{"id":32892310,"url":"https://github.com/ashutosh0x/aardvark-security-scanner","last_synced_at":"2026-04-13T06:01:52.037Z","repository":{"id":323377835,"uuid":"1093024489","full_name":"Ashutosh0x/aardvark-security-scanner","owner":"Ashutosh0x","description":"An AI-powered security scanning system with automated triage, sandbox validation, and patch suggestions. Integrates Semgrep, Bandit, Trivy with LLM analysis for comprehensive vulnerability detection and remediation.","archived":false,"fork":false,"pushed_at":"2025-11-09T19:23:51.000Z","size":48,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2025-11-09T21:07:05.941Z","etag":null,"topics":["ai","automated-patching","bandit","cybersecurity","devsecops","docker","github-actions","go","javascript","llm","openai","python","sandbox","security","security-automation","security-research","security-tools","semgrep","trivy","vulnerability-scanning"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Ashutosh0x.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-11-09T19:00:55.000Z","updated_at":"2025-11-09T19:23:54.000Z","dependencies_parsed_at":"2025-11-09T21:07:24.475Z","dependency_job_id":null,"html_url":"https://github.com/Ashutosh0x/aardvark-security-scanner","commit_stats":null,"previous_names":["ashutosh0x/aardvark-security-scanner"],"tags_count":null,"template":false,"template_full_name":null,"purl":"pkg:github/Ashutosh0x/aardvark-security-scanner","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Ashutosh0x%2Faardvark-security-scanner","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Ashutosh0x%2Faardvark-security-scanner/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Ashutosh0x%2Faardvark-security-scanner/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Ashutosh0x%2Faardvark-security-scanner/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Ashutosh0x","download_url":"https://codeload.github.com/Ashutosh0x/aardvark-security-scanner/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Ashutosh0x%2Faardvark-security-scanner/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":283625008,"owners_count":26866771,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-11-10T02:00:06.292Z","response_time":53,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ai","automated-patching","bandit","cybersecurity","devsecops","docker","github-actions","go","javascript","llm","openai","python","sandbox","security","security-automation","security-research","security-tools","semgrep","trivy","vulnerability-scanning"],"created_at":"2025-11-10T05:01:11.601Z","updated_at":"2025-11-10T05:02:47.683Z","avatar_url":"https://github.com/Ashutosh0x.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Aardvark-Style AI Security Scanning System \r\n\r\n![Python](https://img.shields.io/badge/Python-3.11+-3776AB?style=flat\u0026logo=python\u0026logoColor=white)\r\n![Node.js](https://img.shields.io/badge/Node.js-339933?style=flat\u0026logo=node.js\u0026logoColor=white)\r\n![Go](https://img.shields.io/badge/Go-00ADD8?style=flat\u0026logo=go\u0026logoColor=white)\r\n![Docker](https://img.shields.io/badge/Docker-2496ED?style=flat\u0026logo=docker\u0026logoColor=white)\r\n![GitHub