations.
This flexibility ensures that whether you want public reporting or private/internal hosting, Secrover can fit your workflow.
Getting Started
Secrover is designed to be simple: configure what you want to scan, then run it with Docker. Within minutes, you’ll have a professional HTML security report you can share.
Create a new folder/repo with a config.yaml file inside where you will list your repositories and domains to scan.
Example:

```yaml
project:
  name: My project
domains:
  - my-domain.com
  - subdomain.my-domain.com
repos:
  - url: https://github.com/your-org/your-repo
    description: "Short description of the project"
    branch: "main"
  - url: https://github.com/your-org/another-repo
    description: "Another awesome project"
```
Accessing Private Repositories
Secrover supports cloning private repositories in two ways:
- HTTPS: Using a GitHub Personal Access Token (PAT).
- SSH: By forwarding your SSH keys to the Docker container.
HTTPS

- Create a GitHub Personal Access Token:
  - Go to your GitHub account settings (Developer settings, Personal access tokens).
  - Click "Generate new token" (fine-grained).
  - Give it a name like "Secrover" and set an expiration; fine-grained tokens cannot be issued without one.
  - Choose "Only select repositories" and select the private repos Secrover needs to clone.
  - Under Repository permissions, grant Contents: Read-only. Nothing else is needed; a read-only token limits the damage if the `.env` file ever leaks.
  - Generate and copy the token.
- Create a `.env` file

In the same directory as your `config.yaml`, create a `.env` file:

```env
GITHUB_TOKEN=yourgeneratedtokenhere
```

⚠️ Do not share this file or commit it to version control. Add `.env` to your `.gitignore` file to prevent accidental leaks, and restrict its permissions (`chmod 600 .env`) so other local users cannot read the token.
SSH

To allow Secrover to access private repositories via SSH, forward your local SSH agent to the container. This avoids permission issues and keeps your private keys off the container filesystem entirely: the container can ask the agent to sign, but never reads the key material. First, make sure your SSH agent is running and your key is added:

```bash
eval "$(ssh-agent -s)"
ssh-add ~/.ssh/id_rsa
ssh-add ~/.ssh/id_ed25519   # add any other keys as needed
ssh-add -l                  # confirm the keys are loaded
```

Then run Secrover with the agent socket forwarded:

```bash
docker run -it --rm \
  --env-file .env \
  -v "$(pwd)/config.yaml:/config.yaml" \
  -v "$(pwd)/output:/output" \
  -v "$SSH_AUTH_SOCK:/ssh-agent" \
  -e SSH_AUTH_SOCK=/ssh-agent \
  secrover/secrover
```

On Docker Desktop for macOS the host's `$SSH_AUTH_SOCK` is not reachable from containers; mount the fixed path `/run/host-services/ssh-auth.sock` instead. Keep in mind that anything running inside the container can use the forwarded agent for as long as the scan runs, so load only the keys Secrover needs.
Install & run with Docker
You can run Secrover easily using Docker without installing any local dependencies.
One-Time Scan (on-demand)
From the folder where your `config.yaml` (and optionally `.env`) lives, run:

```bash
docker run -it --rm \
  --env-file .env \
  -v "$(pwd)/config.yaml:/config.yaml" \
  -v "$(pwd)/output:/output" \
  secrover/secrover
```

💡 If you are only scanning public repositories or do not need to change the default settings, the `--env-file .env` flag is optional.

What happens:
- Secrover reads the list of repositories and domains from your `config.yaml`
- It clones the repositories and scans them, then scans your domains
- It generates a full HTML security report into the `output/` folder
Automated Scans (Cron Mode)
Secrover also supports automatic recurring scans using an internal cron scheduler (via Supercronic).
You can schedule scans to run periodically inside the container, which is ideal for servers, NAS setups, and similar always-on hosts.
Example: Run every day at midnight

```bash
docker run -it --rm \
  -v "$(pwd)/config.yaml:/config.yaml" \
  -v "$(pwd)/output:/output" \
  -e CRON_SCHEDULE="0 0 * * *" \
  secrover/secrover
```

What happens:
- Secrover starts Supercronic in the background
- It executes a new scan on the chosen schedule
- By default, results are written to `/output` and logs to `/output/secrover.log`

Because the scheduler lives inside the container, the container has to keep running between scans. On an unattended host, start it detached (`-d` instead of `-it`) and, if you want it to survive reboots, drop `--rm` in favour of `--restart unless-stopped` (Docker does not accept both flags together).
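The SSH and Docker commands above are typed by hand each time. The following POSIX shell wrapper is an added example, not part of Secrover, that puts those same commands behind the pre-flight checks a practitioner would want: it refuses a `.env` that other local users can read or that git tracks, resolves the agent socket (including the fixed path Docker Desktop uses on macOS), validates the five-field cron expression, and assembles the `docker run` arguments for a one-off or scheduled scan. The image name `secrover/secrover` and the file layout follow this README; running cron mode detached with `--restart unless-stopped` instead of `-it --rm`, and the `SECROVER_IMAGE` and `FORWARD_SSH` variable names, are my choices.

```shell
#!/bin/sh
# Added example, not part of Secrover: a wrapper around the `docker run` commands
# in this README. It refuses a .env that is group/world-readable or tracked by
# git, resolves the SSH agent socket for forwarding, validates the cron
# expression, and assembles the arguments for a one-off or scheduled scan.
# Assumptions (not from the README): image secrover/secrover, config.yaml, .env
# and output/ in the current directory, and detached (-d) mode for cron runs.
set -u

IMAGE="${SECROVER_IMAGE:-secrover/secrover}"

# Return 1 if .env is readable by other local users or is tracked by git;
# a missing .env is fine (public repositories need no token).
check_env_file() {
  f="$1"
  [ -f "$f" ] || return 0
  perms=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")   # GNU stat, then BSD stat
  case "$perms" in
    600|400) ;;
    *) echo "refusing: $f has mode $perms, expected 600 (chmod 600 $f)" >&2; return 1 ;;
  esac
  if git -C "$(dirname "$f")" ls-files --error-unmatch "$(basename "$f")" >/dev/null 2>&1; then
    echo "refusing: $f is tracked by git; add it to .gitignore and rotate the token" >&2
    return 1
  fi
}

# Accept the five-field cron form used in this README (e.g. "0 0 * * *").
valid_cron() {
  printf '%s\n' "$1" | grep -Eq '^([0-9*,/-]+[[:space:]]+){4}[0-9*,/-]+$'
}

# Host path of the SSH agent socket. Docker Desktop on macOS does not expose
# $SSH_AUTH_SOCK to containers and provides a fixed socket path instead.
agent_socket() {
  case "$(uname -s)" in
    Darwin) echo /run/host-services/ssh-auth.sock ;;
    *)      echo "${SSH_AUTH_SOCK:-}" ;;
  esac
}

# Print the `docker run` arguments, one per line.  $1 = once|cron, $2 = cron
# expression (cron mode only); set FORWARD_SSH=1 to forward the SSH agent.
secrover_args() {
  mode="$1"; schedule="${2:-}"
  if [ "$mode" = cron ]; then
    printf -- '%s\n' -d --restart unless-stopped -e "CRON_SCHEDULE=$schedule"
  else
    printf -- '%s\n' -it --rm
  fi
  if [ -f .env ]; then printf -- '%s\n' --env-file .env; fi
  printf -- '%s\n' -v "$PWD/config.yaml:/config.yaml" -v "$PWD/output:/output"
  if [ "${FORWARD_SSH:-0}" = 1 ]; then
    sock=$(agent_socket)
    if [ ! -S "$sock" ]; then
      echo "no SSH agent socket at '$sock'; run: eval \"\$(ssh-agent -s)\" && ssh-add" >&2
      return 1
    fi
    printf -- '%s\n' -v "$sock:/ssh-agent" -e SSH_AUTH_SOCK=/ssh-agent
  fi
  printf -- '%s\n' "$IMAGE"
}

# Usage: sh run-secrover.sh once             (one-off scan)
#        sh run-secrover.sh cron "0 0 * * *" (daily at midnight, detached)
run_secrover() {
  mode="${1:-once}"; schedule="${2:-}"
  [ -f config.yaml ] || { echo "config.yaml not found in $PWD" >&2; return 1; }
  check_env_file .env || return 1
  if [ "$mode" = cron ] && ! valid_cron "$schedule"; then
    echo "invalid cron expression: '$schedule'" >&2; return 1
  fi
  mkdir -p output
  args=$(secrover_args "$mode" "$schedule") || return 1
  old_ifs=$IFS; IFS='
'
  set -f                  # no globbing: the cron expression contains '*'
  set -- $args            # split on newlines only, so paths with spaces survive
  set +f; IFS=$old_ifs
  exec docker run "$@"
}

case "${1:-}" in once|cron) run_secrover "$@" ;; esac
```

Save it as `run-secrover.sh` next to `config.yaml` and call `sh run-secrover.sh once`, or `FORWARD_SSH=1 sh run-secrover.sh cron '0 0 * * *'` for a scheduled scan over SSH. The helper functions only print the argument list; `docker` is invoked solely by `run_secrover`, so the checks can be exercised on a machine without a Docker daemon.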
Exporting Reports (Optional)
Secrover can upload generated reports to remote destinations (SFTP, WebDAV, SMB, S3, etc.) via rclone.
For setup instructions and advanced options, see EXPORT.md.
Environment Variables Reference
| Variable | Required | Default | Description |
|---|---|---|---|
| `CONFIG_FILE` | ✅ | `/config.yaml` | Path to your YAML configuration inside the container. |
| `OUTPUT_DIR` | ✅ | `/output` | Directory where reports and logs are saved. |
| `REPOS_DIR` | ✅ | `repos/` | Directory where git repos are cloned. |
| `GITHUB_TOKEN` | ❌ | - | Used to clone private GitHub repositories over HTTPS. |
| `CRON_SCHEDULE` | ❌ | - | Optional cron expression to schedule recurring scans. |
| `EXPORT_ENABLED` | ❌ | `false` | Enable exporting reports to remote destinations using rclone. |
| `RCLONE_REMOTES` | ❌ | - | Comma-separated list of rclone remote names (from `rclone.conf`) to upload reports to. |
| `RCLONE_PATH` | ❌ | `/secrover-reports/` | Path on the remote(s) where reports should be uploaded. Supports timestamp expansion using `$(date +FORMAT)`. |
| `IP2LOCATION_DB_PATH` | ❌ | `data/IP2Location/` | Path to the IP2Location database file used for resolving country information from IP addresses. |
All variables can be defined in your `.env` file or passed directly using `-e` flags when running the container. For example:

```bash
-e CONFIG_FILE=/config.yaml -e OUTPUT_DIR=/output
```

is equivalent to having them set in your `.env` file.
Thanks and Acknowledgments
This project benefits from the fantastic work of several open-source projects:
A big thanks to all the maintainers and contributors behind these amazing projects, without whom this project wouldn't be possible!
License
Secrover is released under the GNU General Public License v3.0 (GPL-3.0).