Scan your entire GitHub or Azure DevOps organisation in minutes. Uncover data loss exposure, AI agent risks, compliance gaps, and permission holes — all in a single, shareable report.
Enter your work email to get the free tool — takes under 60 seconds to set up.
Your download should start automatically. If not, click below.
↓ Download Risk Assessment ToolGit repositories hold years of institutional knowledge, infrastructure-as-code, CI/CD pipelines, API contracts, and secrets. Yet most organisations treat GitHub like a commodity tool with no recovery plan.
A single force-push, a disgruntled insider, a ransomware event, or even accidental deletion can wipe out assets that took years to build — and can't be recovered from local clones.
Every check runs with a read-only token. Nothing is written to your organisation. Results are rated LOW / MEDIUM / HIGH / CRITICAL.
Quantifies exactly what you'd lose if your org vanished today — years of commit history, contributor knowledge, IaC, API contracts, and build definitions that can never be recovered from a local clone.
Detects every AI coding agent writing to your codebase — by config files, bot account patterns, commit velocity spikes, and AI co-author commit trailers. Identifies which agents are active and in how many repos.
Audits your entire permission surface: org admin counts, outside collaborators, 2FA enforcement, branch protection rules, required reviews, admin bypass settings, and writable deploy keys or service connections.
Maps your current configuration against 14 regulatory frameworks and produces a gap analysis table with specific control references and remediation guidance. Perfect for board-level reporting or audit prep.
Maps your full dependency ecosystem — counting every package manifest and CI/CD pipeline definition across all repos. Shows exactly how broad the blast radius is if any pipeline or dependency is compromised.
Tests your organisation against 7 real-world failure modes — from force-pushes to ransomware — and rates your current ability to recover. Shows exactly what's unrecoverable without an independent backup.
GitHub Copilot, Cursor, Claude, Devin, and a dozen other AI agents are committing code to production repos right now. Most organisations have no visibility into which agents are active, what they're changing, or what happens if those changes need to be rolled back.
Our scanner detects AI agent activity through three independent signals — config file presence, bot account commit history, and co-author commit trailers — and identifies exactly which agents are operating in which repos.
AI Agents We Detect
What We Look For
The report maps your current GitHub configuration against every major regulatory framework that touches source code integrity and availability — with specific control references and the exact gap your organisation has today.
Every excess admin, ungoverned outside collaborator, missing 2FA requirement, or unprotected branch is a vector for insider threat, account takeover, or accidental data loss.
More than 2 org owners is rated MEDIUM; more than 5 is HIGH; more than 10 is CRITICAL. Most orgs have far too many.
External users with direct repo access who are outside your SSO and 2FA policies. Even one is MEDIUM risk.
Not enforced org-wide? That's an instant CRITICAL. One compromised account without 2FA can wipe your org.
Repos with no branch protection rules on their default branch are flagged CRITICAL. Required reviewers, force-push prevention, and admin bypass settings all checked.
Writable deploy keys on repos allow pushes that bypass your entire PR and review workflow. Each one is audited and rated.
Azure DevOps writable service connections (AzureRM, Kubernetes, Docker, AWS, GCP) are enumerated and risk-rated.
No agents to install. No elevated access required. A single read-only token is all you need.
Available as a PowerShell script (Windows) or a macOS desktop app. No dependencies, no install scripts.
Generate a GitHub fine-grained or classic PAT with read-only org & repo access. Azure DevOps supports the same pattern.
The tool scans every repo in parallel and produces a self-contained HTML + PDF report with your full risk profile.
Free, read-only, and runs entirely on your machine. No data leaves your network.
Your download should start automatically. If not, click below.
↓ Download Risk Assessment Tool