{"id":49644606,"url":"https://github.com/momenbasel/vulnhawk","last_synced_at":"2026-07-04T14:32:25.333Z","repository":{"id":350095585,"uuid":"1205295853","full_name":"momenbasel/vulnhawk","owner":"momenbasel","description":"AI-powered SAST scanner that finds auth bypass, IDOR, and logic bugs Semgrep/CodeQL miss. Free GitHub Action. Supports Python, JS/TS, Go, PHP, Ruby.","archived":false,"fork":false,"pushed_at":"2026-06-10T23:41:29.000Z","size":223,"stargazers_count":64,"open_issues_count":0,"forks_count":9,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-06-11T01:19:16.710Z","etag":null,"topics":["ai","appsec","claude","code-review","code-security","codeql","devsecops","github-actions","llm","owasp","php","python","ruby","sarif","sast","security","security-tools","semgrep","static-analysis","vulnerability-scanner"],"latest_commit_sha":null,"homepage":"https://github.com/marketplace/actions/vulnhawk-security-scan","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/momenbasel.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-04-08T20:37:56.000Z","updated_at":"2026-06-10T23:41:33.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/momenbasel/vulnhawk","commit_stats":null,"previous_names":["momenbasel/vulnhawk"],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/momenbasel/vulnhawk","repository_url":"https://repos.e
cosyste.ms/api/v1/hosts/GitHub/repositories/momenbasel%2Fvulnhawk","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/momenbasel%2Fvulnhawk/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/momenbasel%2Fvulnhawk/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/momenbasel%2Fvulnhawk/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/momenbasel","download_url":"https://codeload.github.com/momenbasel/vulnhawk/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/momenbasel%2Fvulnhawk/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":35125718,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-07-04T02:00:05.987Z","response_time":113,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ai","appsec","claude","code-review","code-security","codeql","devsecops","github-actions","llm","owasp","php","python","ruby","sarif","sast","security","security-tools","semgrep","static-analysis","vulnerability-scanner"],"created_at":"2026-05-06T00:00:25.114Z","updated_at":"2026-07-04T14:32:25.328Z","avatar_url":"https://github.com/momenbasel.png","language":"Python","funding_links":["https://github.com/sponsors/momenbasel"],"categories":["Tools"],"sub_categories":["Audit"],"readme":"\u003cp 
align=\"center\"\u003e\n  \u003cimg src=\"docs/vulnhawk-banner.png\" alt=\"VulnHawk\" width=\"600\"\u003e\n\u003c/p\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003cstrong\u003eAI-powered code security scanner that finds vulnerabilities Semgrep and CodeQL miss.\u003c/strong\u003e\n\u003c/p\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003ca href=\"https://pypi.org/project/vulnhawk/\"\u003e\u003cimg alt=\"PyPI\" src=\"https://img.shields.io/pypi/v/vulnhawk.svg?style=for-the-badge\u0026label=PyPI\u0026color=3775A9\u0026logo=pypi\u0026logoColor=white\"\u003e\u003c/a\u003e\u0026nbsp;\n  \u003ca href=\"https://github.com/marketplace/actions/vulnhawk-security-scan\"\u003e\u003cimg alt=\"GitHub Marketplace\" src=\"https://img.shields.io/badge/GitHub_Action-Marketplace-2088FF?style=for-the-badge\u0026logo=github-actions\u0026logoColor=white\"\u003e\u003c/a\u003e\u0026nbsp;\n  \u003ca href=\"https://github.com/momenbasel/vulnhawk/blob/main/LICENSE\"\u003e\u003cimg alt=\"License\" src=\"https://img.shields.io/badge/License-Source_Available-orange?style=for-the-badge\"\u003e\u003c/a\u003e\u0026nbsp;\n  \u003ca href=\"https://github.com/momenbasel/vulnhawk/stargazers\"\u003e\u003cimg alt=\"Stars\" src=\"https://img.shields.io/github/stars/momenbasel/vulnhawk?style=for-the-badge\u0026logo=github\u0026color=yellow\"\u003e\u003c/a\u003e\n\u003c/p\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003ca href=\"#quick-start\"\u003eQuick Start\u003c/a\u003e \u0026bull;\n  \u003ca href=\"#github-action\"\u003eGitHub Action\u003c/a\u003e \u0026bull;\n  \u003ca href=\"#vulnhawk-vs-other-sast-tools\"\u003eComparison\u003c/a\u003e \u0026bull;\n  \u003ca href=\"#supported-languages\"\u003eLanguages\u003c/a\u003e \u0026bull;\n  \u003ca href=\"#faq\"\u003eFAQ\u003c/a\u003e\n\u003c/p\u003e\n\n---\n\n## The Problem\n\nTraditional SAST tools rely on pattern matching and AST rules. 
They excel at catching known vulnerability patterns, but they fundamentally **cannot reason about intent**.\n\nIf your API has 20 endpoints and 19 of them verify authorization before acting on a resource, Semgrep has no way to flag the one that doesn't - because there is no pattern to match against. The vulnerability is the *absence* of a pattern.\n\n## The Solution\n\nVulnHawk analyzes code with AI, and for every piece of code it examines, it includes **related code from elsewhere in your codebase** as context. This enrichment step lets the AI compare how similar components handle security - and spot the one that doesn't.\n\n\u003cp align=\"center\"\u003e\n  \u003cimg src=\"docs/demo.svg\" alt=\"VulnHawk Demo\" width=\"800\"\u003e\n\u003c/p\u003e\n\n---\n\n## Quick Start\n\n```bash\npip install vulnhawk\n```\n\nChoose a backend:\n\n```bash\n# Claude Code CLI - FREE for subscribers (recommended)\nvulnhawk scan ./src -b claude-code\n\n# Codex CLI - FREE for ChatGPT Pro/Plus subscribers\nvulnhawk scan ./src -b codex\n\n# Claude API\nexport ANTHROPIC_API_KEY=sk-ant-...\nvulnhawk scan ./src\n\n# OpenAI API\nvulnhawk scan ./src -b openai -m gpt-4o\n\n# Ollama - free, local, fully private\nvulnhawk scan ./src -b ollama -m llama3.1\n```\n\nNo config files. No rules to write. No database to build.\n\n\u003e **Claude Code and Codex backends are free** for users with existing subscriptions. 
VulnHawk pipes prompts through your local CLI, so there are no additional API costs.\n\n---\n\n## VulnHawk vs Other SAST Tools\n\n| Capability | VulnHawk | Semgrep | CodeQL | Snyk Code | Checkmarx | SonarQube |\n|:---|:---:|:---:|:---:|:---:|:---:|:---:|\n| Detection method | AI reasoning | AST patterns | QL data flow | ML + rules | Patterns + flow | Patterns |\n| Business logic flaws | **Yes** | No | Limited | Limited | Limited | No |\n| Cross-file context | Automatic | Custom rules | Custom queries | Partial | Paid tier | Limited |\n| Setup complexity | Zero config | Rule config | DB build + QL | Config file | Complex | Server setup |\n| Custom rules required | No | Yes (YAML) | Yes (QL) | Partial | Yes | Yes |\n| Context-aware fixes | **Yes** | Generic | Generic | Generic | Generic | Generic |\n| Local / private mode | Ollama | Yes | Yes | No | No | Self-hosted |\n| CI/CD integration | 1-line Action | Action | Action | Action | Plugin | Plugin |\n| SARIF input (chain tools) | **Yes** | No | No | No | No | No |\n| Pricing | Free\\* | Free / Paid | Free / Paid | Free / $$$ | $$$$$ | Free / $$$ |\n\n\u003csub\u003e\\*Free with Claude Code, Codex CLI, or Ollama. 
API backends cost ~$0.50-$2.00 per scan.\u003c/sub\u003e\n\n### What VulnHawk finds that others cannot\n\n| Vulnerability class | Why rule-based tools miss it |\n|:---|:---|\n| Missing authorization on 1-of-N endpoints | No pattern to match - the bug is the *absence* of a check |\n| IDOR / BOLA | Requires understanding that the user ID in the JWT should match the ID in the URL |\n| Payment amount manipulation | Business logic - the amount field shouldn't be trusted from the client |\n| Inconsistent input validation | 5 handlers sanitize, the 6th doesn't - needs cross-file comparison |\n| Stored input misuse | Input saved safely, but `eval()`'d or raw-SQL'd 3 files away |\n| Race conditions in state updates | Concurrent balance modifications without locking |\n\n### Recommended tool combination\n\nVulnHawk is designed as a **complementary layer**, not a replacement:\n\n| Layer | Tool | Purpose |\n|:---|:---|:---|\n| 1 | **Semgrep** | Fast, deterministic gatekeeping on known-bad patterns |\n| 2 | **CodeQL** | Deep taint tracking across complex call chains |\n| 3 | **VulnHawk** | Business logic, auth gaps, IDOR, and inconsistencies rules can't express |\n\n---\n\n## Usage\n\n### Scan modes\n\n```bash\nvulnhawk scan ./src                      # Full scan (default)\nvulnhawk scan ./src --mode auth          # Auth bypass, missing checks, session flaws\nvulnhawk scan ./src --mode injection     # SQLi, command injection, SSTI, XSS\nvulnhawk scan ./src --mode secrets       # Hardcoded keys, tokens, passwords\nvulnhawk scan ./src --mode config        # Debug mode, permissive CORS, insecure cookies\nvulnhawk scan ./src --mode crypto        # Weak hashing, hardcoded keys, bad RNG\n```\n\n### Output formats\n\n```bash\nvulnhawk scan ./src -o json -f results.json        # JSON\nvulnhawk scan ./src -o sarif -f results.sarif       # SARIF (GitHub Code Scanning)\nvulnhawk scan ./src -o markdown -f report.md        # Markdown report\n```\n\n### Severity filter\n\n```bash\nvulnhawk 
scan ./src --severity high      # Critical + High only\nvulnhawk scan ./src --severity info      # Everything\n```\n\n### SARIF input - chain with other tools\n\nFeed Semgrep, CodeQL, or any SARIF-producing tool's output into VulnHawk. It uses those findings as additional context to **validate, expand, and chain** them into deeper vulnerabilities.\n\n```bash\n# Run Semgrep first, then enrich with VulnHawk\nsemgrep --config auto ./src -o semgrep.sarif --sarif\nvulnhawk scan ./src --sarif-input semgrep.sarif\n```\n\nWhat this enables:\n- Validates whether other tools' findings are real or false positives\n- Discovers related vulnerabilities near flagged locations\n- Builds multi-step attack chains connecting findings across tools\n- Checks whether suggested fixes address the actual root cause\n\n### Dry run\n\n```bash\nvulnhawk info ./src    # Preview files, chunks, and language breakdown\n```\n\n---\n\n## GitHub Action\n\nVulnHawk runs as a **baseline scan on your default branch** and **incrementally on every pull request**.\n\n### Recommended setup\n\n```yaml\nname: VulnHawk Security Scan\non:\n  push:\n    branches: [main, master]\n  pull_request:\n\npermissions:\n  security-events: write\n  contents: read\n\njobs:\n  vulnhawk:\n    runs-on: ubuntu-latest\n    steps:\n      - uses: actions/checkout@v4\n      - uses: momenbasel/vulnhawk@main\n        with:\n          target: '.'\n          backend: 'claude-code'\n          claude-code-oauth-token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}\n          severity: 'medium'\n          fail-on-findings: 'true'\n```\n\nFindings are automatically uploaded to GitHub's **Security \u003e Code Scanning** tab via SARIF.\n\nBefore enabling this on a real repository, note two things about the workflow above:\n- `@main` pulls whatever is currently on the upstream default branch into your CI, so the scanner code that reads your source can change between runs. Pin to a release tag or a full commit SHA, as you would for any third-party action.\n- `pull_request` runs triggered from forks do not receive repository secrets, so `CLAUDE_CODE_OAUTH_TOKEN` is empty for those runs and the scan cannot authenticate. Either scope the trigger to branches in your own repository or accept that fork PRs are covered only by the push-to-main scan after merge.\n\n### Backend options\n\n\u003ctable\u003e\n\u003ctr\u003e\u003cth\u003eBackend\u003c/th\u003e\u003cth\u003eConfiguration\u003c/th\u003e\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003cstrong\u003eClaude Code\u003c/strong\u003e (free)\u003c/td\u003e\n\u003ctd\u003e\n\n```yaml\nbackend: 
'claude-code'\nclaude-code-oauth-token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}\n```\nGet your token: `claude config get oauth_token`\n\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003cstrong\u003eCodex\u003c/strong\u003e (free)\u003c/td\u003e\n\u003ctd\u003e\n\n```yaml\nbackend: 'codex'\n```\nRequires `codex login` on the runner.\n\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003cstrong\u003eClaude API\u003c/strong\u003e\u003c/td\u003e\n\u003ctd\u003e\n\n```yaml\napi-key: ${{ secrets.ANTHROPIC_API_KEY }}\n```\n\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003cstrong\u003eOpenAI API\u003c/strong\u003e\u003c/td\u003e\n\u003ctd\u003e\n\n```yaml\nbackend: 'openai'\napi-key: ${{ secrets.OPENAI_API_KEY }}\n```\n\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/table\u003e\n\n### Chaining with Semgrep in CI\n\n```yaml\nsteps:\n  - uses: actions/checkout@v4\n\n  - name: Semgrep (fast pattern scan)\n    uses: returntocorp/semgrep-action@v1\n    with:\n      config: auto\n      generateSarif: true\n\n  - name: VulnHawk (deep AI analysis)\n    uses: momenbasel/vulnhawk@main\n    with:\n      target: '.'\n      backend: 'claude-code'\n      claude-code-oauth-token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}\n      sarif-input: 'semgrep.sarif'\n```\n\n---\n\n## Supported Languages\n\n| Language | Extensions | Framework detection |\n|:---|:---|:---|\n| Python | `.py` | Django, Flask, FastAPI |\n| JavaScript | `.js` `.jsx` | Express, Fastify, Next.js |\n| TypeScript | `.ts` `.tsx` | Express, NestJS, Fastify |\n| Go | `.go` | net/http handlers |\n| Java | `.java` | Class/method splitting |\n| PHP | `.php` | Laravel routes, classes, traits, interfaces |\n| Ruby | `.rb` `.erb` | Rails routes, classes, modules |\n\n---\n\n## How It Works\n\n```\nCodebase ──\u003e Discover ──\u003e Chunk ──\u003e Enrich ──\u003e Analyze ──\u003e Validate ──\u003e Report\n                │            │          │           │           │\n           
Respects      Functions  Related     LLM with    Dedup +\n           .gitignore   Classes    code from   security    confidence\n           .vulnhawk-   Routes     same dir +  prompts     scoring\n           ignore       Modules    auth patterns\n```\n\nThe **enrichment** step is the core differentiator. For each code chunk, VulnHawk includes:\n- Other functions/routes from the same directory\n- Auth middleware and guard patterns from across the codebase\n\nThis gives the AI the context it needs to identify inconsistencies.\n\n---\n\n## Configuration\n\n### .vulnhawkignore\n\nExclude paths from scanning (gitignore syntax):\n\n```\ngenerated/\nvendor/\nthird_party/\n*.gen.go\n```\n\n### Environment variables\n\n| Variable | Description |\n|:---|:---|\n| `CLAUDE_CODE_OAUTH_TOKEN` | Claude Code CLI authentication (free for subscribers) |\n| `ANTHROPIC_API_KEY` | Claude API key |\n| `OPENAI_API_KEY` | OpenAI API key |\n\n---\n\n## Cost\n\n| Backend | Per scan (~100 files) | Requirement |\n|:---|:---|:---|\n| **Claude Code CLI** | **Free** | Claude Code Max or Team subscription |\n| **Codex CLI** | **Free** | ChatGPT Pro or Plus subscription |\n| Claude API | ~$0.50 - $2.00 | Anthropic API credits |\n| OpenAI API | ~$1.00 - $4.00 | OpenAI API credits |\n| **Ollama** | **Free** | Local machine with 8GB+ VRAM |\n\n---\n\n## FAQ\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003eHow does the Claude Code CLI backend work for free?\u003c/strong\u003e\u003c/summary\u003e\n\nClaude Code subscriptions (Max at $100-$200/mo, or Team plans) include unlimited CLI usage. VulnHawk invokes `claude --print` under the hood, piping analysis prompts through your existing subscription. No API key. No per-token billing.\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003eHow do I get my OAuth token for CI/CD?\u003c/strong\u003e\u003c/summary\u003e\n\nRun `claude config get oauth_token` on your local machine. 
Add the output as a GitHub Actions secret named `CLAUDE_CODE_OAUTH_TOKEN`. The token authenticates as your Claude account, so grant it only to the repositories that need it and rotate it if a workflow log ever exposes it.\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003eShould I run it on every PR or only on main?\u003c/strong\u003e\u003c/summary\u003e\n\nBoth. Push-to-main scans establish your security baseline and populate the Security tab. PR scans catch new vulnerabilities before merge. The recommended workflow config handles both triggers.\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003eIs my code sent to an external service?\u003c/strong\u003e\u003c/summary\u003e\n\nYes - with every backend except Ollama, code chunks (together with the related code the enrichment step attaches to them) leave your machine: the Claude API and Claude Code backends send them to Anthropic, the OpenAI API and Codex backends send them to OpenAI. The subscription-based CLI backends avoid per-token billing; they do not keep your code local. For fully private, air-gapped scanning, use the **Ollama** backend, which runs entirely on your local machine.\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003eDoes it replace Semgrep or CodeQL?\u003c/strong\u003e\u003c/summary\u003e\n\nNo. VulnHawk is a complementary layer. Semgrep and CodeQL are excellent at what they do (pattern matching and taint tracking). VulnHawk catches the business logic bugs, auth gaps, and inconsistencies that rules cannot express. Use all three together for the strongest coverage.\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003eDoes it support PHP / Laravel and Ruby / Rails?\u003c/strong\u003e\u003c/summary\u003e\n\nYes. VulnHawk includes framework-aware chunking for both. It detects Laravel `Route::get()` definitions, PHP classes/traits/interfaces, Rails route declarations (`get`, `post`, `resources`), and Ruby classes/modules. It also extracts framework-specific imports (`use`, `require`, `include`).\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003eWhat is SARIF input?\u003c/strong\u003e\u003c/summary\u003e\n\nYou can feed VulnHawk a SARIF file produced by any other scanner (Semgrep, CodeQL, Snyk, etc.). 
VulnHawk uses those findings as additional context during analysis - validating them, finding related issues nearby, and building multi-step attack chains that connect findings across tools.\n\u003c/details\u003e\n\n---\n\n## Contributing\n\nSee [CONTRIBUTING.md](CONTRIBUTING.md).\n\n```bash\ngit clone https://github.com/momenbasel/vulnhawk.git\ncd vulnhawk\nuv venv .venv \u0026\u0026 source .venv/bin/activate\nuv pip install -e \".[dev]\"\npytest\n```\n\n---\n\n## Support the Project\n\nIf VulnHawk is useful to you, consider [sponsoring the project](https://github.com/sponsors/momenbasel) to support continued development.\n\n---\n\n\n## Professional services\n\nVulnHawk is built and maintained by [GreyCore Labs](https://greycorelabs.com), a US-incorporated offensive security firm. Want the same eye on your own product?\n\n- [Penetration testing](https://greycorelabs.com/#plans) - web, API, mobile, cloud. Fixed quote within 24 hours, redacted sample report on request.\n- [Free external attack-surface scan](https://greycorelabs.com/#free-scan) - one-page report in 48 hours, no strings attached.\n\n## License\n\nVulnHawk is **source-available** under the [VulnHawk License](LICENSE).\n\n**Free for everyone** - individuals, teams, startups, and enterprises may use VulnHawk at no cost for internal security scanning, provided it is installed from an official distribution channel:\n\n- [GitHub Marketplace](https://github.com/marketplace/actions/vulnhawk-security-scan)\n- [PyPI](https://pypi.org/project/vulnhawk/)\n- [This repository](https://github.com/momenbasel/vulnhawk)\n\nYou may not sell the Software, offer it as a competing service, or redistribute forks as a product. Forks are permitted solely for submitting pull requests back to this repository. 
See [LICENSE](LICENSE) for full terms.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmomenbasel%2Fvulnhawk","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmomenbasel%2Fvulnhawk","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmomenbasel%2Fvulnhawk/lists"}
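The README's "The Problem" and "How It Works" sections describe the same idea from two sides: the bug is the one handler that lacks a guard its siblings have, and the enrichment step gives the model those siblings so it can compare. The script below is an added illustration of that sibling comparison, written for this page; it is not VulnHawk's code and says nothing about how VulnHawk actually builds its context. It parses a constructed Flask-style module with Python's `ast`, records the non-route decorators on every route handler, and reports handlers missing a decorator that most of their siblings carry. Decorator names only, so it is a heuristic, not a substitute for the semantic reasoning the README claims; the module text, handler names and `require_auth` guard are all made up for the example.

```python
"""Sibling comparison across route handlers (added example, not VulnHawk's code).

Groups every function carrying a route decorator (``@app.<verb>(...)``,
``@bp.<verb>(...)``), keeps the other decorators each handler carries, and
flags handlers whose decorator set lacks something the majority of their
siblings have. The sample module below is constructed for this example.
"""
from __future__ import annotations

import ast
from collections import Counter

# Constructed sample: three guarded handlers and one that forgot the guard.
SAMPLE_MODULE = '''
from flask import Flask, jsonify
app = Flask(__name__)

@app.get("/users/<int:uid>")
@require_auth
def get_user(uid):
    return jsonify(db.user(uid))

@app.put("/users/<int:uid>")
@require_auth
def update_user(uid):
    return jsonify(db.update(uid))

@app.delete("/users/<int:uid>")
@require_auth
def delete_user(uid):
    return jsonify(db.delete(uid))

@app.post("/users/<int:uid>/export")
def export_user(uid):            # the 1-of-N endpoint with no guard
    return jsonify(db.export(uid))

def helper():                    # not a route, ignored
    pass
'''

ROUTE_VERBS = {"route", "get", "post", "put", "patch", "delete"}


def _decorator_name(node: ast.expr) -> str:
    """Stable textual name for a decorator node: 'app.get', 'require_auth', ..."""
    if isinstance(node, ast.Call):
        node = node.func
    if isinstance(node, ast.Attribute):
        return f"{_decorator_name(node.value)}.{node.attr}"
    if isinstance(node, ast.Name):
        return node.id
    return ast.dump(node)


def _is_route(dec_name: str) -> bool:
    """True for '<something>.<http verb>' decorators, the Flask route shape."""
    parts = dec_name.split(".")
    return len(parts) == 2 and parts[1] in ROUTE_VERBS


def collect_handlers(source: str) -> dict[str, set[str]]:
    """Map handler name -> set of non-route decorator names on that handler."""
    handlers: dict[str, set[str]] = {}
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            continue
        names = [_decorator_name(d) for d in node.decorator_list]
        if not any(_is_route(n) for n in names):
            continue  # plain helper, not an endpoint
        handlers[node.name] = {n for n in names if not _is_route(n)}
    return handlers


def find_outliers(handlers: dict[str, set[str]], threshold: float = 0.5) -> dict[str, set[str]]:
    """Handlers missing a decorator that more than `threshold` of siblings carry."""
    if not handlers:
        return {}
    counts = Counter(d for decs in handlers.values() for d in decs)
    common = {d for d, c in counts.items() if c / len(handlers) > threshold}
    return {name: common - decs for name, decs in handlers.items() if common - decs}


def scan(source: str = SAMPLE_MODULE) -> dict[str, set[str]]:
    """Run the comparison over a module's source text."""
    return find_outliers(collect_handlers(source))


if __name__ == "__main__":
    for name, missing in scan().items():
        print(f"{name}: missing {sorted(missing)}, present on most sibling handlers")
```

On the constructed module this reports `export_user` as missing `require_auth`. The point of the exercise is the shape of the evidence: nothing about `export_user` in isolation is wrong, only its difference from the three handlers beside it, which is exactly what a per-function rule cannot see and what feeding sibling code as context is meant to surface.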
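The "What VulnHawk finds" table lists race conditions in state updates, described as concurrent balance modifications without locking. The following is an added example for this page, not code from VulnHawk or from any project it scanned, showing the read-check-write pattern that produces the double spend and a compare-and-set version that survives the same interleaving. Threads make the bug intermittent, so the two requests are modelled as generators that pause between the read and the write; the harness then drives them read-read-write-write deterministically. `Account`, `withdraw_unsafe`, `withdraw_safe` and the balances are all constructed for the example; in a real service the compare-and-set would be a conditional `UPDATE ... WHERE balance = :expected` or a row lock, not an in-process `threading.Lock`.

```python
"""Lost update in a balance withdrawal (added example, not VulnHawk's code).

Both withdrawal functions are generators that yield once after reading the
balance so a harness can interleave two requests exactly at the race window.
"""
from __future__ import annotations

import threading


class Account:
    """Single balance with an atomic compare-and-set (constructed for the example)."""

    def __init__(self, balance: int) -> None:
        self.balance = balance
        self._lock = threading.Lock()

    def compare_and_set(self, expected: int, new: int) -> bool:
        """Write `new` only if the balance is still `expected`; atomic."""
        with self._lock:
            if self.balance != expected:
                return False
            self.balance = new
            return True


def withdraw_unsafe(acct: Account, amount: int):
    """Read, check, write. The write trusts a balance that may be stale."""
    current = acct.balance          # read
    yield "read"                    # another request can run here
    if current < amount:
        return False
    acct.balance = current - amount  # write based on the stale read
    return True


def withdraw_safe(acct: Account, amount: int):
    """Same check, but the write only lands if nobody changed the balance since the read."""
    while True:
        current = acct.balance
        yield "read"
        if current < amount:
            return False
        if acct.compare_and_set(current, current - amount):
            return True
        # Lost the race: loop, re-read the debited balance and re-check.


def run_interleaved(make_withdraw, balance: int, amount: int) -> tuple[list[bool], int]:
    """Two requests read the same balance, then each completes in turn.

    Returns (per-request outcomes, final balance).
    """
    acct = Account(balance)
    a, b = make_withdraw(acct, amount), make_withdraw(acct, amount)
    next(a)
    next(b)                         # both have now read `balance`
    results: list[bool] = []
    for gen in (a, b):
        try:
            while True:
                next(gen)           # drive until the generator returns
        except StopIteration as stop:
            results.append(stop.value)
    return results, acct.balance


if __name__ == "__main__":
    print("unsafe:", run_interleaved(withdraw_unsafe, 100, 80))  # both succeed, 160 paid from 100
    print("safe:  ", run_interleaved(withdraw_safe, 100, 80))    # second request is refused
```

With a balance of 100 and two withdrawals of 80, the unsafe path returns `([True, True], 20)`: 160 was paid out and the stored balance says 20. The compare-and-set path returns `([True, False], 20)`; the second request's write fails because the balance moved, it re-reads 20 and is refused. The vulnerability is invisible to a rule that looks at either function alone, which is why the table attributes it to reasoning about state rather than pattern matching.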
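The "SARIF input" section and the matching FAQ entry say other scanners' findings are used as context: attached to the code they sit in, validated, and chained. The block below is an added example of the first step, reading findings out of a SARIF 2.1.0 file and selecting the ones that fall inside a given file and line range, written for this page and not taken from VulnHawk's parser. The SARIF document is constructed inline in the shape Semgrep emits (results under `runs[].results[]`, location under `physicalLocation`); the tool name, rule ids, paths and messages are invented for the example, and real files carry many more fields than are read here.

```python
"""Pull findings out of a SARIF 2.1.0 file and attach them to a code chunk
(added example, not VulnHawk's code).
"""
from __future__ import annotations

import json
from dataclasses import dataclass

# Constructed two-result SARIF document; ids and paths are invented.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
    "runs": [{
        "tool": {"driver": {"name": "semgrep", "rules": [
            {"id": "example.tainted-sql-string",
             "shortDescription": {"text": "Tainted SQL string"}},
            {"id": "example.debug-enabled",
             "shortDescription": {"text": "Debug mode enabled"}},
        ]}},
        "results": [
            {"ruleId": "example.tainted-sql-string",
             "level": "error",
             "message": {"text": "User input reaches a SQL query"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/orders.py"},
                 "region": {"startLine": 42, "endLine": 43}}}]},
            {"ruleId": "example.debug-enabled",
             "level": "warning",
             "message": {"text": "Flask debug mode is on"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/__init__.py"},
                 "region": {"startLine": 7}}}]},
        ],
    }],
})

LEVEL_ORDER = {"error": 0, "warning": 1, "note": 2, "none": 3}


@dataclass(frozen=True)
class Finding:
    tool: str
    rule_id: str
    level: str
    path: str
    line: int
    message: str


def load_findings(sarif_text: str) -> list[Finding]:
    """Flatten every result of every run into Finding records, one per location."""
    doc = json.loads(sarif_text)
    out: list[Finding] = []
    for run in doc.get("runs", []):
        tool = run.get("tool", {}).get("driver", {}).get("name", "unknown")
        for res in run.get("results", []):
            # A result without locations still gets one record, with an empty path.
            for loc in res.get("locations") or [{}]:
                phys = loc.get("physicalLocation", {})
                out.append(Finding(
                    tool=tool,
                    rule_id=res.get("ruleId", ""),
                    level=res.get("level", "warning"),  # SARIF default level
                    path=phys.get("artifactLocation", {}).get("uri", ""),
                    line=int(phys.get("region", {}).get("startLine", 0)),
                    message=res.get("message", {}).get("text", ""),
                ))
    return out


def findings_in_chunk(findings: list[Finding], path: str, start_line: int, end_line: int) -> list[Finding]:
    """Findings whose reported line falls inside one code chunk of `path`."""
    return [f for f in findings if f.path == path and start_line <= f.line <= end_line]


def context_notes(findings: list[Finding]) -> list[str]:
    """One line per finding, highest severity first; the form a prompt could carry beside the chunk."""
    ordered = sorted(findings, key=lambda f: (LEVEL_ORDER.get(f.level, 9), f.path, f.line))
    return [f"[{f.tool}/{f.level}] {f.path}:{f.line} {f.rule_id}: {f.message}" for f in ordered]


if __name__ == "__main__":
    found = load_findings(SAMPLE_SARIF)
    for note in context_notes(findings_in_chunk(found, "app/orders.py", 30, 60)):
        print(note)
```

`findings_in_chunk` is the piece that matters for chaining: once each chunk carries the prior findings that land inside it, the model sees the Semgrep hit and the surrounding handler in one prompt, which is what the README means by validating a finding and looking for related issues nearby. Note that `uri` in SARIF is relative to the run's base URI, so compare paths after normalising them the same way the producing tool did.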