I am aware of existing tools doing the same thing at the PR level. I wanted to create a tool for commits since it is when the changes enter Git history.

I am also wondering if it makes more sense to have the tool check right before a push instead since that's when the vulnerabilities actually get sent to the Internet

The problem for me was contributions I was getting 183 a day and couldn’t figure out what was malware and what was legit so my friend built me vu1nz