secmon

Personal security monitor that continuously audits security posture across all your projects.

Orchestrates existing tools (pip-audit, npm audit, gitleaks, semgrep) into a single scored report. Doesn't reinvent scanners -- coordinates them.

What it checks

| Check        | What it finds                                       | Tools used                                     |
| ------------ | --------------------------------------------------- | ---------------------------------------------- |
| Dependencies | Known CVEs in your packages                         | pip-audit, npm audit, cargo audit, govulncheck |
| Secrets      | Exposed API keys, tokens, tracked sensitive files   | gitleaks, git ls-files                         |
| Code         | Security anti-patterns (SQLi, XSS, shell injection) | semgrep                                        |
| Machine      | Open ports, disk encryption, firewall, SSH config   | lsof, fdesetup, socketfilterfw                 |
| Git hygiene  | Large/binary files in git, .gitignore gaps          | git ls-files                                   |

Install

# Install secmon
uv tool install git+https://github.com/esuen/secmon

# Install external tools (optional -- secmon skips checks for missing tools)
brew install gitleaks semgrep
uv tool install pip-audit

Usage

# Scan all repos in ~/Development
secmon scan

# Scan a specific project
secmon scan --path ./my-project

# Only show high/critical findings
secmon scan -s high

# Export JSON report
secmon scan -j report.json

# Desktop notification with results
secmon scan --notify

Example output

╭──────────────────────────────────╮
│ secmon — Security Posture Report │
╰──────────────────────────────────╯

  Tools: ✓ gitleaks  ✓ npm  ✓ pip-audit  ✓ semgrep

┏━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ Repository           ┃ Status ┃ Findings                      ┃
┡━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┩
│ my-app               │  FAIL  │ 2 high, 3 medium              │
│ dotfiles             │  PASS  │ clean                         │
│ website              │  WARN  │ 1 medium                      │
└──────────────────────┴────────┴───────────────────────────────┘

  Overall: FAIL (2 high, 4 medium across 3 repositories)

Automated weekly scans

# Install weekly scan (Monday 9am) with desktop notifications
secmon schedule install

# Auto-create GitHub Issues for new findings
secmon triage

# Preview what issues would be created
secmon triage --dry-run

# Check schedule status
secmon schedule status

Claude Code integration

secmon includes an MCP server that gives Claude Code agents two tools:

  • check_dependency -- query the OSV database before adding a package
  • audit_project -- run a full security scan on the current project

Add to ~/.claude/settings.json:

{
  "mcpServers": {
    "secmon": {
      "command": "secmon",
      "args": ["mcp"]
    }
  }
}

Configuration

Optional. Create ~/.config/secmon/config.toml:

scan_dirs = ["~/Development", "~/work"]
exclude = ["node_modules", ".venv", "vendor"]
severity_threshold = "medium"
max_depth = 3

Scoring

  • PASS -- no high or critical findings
  • WARN -- medium findings only
  • FAIL -- any high or critical finding
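
As an added illustration of these rules (example code written for this page, not secmon's own implementation), the snippet below applies the same PASS/WARN/FAIL logic per repository and overall, with the severity cut-off from `-s` / `severity_threshold` applied first, over a constructed sample that mirrors the example report above; the `Finding`/`RepoResult` types, `SEVERITY_RANK` ordering and function names are assumptions.

```python
from collections import Counter
from dataclasses import dataclass

# Severity ordering for the -s / severity_threshold filter (assumed ordering).
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

@dataclass
class Finding:        # hypothetical shape of one scanner result
    severity: str

@dataclass
class RepoResult:     # hypothetical per-repository scan result
    name: str
    findings: list

def status_from_counts(counts):
    """README rules: FAIL on any high/critical, WARN on medium only, else PASS."""
    if counts["high"] or counts["critical"]:
        return "FAIL"
    return "WARN" if counts["medium"] else "PASS"

def score_repo(findings, threshold="low"):
    """Drop findings below the threshold, then count and score what remains."""
    min_rank = SEVERITY_RANK[threshold]
    counts = Counter(f.severity for f in findings
                     if SEVERITY_RANK[f.severity] >= min_rank)
    return status_from_counts(counts), counts

def format_counts(counts):
    """'2 high, 3 medium' as in the report table, or 'clean' when nothing is left."""
    order = ("critical", "high", "medium", "low")
    return ", ".join(f"{counts[s]} {s}" for s in order if counts[s]) or "clean"

def summarize(repos, threshold="low"):
    """Score each repo, then roll the counts up into the 'Overall:' line."""
    total, statuses = Counter(), {}
    for repo in repos:
        status, counts = score_repo(repo.findings, threshold)
        statuses[repo.name] = status
        total.update(counts)
    overall = status_from_counts(total)
    return overall, statuses, (f"Overall: {overall} ({format_counts(total)} "
                               f"across {len(repos)} repositories)")

# Constructed sample mirroring the README's example output (not real scan data).
SAMPLE_REPOS = [
    RepoResult("my-app", [Finding("high")] * 2 + [Finding("medium")] * 3),
    RepoResult("dotfiles", []),
    RepoResult("website", [Finding("medium")]),
]
```

Running `summarize(SAMPLE_REPOS)` reproduces the `Overall: FAIL (2 high, 4 medium across 3 repositories)` line, and `summarize(SAMPLE_REPOS, "high")` shows how the threshold turns `website` into a PASS by hiding its medium finding.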

License

MIT
