Automatically detect vulnerabilities, hardcoded secrets, and code flaws before they reach production.
Click to expand
- [π Features](#-features) - [π§ How It Works](#-how-it-works) - [π οΈ Tech Stack](#οΈ-tech-stack) - [π Project Structure](#-project-structure) - [π Getting Started](#-getting-started) - [Prerequisites](#prerequisites) - [1. Fork & Clone](#1-fork--clone) - [2. Environment Variables](#2-environment-variables) - [3. GitHub App Setup](#3-github-app-setup) - [4. Database Setup](#4-database-setup) - [5. Run the App](#5-run-the-app) - [Docker Setup](#-docker-setup)SecureFlow integrates directly with GitHub via a GitHub App and webhooks. Every time a Pull Request is opened or updated, it extracts the code diff, runs it through Groq's LLM (Llama 3.1), and generates actionable security findings with AI-written explanations and remediation steps β all visible on a centralized dashboard.
Uses Groq's Llama 3.1 to detect hardcoded secrets, vulnerabilities, and misconfigurations in your code.
Automatically scans every opened or updated Pull Request as soon as it's created.
Generates precise explanations and concrete code fixes for each security finding.
View all your repositories, PRs, findings, and audit logs in one unified interface.
Posts detailed security reports directly on your PRs with collapsible remediation blocks.
Sets Pass/Review Required/Blocked status on PR commits for clear CI/CD integration.
Create, toggle, and manage security policies per user or organization.
Intelligently ignores non-executable files and mock placeholders to reduce noise.
Developer opens or updates a Pull Request
β
GitHub sends a webhook event to SecureFlow
β
Octokit extracts the code diff (added/modified lines only)
β
ArmorIQScanner sends the diff to Groq LLM with active policy context
β
LLM returns structured findings (type, severity, file, snippet)
β
For each finding β AI generates explanation + remediation steps
β
Findings saved to PostgreSQL via Prisma
β
Results posted as a GitHub PR comment + commit check status
β
Everything visible on the SecureFlow Dashboard
| Category | Examples |
|---|---|
| π Hardcoded Secrets | API keys, passwords, tokens committed in code |
| π€ Contextual Leaks | console.log(process.env), logging sensitive objects |
| βοΈ Misconfigurations | Wildcard CORS, disabled auth, insecure headers |
| π§± Code Vulnerabilities | SQL injection patterns, unsafe deserialization |
| βοΈ IaC Issues | Public S3 buckets, root container execution |
| Layer | Technology |
|---|---|
| Framework | Next.js 15 - App Router + Turbopack |
| Database | PostgreSQL + Prisma ORM |
| Authentication | NextAuth.js v5 with GitHub OAuth |
| AI / LLM | Groq SDK (llama-3.1-8b-instant) + Genkit |
| GitHub Integration | Octokit |
| UI | Tailwind CSS + Radix UI + Recharts |
secureflow/
βββ prisma/
β βββ migrations/ # Database migration history
β βββ schema.prisma # Database schema (User, Repo, PR, Finding, etc.)
β βββ seed.ts # Seeds default security policy templates
β
βββ src/
β βββ ai/
β β βββ flows/
β β βββ developer-receives-ai-security-explanations.ts # Genkit AI flow
β β
β βββ app/
β β βββ api/
β β β βββ auth/ # NextAuth route handler
β β β βββ webhooks/
β β β βββ github/
β β β βββ route.ts # Main webhook handler (PR scanning logic)
β β β
β β βββ dashboard/
β β β βββ audit/ # Audit log page
β β β βββ findings/ # Security findings page
β β β βββ policies/ # Policy management page
β β β βββ page.tsx # Main dashboard overview
β β β
β β βββ login/ # Login page
β β βββ setup/ # GitHub App installation setup page
β β
β βββ components/
β β βββ ui/ # Radix UI + shadcn components
β β βββ dashboard-nav.tsx # Sidebar navigation
β β
β βββ lib/
β βββ armor/
β β βββ scanner.ts # ArmorIQScanner β core LLM scanning engine
β β βββ iq.ts # ArmorIQ policy engine + evaluation logic
β βββ prisma.ts # Prisma client singleton
Make sure you have the following installed and ready:
- Node.js v20+
- PostgreSQL (local) or a free cloud DB (Neon / Supabase)
- A Groq API Key (free tier available)
- A GitHub Account to create a GitHub App
# Fork the repo on GitHub first, then:
git clone https://github.com/YOUR_USERNAME/secureflow.git
cd secureflow
npm installcp .env.example .env
β οΈ Important: Fill in your.envfile. See Environment Variables Reference for details on each value.
SecureFlow requires a GitHub App to receive webhook events and post PR comments.
