{"id":49305324,"url":"https://github.com/mythos-agent/mythos-agent","last_synced_at":"2026-04-26T09:04:28.072Z","repository":{"id":352431215,"uuid":"1210444100","full_name":"mythos-agent/mythos-agent","owner":"mythos-agent","description":"The AI security agent that guards your code.","archived":false,"fork":false,"pushed_at":"2026-04-19T14:22:10.000Z","size":1336,"stargazers_count":0,"open_issues_count":16,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-04-19T16:23:02.829Z","etag":null,"topics":["ai","appsec","cli","cybersecurity","dast","devsecops","llm-security","owasp","sast","scanner","security","typescript","vulnerability"],"latest_commit_sha":null,"homepage":"https://sphinx-agent.com","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/mythos-agent.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":"CODEOWNERS","security":"SECURITY.md","support":"SUPPORT.md","governance":"GOVERNANCE.md","roadmap":"ROADMAP.md","authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":"MAINTAINERS.md","copyright":null,"agents":null,"dco":null,"cla":null},"funding":null},"created_at":"2026-04-14T12:27:00.000Z","updated_at":"2026-04-19T14:21:55.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/mythos-agent/mythos-agent","commit_stats":null,"previous_names":["mythos-agent/mythos-agent"],"tags_count":5,"template":false,"template_full_name":null,"purl":"pkg:github/mythos-agent/mythos-agent","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mythos-agent%2Fmythos-agent","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mythos-agent%2Fmythos-agent/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mythos-agent%2Fmythos-agent/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mythos-agent%2Fmythos-agent/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/mythos-agent","download_url":"https://codeload.github.com/mythos-agent/mythos-agent/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mythos-agent%2Fmythos-agent/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":32291347,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-26T08:29:33.829Z","status":"ssl_error","status_checked_at":"2026-04-26T08:29:18.366Z","response_time":129,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ai","appsec","cli","cybersecurity","dast","devsecops","llm-security","owasp","sast","scanner","security","typescript","vulnerability"],"created_at":"2026-04-26T09:04:08.310Z","updated_at":"2026-04-26T09:04:28.065Z","avatar_url":"https://github.com/mythos-agent.png","language":"TypeScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003cp align=\"center\"\u003e\n  \u003cstrong\u003eEnglish\u003c/strong\u003e · \u003ca href=\"README.zh-CN.md\"\u003e简体中文\u003c/a\u003e\n\u003c/p\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003cimg alt=\"mythos-agent — Cerby the guard puppy\" src=\"assets/cerby-banner.svg\" width=\"640\"\u003e\n\u003c/p\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003cimg alt=\"mythos-agent — 10-second security check demo\" src=\"assets/demo.gif\" width=\"720\"\u003e\n\u003c/p\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003ch1 align=\"center\"\u003emythos-agent\u003c/h1\u003e\n  \u003cp align=\"center\"\u003e\u003cstrong\u003eAI code-review assistant for application security.\u003c/strong\u003e\u003c/p\u003e\n  \u003cp align=\"center\"\u003e\u003cem\u003eOpen-source. Reads your code, flags likely security issues, explains its reasoning, suggests fixes.