Security Scanner for Repositories and AI Agents

Sniff out secrets, risky patterns, and agent threats before they bite.

Coyote is a dual-purpose security scanner that hunts secrets in code and audits AI agents for risk. Scan repositories, diff baselines, watch GitHub, and generate SARIF for CI. Analyze OpenClaw/Moltbot agents before you run them and ship runtime guardrails.

Python 3.9+ | Git history scanning | Entropy detection | SARIF output | Agent risk analysis
Live scan preview:
╭────────────────────── Scan Results (5 findings) ──────────────────────╮
│   Summary: 2 HIGH | 2 MEDIUM | 1 LOW | 50 files scanned               │
│   (3 findings suppressed via .coyote-ignore)                          │
│                                                                       │
│ ┏━━━━━━┳━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━┳━━━━━━━┓ │
│ ┃ Sev  ┃ ID       ┃ Rule               ┃ File               ┃ Line  ┃ │
│ ┡━━━━━━╇━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━╇━━━━━━━┩ │
│ │ HIGH │ 666daffe │ AWS Access Key     │ src/config.py      │ 42    │ │
│ │ HIGH │ 98b2c1a4 │ Private Key        │ keys/id_rsa        │ 1     │ │
│ │ MED  │ 33a911fc │ High Entropy       │ api/tokens.py      │ 5     │ │
│ │ MED  │ 54c1102b │ Debug Mode Enabled │ app/settings.py    │ 12    │ │
│ │ LOW  │ a9e2b9f1 │ Missing .gitignore │ .gitignore         │ 0     │ │
│ └──────┴──────────┴────────────────────┴────────────────────┴───────┘ │
╰───────────────────────────────────────────────────────────────────────╯

Detection Coverage

High-signal patterns and security smells.

Coyote ships with curated rules for secrets, sensitive files, and risky patterns, plus entropy-based detection for custom tokens. Here’s a snapshot of what it finds.

Secrets & credentials

  • AWS, GitHub, GitLab, Slack, Discord
  • OpenAI, Anthropic, Stripe, Twilio
  • JWTs, basic auth URLs, generic secrets

Sensitive files

  • .env, .pem, .key, .p12, .pfx
  • SSH keys, tfstate, service accounts
  • Database dumps and backups

Security smells

  • Debug flags, disabled TLS/SSL checks
  • Eval usage, dangerous HTML injection
  • Hardcoded internal IPs, `TODO: security` comments

Git-specific checks

  • Missing or incomplete `.gitignore`
  • Large binary files & risky assets
  • Secrets resurfacing in history

Secrets & credentials

Detect cloud keys, tokens, secrets, and sensitive files with high-fidelity patterns.

AI agent audits

Analyze OpenClaw/Moltbot agents, diff permissions, and generate runtime policies.

CI-ready output

Generate JSON, Markdown, or SARIF reports and fail builds on new findings.

Repository Scanning

Full-spectrum coverage for repo risk.

Coyote scans source, history, and configuration for secrets, risky patterns, and security smells. Store baselines, diff results, and monitor GitHub repos continuously.

Comprehensive detection

Find secrets, credentials, sensitive files, and security anti-patterns fast.

Entropy analysis

Spot high-randomness tokens and custom secrets with adjustable thresholds.
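As an added illustration of how the curated rules listed under Detection Coverage and the entropy pass described here fit together (example code written for this page, not Coyote's own implementation): a small scanner with a handful of hypothetical regex rules, a Shannon-entropy fallback for tokens the rules do not know, and an adjustable threshold. The rule regexes, the 4.0 bits/char threshold, the 20-character minimum token length and the sample file are all assumptions.

```python
import math
import re
from dataclasses import dataclass

# Hypothetical rule set modelled on the categories listed above. The regexes are
# illustrative and are not Coyote's own rule definitions.
RULES = [
    ("AWS Access Key", "HIGH", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("GitHub Token", "HIGH", re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b")),
    ("Private Key", "HIGH", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    ("Basic Auth URL", "MEDIUM", re.compile(r"\b[a-z][a-z0-9+.-]*://[^/\s:@]+:[^/\s:@]+@")),
    ("Debug Mode Enabled", "MEDIUM", re.compile(r"\bDEBUG\s*=\s*True\b")),
    ("TLS Verification Disabled", "MEDIUM", re.compile(r"\bverify\s*=\s*False\b")),
]

# Entropy pass: any run of at least MIN_TOKEN_LEN token-like characters whose
# Shannon entropy reaches ENTROPY_THRESHOLD bits/char is reported. Lowering the
# threshold catches more home-grown tokens at the cost of more false positives.
ENTROPY_THRESHOLD = 4.0
MIN_TOKEN_LEN = 20
TOKEN_RE = re.compile(r"[A-Za-z0-9+/_\-]{%d,}" % MIN_TOKEN_LEN)


@dataclass
class Finding:
    severity: str
    rule: str
    path: str
    line: int
    match: str


def shannon_entropy(s):
    """Shannon entropy of s in bits per character (0.0 for empty input)."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def scan_line(path, lineno, text, threshold=ENTROPY_THRESHOLD):
    findings = []
    for rule, sev, pattern in RULES:
        m = pattern.search(text)
        if m:
            findings.append(Finding(sev, rule, path, lineno, m.group(0)))
    # Only fall back to entropy when no curated rule fired, so a known key
    # format is not reported twice under two different rule names.
    if not findings:
        for tok in TOKEN_RE.findall(text):
            if shannon_entropy(tok) >= threshold:
                findings.append(Finding("MEDIUM", "High Entropy", path, lineno, tok))
    return findings


def scan_text(path, text, threshold=ENTROPY_THRESHOLD):
    out = []
    for lineno, line in enumerate(text.splitlines(), 1):
        out.extend(scan_line(path, lineno, line, threshold))
    return out


# Constructed sample file: line 1 uses the AWS documentation example key, line 3
# is a made-up random-looking token, line 4 is long but low-entropy and must not fire.
SAMPLE = """\
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
DEBUG = True
api_token = "q8Zx1Lp4Vw9Rk2Ty7Hn3Bs6Md0Jf5Gc"
greeting = "hello_world_hello_world_hello"
"""

if __name__ == "__main__":
    for f in scan_text("src/config.py", SAMPLE):
        print(f"{f.severity:<6} {f.rule:<20} {f.path}:{f.line}  {f.match[:8]}...")
```

With the default threshold the 31-character token on line 3 (entropy about 4.95 bits/char) is reported while the repetitive string on line 4 (about 2.8 bits/char) is not; dropping the threshold to 2.5 flags line 4 as well, which is the trade-off the adjustable threshold exists for.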

Git history scanning

Detect secrets in past commits even if they were later removed from the working tree. Deleting a secret from HEAD does not revoke it: anything that ever landed in history should be treated as exposed and rotated.

Finding suppression

Silence false positives with `.coyote-ignore` rules and IDs.

Scan diffing

Track NEW vs FIXED findings and fail CI only on regressions.
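The suppression and diffing features above rest on one idea: each finding needs an identifier that survives line moves, so that a baseline can be compared against a fresh scan and only genuinely new findings break the build. The following is an added example of that logic, written for this page and not taken from Coyote; the fingerprint scheme, the one-entry-per-line `.coyote-ignore` format (IDs or path globs, `#` comments) and the sample scan data are all assumptions.

```python
import fnmatch
import hashlib
import re


def finding_id(rule, path, match):
    """Stable 8-hex-char fingerprint. The line number is deliberately left out, so a
    secret that merely moves within a file keeps its ID instead of showing up as NEW."""
    digest = hashlib.sha256(f"{rule}\0{path}\0{match}".encode()).hexdigest()
    return digest[:8]


def load_ignore(text):
    """Hypothetical .coyote-ignore format for this example: one entry per line,
    either a finding ID or a path glob; '#' starts a comment."""
    ids, globs = set(), []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        if re.fullmatch(r"[0-9a-f]{8}", entry):
            ids.add(entry)
        else:
            globs.append(entry)
    return ids, globs


def is_suppressed(fid, path, ids, globs):
    return fid in ids or any(fnmatch.fnmatch(path, g) for g in globs)


def diff_scans(baseline, latest, ignore_text=""):
    """baseline/latest: lists of (rule, path, line, match). Returns NEW, FIXED,
    UNCHANGED and SUPPRESSED buckets of (id, rule, path, line)."""
    ids, globs = load_ignore(ignore_text)

    def keyed(findings):
        # Two identical secrets in one file collapse to one ID; that is intended.
        return {finding_id(rule, path, match): (rule, path, line)
                for rule, path, line, match in findings}

    before, after = keyed(baseline), keyed(latest)
    report = {"NEW": [], "FIXED": [], "UNCHANGED": [], "SUPPRESSED": []}
    for fid, (rule, path, line) in after.items():
        if is_suppressed(fid, path, ids, globs):
            report["SUPPRESSED"].append((fid, rule, path, line))
        elif fid in before:
            report["UNCHANGED"].append((fid, rule, path, line))
        else:
            report["NEW"].append((fid, rule, path, line))
    for fid, (rule, path, line) in before.items():
        if fid not in after:
            report["FIXED"].append((fid, rule, path, line))
    return report


def ci_exit_code(report, fail_on_new=True):
    """Non-zero only for regressions: pre-existing findings never break the build."""
    return 1 if fail_on_new and report["NEW"] else 0


# Constructed sample scans. Between baseline and latest the AWS key moved from
# line 42 to 57, the private key was removed, and a debug flag was introduced.
BASELINE_SCAN = [
    ("AWS Access Key", "src/config.py", 42, "AKIAIOSFODNN7EXAMPLE"),
    ("Private Key", "keys/id_rsa", 1, "-----BEGIN RSA PRIVATE KEY-----"),
    ("High Entropy", "tests/fixtures/token.txt", 3, "q8Zx1Lp4Vw9Rk2Ty7Hn3Bs6Md0Jf5Gc"),
]
LATEST_SCAN = [
    ("AWS Access Key", "src/config.py", 57, "AKIAIOSFODNN7EXAMPLE"),
    ("High Entropy", "tests/fixtures/token.txt", 3, "q8Zx1Lp4Vw9Rk2Ty7Hn3Bs6Md0Jf5Gc"),
    ("Debug Mode Enabled", "app/settings.py", 12, "DEBUG = True"),
]
IGNORE_FILE = "# fixtures hold deliberately fake tokens\ntests/fixtures/*\n"

if __name__ == "__main__":
    report = diff_scans(BASELINE_SCAN, LATEST_SCAN, IGNORE_FILE)
    for bucket, items in report.items():
        for fid, rule, path, line in items:
            print(f"{bucket:<10} {fid} {rule:<20} {path}:{line}")
    raise SystemExit(ci_exit_code(report))
```

Note what the fingerprint does and does not cover: because the matched text is part of the hash, a rotated key in the same file produces a new ID and is correctly reported as NEW, while a glob suppression silences a whole path and should be reserved for fixtures that are known to contain fake material.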

Watcher + webhooks

Monitor GitHub repos and push Slack/Discord alerts in real time.

How To Use

Scan locally, watch remote repos, or integrate CI.

Quick start

# Scan a repository
python3 -m coyote scan --repo /path/to/your/repo

# Save reports
python3 -m coyote scan --repo /path/to/your/repo --report

# Interactive TUI
python3 -m coyote scan --repo /path/to/your/repo --interactive

Watch a GitHub repo

# Monitor a repo for new commits
./coyote.sh scan --repo-url https://github.com/user/repo --interval 60

# Run once and exit
./coyote.sh scan --repo-url https://github.com/user/repo --once

Diff scans in CI

# Create a baseline
python3 -m coyote --repo . --save-baseline

# Fail only on new findings
python3 -m coyote --repo . --diff --fail-on-new

AI Agent Security (NEW)

Know what an agent can do before it runs.

Coyote analyzes agent configs, prompts, and tools to build a capability manifest, assess risk (LOW → CRITICAL), and generate machine-readable policies for runtime.

Agent intake analysis

Static analysis of configs, prompts, and tools with structured manifests.

Permission diffing

Track capability changes when agents update and highlight escalations.

Risk assessment

Automatic LOW–CRITICAL classification for faster reviews.

Runtime guardrails

Lightweight monitoring with first-use prompting and policy enforcement.

OpenClaw hardening

Detect CVE-2026-25253 risk, token exposure, and unsafe gateway settings.

Policy generation

Create strict, machine-readable policies for runtime enforcement.
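To make the intake-manifest, risk-band, permission-diff and policy ideas above concrete, here is an added example written for this page. It is not Coyote's code: the agent config schema (tools carrying `permissions` strings, an `allowed_hosts` egress list), the capability weights, the LOW/MEDIUM/HIGH/CRITICAL score bands and the two sample agent versions are all assumptions chosen for illustration.

```python
import json

# Hypothetical capability weights. The real scoring rules are not described on this page.
CAPABILITY_RISK = {
    "fs:read": 1, "fs:write": 3, "net:egress": 3, "browser:control": 3,
    "email:send": 3, "secrets:read": 4, "shell:exec": 5,
}
UNKNOWN_CAPABILITY_RISK = 2          # capabilities the table does not know still cost something
RISK_BANDS = [(0, "LOW"), (3, "MEDIUM"), (6, "HIGH"), (9, "CRITICAL")]


def build_manifest(config):
    """Flatten a (hypothetical) agent config into the capabilities it can exercise."""
    caps = set()
    for tool in config.get("tools", []):
        caps.update(tool.get("permissions", []))
    return {
        "name": config["name"],
        "version": str(config.get("version", "0")),
        "capabilities": sorted(caps),
        "egress_hosts": sorted(config.get("allowed_hosts", [])),
    }


def risk_level(manifest):
    caps = manifest["capabilities"]
    score = sum(CAPABILITY_RISK.get(c, UNKNOWN_CAPABILITY_RISK) for c in caps)
    # Unrestricted egress next to exec/write/secret access is an exfiltration path.
    if "net:egress" in caps and not manifest["egress_hosts"]:
        score += 3
    level = "LOW"
    for threshold, name in RISK_BANDS:
        if score >= threshold:
            level = name
    return score, level


def diff_manifests(old, new):
    """Capability changes between two registered versions, flagging escalations."""
    before, after = set(old["capabilities"]), set(new["capabilities"])
    added = sorted(after - before)
    egress_widened = bool(old["egress_hosts"]) and not new["egress_hosts"]
    return {
        "added": added,
        "removed": sorted(before - after),
        "egress_widened": egress_widened,
        "escalation": egress_widened or any(
            CAPABILITY_RISK.get(c, UNKNOWN_CAPABILITY_RISK) >= 3 for c in added),
    }


def generate_policy(manifest, strict=True):
    """Machine-readable runtime policy: allow only what intake saw, prompt on first
    use of anything weighted 3 or more, and deny egress by default when strict."""
    caps = manifest["capabilities"]
    return {
        "agent": manifest["name"],
        "allow": caps,
        "deny_unlisted": strict,
        "first_use_prompt": [c for c in caps if CAPABILITY_RISK.get(c, UNKNOWN_CAPABILITY_RISK) >= 3],
        "egress": {"allow_hosts": manifest["egress_hosts"],
                   "default": "deny" if strict else "prompt"},
    }


# Constructed sample: v2 gains a shell tool and silently drops its egress allow-list.
AGENT_V1 = {"name": "docs-helper", "version": 1,
            "tools": [{"name": "read_docs", "permissions": ["fs:read"]},
                      {"name": "fetch", "permissions": ["net:egress"]}],
            "allowed_hosts": ["api.example.com"]}
AGENT_V2 = {"name": "docs-helper", "version": 2,
            "tools": [{"name": "read_docs", "permissions": ["fs:read"]},
                      {"name": "fetch", "permissions": ["net:egress"]},
                      {"name": "run", "permissions": ["shell:exec"]}]}

if __name__ == "__main__":
    m1, m2 = build_manifest(AGENT_V1), build_manifest(AGENT_V2)
    print("v1:", risk_level(m1), "v2:", risk_level(m2))
    print("diff:", diff_manifests(m1, m2))
    print(json.dumps(generate_policy(m2, strict=True), indent=2))
```

The version bump above moves the agent from MEDIUM to CRITICAL for two independent reasons, new exec capability and the loss of the egress allow-list, and the diff reports both, which is the kind of escalation a reviewer should see before the updated agent is allowed to run.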

Agent analysis

# Analyze agent config
python3 -m coyote agent analyze ./my-agent.json

# Track permission changes
python3 -m coyote agent analyze ./my-agent.json --register
python3 -m coyote agent diff my-agent-id

# Generate policy
python3 -m coyote agent policy my-agent-id --strict --output policy.json

Reports & Integrations

Structured output for security teams and CI pipelines.

Multiple report formats

Generate JSON, Markdown, and SARIF outputs for audits or automation.

GitHub Code Scanning

Upload SARIF reports for security insights directly in GitHub.
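The following is an added example of what a CI-ready report looks like, written for this page rather than taken from Coyote: the same list of findings rendered as a Markdown table and as a SARIF 2.1.0 log in the shape GitHub Code Scanning accepts. The finding dictionaries are constructed to mirror the preview table at the top of the page; the rule-ID scheme and the `coyoteFindingId/v1` fingerprint key are assumptions.

```python
import json
import re

# Constructed findings mirroring the preview table at the top of the page.
SAMPLE_FINDINGS = [
    {"id": "666daffe", "severity": "HIGH", "rule": "AWS Access Key",
     "path": "src/config.py", "line": 42, "match": "AKIAIOSFODNN7EXAMPLE"},
    {"id": "54c1102b", "severity": "MEDIUM", "rule": "Debug Mode Enabled",
     "path": "app/settings.py", "line": 12, "match": "DEBUG = True"},
    {"id": "a9e2b9f1", "severity": "LOW", "rule": "Missing .gitignore",
     "path": ".gitignore", "line": 0, "match": ""},
]

SARIF_LEVEL = {"HIGH": "error", "MEDIUM": "warning", "LOW": "note"}


def redact(secret, keep=4):
    """Never copy a full secret into a report that gets uploaded or archived."""
    if len(secret) <= keep:
        return "*" * len(secret)
    return secret[:keep] + "*" * (len(secret) - keep)


def rule_id(rule):
    return re.sub(r"[^a-z0-9]+", "-", rule.lower()).strip("-")


def to_sarif(findings, tool_name="coyote", tool_version="0.0.0"):
    rules, rule_index, results = [], {}, []
    for f in findings:
        rid = rule_id(f["rule"])
        if rid not in rule_index:
            rule_index[rid] = len(rules)
            rules.append({
                "id": rid,
                "shortDescription": {"text": f["rule"]},
                "defaultConfiguration": {"level": SARIF_LEVEL[f["severity"]]},
            })
        text = f["rule"] + (f": {redact(f['match'])}" if f["match"] else "")
        results.append({
            "ruleId": rid,
            "ruleIndex": rule_index[rid],
            "level": SARIF_LEVEL[f["severity"]],
            "message": {"text": text},
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": f["path"], "uriBaseId": "%SRCROOT%"},
                # SARIF regions are 1-based; repo-level findings reported at line 0
                # (like the missing .gitignore above) are clamped to line 1.
                "region": {"startLine": max(1, int(f["line"]))},
            }}],
            # A stable fingerprint lets a consumer match the same finding across uploads.
            "partialFingerprints": {"coyoteFindingId/v1": f["id"]},
        })
    return {
        "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
        "version": "2.1.0",
        "runs": [{
            "tool": {"driver": {"name": tool_name, "version": tool_version, "rules": rules}},
            "results": results,
        }],
    }


def sarif_json(findings, **kw):
    return json.dumps(to_sarif(findings, **kw), indent=2)


def to_markdown(findings):
    rows = ["| Sev | ID | Rule | File | Line |", "|---|---|---|---|---|"]
    for f in findings:
        rows.append(f"| {f['severity']} | {f['id']} | {f['rule']} | {f['path']} | {f['line']} |")
    return "\n".join(rows)


if __name__ == "__main__":
    print(to_markdown(SAMPLE_FINDINGS))
    with open("coyote.sarif", "w") as fh:
        fh.write(sarif_json(SAMPLE_FINDINGS, tool_version="1.0.0"))
```

Two details matter for a secrets scanner in particular: the message text is redacted, because an uploaded SARIF file is itself an artifact that gets stored and shared, and line 0 is clamped, because SARIF regions start at 1. A file written this way can be uploaded from a GitHub Actions workflow with the `github/codeql-action/upload-sarif` action, passing the path via its `sarif_file` input.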

Slack & Discord alerts

Notify teams when findings appear or when diffs detect new issues.

Configurable policies

Define exclusions, thresholds, and formats via `config.yaml`.

Webhook notifications

# Slack alerts
python3 -m coyote --repo /path/to/repo \
  --diff --slack-webhook "https://hooks.slack.com/services/..."

# Discord alerts
python3 -m coyote --repo /path/to/repo \
  --discord-webhook "https://discord.com/api/webhooks/..."

Press Kit

Brand assets for press and partners.

Writing an article about what we're doing at Coyote? Here's our press kit and logos to make your life easier.

Install & Run

Setup in minutes.

Requirements

  • Python 3.9+
  • Git
  • Access to the repo you want to scan

Setup

git clone https://github.com/your-org/coyote-repo-scanner.git
cd coyote-repo-scanner

pip install -r requirements.txt
chmod +x coyote.sh