{"id":50533150,"url":"https://github.com/daedalus/ai-vuln-harness","last_synced_at":"2026-06-03T15:30:25.732Z","repository":{"id":360223582,"uuid":"1245954838","full_name":"daedalus/ai-vuln-harness","owner":"daedalus","description":"Multi-agent vulnerability discovery pipeline following the Project Glasswing / Cloudflare methodology. Hunt, validate, dedupe, trace, and POC vulnerabilities at scale with LLM agents.","archived":false,"fork":false,"pushed_at":"2026-06-01T14:31:18.000Z","size":813,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"master","last_synced_at":"2026-06-01T16:16:17.303Z","etag":null,"topics":["ai-security","code-audit","devsecops","fuzzing","llm-security","penetration-testing","security","static-analysis","vulnerability-discovery","vulnerability-research"],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/daedalus.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":"AGENTS.md","dco":null,"cla":null}},"created_at":"2026-05-21T18:17:19.000Z","updated_at":"2026-06-01T14:56:37.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/daedalus/ai-vuln-harness","commit_stats":null,"previous_names":["daedalus/ai-vuln-harness"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/daedalus/ai-vuln-harness","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/daedalus%2Fai-vuln-harness","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/daedalus%2Fai-vuln-harness/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/daedalus%2Fai-vuln-harness/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/daedalus%2Fai-vuln-harness/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/daedalus","download_url":"https://codeload.github.com/daedalus/ai-vuln-harness/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/daedalus%2Fai-vuln-harness/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":33872297,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-03T02:00:06.370Z","response_time":59,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ai-security","code-audit","devsecops","fuzzing","llm-security","penetration-testing","security","static-analysis","vulnerability-discovery","vulnerability-research"],"created_at":"2026-06-03T15:30:24.281Z","updated_at":"2026-06-03T15:30:25.719Z","avatar_url":"https://github.com/daedalus.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# ai-vuln-harness\n\n[![Python](https://img.shields.io/pypi/pyversions/ai-vuln-harness.svg)](https://pypi.org/project/ai-vuln-harness/)\n[![Ruff](https://img.shields.io/endpoint?url=https://raw.githubusercontent.com/astral-sh/ruff/master/assets/badge/v2.json)](https://github.com/astral-sh/ruff)\n[![Ask DeepWiki](https://deepwiki.com/badge.svg)](https://deepwiki.com/daedalus/ai-vuln-harness)\n\nMulti-agent vulnerability research harness — 15-stage pipeline from repo ingestion to structured security report, following the Project Glasswing / Cloudflare methodology.\n\n## Install\n\n```bash\npip install ai-vuln-harness\n```\n\nOptional solver pilot (VALIDATE stage):\n\n```bash\npip install \"ai-vuln-harness[solver]\"\npython -m ai_vuln_harness --mode full --repo /path/to/repo --enable-z3-validate --z3-timeout-ms 50\n```\n\n## Usage\n\n```bash\npython -m ai_vuln_harness --mode full --repo /path/to/repo\n```\n\n```python\nfrom ai_vuln_harness import run, run_all\n\n# Single mode\nreport = run(\"full\", \"/path/to/repo\")\n\n# All modes merged\nreport = run_all(\"/path/to/repo\")\n```\n\n## Pipeline\n\n```\nINGESTOR → RECON → COORDINATOR → HUNT → LOCALIZATION → VALIDATE →\nFUZZ_ORCHESTRATOR → GAPFILL → VOTING → SHIELD → SUPPRESSIONS → CHAINS →\nPOC → TRACE → EXPOSURE → FEEDBACK → REPORT\n```\n\nOnly HUNT and VALIDATE call LLMs — all other stages are deterministic logic.