tl;dr sec / tools — run any open-source GitHub project, instantly

About

Run any GitHub repo, instantly. We spin up an ephemeral sandbox container, install the tool, and drop you into a terminal in your browser. Bring your own credentials (kept tab-local, never sent to our servers), or grab the Docker one-liner and run it locally.

The catalog below — 3,134 projects sourced from 325 issues of Clint Gibler's tl;dr sec newsletter — is a curated starter set so you have something to try right away. The platform itself works on any public GitHub URL: paste yours →

For each issue, an LLM extracted named tools (GitHub repos, products, scanners, libraries) along with Clint's description of what they do. Each unique tool was then enriched with a controlled category, keyword tags, and a one-liner by reading its README or homepage.

Shortcuts

/ focus search
Esc clear search / close dialog
↑ ↓ navigate results
↵ open selected tool
← → previous / next tool in drawer
g toggle grid / list view
t toggle theme

Credits

All tool descriptions and context come from Clint Gibler's writing — this site is just an index. If you find this useful, subscribe to tl;dr sec.

Run locally

Don't trust our sandbox with your keys? Run the same tool in Docker on your own machine. Your credentials never leave your laptop.

The -e KEY flags pass env vars by reference, not value — they only work after you export them in the same shell. This way your secrets stay out of shell history.

How sandbox credentials are handled

When you click try with creds on a tool, here is exactly what happens to the keys you paste in.

1. In your browser. Keys live in a JavaScript variable in this tab only. Never localStorage, never sessionStorage, never a cookie. Closing the tab, closing the modal, or clicking wipe fields erases them immediately.
2. Over TLS to a Cloudflare Worker. On launch, your browser sends {tool, template, env: {KEY:value, …}} to tldrsec-sandbox.root187.workers.dev over HTTPS. The Worker is a thin proxy — its only job is to receive the request, validate against an allowlist (next step), and hand it to one isolated container.
3. Per-tool allowlist. The Worker only accepts the env keys defined for that tool's template (e.g. AWS_ACCESS_KEY_ID for AWS tools). Anything else is silently dropped. Values are never logged — only the names of the keys passed (so we can debug shape, not content).
4. Into the sandbox container. The Worker calls sandbox.setEnvVars(...) on a fresh, isolated container. Your keys exist as process env vars inside that one container only.
5. Container destroyed in ≤10 minutes. Every session has a hard 10-minute TTL. When the container terminates, its memory (including your env vars) is gone. No persistent volumes, no logs of values, no shared state.

Don't trust this?

Every tool also has a run locally button that gives you a Docker one-liner. Run it on your own laptop — your keys never leave your machine. That's the only way to be 100% sure no third party touches your credentials.

What we recommend regardless

Use a throwaway IAM user / service account / PAT with minimum-privilege read-only roles.
Set a short expiry (STS session token, fine-grained PAT, etc).
Rotate the key after testing.
Never paste production root credentials into any sandbox — ours, anyone else's, or your own.

Still uneasy? Use the run locally button on any tool — it gives you the same Docker image to run on your own machine, where credentials never leave your laptop.