Sweep every repo in a GitHub org for a specific vulnerability pattern found in a bug bounty report.
Find every repo still using a vulnerable version of a library after a zero-day disclosure.
Use AI triage to filter Semgrep findings down to likely true positives.
| salecharohit/semhound | captaingrock/krea2trainer | codenamekt/hexus | |
|---|---|---|---|
| Stars | 7 | 7 | 7 |
| Language | Python | Python | Python |
| Setup difficulty | moderate | hard | moderate |
| Complexity | 3/5 | 4/5 | 3/5 |
| Audience | ops devops | designer | developer |
Figures from each repo's GitHub metadata at analysis time.
Requires GitHub CLI, git, Semgrep, and OpenSSH installed, plus an SSH key registered with GitHub.
Semhound is a command line tool that runs Semgrep code scans across every repository in one or more GitHub organizations or user accounts at once. Semgrep is a static analysis tool, meaning it reads source code to spot patterns without running the program, and its rules are written in simple YAML files. Semhound automates what would otherwise be a manual, one repo at a time process, turning it into a single command that sweeps an entire org. The workflow has four steps. Discover uses the GitHub command line tool to list every repository under a target org or user. Clone shallow clones each repo in parallel over SSH, skipping large files to save bandwidth. Scan runs your Semgrep rules against every cloned repo. Report writes a combined CSV file for each target, with direct links back to GitHub for every match found, plus an optional SARIF report for tools that expect that format. An optional AI triage step sends each finding to a language model, choosing between Claude, OpenAI, Gemini, or AWS Bedrock, and gets back a confidence score from 0 to 100 along with a true positive or false positive verdict. You can supply a custom system prompt so the model's judgment fits your specific situation. The tool is meant for targeted, on demand scanning rather than continuous monitoring. A typical use is writing one precise rule, for example a SQL injection pattern flagged in a bug bounty report or a vulnerable library version named in a new security disclosure, then sweeping every repo you own to find every other place the same problem exists. Before running it you need the GitHub CLI, git, Semgrep, and OpenSSH installed and an SSH key registered with GitHub. It is written in Python, released under the MIT license, and installable through pip or pipx.
A command-line tool that runs Semgrep security scans across every repo in a GitHub org or account, with optional AI triage of findings.
Mainly Python. The stack also includes Python, Semgrep, GitHub CLI.
Use freely for any purpose, including commercial use, as long as you keep the copyright notice (MIT license).
Setup difficulty is rated moderate, with roughly 30min to a first successful run.
Mainly ops devops.
This repo across BitVibe Labs
Verify against the repo before relying on details.