Scan any repo from your terminal
Run npx shieldrepo on any GitHub repo — no account, no install. The exit code tells you whether to trust the repo. Perfect for CI/CD gates and pre-install auditing.
Quick start
$ npx shieldrepo https://github.com/sindresorhus/slugify
The shieldrepo package is a thin wrapper around our hosted API — it streams scan progress to your terminal and returns a verdict. Want higher rate limits or private-repo scans? Generate an API key →
Usage
Short form (owner/repo)
$ npx shieldrepo expressjs/express
Machine-readable JSON for CI
$ npx shieldrepo vercel/next.js --json > report.json
With a Pro API key (higher rate limits + private repos)
$ npx shieldrepo my-org/my-private-repo --key $REPOSHIELD_API_KEY
Help
$ npx shieldrepo --help
Exit codes
0 (trust): Safe to install.
1 (caution): Review findings before install.
2 (danger): Do not install without review.
3 (error): Scan did not complete (network / auth / repo not found).
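A small POSIX shell gate that turns the exit codes above into a merge decision, added here as an example (it is not part of the shieldrepo package). The policy names `strict` and `lenient` and the `scan_and_gate` wrapper are this example's own; the one choice the table leaves open, whether an incomplete scan (code 3) fails closed or fails open, is made explicit by the policy.

```shell
#!/bin/sh
# Example gate for shieldrepo's documented exit codes:
#   0 trust, 1 caution, 2 danger, 3 error (anything else: unknown).
# Policies (names chosen for this example):
#   strict  - blocks caution, danger and error (fails closed on a broken scan)
#   lenient - blocks only danger; caution and error pass (fails open)
set -u

# shieldrepo_gate <exit_code> [policy]
# Prints the decision and returns 0 (allow) or 1 (block).
shieldrepo_gate() {
  code=$1
  policy=${2:-strict}
  case "$code" in
    0) verdict=trust ;;
    1) verdict=caution ;;
    2) verdict=danger ;;
    3) verdict=error ;;
    *) verdict=unknown ;;   # unexpected status: never treated as a pass
  esac
  case "$policy:$verdict" in
    *:trust)          echo "allow ($verdict)"; return 0 ;;
    lenient:caution)  echo "allow with warning ($verdict)"; return 0 ;;
    lenient:error)    echo "allow: scan incomplete, fail-open ($verdict)"; return 0 ;;
    *)                echo "block ($verdict)"; return 1 ;;
  esac
}

# scan_and_gate <owner/repo or URL> [policy]
# Runs the real CLI (writes report.json like the CI recipe) and applies the policy.
scan_and_gate() {
  npx shieldrepo "$1" --json > report.json
  shieldrepo_gate $? "${2:-strict}"
}
```

In a CI job, `scan_and_gate "$GITHUB_REPOSITORY" strict || exit 1` is the fail-closed form; switch the policy to `lenient` only if you are prepared to let an unscanned change merge.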
CI/CD integration
Block merges when a dependency lands a malicious version. Here's a GitHub Actions recipe:
name: repo-audit
on: [pull_request]
jobs:
  shieldrepo:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Scan this PR's full tree via RepoShield
        run: npx shieldrepo ${{ github.repository }} --json > report.json
        continue-on-error: true
      - name: Fail if danger verdict
        run: |
          verdict=$(jq -r .verdict report.json)
          if [ "$verdict" = "danger" ]; then
            echo "::error::RepoShield flagged this PR as DANGER. See report.json."
            exit 1
          fi
Rate limits
anon: 3 scans/day per IP
free (signed in): 10 scans/day
pro: unlimited + /v1/scan REST API + private repos
Need more? Upgrade to Pro.
What it checks
38 checks across 7 layers — repo surface signals, install scripts, dangerous code patterns, network indicators, dependencies (OSV + npm registry + typosquat DB), CI/CD hardening, and exposed secrets. See the full list.