Get a security scan on your repo in 60 seconds.
Your code never leaves GitHub. The scanner runs in your own GitHub Actions runner. You don't supply an LLM key — we resell tokens at a flat margin.
npx sekura@latest init
Node 18+ required. Works on macOS, Linux, Windows. Free tier covers public repos with 2M LLM tokens / month.
What happens after you run it
- t≈0s: You run npx sekura@latest init.
- t≈2s: We detect Claude Code, Cursor, VS Code, Windsurf — and register Sekura as an MCP server in each.
- t≈4s: Your browser opens to sign in via OAuth (single click; most devs are already signed in to GitHub).
- t≈15s: The OAuth token is stored in your OS keychain via keytar. Fallback when no keychain is available: AES-256-GCM-encrypted JSON in ~/.config/sekura/.
- t≈16s: Pick a repo from the list (the Sekura GitHub App only lists repos you can already see).
- t≈22s: .github/workflows/sekura.yml is committed to that repo, and SEKURA_TOKEN is set as a repo secret.
- t≈25s: The first scan is dispatched on your runner — you get the GitHub Actions URL.
- t≈27s: The CLI exits. You can close the terminal. We notify you (email + inline in your IDE) when the scan completes.
From then on, every push and every PR auto-scans.
- PR review comments inline on the lines we found issues on.
- SARIF uploaded to your repo's Security → Code Scanning tab.
- Pro tier: auto-fix PRs follow up the review with proposed code changes.
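For readers who want to see what the committed workflow has to grant before the SARIF upload and inline PR comments above can work, here is an illustrative workflow of the same shape. It is an added example, not the file the init step actually writes: the sekura scan subcommand and its --sarif flag are assumed for the example, while actions/checkout, actions/setup-node and github/codeql-action/upload-sarif are GitHub's real actions. The part worth checking in any such file is the permissions block: the job token is narrowed to exactly what the two outputs need.

```yaml
# .github/workflows/sekura.yml (illustrative example; not the file the installer commits)
name: Sekura scan

# Matches "every push and every PR auto-scans".
on:
  push:
  pull_request:

# Least-privilege job token: checkout needs contents: read, uploading SARIF to the
# Code Scanning tab needs security-events: write, and inline PR review comments need
# pull-requests: write. Nothing else is granted.
permissions:
  contents: read
  security-events: write
  pull-requests: write

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: 20   # Node 18+ is the stated minimum

      # The scan itself. The `scan` subcommand and `--sarif` flag are assumptions
      # for this example. SEKURA_TOKEN is the repo secret the init step sets; it is
      # passed only to this step, not exported to the whole job.
      - name: Run Sekura
        run: npx sekura@latest scan --sarif sekura.sarif
        env:
          SEKURA_TOKEN: ${{ secrets.SEKURA_TOKEN }}

      # GitHub's own SARIF upload action. `if: always()` means findings still reach
      # Security -> Code Scanning even when the scan step exits non-zero on a hit.
      - name: Upload SARIF
        if: always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: sekura.sarif
```

One caveat a practitioner should expect with this trigger: on pull requests opened from forks, GitHub hands the job a read-only GITHUB_TOKEN and withholds repository secrets, so SEKURA_TOKEN is empty and the PR comment and SARIF upload steps cannot write. Scans of fork PRs therefore need a different trigger or a separate policy; the push and same-repo PR cases behave as described above.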
See pricing →