Actions](https://img.shields.io/badge/GitHub_Actions-2088FF?style=flat\u0026logo=github-actions\u0026logoColor=white)\r\n![OpenAI](https://img.shields.io/badge/OpenAI-412991?style=flat\u0026logo=openai\u0026logoColor=white)\r\n![Semgrep](https://img.shields.io/badge/Semgrep-323330?style=flat\u0026logo=semgrep\u0026logoColor=white)\r\n![Bandit](https://img.shields.io/badge/Bandit-FF6B6B?style=flat\u0026logo=python\u0026logoColor=white)\r\n![Trivy](https://img.shields.io/badge/Trivy-1904DA?style=flat\u0026logo=aqua-security\u0026logoColor=white)\r\n![Flask](https://img.shields.io/badge/Flask-000000?style=flat\u0026logo=flask\u0026logoColor=white)\r\n![Express](https://img.shields.io/badge/Express-000000?style=flat\u0026logo=express\u0026logoColor=white)\r\n![License](https://img.shields.io/badge/License-MIT-green.svg)\r\n\r\nAn automated security scanning system that uses AI-powered triage, sandbox validation, and automated patch suggestions to identify and fix security vulnerabilities in code repositories.\r\n\r\n## Architecture\r\n\u003cimg width=\"1325\" height=\"768\" alt=\"Gemini_Generated_Image_aa75vxaa75vxaa75\" src=\"https://github.com/user-attachments/assets/cbe34c72-acff-49da-969c-7882c5d8bdd0\" /\u003e\r\n\r\n\r\n```mermaid\r\ngraph TB\r\n    A[GitHub Actions Trigger] --\u003e B[Scanner Layer]\r\n    B --\u003e C[Semgrep]\r\n    B --\u003e D[Bandit]\r\n    B --\u003e E[Trivy]\r\n    C --\u003e F[JSON Findings]\r\n    D --\u003e F\r\n    E --\u003e F\r\n    F --\u003e G[Triage Agent]\r\n    G --\u003e H[Secret Scrubbing]\r\n    H --\u003e I[LLM Analysis]\r\n    I --\u003e J[Triage Report]\r\n    J --\u003e K[Sandbox Validator]\r\n    K --\u003e L[Docker Container]\r\n    L --\u003e M[POC Execution]\r\n    M --\u003e N[Sandbox Results]\r\n    N --\u003e O{Patch Automation?}\r\n    O --\u003e|AUTO_OPEN_PR=true| P[Create Branch]\r\n    O --\u003e|AUTO_OPEN_PR=false| Q[Report Only]\r\n    P --\u003e R[Apply Patch]\r\n    R --\u003e S[Run Tests]\r\n    S --\u003e T{Tests Pass?}\r\n    T --\u003e|Yes| U[Create PR]\r\n    T --\u003e|No| V[Create Issue]\r\n    U --\u003e W[PR Comment]\r\n    V --\u003e W\r\n    Q --\u003e W\r\n```\r\n\r\n## Features\r\n\r\n- **Multi-Tool Scanning**: Integrates Semgrep, Bandit, and Trivy for comprehensive vulnerability detection\r\n- **AI-Powered Triage**: Uses LLM to analyze findings, assign severity, and suggest patches\r\n- **Sandbox Validation**: Safely executes proof-of-concept exploits in isolated Docker containers\r\n- **Automated Patching**: Creates branches, applies fixes, runs tests, and opens PRs (when enabled)\r\n- **Strong Guardrails**: Secret scrubbing, rate limiting, audit logging, and safety controls\r\n- **Multi-Language Support**: Works with Python, JavaScript/Node.js, and Go\r\n\r\n## Quick Start\r\n\r\n### Prerequisites\r\n\r\n- Python 3.11+\r\n- Docker (for sandbox execution)\r\n- Git\r\n- `semgrep` CLI installed\r\n- `bandit` CLI installed\r\n- `trivy` CLI (optional)\r\n\r\n### Local Setup\r\n\r\n1. Clone the repository:\r\n```bash\r\ngit clone https://github.com/Ashutosh0x/aardvark-security-scanner.git\r\ncd aardvark-security-scanner\r\n```\r\n\r\n2. Install dependencies:\r\n```bash\r\nmake setup\r\n```\r\n\r\n3. Configure the system:\r\n```bash\r\ncp config.yaml config.local.yaml\r\n# Edit config.local.yaml with your settings\r\n```\r\n\r\n4. Set required environment variables:\r\n```bash\r\nexport OPENAI_API_KEY=\"your-api-key\"  # Required for LLM triage\r\nexport GITHUB_TOKEN=\"your-token\"      # Required for PR automation\r\n```\r\n\r\n5. Run a local scan:\r\n```bash\r\nmake run-local-scan\r\n```\r\n\r\n### GitHub Actions Setup\r\n\r\n1. Add the following secrets to your repository:\r\n   - `OPENAI_API_KEY`: Your OpenAI API key (or