_____ _ ____________________ __
/ ___// | / / _/_ __/ ____/ / / /
\__ \/ |/ // / / / / / / /_/ /
___/ / /| // / / / / /___/ __ /
/____/_/ |_/___/ /_/ \____/_/ /_/
Evidence-based security auditing for AI coding assistants. Zero false positives.
Compatible with Claude Code · Gemini CLI · Codex CLI · OpenCode · Antigravity · Cursor
Traditional scanners flood you with hundreds of findings — half of them are YOUR_API_KEY_HERE in a comment. Snitch is different: every finding must be backed by real code evidence. No file read? No finding. Can't quote the exact line? No finding. Didn't check for a fix nearby? No finding.
Findings are tagged with CWE, OWASP Top 10:2025, and CVSS 4.0 references for direct GRC ingestion.
/plugin marketplace add JF10R/Snitch
/plugin install snitch@JF10R-Snitch
gemini extensions install https://github.com/JF10R/Snitch.gitgit clone https://github.com/JF10R/Snitch.git
cp -r Snitch/agents/skills/snitch ~/.codex/skills/snitchPer-project: use .agents/skills/snitch instead.
git clone https://github.com/JF10R/Snitch.git
cp -r Snitch/skills/snitch ~/.config/opencode/skills/snitchPer-project: .opencode/skills/snitch
git clone https://github.com/JF10R/Snitch.git
cp -r Snitch/skills/snitch ~/.gemini/antigravity/skills/snitchPer-project: .agent/skills/snitch
git clone https://github.com/JF10R/Snitch.git
cp -r Snitch/skills/snitch .cursor/skills/snitchUpdating / Uninstalling
| Platform | Update | Uninstall |
|---|---|---|
| Claude Code | /plugin marketplace update JF10R-Snitch |
/plugin uninstall snitch@JF10R-Snitch |
| Gemini CLI | gemini extensions update snitch |
gemini extensions uninstall snitch |
| Codex CLI | Re-clone and copy | rm -rf ~/.codex/skills/snitch |
| OpenCode | Re-clone and copy | rm -rf ~/.config/opencode/skills/snitch |
| Antigravity | Re-clone and copy | rm -rf ~/.gemini/antigravity/skills/snitch |
| Cursor | Re-clone and copy | rm -rf .cursor/skills/snitch |
/snitch
Select categories from the interactive menu, or run directly:
/snitch --categories=1,2,3,13
/snitch --diff
Quick Scan detects your stack automatically (package.json, imports, config files) and only audits relevant categories.
--diff scans only staged/unstaged changes — ideal as a pre-commit check.
- Fix one by one — walk through each finding individually
- Fix all — auto-patch everything at once
- Run another scan — check additional categories
- Done — exit
40 audit categories organized by domain:
| # | Category | Description |
|---|---|---|
| 01 | SQL Injection | Parameterized queries, ORM misuse |
| 02 | XSS | Output encoding, DOM injection |
| 03 | Hardcoded Secrets | API keys, passwords, tokens in source |
| 04 | Authentication | Login flows, password handling, MFA |
| 05 | SSRF | Server-side request forgery |
| 07 | Rate Limiting | Brute-force protection, throttling |
| 08 | CORS | Cross-origin misconfiguration |
| 09 | Cryptography | Weak algorithms, key management |
| 10 | Dangerous Patterns | eval(), dynamic code execution |
| 28 | Authorization | Broken access control, IDOR |
| 29 | File Uploads | Validation, path traversal |
| 30 | Input Validation | ReDoS, injection vectors |
| 32 | Security Headers | CSP, HSTS, X-Frame-Options |
| 39 | Token Lifetimes | Session expiry, logout effectiveness |
| # | Category | Description |
|---|---|---|
| 06 | Supabase | Row-level security, exposed service keys |
| 13 | Stripe | API keys, webhook verification |
| 14 | Auth Providers | Clerk, Auth0, NextAuth configuration |
| 15 | AI APIs | Claude, OpenAI, Gemini key exposure |
| 16 | SMTP credentials, spam abuse vectors | |
| 17 | Database | Connection strings, query security |
| 18 | Redis | Authentication, exposed instances |
| 19 | SMS | Twilio tokens, message injection |
| # | Category | Description |
|---|---|---|
| 11 | Cloud Providers | AWS, GCP, Azure, Vercel, Cloudflare |
| 12 | Data Leaks | Logs, error messages, debug output |
| 31 | CI/CD | Pipeline secrets, deployment security |
| 40 | Tunnels & DNS | ngrok, cloudflared, DNS configuration |
| # | Category | Description |
|---|---|---|
| 20 | HIPAA | Protected health information |
| 21 | SOC 2 | Audit trails, access controls |
| 22 | PCI-DSS | Payment card data handling |
| 23 | GDPR | Data deletion, consent, EU requirements |
| 34 | FIPS 140-3 | Cryptographic module compliance |
| 35 | Governance | ISO 27001, FedRAMP, CMMC |
| 38 | Data Classification | Sensitivity labeling, handling policies |
| # | Category | Description |
|---|---|---|
| 24 | Memory Leaks | Event listeners, uncleaned resources |
| 25 | N+1 Queries | ORM batching, query optimization |
| 26 | Performance | Blocking I/O, CPU-bound operations |
| 27 | Dependencies | Known CVEs, outdated packages |
| 33 | Unused Dependencies | Dead code, bundle bloat |
| 36 | BCDR | Backup, disaster recovery |
| 37 | Monitoring | Observability, alerting gaps |
Snitch is a skill file (SKILL.md) — no runtime, no build step, no dependencies. It guides AI assistants through structured security analysis with built-in anti-hallucination rules:
- Read the actual source files before reporting
- Verify each finding with exact file path and line number
- Check context — is there a fix nearby? Is this test code? Server or client?
- Prove it — no evidence, no finding
See CONTRIBUTING.md for guidelines.