- Sign in with GitHub. Identity is established via Supabase Auth’s GitHub provider.
- Connect a GitHub account or organization. A separate GitHub App grants the API read-only access to repo workflows.
- Continuous posture across every repo. One scan per repo, orchestrated client-side with bounded concurrency.
- History and trends. Every scan persists to Postgres with row-level security scoped to the signed-in user.
- Deep links back to GitHub. Each finding links to the exact `file:line` on the default branch.
Pages
| Route | What |
|---|---|
| /login | GitHub OAuth login via Supabase Auth. |
| /connect | Prompts you to install the GitHub App on accounts/orgs. |
| /connect/callback | Receives installation_id from GitHub and links it to the signed-in user. |
| /dashboard | Aggregate posture, donut by severity, trend chart, "scan all" button. |
| /repositories | All connected repos with per-repo severity counts. Search by name, filter findings by severity (counts narrow to the chosen level), and sort. |
| /repositories/:id | Per-repo finding list, an Attacker Mind card with this repo's toxic combinations, plus a card to override rule settings for this repo. An Export button (enabled once the repo has been scanned) downloads the latest results as JSON (findings + toxic combinations, matching the CLI's -o json) or CSV (findings only). |
| /attacker-mind | Cross-repo toxic combinations. Search by name, filter by criticality, and sort. |
| /landscape | Owner-only OSS Posture Survey: upload a survey JSON (from the survey CLI) and explore findings + Attacker Mind for open-source repos. Search by name, filter findings by severity and combinations by criticality, and sort. The file is parsed in your browser; nothing is uploaded. |
| /rules | Per-user rule settings: disable rules you don't care about globally or per repository. |
Data flow
No git clone happens server-side: the API pulls workflow YAML through the GitHub Git Trees/Blobs API and scans the bytes in memory, so each per-repo request fits comfortably in a serverless time budget.
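The clone-free data flow above, together with the bounded-concurrency "one scan per repo" orchestration and the file:line deep links from the feature list, as an added worked example. This is not the dashboard's own code: `api(route)` is an assumed injected fetcher that returns parsed JSON for a GitHub REST route (the route strings are the real Trees/Blobs API paths), the two rules are illustrative rather than the project's ruleset, and the three-repo fixture is constructed so the example runs offline.

```javascript
// Added example, not the dashboard's code: pull workflow YAML through the Git
// Trees/Blobs API, scan it in memory, and drive many repos with bounded
// concurrency. `api(route)` is an assumed injected fetcher returning parsed JSON
// for a GitHub REST route, so the example runs offline against constructed data.

const WORKFLOW_RE = /^\.github\/workflows\/[^\/]+\.ya?ml$/;
const SHA40_RE = /^[0-9a-f]{40}$/;

// Two illustrative line-based rules (not the project's ruleset).
const RULES = [
  { id: 'unpinned-action', severity: 'medium', // `uses: owner/repo@tag`, not a commit SHA
    test: (line) => { const m = line.match(/uses:\s*([\w.-]+\/[\w.\/-]+)@([^\s#]+)/);
                      return Boolean(m) && !SHA40_RE.test(m[2]); } },
  { id: 'expression-injection', severity: 'high', // event data interpolated into `run:`
    test: (line) => /run:.*\$\{\{\s*github\.event\./.test(line) },
];

// Deep link to the exact file:line on the default branch (GitHub blob URL form).
function deepLink(owner, repo, branch, path, line) {
  return `https://github.com/${owner}/${repo}/blob/${branch}/${path}#L${line}`;
}

// Scan one workflow's text in memory; line numbers are 1-based.
function scanWorkflow(owner, repo, branch, path, text) {
  const findings = [];
  text.split('\n').forEach((line, i) => {
    for (const rule of RULES) {
      if (rule.test(line)) findings.push({ rule: rule.id, severity: rule.severity, path,
        line: i + 1, url: deepLink(owner, repo, branch, path, i + 1) });
    }
  });
  return findings;
}

// Fetch and scan every workflow on the default branch; no git clone involved.
async function scanRepo(api, { owner, repo, branch }) {
  const tree = await api(`GET /repos/${owner}/${repo}/git/trees/${branch}?recursive=1`);
  // The Trees API caps huge recursive listings and sets `truncated`; never scan a partial view.
  if (tree.truncated) throw new Error(`${owner}/${repo}: tree listing truncated`);
  const findings = [];
  for (const e of tree.tree.filter((t) => t.type === 'blob' && WORKFLOW_RE.test(t.path))) {
    const blob = await api(`GET /repos/${owner}/${repo}/git/blobs/${e.sha}`);
    if (blob.encoding !== 'base64') throw new Error(`unexpected encoding ${blob.encoding}`);
    const text = Buffer.from(blob.content, 'base64').toString('utf8');
    findings.push(...scanWorkflow(owner, repo, branch, e.path, text));
  }
  return { owner, repo, findings };
}

// Bounded concurrency: `limit` workers pull repos from a shared queue, order preserved.
async function scanAll(repos, scanOne, limit) {
  const results = new Array(repos.length);
  let next = 0;
  const worker = async () => {
    while (next < repos.length) { const i = next++; results[i] = await scanOne(repos[i]); }
  };
  await Promise.all(Array.from({ length: Math.min(limit, repos.length) }, worker));
  return results;
}

// Constructed fixture: a fake GitHub API serving three repos, with latency so
// concurrency is observable. Counters record the peak number of in-flight calls.
const CI_YAML = ['name: CI', 'on: [pull_request_target]', 'jobs:', '  build:',
  '    runs-on: ubuntu-latest', '    steps:', '      - uses: actions/checkout@v4',
  '      - uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b',
  '      - run: echo "Title: ${{ github.event.pull_request.title }}"'].join('\n');
const b64 = (s) => Buffer.from(s, 'utf8').toString('base64');
const ROUTES = {
  'GET /repos/acme/web/git/trees/main?recursive=1': { tree: [
    { path: 'README.md', type: 'blob', sha: 'r1' },
    { path: '.github/workflows/ci.yml', type: 'blob', sha: 'b1' },
    { path: '.github/workflows/notes.txt', type: 'blob', sha: 'b2' }] },
  'GET /repos/acme/web/git/blobs/b1': { encoding: 'base64', content: b64(CI_YAML) },
  'GET /repos/acme/api/git/trees/main?recursive=1': { tree: [{ path: 'README.md', type: 'blob', sha: 'r2' }] },
  'GET /repos/acme/infra/git/trees/main?recursive=1': { tree: [
    { path: '.github/workflows/deploy.yaml', type: 'blob', sha: 'b3' }] },
  'GET /repos/acme/infra/git/blobs/b3': { encoding: 'base64', content: b64('on: push\njobs: {}\n') },
};
let inFlight = 0, maxInFlight = 0;
async function fakeApi(route) {
  if (!(route in ROUTES)) throw new Error(`404 ${route}`);
  inFlight += 1; maxInFlight = Math.max(maxInFlight, inFlight);
  await new Promise((r) => setTimeout(r, 5));
  inFlight -= 1;
  return ROUTES[route];
}

// Scan all three repos with at most two requests in flight; returns results per repo.
async function runExample() {
  const repos = [{ owner: 'acme', repo: 'web', branch: 'main' },
    { owner: 'acme', repo: 'api', branch: 'main' }, { owner: 'acme', repo: 'infra', branch: 'main' }];
  const results = await scanAll(repos, (r) => scanRepo(fakeApi, r), 2);
  return { results, maxInFlight };
}
```

Running `runExample()` yields two findings for acme/web (the tag-pinned checkout on line 7 and the `${{ github.event.* }}` interpolation on line 9, each carrying a blob URL with a `#L` anchor), none for the other two repos, and a peak of exactly two concurrent API calls. The `truncated` check matters in practice: a recursive tree listing that silently omits entries would otherwise report a clean scan for workflows it never saw.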
Read/write split around RLS
The React app reads from Postgres directly through supabase-js. Every table has row-level security scoped to `auth.uid() = user_id`, so users can only see their own data even though they query Postgres directly with their own JWT. This holds only as long as the browser holds nothing beyond the anon key and the user's JWT: Supabase's service-role key bypasses RLS and must never reach the client.