I'm building Valkyrie, an open-source (AGPLv3) security scanner that acts as a gatekeeper for your pull requests. It scans code for secrets (API keys, tokens), vulnerable dependencies (SBOM), and risky IAM configs before they get merged. The key difference? It's built on crowd-sourced rules. The community can create and share detection patterns for any cloud provider (AWS, GCP, Azure), SaaS tool, or obscure framework. The value is in the collective rulebook.
Tech Stack: Strongly-typed Python, async, clean architecture, with native GitHub Actions/GitLab CI integrations. It's designed to be fast, flexible, and built for developers.
Why I'm building this: I was tired of expensive, generic, and slow scanners. I wanted something open, specialized, and that could leverage the knowledge of the community to protect everyone.
The core is open-source, and we'll offer a commercial license for enterprises that need it ($1/user/month).
It's still in active development, but the core scanner engine and plugin system are taking shape. I'd love for you to:
- Star the repo if you like the concept. - Contribute a rule for your favorite service. - Tell me what's wrong with the architecture or idea.
Looking forward to your brutal and honest feedback.