Securosis/GithubSprites
GitSprites

"Die ich rief, die Geister, Werd' ich nun nicht los"
-- Der Zauberlehrling by Johann Wolfgang von Goethe

"The spirits that I summoned, I now cannot rid myself of again"
-- The Sorcerer's Apprentice by Johann Wolfgang von Goethe

About

GitSprites deploys an automated GitHub Organization scanner powered by Claude (via Amazon Bedrock). A spot EC2 instance clones every repository in a target GitHub org, then uses Claude Code CLI with custom skills to analyze the codebases at scale. Results and repository data are stored on an S3-backed filesystem (S3Files), keeping storage costs minimal while providing full POSIX access from the instance.

Included skills:

  • github-actions-security-review — audits GitHub Actions workflow files across repositories for supply chain risks, secret exposure, GITHUB_TOKEN misuse, and more; produces a Security-Report.md per repo.
  • skill-creator — Anthropic's default skill; it iteratively creates, evaluates, and improves Claude Code skills.

Installation

Prerequisites

  • AWS account with Bedrock model access granted for Claude Sonnet 4.6, Haiku 4.5, and Opus 4.7
  • An EC2 key pair in the target region
  • cft-deploy installed (pip install cftdeploy)
  • A fine-grained GitHub PAT scoped to the target org (Contents: Read, Metadata: Read)

Deploy the stack

  1. Copy and edit a manifest for your environment:

    cp sandbox-Manifest.yaml my-Manifest.yaml
    # Edit stack name, bucket name, VPC/subnet IDs, key pair, allowed CIDR
  2. Deploy:

    cft-deploy -m my-Manifest.yaml
  3. Update the GitHub secret created by the stack with your fine-grained PAT:

    AWS Console → Secrets Manager → <StackName>-GithubSecret → Set secret value
    
  4. Upload skills and scripts to the bucket:

    bash scripts/upload-assets.sh <stack-name>

Launch an instance

bash scripts/launch-scanner.sh <stack-name>

The instance installs AWS CLI v2, GitHub CLI, Claude Code CLI, TruffleHog, and EFS utils, mounts the S3Files filesystem at /scanner-bucket, and writes instance configuration to /etc/GithubSprites.conf.

To terminate (this will cancel the persistent spot request first):

bash scripts/terminate-scanner.sh <instance-id>

Usage

All scripts are available at /scanner-bucket/scripts/ on the instance.

Clone a GitHub org

bash /scanner-bucket/scripts/clone-org.sh <github-org>

Clones all repositories into /scanner-bucket/repos/<repo-name>. Safe to re-run — skips repos already present. Pass --shallow to clone only the default branch at depth 1 (faster, less storage):

bash /scanner-bucket/scripts/clone-org.sh --shallow <github-org>

Run a skill

Skills are available under /scanner-bucket/skills/ and symlinked into ~/.claude/skills/ at instance launch.

Scanning a full org can take a long time. Run Claude under screen so the session survives disconnects:

screen -S scan
cd /scanner-bucket/repos
claude --dangerously-skip-permissions

Then invoke a skill, for example:

/github-actions-security-review

To detach from screen without stopping the scan: Ctrl-A D. To reattach later: screen -r scan.

Test Bedrock connectivity

bash /scanner-bucket/scripts/test-bedrock.sh

Credits

Repository description: Tooling to scan the repositories of a GitHub org.