AVAILABLE ON PYPI

wrg-devguard

Developer-first AI safety checks. Secret scanning + prompt-policy lint in one zero-dep Python CLI.

PyPI version CI status License MIT
$ pip install wrg-devguard click to copy
GitHub →
119
Tests Passing
3.11-3.13
Python Support
0
Dependencies
4
Distribution Channels
// Features

What It Does

Four capabilities in one lightweight package — catch secrets and policy violations before they reach your main branch.

🔎

Secret Scanning

Detects leaked API keys, tokens, private keys, and common credential formats in tracked files.

📜

Prompt-Policy Lint

Catches deny-listed patterns in AI-facing text assets — system prompts, configs, and instruction files.

Zero Dependencies

stdlib only. pip install is instant, works in any sandbox, no supply chain risk.

AI-Native UX

Ships as CLI, GitHub Action, Claude Code skill, and Cursor rule — fits wherever you already work.

// How It Works

What It Catches

Scans your repo for two classes of issues before a PR lands. Choose baseline (CI-friendly) or strict (release audits) profile.

Secret Patterns

  • OpenAI API keys (sk-...)
  • GitHub tokens (ghp_, gho_, ghs_)
  • AWS access keys (AKIA...)
  • RSA / EC private keys
  • Generic high-entropy strings

Policy Patterns

  • Deny-listed words in prompts
  • Hardcoded system messages
  • PII in AI-facing text
  • Profiles: baseline & strict
  • JSON output for CI integration
// Install

4 Ways to Ship It

Pick the channel that fits your workflow. All four run the same scan engine.

# Install from PyPI
$ pip install wrg-devguard

# Run a scan
$ wrg-devguard check --path . --fail-on error
# .github/workflows/devguard.yml
- uses: yakuphanycl/wrg-devguard@v1
  with:
    profile: strict
    fail-on: error
# Download the skill file
$ mkdir -p .claude/skills/wrg-devguard
$ curl -L https://raw.githubusercontent.com/
  yakuphanycl/wrg-devguard/main/SKILL.md \
  -o .claude/skills/wrg-devguard/SKILL.md
# Download the Cursor rule
$ mkdir -p .cursor/rules
$ curl -L https://raw.githubusercontent.com/
  yakuphanycl/wrg-devguard/main/wrg-devguard.mdc \
  -o .cursor/rules/wrg-devguard.mdc
// Distribution

One Engine, Four Channels

wrg-devguard ships the same scan engine across every distribution surface. Whether you run it locally, in CI, or let your AI agent invoke it — same rules, same output, same exit codes.

Python CLI (pip install)
GitHub Action (yakuphanycl/wrg-devguard@v1)
Claude Code skill (.claude/skills/)
Cursor rule (.cursor/rules/)
JSON output for CI pipelines
# Quick scan with JSON output
$ wrg-devguard check \
  --path . \
  --profile strict \
  --format json

# Exit code 0 = clean
# Exit code 1 = findings

Ship Safer Code

Install from PyPI. Add to CI. Let your agent run it. Zero config, zero deps.

GitHub Repo View on PyPI Follow on X WinstonRedGuard →