\u003c/em\u003e\u003c/p\u003e\n\u003c/p\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003ca href=\"https://github.com/mythos-agent/mythos-agent/actions\"\u003e\u003cimg src=\"https://github.com/mythos-agent/mythos-agent/workflows/CI/badge.svg\" alt=\"CI\"\u003e\u003c/a\u003e\n  \u003ca href=\"https://www.npmjs.com/package/mythos-agent\"\u003e\u003cimg src=\"https://img.shields.io/npm/v/mythos-agent\" alt=\"npm\"\u003e\u003c/a\u003e\n  \u003ca href=\"https://github.com/mythos-agent/mythos-agent/blob/main/LICENSE\"\u003e\u003cimg src=\"https://img.shields.io/badge/license-MIT-blue\" alt=\"License\"\u003e\u003c/a\u003e\n  \u003ca href=\"https://mythos-agent.com/discord\"\u003e\u003cimg src=\"https://img.shields.io/badge/discord-join-5865F2?logo=discord\u0026logoColor=white\" alt=\"Discord\"\u003e\u003c/a\u003e\n  \u003cimg src=\"https://img.shields.io/badge/node-%3E%3D20-green\" alt=\"Node\"\u003e\n  \u003cimg src=\"https://img.shields.io/badge/scanners-15_wired-5B2A86\" alt=\"Wired scanners\"\u003e\n  \u003cimg src=\"https://img.shields.io/badge/experimental-28-6B7280\" alt=\"Experimental scanners\"\u003e\n  \u003cimg src=\"https://img.shields.io/badge/rules-329%2B-FB923C\" alt=\"Rules\"\u003e\n\u003c/p\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003cstrong\u003e\u003ca href=\"https://mythos-agent.com\"\u003emythos-agent.com\u003c/a\u003e\u003c/strong\u003e\n\u003c/p\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003ca href=\"#quick-start\"\u003eQuick Start\u003c/a\u003e \u0026bull;\n  \u003ca href=\"#how-it-works\"\u003eHow It Works\u003c/a\u003e \u0026bull;\n  \u003ca href=\"#commands\"\u003eCommands\u003c/a\u003e \u0026bull;\n  \u003ca href=\"#hunt-mode\"\u003eHunt Mode\u003c/a\u003e \u0026bull;\n  \u003ca href=\"#variant-analysis\"\u003eVariant Analysis\u003c/a\u003e \u0026bull;\n  \u003ca href=\"#integrations\"\u003eIntegrations\u003c/a\u003e \u0026bull;\n  \u003ca href=\"#contributing\"\u003eContributing\u003c/a\u003e \u0026bull;\n  \u003ca href=\"VISION.md\"\u003eVision\u003c/a\u003e \u0026bull;\n  \u003ca href=\"ROADMAP.md\"\u003eRoadmap\u003c/a\u003e\n\u003c/p\u003e\n\n---\n\nmythos-agent **reviews your code the way a reviewer on a security-focused team would.** It walks through likely issue patterns, checks for variants of known CVEs, ranks findings by confidence, and suggests fixes you can accept or reject. See [VISION.md](VISION.md) for the full framing.\n\n\u003e **For new contributors:** the active 6-month working plan is in the pinned issue **`[Roadmap] mythos-agent H1 2026 Goals`**. Look for 🙋 markers to spot items where help is wanted. New here? See [CONTRIBUTING.md](CONTRIBUTING.md) for `good-first-issue` guidance.\n\u003e\n\u003e **For security teams and EU CRA-compliant downstream manufacturers:** see [SECURITY.md](SECURITY.md) for our vulnerability disclosure SLAs, [docs/security/cra-stance.md](docs/security/cra-stance.md) for our EU CRA role declaration, [docs/security/threat-model.md](docs/security/threat-model.md) for our public threat model, and [RELEASES.md](RELEASES.md) for our versioning, LTS, and EOL policy. OpenSSF Best Practices Badge (Passing) submission targeted **June 2026**; releases are signed via [Sigstore](docs/security/sbom.md) and ship with [CycloneDX SBOMs](docs/security/sbom.md) for downstream Manufacturer compliance.\n\n```bash\nnpx mythos-agent hunt\n```\n\n```\n🔐 mythos-agent hunt — AI Code-Review Assistant\n\n✔ Phase 1: Reconnaissance — 12 entry points, express, typescript, postgresql\n✔ Phase 2: Hypothesis — 8 security hypotheses generated\n✔ Phase 3: Analysis — 15 findings (semgrep, gitleaks, trivy, built-in), 22 false positives dismissed\n✔ Phase 4: Reproduction — 2 finding chains, 3 reproductions\n\n🧪 Security Hypotheses\n\n  [HIGH] HYPO-001 — Race condition: concurrent payment requests could double-charge\n    src/payments.ts:45 (race-condition)\n  [HIGH] HYPO-002 — Auth bypass: JWT token not validated after password change\n    src/auth.ts:78 (auth-bypass)\n\n📊 Confidence Summary\n\n  3 confirmed | 8 likely | 4 possible | 22 dismissed\n\n⛓️ FINDING CHAINS\n\n CRITICAL  SQL Injection → Auth Bypass → Data Exfiltration\n  ├── src/api/search.ts:45      — unsanitized input in SQL query\n  ├── src/middleware/auth.ts:88  — JWT verification skippable\n  └── src/api/export.ts:23      — bulk export has no ACL\n\n🧪 Reproductions\n\n  SPX-0001 — SQL injection in search endpoint\n    See repro steps in docs/reproductions/SPX-0001.md\n\n  Trust Score: 2.3/10 — critical issues found\n```\n\n## Quick Start\n\n```bash\n# Install\nnpm install -g mythos-agent\n\n# Quick scan (no API key needed)\nmythos-agent scan\n\n# Full autonomous hunt (needs API key)\nmythos-agent init\nmythos-agent hunt\n\n# Find variants of known CVEs\nmythos-agent variants CVE-2021-44228\n\n# Ask security questions\nmythos-agent ask \"are there any auth bypasses?