An autonomous AI agent that crawls code, commit history, and config files to find exposed passwords, API keys, and tokens β before the bad guys do.
π Documentation Β· π‘οΈ Security
The Problem: Accidental Password Posting
Imagine accidentally leaving your house keys under the doormat and posting a photo of it online. That's essentially what happens when a developer commits a password, API key, or database credential to a public GitHub repository. It happens more often than you'd think β and hackers have automated tools that scan millions of repos every day looking for exactly this mistake.
How VaultHound Solves It
VaultHound is an autonomous AI agent that acts like a security expert reviewing your codebase. You give it a GitHub URL, and it systematically hunts through every file, every past commit, and every configuration to find secrets that shouldn't be there. Unlike simple keyword scanners, VaultHound uses GPT-4o to understand context β it can tell the difference between a real production password and a test password in example code.
Why This Matters for Your Business
Every data breach costs money β not just in fines (GDPR can fine up to 4% of annual revenue), but in lost customer trust and reputation damage. A single exposed AWS key has led to ransomware attacks costing hundreds of thousands of dollars. VaultHound catches these leaks before attackers find them, saving your business from costly incidents.
| Feature | What It Does | Why It Matters |
|---|---|---|
| π€ AI Semantic Analysis | GPT-4o reads code like a human, not just pattern-matching | Catches secrets that regex tools miss (e.g., a password disguised as a variable name) |
| π΅οΈ Commit History Forensics | Digs through deleted files and past commits | Secrets deleted last year are still in Git history β still exploitable |
| π Risk Scoring Dashboard | Assigns a 0β10 danger score to every finding | Prioritize what to fix first, instantly |
| π΄ Live Scanning Progress | Watch the AI agent work in real time | Full transparency β no black box |
| π‘οΈ OWASP Hardened | Guards against 10 types of AI-specific attacks | The tool itself can't be hacked or tricked |
| π Autumn UI Theme | Beautiful, readable dark interface | Designed for long sessions and demos |
| π₯ Export Reports | Download full JSON or Markdown report | Share with your security team immediately |
| πΎ Scan History | SQLite database stores all past scans | Track improvements over time |
| π¨ Human-in-the-Loop | AI pauses and asks YOU before deep scanning | You stay in control β AI is the assistant, not the boss |
| β‘ Free to Run | Only OpenAI API costs money (~$0.01 per scan) | No expensive tooling subscriptions needed |
Here's what happens when you point VaultHound at a repository:
flowchart TD
A[π€ User enters GitHub URL] --> B[π Input Validator\nChecks for attacks & sanitizes input]
B --> C[π·οΈ Repo Crawler\nFetches files, configs, CI/CD]
C --> D[π Commit History Scanner\nLooks through past commits & deleted files]
D --> E[β‘ Entropy Analyzer\nFlags suspicious high-randomness strings]
E --> F{π¨ High Risk\nFindings?}
F -- Yes --> G[π§ GPT-4o Semantic Analyzer\nReads context like a human expert]
F -- No --> G
G --> H{π΄ Critical\nFindings?}
H -- Yes --> I[π Human Approval Gate\nYOU decide if deep scan proceeds]
H -- No --> J[π Risk Scorer\nCVSS-style 0-10 score per finding]
I -- Approved --> J
J --> K[π Report Generator\nMarkdown + JSON output]
K --> L[π‘οΈ Security Monitor\nRuns at every step checking for AI attacks]
L --> M[β
Dashboard + Export]
style A fill:#e07b39,color:#1a1008
style G fill:#8b2e0f,color:#f5e6d0
style I fill:#c4922a,color:#1a1008
style L fill:#5a8a3c,color:#f5e6d0
style M fill:#2d1f0e,color:#f5e6d0
The 9 Pipeline Steps Explained:
-
Input Validator β Before anything else, VaultHound sanitizes your input to prevent attacks (like someone trying to inject malicious code into the URL field).
-
Repo Crawler β Downloads all files from the target repository, including configuration files and CI/CD pipelines.
-
Commit History Scanner β Dives into Git history to find secrets that were committed in the past but later deleted. These are still in the repository's history and are still dangerous.