- Go to GitHub β Settings β Developer Settings β GitHub Apps β New GitHub App
- Fill in the following:
- Homepage URL:
http://localhost:9002 - Webhook URL: Your public URL +
/api/webhooks/github(use ngrok for local dev:ngrok http 9002) - Webhook Secret: Any random string β copy it to
GITHUB_WEBHOOK_SECRETin.env
- Homepage URL:
- Set these Repository Permissions:
- Contents:
Read - Pull Requests:
Read & Write - Checks:
Read & Write
- Contents:
- Subscribe to these Webhook Events:
Pull requestInstallationInstallation repositories
- After creating the app:
- Copy the App ID β
GITHUB_APP_ID - Generate a Private Key β download the
.pemfile, copy its contents βGITHUB_PRIVATE_KEY - Create a Client ID & Secret under OAuth β
GITHUB_CLIENT_ID/GITHUB_CLIENT_SECRET
- Copy the App ID β
Option A β Local PostgreSQL:
-- In psql or pgAdmin:
CREATE DATABASE secureflow;Then set DATABASE_URL="postgresql://postgres:yourpassword@localhost:5432/secureflow" in .env
Option B β Free Cloud DB (easier):
- Sign up at neon.tech or supabase.com
- Create a new project and copy the connection string directly into
DATABASE_URL
Then run:
# Generate Prisma Client
npm run db:gen
# Apply migrations (creates all tables)
npm run db:migrate
# Seed default security policy templates
npm run db:seednpm run devOpen http://localhost:9002 in your browser.
- Sign in with GitHub
- Install the GitHub App on your repositories via the Setup page
- Open a Pull Request on any linked repo to trigger a scan
Optional β Genkit AI dev environment (for working on AI explanation flows):
npm run genkit:dev- Copy
.env.exampleto.envand fill in values (note:DATABASE_URLis auto-set by compose) docker compose up --build- App runs at http://localhost:9002
| Variable | Required | Description |
|---|---|---|
DATABASE_URL |
β | PostgreSQL connection string |
GROQ_API_KEY |
β | API key from console.groq.com |
GITHUB_APP_ID |
β | Numeric ID of your GitHub App |
GITHUB_WEBHOOK_SECRET |
β | Secret used to verify webhook payloads |
GITHUB_PRIVATE_KEY |
β | RSA private key from your GitHub App (.pem contents) |
GITHUB_APP_URL |
β | Public URL of your GitHub App (e.g. https://github.com/apps/your-app) |
GITHUB_CLIENT_ID |
β | OAuth Client ID for GitHub login |
GITHUB_CLIENT_SECRET |
β | OAuth Client Secret for GitHub login |
AUTH_SECRET |
β | Random secret for NextAuth session encryption β generate with openssl rand -base64 32 |
ARMORIQ_API_KEY |
β¬ | Optional β ArmorIQ SDK key for advanced policy features |
USER_ID |
β¬ | Optional β ArmorIQ user ID |
AGENT_ID |
β¬ | Optional β ArmorIQ agent ID |
| Script | Description |
|---|---|
npm run dev |
Start dev server on port 9002 with Turbopack |
npm run build |
Build for production |
npm run start |
Start production server |
npm run lint |
Run ESLint |
npm run typecheck |
Run TypeScript compiler checks |
npm run db:gen |
Generate Prisma Client |
npm run db:migrate |
Run Prisma migrations |
npm run db:push |
Push schema to DB without migrations |
npm run db:seed |
Seed default policy templates |
npm run genkit:dev |
Start Genkit AI development environment |
SecureFlow ships with pre-built policy templates that are seeded into the database. Users can toggle them on/off from the dashboard.
| Policy | Severity | Default |
|---|---|---|
| Enforce Parameterized Queries | HIGH | β On |
| Prevent PII Logging | CRITICAL | Off |
| Block Internal Network Requests (SSRF) | HIGH | Off |
| Enforce Strict CORS Policies | MEDIUM | Off |
| Prevent Unsafe Deserialization | CRITICAL | Off |
| Deprecate Weak Hashing Algorithms | HIGH | Off |
| Deny Public Cloud Storage | CRITICAL | Off |
| Prevent Root Execution in Containers | MEDIUM | Off |
| Enforce Smart Contract Reentrancy Guards | CRITICAL | Off |
The architecture follows a modern Next.js full-stack approach with real-time GitHub integration:
- Frontend: Next.js App Router with Tailwind CSS for the dashboard
- Backend: API routes handle authentication, webhooks, and business logic
- AI Layer: Groq SDK processes code diffs through Llama 3.1 model
- Database: PostgreSQL with Prisma ORM for data persistence
- GitHub Integration: Octokit manages webhooks, PR comments, and checks
Contributions are welcome! Please read CONTRIBUTING.md for guidelines on branching, commit messages, and the PR process.
# Create a branch following the naming convention
git checkout -b fix/your-issue-name # bug fix
git checkout -b feat/your-feature # new feature
git checkout -b docs/update-readme # documentationUse Conventional Commits for commit messages:
git commit -m "fix: description of what you fixed"
git commit -m "feat: description of new feature"
git commit -m "docs: description of documentation change"How does SecureFlow protect my secrets?
SecureFlow uses AI to detect hardcoded secrets and sensitive data in your code. It's designed to catch API keys, passwords, tokens, and other credentials that might accidentally be committed to your repository.
Can I customize the scanning rules?
Yes! You can create, toggle, and manage custom policies through the dashboard. This allows you to enforce organization-specific security rules.
Is my data sent to external services?
Your code diffs are sent to Groq's LLM service for analysis. We do not store your code or share it with third parties. The service is compliant with data protection standards.
How much does it cost to use SecureFlow?
SecureFlow is open-source and free to self-host. You'll need a Groq API key (free tier available) and your own PostgreSQL database.
Built with β€οΈ to make every Pull Request safer.
β Star us on GitHub β it helps!