\"\n\n# Check available tools\nmythos-agent tools\n```\n\n## How It Works\n\nmythos-agent combines **three things no other open-source tool does together**:\n\n### 1. Hypothesis-Driven Scanning\nInstead of matching known patterns, the AI **reasons about what COULD go wrong**, generating hypotheses like \"this transaction doesn't lock the row, potential race condition\" or \"this auth check uses string comparison, potential timing attack.\"\n\n### 2. Variant Analysis (Big Sleep technique)\nGiven a known CVE, mythos-agent finds **structurally similar but syntactically different** code in your codebase. Same root cause, different location. This is how Google's Big Sleep found 20 real zero-days.\n\n### 3. Multi-Stage Verification\nEvery finding goes through a confidence pipeline:\n- **Pattern scan** → candidate\n- **AI hypothesis** → theoretical risk confirmed\n- **Smart fuzzer** → dynamically tested\n- **PoC generator** → concrete exploit proves it's real\n\nOnly findings that survive multiple stages are reported as \"confirmed.\"\n\n## Commands\n\n| Command | Description |\n|---------|-------------|\n| `hunt [path]` | Full autonomous multi-agent scan (Recon → Hypothesize → Analyze → Exploit) |\n| `scan [path]` | Standard scan (patterns + secrets + deps + IaC + AI) |\n| `variants [cve-id]` | Find variants of known CVEs in your codebase |\n| `fix [path]` | AI-generated patches with `--apply` |\n| `ask [question]` | Natural language security queries |\n| `taint [path]` | AI data flow / taint analysis |\n| `watch` | Continuous monitoring that scans on file save |\n| `dashboard` | Local web UI with charts and findings table |\n| `report [path]` | Export as terminal / JSON / HTML / SARIF |\n| `policy` | Policy-as-code with SOC2/HIPAA/PCI/OWASP compliance |\n| `rules` | Community rule pack registry (search/install/publish) |\n| `tools` | Check which external security tools are installed |\n| `init` | Setup wizard (Anthropic, OpenAI, Ollama, LM Studio) |\n\n## Hunt Mode\n\n`mythos-agent hunt` runs the full multi-agent pipeline:\n\n```\n┌──────────────┐     ┌──────────────┐     ┌──────────────┐     ┌──────────────┐\n│    Recon     │ →   │  Hypothesis  │ →   │   Analyze    │ →   │   Exploit    │\n│    Agent     │     │    Agent     │     │    Agent     │     │    Agent     │\n├──────────────┤     ├──────────────┤     ├──────────────┤     ├──────────────┤\n│ Map entry    │     │ Reason about │     │ All scanners │     │ Chain vulns  │\n│ points, auth │     │ what could   │     │ + external   │     │ + generate   │\n│ boundaries,  │     │ go wrong per │     │ tools + AI   │     │ PoC exploits │\n│ data stores  │     │ function     │     │ verification │     │              │\n└──────────────┘     └──────────────┘     └──────────────┘     └──────────────┘\n```\n\n## Variant Analysis\n\nFind code in your project that has the same root cause as known CVEs:\n\n```bash\n# Search for Log4Shell-like patterns\nmythos-agent variants CVE-2021-44228\n\n# Auto-detect and scan for variants\nmythos-agent variants --auto\n```\n\nThe variant analyzer extracts the **root cause pattern** from the CVE (not the surface syntax) and searches your codebase for structurally similar code.\n\n## Scanners (15 wired + 28 experimental, 329+ rules)\n\nThe **Default** scanners run on every `mythos-agent scan`. **Experimental** scanners are implemented + unit-tested classes that ship in the tarball but are not yet reachable from any CLI, HTTP, MCP, or agent entry point. They are tracked by [`KNOWN_EXPERIMENTAL`](src/scanner/__tests__/wiring-invariant.test.ts) in the wiring-invariant test.