Secrover is a free and open-source tool that generates clear, professional security audit reports โ without paywalls or proprietary SaaS. Just useful insights you can trust and share.
- ๐ Security Audits: Scans your dependencies, code, and domains to find vulnerabilities.
- ๐ง Human-readable Reports: Clear, actionable reports โ even for non-technical audiences.
- โก Easy Setup & Automation: Configure with a simple YAML file, schedule recurring scans via built-in cron, or run automatically using GitHub Actions.
- ๐ค Remote Export: Upload reports to SFTP, WebDAV, SMB, S3, or Google Drive.
- ๐ป Cross-platform: Works on Linux, macOS, and Windows.
- ๐ Actively Maintained: Continuously improved with new features and workflow enhancements.
| Category | Checks | Supported languages |
|---|---|---|
| Dependencies | Vulnerability check | All languages supported by osv-scanner |
| Code | Static check | All languages supported by opengrep |
| Domains | SSL certificate, HTTPโHTTPS Redirect, HSTS header, TLS versions, Open Ports, Security Headers, Hosting Location | - |
| Dependencies Audit | Code Audit | Domains Audit |
|---|---|---|
| |
|
|
You can see Secrover in action right now:
- ๐ Live generated report: demo.secrover.org
- ๐ Example GitHub repository: secrover-demo
The demo repository uses GitHub Actions to automatically:
- Pull the latest version of Secrover (via Docker).
- Run security scans on Secrover repositories and domains.
- Generate an HTML security report.
- Deploy the report to GitHub Pages, making it publicly accessible.
This setup is ideal for publicly sharing reports, for example on GitHub Pages or a public website.
โก๏ธ You can copy the workflow from the demo repositoryโs .github/workflows/secrover.yml to get started quickly.
Secrover is not limited to GitHub Actions โ you can also export reports to any remote destination (SFTP, WebDAV, SMB, S3, Google Drive, etc.) using rclone, making them automatically available on internal servers, intranet sites, cloud storage, or backup locations.
This flexibility ensures that whether you want public reporting or private/internal hosting, Secrover can fit your workflow.
Secrover is designed to be simple: configure what you want to scan, then run it with Docker. Within minutes, youโll have a professional HTML security report you can share.
Create a new folder/repo with a config.yaml file inside where you will list your repositories and domains to scan.
project:
name: My project
domains:
- my-domain.com
- subdomain.my-domain.com
repos:
- url: https://github.com/your-org/your-repo
description: "Short description of the project"
branch: "main"
- url: https://github.com/your-org/another-repo
description: "Another awesome project"Secrover supports cloning private repositories via HTTPS using a GitHub Personal Access Token (PAT).
We currently support HTTPS only (SSH is not yet supported).
- Go to your GitHub account
- Click "Generate new token" (fine-grained)
- Give it a name like
Secrover - Choose "Only select repositories" and select the private repos Secrover needs to clone
- Under Repository permissions, grant:
- Contents: Read-only
- Under Repository permissions, grant:
- Generate and copy the token
In the same directory as your config.yaml, create a .env file:
GITHUB_TOKEN=yourgeneratedtokenhere
โ ๏ธ Do not share this file or commit it to version control. Add.envto your.gitignorefile to prevent accidental leaks.
You can run Secrover easily using Docker without installing any local dependencies.
From the folder where your config.yaml (and optionally .env) lives, run:
docker run -it --rm \
--env-file .env \
-v "$(PWD)/config.yaml:/config.yaml" \
-v "$(PWD)/output:/output" \
secrover/secrover๐ก If youโre only scanning public repositories or do not need to change default settings, the
--env-file .envflag is optional.
What happens:
- Secrover read the list of repositories and domains from your
config.yaml - It clones repositories, scan them, as well as your domains
- It generates a full HTML security report into the
output/folder
Secrover also supports automatic recurring scans using an internal cron scheduler (via Supercronic).
You can schedule scans to run periodically inside the container โ ideal for servers, NAS setups, ...
docker run -it --rm \
-v "$(PWD)/config.yaml:/config.yaml" \
-v "$(PWD)/output:/output" \
-e CRON_SCHEDULE="0 0 * * *" \
secrover/secroverWhat happens:
- Secrover starts Supercronic in the background
- It executes a new scan based on the chosen schedule
- By default, results are written to
/outputand logs to/output/secrover.log
Secrover can upload generated reports to remote destinations (SFTP, WebDAV, SMB, S3, etc.) via rclone.
For setup instructions and advanced options, see EXPORT.md.
| Variable | Required | Default | Description |
|---|---|---|---|
CONFIG_FILE |
โ | /config.yaml |
Path to your YAML configuration inside the container. |
OUTPUT_DIR |
โ | /output |
Directory where reports and logs are saved. |
REPOS_DIR |
โ | repos/ |
Directory where git repos are cloned. |
GITHUB_TOKEN |
โ | - |
Used to clone private GitHub repositories over HTTPS. |
CRON_SCHEDULE |
โ | - |
Optional cron expression to schedule recurring scans |
EXPORT_ENABLED |
โ | false |
Enable exporting reports to remote destinations using rclone. |
RCLONE_REMOTES |
โ | - |
Comma-separated list of rclone remote names (from rclone.conf) to upload reports to. |
RCLONE_PATH |
โ | /secrover-reports/ |
Path on the remote(s) where reports should be uploaded. Supports timestamp expansion using $(date +FORMAT) |
IP2LOCATION_DB_PATH |
โ | data/IP2Location/ |
Path to the IP2Location database file used for resolving country information from IP addresses. |
All variables can be defined in your .env file or passed directly using -e flags when running the container.
For example:
-e CONFIG_FILE=/config.yaml -e OUTPUT_DIR=/outputis equivalent to having them set in your .env file.
This project benefits from the fantastic work of several open-source projects:
A big thanks to all the maintainers and contributors behind these amazing projects, without whom this project wouldn't be possible!
Secrover is released under the GNU General Public License v3.0 (GPL-3.0).
๐ Read the full license here
