Prevent Risks Before Code Is Committed

Overview

The Heeler CLI allows organizations to scan for security risks directly in the development workflow via a pre-commit hook, so before code is pushed, merged, or deployed. Developers can use the pre-commit hook independent of the Heeler Application and without manually downloading and installing the Heeler CLI.

By integrating Heeler into local development and CI pipelines, teams can:

Detect secrets before they are committed
Prevent accidental credential leaks
Enforce security guardrails at commit time
Reduce remediation cost and cycle time
Improve compliance posture (SOC 2, ISO, etc.)

Version 1.0.3 includes support for secret scanning plus dependency vulnerability and SBOM workflows for Go and Java (Maven). Heeler will expand the CLI functionality to include other languages, packages (licenses, sca), SAST, and exports in future releases.

Repository

The Heeler CLI repository is located here https://github.com/Heeler-Security/heelercli with detailed instructions and examples.

Add this code to your .pre-commit-config.yaml for the auto-installing version of the pre-commit hook.

repos:
  - repo: https://github.com/Heeler-Security/heelercli
    rev: 1.0.0 # replace with desired release tag
    hooks:
      - id: heelercli-auto

Secrets Options

The Heeler CLI inspects staged diffs, common formats, and validates where possible to reduce false positives. The CLI has options to customize its use for your environment, specifically:

  --exclude strings   (repeatable) directories to exclude as glob patterns (similar to .gitignore)
  --fail-on strings   comma-separated list of types to fail on
  --only-validated    filter to only show validated items
  --pre-commit        enable pre-commit mode

which support use cases like

Scan the repo but exclude build output and vendor code:

heelercli secrets --exclude "dist/**" --exclude "vendor/**"

Fail the scan only for specific secret types:

heelercli secrets --fail-on aws,github,slack

Show only validated findings:

heelercli secrets --only-validated

Vulnerabilities Options

The CLI has options to customize its use for your environment, specifically:

--fail-on-any: fail if any vulnerability is found.
--fail-on-severity critical,high: fail on selected severities.
--fail-on-id CVE-2024-1234,GHSA-xxxx-yyyy-zzzz: fail on specific IDs.
--exclude-dir path/to/dir: exclude directories from manifest/SBOM detection (repeatable).
--baseline <path> and --new-findings-only: only fail on findings not present in a baseline report.
--format detailed|table|json|sarif and --output <path>: control output format and destination.

which support use cases like

Fail on critical/high only:

heelercli vulnerabilities --fail-on-severity critical,high

Identify new issues:

heelercli vulnerabilities --baseline .heeler-baseline-vulns.json --new-findings-only

Output

The output of the Version 1.0.3 pre-commit hook looks like:

Executing Heeler Secret Scan
x Secret Detected!
  File: secret.py:5
  Rule Id: slack.2
  Status: Active Credential
  Value: <redacted-used-for-testing>

Heeler Completed Secret Scan: Found 1 failing secrets

Executing Heeler Vulnerability Scan
Vulnerability Summary
- total: 10
- critical: 0 high: 2 medium: 8 low: 0 unknown: 0
- policy violations: 0

CVE-2023-37475 [HIGH]
  title: avro vulnerable to denial of service via attacker-controlled parameter
  package: github.com/hamba/[email protected]
  fixed: 2.13.0
  advisory status: fixed
  source files: go.mod
  dependency paths:
    - github.com/hamba/[email protected]
  url: https://www.cve.org/CVERecord?id=CVE-2023-37475

CVE-2024-25621 [HIGH]
  title: github.com/containerd/containerd: containerd local privilege escalation
  package: github.com/containerd/[email protected]
  fixed: 1.7.29
  advisory status: fixed
  source files: go.mod
  dependency paths:
    - github.com/containerd/[email protected]
  url: https://www.cve.org/CVERecord?id=CVE-2024-25621