\n\n| Category | What it finds | Rules | Status |\n|----------|---------------|-------|--------|\n| Code patterns | SQLi, XSS, command injection, eval, SSRF, etc. | 25+ | Default |\n| Framework rules | React, Next.js, Express, Django, Flask, Spring, Go | 27 | Default |\n| Secrets | AWS, GitHub, Stripe, API keys, DB URLs, private keys + entropy | 22 | Default |\n| Dependencies (SCA) | Known CVEs via OSV API (10 lockfile formats) | OSV | Default |\n| IaC | Docker, Terraform, Kubernetes misconfigurations | 13 | Default |\n| AI/LLM Security | Prompt injection, unsafe eval of AI output, cost attacks | 13 | Default |\n| API Security | OWASP API Top 10: BOLA, mass assignment, broken auth | 12 | Default |\n| Cloud Misconfig | AWS/Azure/GCP: public storage, wildcard IAM, open firewalls | 14 | Default |\n| Security Headers | CSP, HSTS, X-Frame-Options, Referrer-Policy | 8 | Default |\n| JWT | Algorithm, expiry, storage, revocation, audience | 9 | Default |\n| Session | Fixation, expiry, cookie flags, localStorage tokens | 7 | Default |\n| Business Logic | Negative amounts, coupon reuse, inventory races, role escalation | 6 | Default |\n| Crypto Audit | Weak hashes, ECB mode, hardcoded keys, deprecated TLS | 11 | Default |\n| Privacy/GDPR | PII handling, consent, data retention (GDPR article mapping) | 9 | Default |\n| Race Conditions | TOCTOU, non-atomic ops, double-spend, missing transactions | 7 | Default |\n| ReDoS | Catastrophic backtracking in regex (nested quantifiers, overlapping alternatives) | — | Default |\n| Supply Chain | Typosquatting, dependency confusion, dangerous install scripts | 12 | Experimental |\n| Zero Trust | Service trust, mTLS, network segmentation, IP-based auth | 8 | Experimental |\n| GraphQL | Introspection, depth limit, field auth, batching | 8 | Experimental |\n| WebSocket | Auth, origin check, message validation, broadcast XSS | 7 | Experimental |\n| CORS | Origin reflection, credentials handling, substring bypass | 7 | Experimental |\n| OAuth/OIDC | Missing state, no PKCE, implicit flow, client secret exposure | 7 | Experimental |\n| SSTI | Jinja2, EJS, Handlebars, Pug, Nunjucks, Twig, Go templates | 7 | Experimental |\n\n\u003cdetails\u003e\n\u003csummary\u003eAdditional experimental scanners (21 more, not yet wired into default scan)\u003c/summary\u003e\n\nSQL injection deep, XSS deep, NoSQL, command injection, deserialization, path traversal, open redirect, XXE, input validation, clickjacking, DNS rebinding, subdomain enumeration, dep confusion, environment variables, logging, error handling, cache, email, upload, memory safety, permissions.\n\nEach exists as a class under `src/scanner/` and has unit tests in `src/scanner/__tests__/coverage-scanners.test.ts` / `new-scanners.test.ts`, but is not invoked by any CLI command, HTTP API route, MCP handler, or agent pipeline. See `KNOWN_EXPERIMENTAL` in the wiring-invariant test for each scanner's deferral reason. Wiring one up follows the pattern of the HeadersScanner / JwtScanner / SessionScanner / BusinessLogicScanner commits on `main`.\n\n\u003c/details\u003e\n\nBeyond the scanners above, mythos-agent ships complementary analyses (not counted in the scanner totals): call-graph + taint engine, DAST smart fuzzer, AI hypothesis agent, variant analysis, and git-history mining.