compatible endpoint)\r\n   - `GITHUB_TOKEN`: Automatically provided by GitHub Actions (for PR creation)\r\n\r\n2. Configure `config.yaml` in your repository:\r\n   - Set `auto_open_pr: false` by default (enable only when ready)\r\n   - Adjust `fail_on_critical` based on your security policy\r\n   - Configure `max_tokens` and other limits\r\n\r\n3. The workflow will automatically run on:\r\n   - Pull requests (opened, synchronize, reopened)\r\n   - Pushes to protected branches\r\n   - Manual trigger via `workflow_dispatch`\r\n\r\n## Configuration\r\n\r\nEdit `config.yaml` to customize behavior:\r\n\r\n- `allowed_domains`: Whitelist for network access in sandbox\r\n- `max_tokens`: LLM token budget per request\r\n- `redact_patterns`: Custom regex patterns for secret detection\r\n- `fail_on_critical`: Fail CI job if critical findings exist\r\n- `auto_open_pr`: Enable automatic PR creation (default: false)\r\n- `sandbox_timeout_seconds`: Maximum execution time for sandbox\r\n- `llm_endpoint`: LLM API endpoint (defaults to OpenAI)\r\n- `data_retention_days`: How long to keep artifacts (default: 30)\r\n\r\n## Safety Features\r\n\r\n- **Secret Protection**: All secrets are redacted before sending to LLM\r\n- **Sandbox Isolation**: Network disabled by default, resource limits enforced\r\n- **Human Review Gate**: PR automation disabled by default\r\n- **Audit Logging**: All LLM calls logged with correlation IDs\r\n- **Data Retention**: Automatic cleanup of old artifacts\r\n\r\n## Sample Vulnerable Apps\r\n\r\nThe repository includes sample applications demonstrating common vulnerabilities:\r\n\r\n- `sample-app/python-vuln/`: Flask app with hardcoded secrets and insecure token handling\r\n- `sample-app/js-vuln/`: Node.js app with command injection vulnerability\r\n- `sample-app/go-vuln/`: Go app with SQL injection vulnerability\r\n\r\nRun the demo:\r\n```bash\r\n./demo/run_demo.sh\r\n```\r\n\r\n## Testing\r\n\r\nRun unit tests:\r\n```bash\r\nmake test\r\n```\r\n\r\nRun specific test suites:\r\n```bash\r\npytest tests/test_scrub_secrets.py\r\npytest tests/test_triage_prompt.py\r\npytest tests/test_patch_apply.py\r\n```\r\n\r\n## Workflow\r\n\r\n1. **Scanning**: Security scanners analyze the codebase\r\n2. **Triage**: LLM analyzes findings and suggests patches\r\n3. **Validation**: Sandbox verifies exploit reproducibility\r\n4. **Remediation**: Patches applied and PRs created (if enabled)\r\n5. **Reporting**: Results posted as PR comments and artifacts\r\n\r\n## Output\r\n\r\nThe system generates:\r\n\r\n- `out/triage_report.json`: Structured findings with severity and patches\r\n- `out/sandbox_results.json`: Sandbox validation results\r\n- `logs/`: Rotating audit logs\r\n- `metrics.json`: Runtime statistics and token usage\r\n\r\n## License\r\n\r\nMIT License - see [LICENSE](LICENSE) file for details.\r\n\r\n## Contributing\r\n\r\n1. Fork the repository\r\n2. Create a feature branch\r\n3. Make your changes\r\n4. Add tests\r\n5. Submit a pull request\r\n\r\n## Security\r\n\r\nIf you discover a security vulnerability, please email ashutoshkumarsingh0x@gmail.com instead of opening a public issue.\r\n\r\nBuilt with 💖 OPENAI\r\n\r\n\r\n\r\n\r\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fashutosh0x%2Faardvark-security-scanner","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fashutosh0x%2Faardvark-security-scanner","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fashutosh0x%2Faardvark-security-scanner/lists"}