
AI-Enhanced Security Vulnerability Scanner

Paste a GitHub repository URL to run Semgrep static analysis. Get AI-generated explanations, attack scenarios, and fix suggestions for every vulnerability found.


Overview

This scanner turns a GitHub repository into a fast, readable security report. It combines Semgrep detection with AI risk explanation so teams can move from finding issues to fixing them.

How It Works

GitHub URL -> Clone (depth=1) -> Semgrep Rules -> SARIF Parse -> AI Enhance (parallel) -> Prioritized Results

Architecture

Frontend (Next.js) -> POST /api/scan
                     -> poll GET /api/scan/{id}/status
                     -> GET /api/scan/{id}/results

Backend (FastAPI):
RepoManager -> SemgrepRunner -> SARIFParser -> AIEnhancer (parallel)
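The SARIF Parse step of the pipeline above is where Semgrep's raw output becomes a prioritized list with a severity summary. The following is an added example of that step, not the project's SARIFParser: Semgrep writes SARIF 2.1.0 when run with `--sarif`, but SARIF only has the levels error/warning/note, so the mapping to high/medium/low and the promotion of injection CWEs to critical are assumptions made here (they follow the "injection is high-priority" stance of the Security Focus section). The rule ids and results in the sample document are constructed.

```python
"""Parse Semgrep SARIF output into prioritized findings with a severity summary.

Added example, not the scanner's own code. Semgrep emits SARIF 2.1.0 when run
with `--sarif`; the level->severity mapping and the promotion of injection
CWEs to "critical" are assumptions made for this example.
"""
import json
from collections import Counter
from dataclasses import dataclass

# SARIF `level` values Semgrep produces (ERROR/WARNING/INFO) -> report buckets.
# Assumed mapping: SARIF has no "critical" level, so that bucket is derived below.
LEVEL_TO_SEVERITY = {"error": "high", "warning": "medium", "note": "low", "none": "low"}
# Assumed: injection/deserialization classes are promoted to critical regardless of level.
CRITICAL_CWES = {"CWE-78", "CWE-89", "CWE-94", "CWE-502"}
SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass(frozen=True)
class Finding:
    rule_id: str
    severity: str
    message: str
    path: str
    line: int
    cwes: tuple


def _cwes_for(rule):
    """Semgrep tags look like 'CWE-89: Improper Neutralization ...'; keep only the id."""
    tags = rule.get("properties", {}).get("tags", [])
    return tuple(t.split(":")[0].strip().upper() for t in tags if t.upper().startswith("CWE-"))


def parse_sarif(text):
    """Return findings sorted critical -> low, then by file and line."""
    doc = json.loads(text)
    findings = []
    for run in doc.get("runs", []):
        rules = {r["id"]: r for r in run.get("tool", {}).get("driver", {}).get("rules", [])}
        for res in run.get("results", []):
            rule = rules.get(res.get("ruleId"), {})
            # A result may omit `level`; SARIF then falls back to the rule's default.
            level = res.get("level") or rule.get("defaultConfiguration", {}).get("level", "warning")
            cwes = _cwes_for(rule)
            severity = LEVEL_TO_SEVERITY.get(level, "medium")
            if CRITICAL_CWES.intersection(cwes):
                severity = "critical"
            loc = (res.get("locations") or [{}])[0].get("physicalLocation", {})
            findings.append(Finding(
                rule_id=res.get("ruleId", "unknown"),
                severity=severity,
                message=res.get("message", {}).get("text", ""),
                path=loc.get("artifactLocation", {}).get("uri", "?"),
                line=loc.get("region", {}).get("startLine", 0),
                cwes=cwes,
            ))
    findings.sort(key=lambda f: (SEVERITY_ORDER[f.severity], f.path, f.line))
    return findings


def severity_summary(findings):
    """Critical/high/medium/low counts for the report header."""
    counts = Counter(f.severity for f in findings)
    return {k: counts.get(k, 0) for k in SEVERITY_ORDER}


def _rule(rule_id, level, *tags):
    return {"id": rule_id, "defaultConfiguration": {"level": level}, "properties": {"tags": list(tags)}}


def _result(rule_id, path, line, msg, level=None):
    r = {"ruleId": rule_id, "message": {"text": msg},
         "locations": [{"physicalLocation": {"artifactLocation": {"uri": path},
                                             "region": {"startLine": line}}}]}
    if level:
        r["level"] = level
    return r


# Constructed sample in Semgrep's SARIF shape; the rule ids are invented for this example.
SAMPLE_SARIF = json.dumps({"version": "2.1.0", "runs": [{
    "tool": {"driver": {"name": "semgrep", "rules": [
        _rule("example.sqli-format-string", "warning", "CWE-89: SQL Injection", "security"),
        _rule("example.hardcoded-secret", "error", "CWE-798: Use of Hard-coded Credentials"),
        _rule("example.flask-debug", "warning", "CWE-489: Active Debug Code"),
        _rule("example.todo-comment", "note"),
    ]}},
    "results": [
        _result("example.flask-debug", "app.py", 42, "Flask debug mode enabled"),
        _result("example.hardcoded-secret", "settings.py", 7, "AWS key assigned to a constant"),
        _result("example.sqli-format-string", "db/users.py", 88, "SQL built with f-string", "warning"),
        _result("example.todo-comment", "app.py", 3, "TODO left in code"),
    ]}]})

if __name__ == "__main__":
    for f in parse_sarif(SAMPLE_SARIF):
        print(f"{f.severity:<8} {f.path}:{f.line}  {f.rule_id}")
    print(severity_summary(parse_sarif(SAMPLE_SARIF)))
```

Note that the SQL injection finding is only a SARIF `warning`; without the CWE-based promotion it would sit below the hard-coded secret in the report, which is the opposite of what the Security Focus section promises.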

Security Focus

  • Injection Risks: SQL/command injection patterns are treated as high-priority.
  • Input Validation: Detects unsafe handling of user-controlled data.
  • Auth + Access: Flags weak authorization and privilege mistakes.
  • Secrets Hygiene: Highlights exposed credentials and sensitive data paths.

What You Get

  • Live Progress: the status endpoint is polled from the moment POST /api/scan returns until the scan completes.
  • Severity Summary: Critical, high, medium, low breakdown.
  • Attack Context: Realistic exploitation paths and business impact.
  • Fix Guidance: Safer code suggestions with diffs for faster remediation.

API Flow

  1. Start: POST /api/scan returns a scan ID.
  2. Track: GET /api/scan/{id}/status reports steps and progress.
  3. Collect: GET /api/scan/{id}/results returns enriched vulnerabilities.
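A client that walks these three steps, as an added example rather than the project's own frontend code. Only the three endpoint paths come from this page; the request and response field names (`repo_url`, `scan_id`, `status`, `error`) and the terminal status values are assumptions. The transport, sleep and clock are injectable so the flow, including the deadline branch, runs offline against the constructed `FakeScanApi`.

```python
"""Drive the scan API end to end: start, poll status, collect results.

Added example, not the project's client. Field names (`repo_url`, `scan_id`,
`status`, `error`) and the terminal status values are assumptions; only the
three endpoint paths come from the page.
"""
import json
import time
import urllib.request

TERMINAL_STATUSES = {"completed", "failed"}  # assumed


def http_json(method, url, body=None):
    """Minimal JSON transport on the standard library (no third-party client)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def run_scan(base_url, repo_url, fetch=http_json, poll_interval=2.0,
             max_wait=600.0, sleep=time.sleep, clock=time.monotonic):
    """Start a scan and block until it reaches a terminal state or max_wait elapses.

    `fetch`, `sleep` and `clock` are injectable so the flow can be exercised offline.
    """
    scan_id = fetch("POST", f"{base_url}/api/scan", {"repo_url": repo_url})["scan_id"]
    deadline = clock() + max_wait
    while True:
        status = fetch("GET", f"{base_url}/api/scan/{scan_id}/status")
        if status.get("status") in TERMINAL_STATUSES:
            break
        if clock() >= deadline:
            raise TimeoutError(f"scan {scan_id} still {status.get('status')!r} after {max_wait}s")
        sleep(poll_interval)  # fixed interval; the server's rate limit bounds how fast we may poll
    if status["status"] != "completed":
        raise RuntimeError(status.get("error", "scan failed"))
    return fetch("GET", f"{base_url}/api/scan/{scan_id}/results")


class FakeScanApi:
    """Constructed stand-in for the backend: 'running' for N polls, then 'completed'."""

    def __init__(self, complete_after=3):
        self.calls = []
        self._polls = 0
        self._complete_after = complete_after

    def __call__(self, method, url, body=None):
        self.calls.append((method, url))
        if method == "POST" and url.endswith("/api/scan"):
            return {"scan_id": "abc123"}
        if url.endswith("/status"):
            self._polls += 1
            if self._polls < self._complete_after:
                return {"status": "running", "step": "semgrep", "progress": self._polls * 30}
            return {"status": "completed", "progress": 100}
        if url.endswith("/results"):
            return {"scan_id": "abc123",
                    "findings": [{"rule_id": "example.sqli", "severity": "critical"}]}
        raise AssertionError(f"unexpected request {method} {url}")


def demo():
    """Happy path: returns (results, number of HTTP calls made)."""
    api = FakeScanApi()
    results = run_scan("http://localhost:8000", "https://github.com/octocat/Hello-World",
                       fetch=api, sleep=lambda s: None)
    return results, len(api.calls)


def demo_timeout():
    """Deadline branch: a scan that never finishes must raise, not poll forever."""
    api = FakeScanApi(complete_after=10_000)
    try:
        run_scan("http://localhost:8000", "https://github.com/octocat/Hello-World",
                 fetch=api, sleep=lambda s: None, max_wait=0)
    except TimeoutError:
        return True
    return False


if __name__ == "__main__":
    print(demo())
    print("timeout handled:", demo_timeout())
```

The deadline matters in practice: the backend enforces its own scan timeout, but a client that only loops on `status` will spin indefinitely if the scan record is lost or the status value changes, so the client needs a ceiling of its own.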

Design Decisions

  • Semgrep over CodeQL: lower memory usage for Railway deployment.
  • Parallel AI: findings are enhanced concurrently for lower latency.
  • Shallow clone: faster scans using depth=1. Only the checked-out tree is scanned, so secrets that exist only in git history are out of scope.
  • Fallback mode: without an Anthropic API key the scanner still runs Semgrep and returns the raw findings, just without AI enrichment.
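The parallel enrichment and fallback decisions combine naturally into one pattern: a bounded pool of concurrent model calls, a per-finding timeout, and a deterministic fallback used both when no key is configured and when an individual call fails. The block below is an added example of that pattern, not the project's AIEnhancer; the concurrency cap, timeout and fallback wording are assumptions, and the model call is injected so nothing here contacts a real API (in the scanner, `call_model` would be None whenever ANTHROPIC_API_KEY is unset). The findings and `demo_model` are constructed.

```python
"""Enrich findings concurrently with a bounded pool, per-finding timeout and a no-key fallback.

Added example, not the scanner's AIEnhancer. The concurrency cap, timeout and
fallback text are assumptions; the model call is injected so nothing here
contacts a real API.
"""
import asyncio

MAX_CONCURRENCY = 5         # assumed cap: stay under the model provider's rate limit
PER_FINDING_TIMEOUT = 20.0  # assumed: one slow finding must not stall the whole scan


def fallback_explanation(finding):
    """Deterministic enrichment used when no API key is set or the model call fails."""
    return {
        "explanation": f"{finding['rule_id']} at {finding['path']}:{finding['line']} "
                       f"({finding['severity']}): {finding['message']}",
        "attack_scenario": "Not generated: AI enhancement unavailable.",
        "fix": "Consult the Semgrep rule's reference links for remediation.",
        "source": "fallback",
    }


async def enhance_all(findings, call_model=None, limit=MAX_CONCURRENCY, timeout=PER_FINDING_TIMEOUT):
    """call_model: async callable(finding) -> dict, or None to force fallback mode.

    Results keep the input order; a failing or slow call degrades that one
    finding to the fallback rather than failing the scan.
    """
    if call_model is None:
        return [fallback_explanation(f) for f in findings]
    sem = asyncio.Semaphore(limit)

    async def one(finding):
        async with sem:
            try:
                result = await asyncio.wait_for(call_model(finding), timeout)
                return {**result, "source": "ai"}
            except Exception:  # CancelledError is a BaseException, so shutdown still propagates
                return fallback_explanation(finding)

    return await asyncio.gather(*(one(f) for f in findings))


def enhance_sync(findings, call_model=None, **kw):
    return asyncio.run(enhance_all(findings, call_model, **kw))


# Constructed findings and a stand-in model that tracks in-flight calls and fails once.
SAMPLE_FINDINGS = [
    {"rule_id": f"example.rule-{i}", "path": "app.py", "line": 10 * i,
     "severity": "high", "message": "constructed finding"} for i in range(1, 7)]
INFLIGHT = {"now": 0, "peak": 0}


async def demo_model(finding):
    INFLIGHT["now"] += 1
    INFLIGHT["peak"] = max(INFLIGHT["peak"], INFLIGHT["now"])
    try:
        await asyncio.sleep(0.01)  # simulated network latency
        if finding["line"] == 30:
            raise RuntimeError("simulated provider error")
        return {"explanation": f"model text for {finding['rule_id']}",
                "attack_scenario": "constructed scenario text",
                "fix": "constructed fix text"}
    finally:
        INFLIGHT["now"] -= 1


if __name__ == "__main__":
    for r in enhance_sync(SAMPLE_FINDINGS, demo_model, limit=2):
        print(r["source"], r["explanation"])
    print("peak concurrent model calls:", INFLIGHT["peak"])
```

`asyncio.gather` preserves input order, so the enriched list lines up with the parsed findings without any re-matching; the semaphore is what turns "parallel" into "bounded parallel", which is the difference between lower latency and a burst that trips the provider's rate limit.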

Security Controls

  • GitHub URL validation (SSRF defense)
  • Path validation (traversal defense)
  • Repo size limits
  • Scan timeout controls
  • Rate limiting
  • Temp file cleanup
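The first three controls share one property: they are checks on attacker-influenced input before the backend spends resources on it. URL validation is the SSRF defense because the URL is handed to `git clone`, so anything that makes git talk to a host other than github.com (userinfo tricks like `https://github.com@evil.example/…`, look-alike hosts, other schemes, ports) has to be rejected rather than sanitized; path validation keeps the per-scan directory a direct child of the work directory even when the id is attacker-shaped. The block below is an added example of these checks, not the project's code; the scan-id format, the size limit and the error types are assumptions.

```python
"""Input validation at the scanner's network and filesystem boundaries.

Added example, not the project's code: a strict GitHub URL validator (the SSRF
defense), a clone-directory check (the traversal defense) and a size cap for
the clone. The scan-id format and the byte limit are assumptions.
"""
import os
import re
from pathlib import Path
from urllib.parse import urlsplit

# GitHub login rules: 1-39 alphanumerics or hyphens, no leading or trailing hyphen.
OWNER_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,37}[A-Za-z0-9])?$")
REPO_RE = re.compile(r"^[A-Za-z0-9._-]{1,100}$")
SCAN_ID_RE = re.compile(r"^[0-9a-f]{32}$")   # assumed: uuid4().hex
MAX_REPO_BYTES = 200 * 1024 * 1024            # assumed clone size limit


class ValidationError(ValueError):
    pass


def normalize_github_url(raw):
    """Return canonical https://github.com/<owner>/<repo> or raise ValidationError.

    Rejects rather than rewrites: every deviation from the one accepted shape
    is an error, so git never receives a URL this function did not construct.
    """
    parts = urlsplit(raw.strip())
    if parts.scheme != "https":
        raise ValidationError("only https:// GitHub URLs are accepted")
    if parts.username is not None or parts.password is not None:
        raise ValidationError("credentials in URL are not allowed")  # https://github.com@evil/...
    try:
        port = parts.port
    except ValueError:
        raise ValidationError("invalid port")
    if parts.hostname != "github.com" or port not in (None, 443):
        raise ValidationError("host must be github.com")  # hostname is already lowercased
    segments = [s for s in parts.path.split("/") if s]
    if len(segments) != 2:
        raise ValidationError("expected /<owner>/<repo>")
    owner, repo = segments
    if repo.endswith(".git"):
        repo = repo[:-4]
    if not OWNER_RE.match(owner) or not REPO_RE.match(repo) or repo in {".", ".."}:
        raise ValidationError("invalid owner or repository name")
    return f"https://github.com/{owner}/{repo}"


def is_valid_github_url(raw):
    try:
        normalize_github_url(raw)
        return True
    except ValidationError:
        return False


def clone_dir(workdir, scan_id):
    """Resolve the per-scan directory and prove it is a direct child of workdir."""
    if not SCAN_ID_RE.match(scan_id):
        raise ValidationError("malformed scan id")
    base = Path(workdir).resolve()
    target = (base / scan_id).resolve()
    if target.parent != base:  # catches '..' and symlinked escapes after resolve()
        raise ValidationError("clone path escapes work directory")
    return target


def tree_size(path, limit=MAX_REPO_BYTES):
    """Sum file sizes under path without following symlinks; stop early once past limit."""
    total = 0
    for root, _dirs, files in os.walk(path):
        for name in files:
            total += os.lstat(os.path.join(root, name)).st_size
            if total > limit:
                raise ValidationError(f"repository exceeds {limit} bytes")
    return total


if __name__ == "__main__":
    for u in ("https://github.com/octocat/Hello-World.git",
              "https://github.com@evil.example/octocat/Hello-World",
              "http://github.com/octocat/Hello-World",
              "https://github.com/octocat/Hello-World/tree/main"):
        print(f"{is_valid_github_url(u)!s:<6} {u}")
    print(clone_dir("/tmp/scans", "0" * 32))
```

`tree_size` uses `lstat` and `os.walk` with its default of not following symlinks, so a repository that contains a symlink to `/` cannot inflate the count or drag the scan outside the clone; the early exit is what makes the limit a defense against large repositories rather than a post-mortem measurement.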

Supported Languages

Python: p/python, p/flask, p/django, p/owasp-top-ten

JavaScript: p/javascript, p/nodejs, p/owasp-top-ten

Java: p/java, p/owasp-top-ten

Go: p/golang, p/owasp-top-ten

Ruby: p/ruby, p/owasp-top-ten

PHP: p/php, p/owasp-top-ten

Other: p/owasp-top-ten, p/security-audit