v0.2.6 · MIT licensed

Contact: contact@vorsken.dev

Stop merging vulnerable API code.

A GitHub Action that gates pull requests on OWASP API Security Top 10 findings — before bad code reaches main.

PR #42 — feature/add-user-endpoint
🚨 BLOCK vorsken Policy Gate

A hardcoded API key was detected in the changed files. Merge is blocked.

hardcoded-api-key · CRITICAL · API8:2023
Risk
An attacker with read access can use this credential to authenticate as your service and access protected resources.
Fix
api_key = os.environ["API_KEY"]

Automated security gates, zero configuration.

vorsken runs on every pull request. No manual review required.

01

PR opened

A pull request is opened or updated against any branch.

02

Semgrep scans

Changed files are scanned with OWASP API Security Top 10 rules.

03

Claude explains

Claude AI translates each finding into plain-English risk and fix.

04

Gate enforced

BLOCK fails the required check. FLAG warns. PASS approves silently.
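To make the four steps above concrete, here is a small, self-contained gate in Python. It is an added example, not vorsken's own code or its Semgrep rules: it detects the same hardcoded-API-key pattern shown in the sample finding (a string literal assigned to a credential-like name), emits a finding with the page's rule id and OWASP category, and maps findings to the BLOCK / FLAG / PASS verdicts. The credential-name heuristic and the severity-to-verdict mapping are assumptions made for this example; the sample "before" and "after" sources are constructed.

```python
"""Added example (not vorsken's code): a minimal PR policy gate.

Scans Python source for string literals assigned to credential-like
names, then turns findings into one of three verdicts: BLOCK, FLAG or PASS.
The name heuristic and severity mapping below are assumptions for this demo.
"""
import ast
import re

# Assumption: names containing these words are treated as credentials.
CREDENTIAL_NAME = re.compile(r"(api[_-]?key|secret|token|password)", re.I)

# Assumption: which severities produce which verdict.
BLOCK_SEVERITIES = {"CRITICAL", "HIGH"}
FLAG_SEVERITIES = {"MEDIUM", "LOW"}


def find_hardcoded_credentials(source, path="<changed file>"):
    """Return findings for string literals assigned to credential-like names."""
    findings = []
    tree = ast.parse(source, filename=path)
    for node in ast.walk(tree):
        # Plain assignment (x = "...") or annotated assignment (x: str = "...")
        if isinstance(node, ast.Assign):
            targets, value = node.targets, node.value
        elif isinstance(node, ast.AnnAssign):
            targets, value = [node.target], node.value
        else:
            continue
        if not (isinstance(value, ast.Constant) and isinstance(value.value, str)):
            continue  # not a string literal: os.environ[...] lookups pass here
        for target in targets:
            if isinstance(target, ast.Name) and CREDENTIAL_NAME.search(target.id):
                findings.append({
                    "rule": "hardcoded-api-key",
                    "severity": "CRITICAL",
                    "category": "API8:2023",
                    "path": path,
                    "line": node.lineno,
                    # Suggested fix mirrors the one on the page
                    "fix": f'{target.id} = os.environ["{target.id.upper()}"]',
                })
    return findings


def verdict(findings):
    """Map the set of severities to the gate verdict (assumed mapping)."""
    severities = {f["severity"] for f in findings}
    if severities & BLOCK_SEVERITIES:
        return "BLOCK"   # fails the required check
    if severities & FLAG_SEVERITIES:
        return "FLAG"    # warns only
    return "PASS"        # approves silently


def gate(changed_files):
    """Scan {path: source} for every changed file; return (verdict, findings)."""
    findings = []
    for path, source in changed_files.items():
        findings.extend(find_hardcoded_credentials(source, path))
    return verdict(findings), findings


# Constructed sample inputs: the 'before' and 'after' of the fix shown above.
VULNERABLE = 'import requests\n\napi_key = "sk-ant-EXAMPLE-NOT-A-REAL-KEY"\n'
FIXED = 'import os\nimport requests\n\napi_key = os.environ["API_KEY"]\n'


if __name__ == "__main__":
    for label, src in (("vulnerable", VULNERABLE), ("fixed", FIXED)):
        result, found = gate({"app/client.py": src})
        print(f"{label}: {result} {found}")
```

The `FIXED` source passes because the value is an `os.environ` subscript, not a string literal; a real rule set would also need to cover strings hidden in calls, default arguments and config files, which is the gap the shipped Semgrep rules are meant to close.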

More than a linter output.

Semgrep finds it. vorsken makes sure developers understand it.

Semgrep alone vs. vorsken
Finding location
OWASP category
Plain-English risk explanation
Concrete fix suggestion
PR comment (auto-posted)
Merge blocked on BLOCK verdict

Running in 5 minutes.

One workflow file. One secret. That's it.

1

Add your Anthropic API key

Settings → Secrets → Actions → New repository secret

# Repository secret
Name:  ANTHROPIC_API_KEY
Value: sk-ant-...

2

Create the workflow file

Add .github/workflows/policy-gate.yml to your repo:

name: Policy Gate

on:
  pull_request:
    types: [opened, synchronize, reopened]

jobs:
  gate:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write

    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - uses: zetide/vorsken@v0.2.6
        with:
          anthropic-api-key: ${{ secrets.ANTHROPIC_API_KEY }}

OWASP API Security Top 10 (2023).

Semgrep rules ship with vorsken. Zero rule configuration required.

API1 Broken Object Level Authorization
API2 Broken Authentication
API3 Broken Object Property Level Authorization
API4 Unrestricted Resource Consumption
API5 Broken Function Level Authorization
API6 Unrestricted Access to Sensitive Business Flows
API7 Server Side Request Forgery (SSRF)
API8 Security Misconfiguration
API9 Improper Inventory Management
API10 Unsafe Consumption of APIs

Add it to your repo now.

MIT licensed. Open source. Works with any Python API project out of the box.