\n\n**External tool integrations:** Semgrep (30+ languages), Gitleaks (100+ patterns), Trivy (SCA + containers), Checkov (1000+ IaC policies), Nuclei (9000+ DAST templates)\n\n## Integrations\n\n| Platform | What |\n|----------|------|\n| **VS Code** | Extension with inline diagnostics + one-click AI fix |\n| **GitHub Action** | Scan on push/PR + SARIF upload to Code Scanning |\n| **PR Review Bot** | Inline comments on vulnerable lines in pull requests |\n| **Dashboard** | Local web UI at `mythos-agent dashboard` |\n| **SARIF** | GitHub Code Scanning, VS Code, any SARIF tool |\n| **Policy Engine** | SOC2, HIPAA, PCI-DSS, OWASP compliance mapping |\n\n## AI Providers\n\n| Tier | Providers | Status |\n|---|---|---|\n| **1 — Primary** | Anthropic (Claude Sonnet / Opus / Haiku) | Fully tested. Published catch-rate numbers in [`docs/benchmarks/external-scores.md`](docs/benchmarks/external-scores.md) are produced with this tier. |\n| **2 — Compatible (proxy today, native in stage 2)** | Anything OpenAI-compatible — OpenAI, Qwen via DashScope/OpenRouter, Gemini, Mistral, vLLM, Ollama, LM Studio, Bedrock, etc. | Today: route through any Anthropic-compatible proxy (LiteLLM, OpenRouter, Vercel AI Gateway, Bedrock) by setting `baseURL` in `.mythos.yml` or `ANTHROPIC_BASE_URL` env. Native OpenAI SDK support lands in stage 2. |\n| **3 — Local / community** | Local Ollama / LM Studio / vLLM | Same code path as Tier 2; called out separately because privacy and cost-of-zero are the use case. Best-effort; agentic tool-use quality depends on local model size. |\n\nPattern scanning, secrets, deps, and IaC work without any API key.\n\nSee [`docs/multi-model.md`](docs/multi-model.md) for the full tier-system policy + the staged rollout (this README is the summary; that doc is the canonical reference).\n\n## Comparison\n\n| Feature | mythos-agent | Semgrep | Snyk | CodeQL | Nuclei |\n|---------|-------------|---------|------|--------|--------|\n| Pattern scanning | Yes | Best | Yes | Yes | Templates |\n| **Hypothesis scanning** | **Yes** | No | No | No | No |\n| **Variant analysis** | **Yes** | No | No | Partial | No |\n| **AI-guided fuzzing** | **Yes** | No | No | No | Templates |\n| **PoC generation** | **Yes** | No | No | No | No |\n| AI deep analysis | Yes | No | Limited | No | No |\n| Vuln chaining | Yes | No | No | No | No |\n| AI auto-fix | Yes | No | Fix PRs | No | No |\n| NL queries | Yes | No | No | No | No |\n| Secrets | Yes | Yes | Yes | No | No |\n| SCA | Yes | No | Best | No | No |\n| IaC | Yes | No | Yes | No | Templates |\n| DAST | Yes | No | No | No | Best |\n| Open source | Yes | Partial | No | Yes | Yes |\n\nThis feature table is a capability comparison, not an accuracy claim.\nFor reproducible, third-party-runnable accuracy numbers vs Semgrep CE /\nSnyk Code / CodeQL on OWASP Benchmark, CyberSecEval 3, Vul4J, and our\nCVE replay harness, see [docs/benchmarks/external-scores.md](docs/benchmarks/external-scores.md).\n\n## Contributing\n\nSee [CONTRIBUTING.md](CONTRIBUTING.md) for details.\n\n```bash\ngit clone https://github.com/mythos-agent/mythos-agent.git\ncd mythos-agent \u0026\u0026 npm install \u0026\u0026 npm run build \u0026\u0026 npm test\n```\n\n### Architecture\n\n```\nsrc/\n  agents/         Multi-agent orchestrator + Recon/Hypothesis/Analyzer/Exploit agents\n  analysis/       Code parser, call graph, taint engine, variant analyzer, service mapper\n  agent/          AI integration, prompts, tools, fix validator\n  cli/            44 CLI commands\n  dast/           Smart fuzzer, PoC generator, payload library\n  policy/         Policy engine + compliance mapping\n  report/         Terminal, JSON, HTML, SARIF, dashboard\n  rules/          Built-in + custom YAML + community registry\n  scanner/        Pattern, secrets, deps, IaC, diff scanners\n  store/          Results persistence + incremental cache\n  tools/          External tool wrappers (Semgrep, Trivy, etc.)\nvscode-extension/ VS Code extension\naction/           GitHub Actions\nbot/              PR Review Bot\n```\n\n## License\n\nMIT\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmythos-agent%2Fmythos-agent","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmythos-agent%2Fmythos-agent","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmythos-agent%2Fmythos-agent/lists"}