CVE-2024-40635 [MEDIUM]
  title: containerd: containerd has an integer overflow in User ID handling
  package: github.com/containerd/[email protected]
  fixed: 1.7.27, 1.6.38
  advisory status: fixed
  source files: go.mod
  dependency paths:
    - github.com/containerd/[email protected]
  url: https://www.cve.org/CVERecord?id=CVE-2024-40635

CVE-2024-44905 [MEDIUM]
  title: go-pg pg v10.13.0 was discovered to contain a SQL injection vulnerabil ...
  package: github.com/go-pg/pg/[email protected]
  fixed: 10.15.0
  advisory status: fixed
  source files: go.mod
  dependency paths:
    - github.com/go-pg/pg/[email protected]
  url: https://www.cve.org/CVERecord?id=CVE-2024-44905

CVE-2025-0495 [MEDIUM]
  title: Buildx is a Docker CLI plugin that extends build capabilities using Bu ...
  package: github.com/docker/[email protected]
  fixed: 0.21.3
  advisory status: fixed
  source files: go.mod
  dependency paths:
    - github.com/docker/[email protected]
  url: https://www.cve.org/CVERecord?id=CVE-2025-0495

CVE-2025-27144 [MEDIUM]
  title: go-jose: Go JOSE's Parsing Vulnerable to Denial of Service
  package: github.com/go-jose/go-jose/[email protected]
  fixed: 3.0.4
  advisory status: fixed
  source files: go.mod
  dependency paths:
    - github.com/go-jose/go-jose/[email protected]
  url: https://www.cve.org/CVERecord?id=CVE-2025-27144

CVE-2025-64329 [MEDIUM]
  title: github.com/containerd/containerd: containerd: Memory exhaustion via CRI Attach implementation goroutine leaks
  package: github.com/containerd/[email protected]
  fixed: 1.7.29
  advisory status: fixed
  source files: go.mod
  dependency paths:
    - github.com/containerd/[email protected]
  url: https://www.cve.org/CVERecord?id=CVE-2025-64329

CVE-2026-25882 [MEDIUM]
  title: Fiber has a Denial of Service Vulnerability via Route Parameter Overflow
  package: github.com/gofiber/fiber/[email protected]
  fixed: 2.52.12
  advisory status: fixed
  source files: go.mod
  dependency paths:
    - github.com/gofiber/fiber/[email protected]
  url: https://www.cve.org/CVERecord?id=CVE-2026-25882

CVE-2026-25934 [MEDIUM]
  title: go-git/go-git: go-git: Data integrity issue due to improper verification of pack and index files
  package: github.com/go-git/go-git/[email protected]
  fixed: 5.16.5
  advisory status: fixed
  source files: go.mod
  dependency paths:
    - github.com/go-git/go-git/[email protected]
  url: https://www.cve.org/CVERecord?id=CVE-2026-25934

CVE-2026-27571 [MEDIUM]
  title: nats-server: WebSockets pre-auth memory DoS
  package: github.com/nats-io/nats-server/[email protected]
  fixed: 2.11.12, 2.12.3
  advisory status: fixed
  source files: go.mod
  dependency paths:
    - github.com/nats-io/nats-server/[email protected]
  url: https://www.cve.org/CVERecord?id=CVE-2026-27571

Heeler Completed Vulnerability Scan: No failing vulnerabilities found

When a secret is detected, the check will block the commit while showing the its value, type, and file location for validation. In case of a false positive or other requirement, developers can still force the commit using git's --no-verify flag.

When one or more vulnerabilities are detected, it will show a summary of findings including title, package, advisory status, and URL. The check will not block the commit unless the CLI is configured to do so, e.g., by setting the CLI to fail for critical/high vulnerabilities (see example). Even so, developers can still force the commit using git's --no-verify flag.

# fail on critical/high only
heelercli vulnerabilities --fail-on-severity critical,high

PreviousUse Cases NextRecommended Guardrails

Last updated 23 days ago

Was this helpful?

hashtagOverview

hashtagRepository

hashtagSecrets Options

hashtagVulnerabilities Options

hashtagOutput

Overview

Repository

Secrets Options

Vulnerabilities Options

Output