\n\n## Design defaults\n\n- **Library target hardening**: default directory exclusion and target-aware tags\n- **Recon-driven Coordinator**: no full DB fallback unless `--allow-full-db-fallback`\n- **Strict contracts**: schema validation + bounded repair turns\n- **Reliability**: sync path default, disjoint hunt/validate pools, JSON cache, SQLite state DB\n- **Validate/Trace policy**: code-in-prompt and trace-required promotion for library targets\n- **Validate runtime check**: C/C++ snippets can be recompiled and executed (optionally via container/qemu wrapper and valgrind in fuzz orchestrator) to capture real PoC signals\n\n## CVE corpus\n\nThe harness builds a corpus of known CVEs to serve as negative examples — the HUNT stage is instructed not to report them as new findings. Three sources feed into the corpus:\n\n1. **Manual corpus** — JSON file passed via `--cve-corpus path/to/cves.json`. Each entry requires a `cve_id` field; `class`, `description`, `file`, `function`, `severity` are optional.\n1. **OSV.dev auto-fetch** — enabled by default. Scans manifest files (`package.json`, `Cargo.toml`, `go.mod`, `requirements.txt`, `Gemfile`, etc.) and raw import statements for dependency names, queries the [OSV.dev batch API](https://osv.dev) for known vulnerabilities, and maps CVE classes to domains via a 31-class taxonomy.\n1. **Git history scan** — enabled by default in git repos. Scans all commits via `git log --all` and all branches via `git branch -a` for CVE references (e.g. `CVE-2024-1234`), extracts the full diff/patch for matching commits, and hydrates entries with `commit_hash`, `commit_message`, `commit_author`, `commit_date`, `branch`, and `diff` fields.\n\nControl with CLI flags:\n\n| Flag | Effect |\n|------|--------|\n| `--cve-corpus PATH` | Load a manual corpus JSON file |\n| `--no-fetch-cves` | Skip OSV.dev auto-fetch (use only manual corpus + git scan) |\n| `--no-scan-git-cves` | Skip git history scan (use only manual corpus + OSV) |\n\nCached corpus entries use a SHA-256 fingerprint of the dependency list as cache key with a 24-hour TTL, so re-runs on unchanged repos hit the cache.\n\n## Benchmark regression gate\n\nRun benchmark mode to compare KPI deltas against stored per-profile baselines:\n\n```bash\npython -m ai_vuln_harness.run \\\n  --mode benchmark \\\n  --repo /path/to/repo \\\n  --benchmark-corpus src/ai_vuln_harness/config/benchmark_corpus.json \\\n  --benchmark-baseline src/ai_vuln_harness/config/benchmark_baselines.json \\\n  --benchmark-thresholds src/ai_vuln_harness/config/benchmark_thresholds.json \\\n  --benchmark-output output/benchmark_regression_report.json\n```\n\nIf no baseline exists (or you intentionally want to accept a new baseline), run:\n\n```bash\npython -m ai_vuln_harness.run --mode benchmark --repo /path/to/repo --update-benchmark-baseline\n```\n\nThe output artifact includes both machine-readable comparison fields and a human summary in `summary_markdown`.\n\n## Development\n\n```bash\ngit clone https://github.com/daedalus/ai-vuln-harness.git\ncd ai-vuln-harness\npip install -e \".[test]\"\n\n# run tests\npytest\n\n# format\nruff format src/ tests/\n\n# lint + type check\nprospector --with-tool ruff --with-tool mypy --with-tool pylint src/ai_vuln_harness/\nsemgrep --config=auto --severity=ERROR src/ai_vuln_harness/\n\n# dead code detection\nvulture --min-confidence 90 src/ai_vuln_harness/ --exclude src/ai_vuln_harness/.vulture_whitelist.py\n```\n\n## API\n\n| Symbol | Description |\n|--------|------------|\n| `run(mode, repo, **kwargs)` | Run a single pipeline mode |\n| `run_all(repo, **kwargs)` | Run all modes and merge reports |\n| `main()` | CLI entry point |\n\n## Skill metadata discovery\n\n```python\nfrom ai_vuln_harness.skill_loader import discover_skills, load_skill_metadata\n\nmeta = load_skill_metadata()\nskills = discover_skills()\ncustom = load_skill_metadata(name=\"my-skill\")\n```\n\n`discover_skills()` returns the bundled skill plus any user-defined skills found\nunder `~/.ai-vuln-harness/skills/**/SKILL.md`. `load_skill_metadata(name=...)`\nloads a discovered skill by its front matter `name`.\n\n## CLI\n\n```bash\npython -m ai_vuln_harness --help\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdaedalus%2Fai-vuln-harness","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdaedalus%2Fai-vuln-harness","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdaedalus%2Fai-vuln-harness/lists"}