Vet repos before they touch your machine. Just add git.vet/ to any clone URL. No install. No signup.
Scan before code touches your machine
Every scan generates a shareable web report with code snippets, severity breakdown, and remediation guidance.
No CLI to install. No browser extension. No account. If your machine has git, it works.
Findings appear in your terminal via git's sideband protocol. No waiting for a web page to load.
LGPL-licensed static analysis. Same rule format as Semgrep, fully open source.
Files are scanned in-transit before git writes anything to your filesystem.
Scanned in memory, immediately discarded. Nothing persisted.
Private repo support is coming soon. Currently, git.vet only scans public repositories to protect people cloning random software.
Audit it yourself: github.com/baocin/gitscan
For the paranoid: self-host it. Same code, your infrastructure.
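How findings can reach the terminal over git's side-band channel, as mentioned above. This is an added example, not git.vet's own code: the framing follows git's pkt-line format, while the finding message layout and the sample findings are constructed assumptions.

```python
# Added example: git pkt-line / side-band framing. Not git.vet's own code.
PACK, PROGRESS, ERROR = 1, 2, 3   # side-band channels defined by git
MAX_PKT = 65520                   # side-band-64k limit, length header included
FLUSH = b"0000"                   # flush-pkt ends the stream

def sideband_pkt(band, data):
    """One pkt-line: 4 hex digits of total length, 1 band byte, payload."""
    total = 4 + 1 + len(data)
    if band not in (PACK, PROGRESS, ERROR) or total > MAX_PKT:
        raise ValueError("bad band or oversized packet")
    return b"%04x" % total + bytes([band]) + data

def report(findings):
    """Server side: one band-2 packet per finding (message format is assumed)."""
    return b"".join(sideband_pkt(PROGRESS, f"[{sev}] {path}: {msg}\n".encode())
                    for sev, path, msg in findings)

def demux(stream):
    """Client side: split the byte stream into (band, payload) up to the flush."""
    packets, pos = [], 0
    while True:
        head = stream[pos:pos + 4]
        if len(head) != 4 or any(c not in b"0123456789abcdefABCDEF" for c in head):
            raise ValueError("truncated or non-hex length header")
        length = int(head, 16)
        if length == 0:
            return packets
        if length < 5 or pos + length > len(stream):
            raise ValueError("length field does not match the data")
        packets.append((stream[pos + 4], stream[pos + 5:pos + length]))
        pos += length

def render(packets):
    """Terminal view: band-2 text gets git's 'remote: ' prefix; band 1 is pack data."""
    lines = []
    for band, payload in packets:
        if band == ERROR:
            raise RuntimeError("remote error: " + payload.decode("utf-8", "replace"))
        if band == PROGRESS:
            for line in payload.decode("utf-8", "replace").splitlines():
                # Server-controlled text: neutralise escape/control characters.
                lines.append("remote: " + "".join(c if c.isprintable() else "?" for c in line))
    return lines

# Constructed sample: two findings, a stand-in pack chunk, then the flush.
FINDINGS = [("HIGH", "package.json", "postinstall script present"),
            ("MEDIUM", ".envrc", "direnv file present")]
STREAM = report(FINDINGS) + sideband_pkt(PACK, b"PACK-bytes-placeholder") + FLUSH

if __name__ == "__main__":
    print("\n".join(render(demux(STREAM))))
```

Band 2 text is whatever the remote chooses to send, which is why the renderer replaces non-printable characters before the line reaches the terminal.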
| Trigger | When it executes |
|---|---|
| postinstall scripts | npm install (often automatic) |
| .envrc | Immediately if using direnv |
| Git hooks | On checkout |
| IDE indexing | The moment you open the folder |
| Shell completion | Tab in the directory |
By the time you think to scan, it's already running.
Every scan generates a shareable web report with detailed findings, code snippets, and remediation tips.