-
Entropy Analyzer β Uses mathematical formulas (Shannon entropy) to find strings that look like random passwords or API keys, even if they're not obvious keywords.
-
GPT-4o Semantic Analysis β This is the brain. GPT-4o reads the code around each suspicious finding and decides: "Is this actually a secret, or is it a test/example?"
-
Human Approval Gate β If the AI finds something critical, it pauses and asks for your permission before running deeper analysis. You're always in control.
-
Risk Scorer β Every finding gets a score from 0 to 10 based on how dangerous it is, similar to how hospitals triage patients.
-
Report Generator β Creates a clean, readable report in both JSON (for machines) and Markdown (for humans).
-
Security Monitor β Runs invisibly at every step, watching for attempts to hack or manipulate the AI itself.
Modern AI agents can be attacked, tricked, or manipulated β just like regular software. A hacker might hide fake instructions inside a repository's code, hoping the AI will follow them instead of doing its job. VaultHound is built to resist all 10 known categories of attacks against AI agents.
| # | Risk Name | Plain English Explanation | How VaultHound Defends Against It | Status |
|---|---|---|---|---|
| ASI01 | Agent Goal Hijack | A hacker hides fake "instructions" inside a repo's code hoping the AI will follow them instead of doing its job | All scanned content is wrapped in XML quarantine tags β the AI is trained to treat repo content as data, never as commands | β Protected |
| ASI02 | Tool Misuse | The AI is tricked into using its tools (like GitHub API) in unintended ways | Every tool call is validated against strict input/output schemas before and after execution | β Protected |
| ASI03 | Identity & Privilege Abuse | The AI tries to access more data than it should, or impersonates the user | GitHub token is validated to read-only scope at startup; agent identity is locked and immutable | β Protected |
| ASI04 | Supply Chain Vulnerabilities | A malicious dependency (library) is installed that compromises the AI | All 10 dependencies are pinned to exact versions in requirements.txt; integrity is checked at startup | β Protected |
| ASI05 | Unexpected Code Execution | The AI is tricked into running malicious code found in a scanned repo | Zero use of eval(), exec(), or subprocess anywhere β scanned content is NEVER executed, only read | β Protected |
| ASI06 | Memory & Context Poisoning | An attacker poisons the AI's memory so it "remembers" false information | Canary tokens detect tampering; LLM outputs are scanned for injection markers before use | β Protected |
| ASI07 | Insecure Inter-Agent Communication | Data passed between AI steps gets tampered with in transit | All data flows through a typed, validated state object β no raw strings, no direct agent-to-agent calls | β Protected |
| ASI08 | Cascading Failures | One part of the AI failing causes everything else to crash uncontrollably | Circuit breaker pattern stops the chain after 3 errors; each step degrades gracefully with partial results | β Protected |
| ASI09 | Human-Agent Trust Exploitation | The AI makes users trust it blindly and act on bad recommendations | Critical findings require explicit human confirmation; all outputs are labeled "AI-Generated β Verify Manually" | β Protected |
| ASI10 | Rogue Agents | The AI goes off-script, loops infinitely, or takes unauthorized actions | Hard recursion limit of 25 steps; kill switch button halts everything instantly; temperature=0 for determinism | β Protected |
Enter any GitHub URL and watch each AI agent step execute live. Every finding appears instantly in the results table.
Interactive Plotly charts show finding distribution, risk scores by file, and an overall danger gauge from 0β10.
Follow these steps to run VaultHound on your own machine:
- Python 3.11 or higher β Download from python.org
- Git β Usually pre-installed on Mac/Linux; download from git-scm.com for Windows
- OpenAI API Key β Get one at platform.openai.com (costs about $0.01 per scan)
- GitHub Personal Access Token β See the next section for how to create one
git clone https://github.com/AnandSundar/vaulthound.git
cd vaulthound# On Windows
python -m venv venv
venv\Scripts\activate
# On Mac/Linux
python3 -m venv venv
source venv/bin/activatepip install -r requirements.txtCreate a file named .env in the project root (copy from the example):
# VaultHound Environment Variables
# β οΈ NEVER commit this file to Git β it's in .gitignore for a reason!
OPENAI_API_KEY=your_openai_api_key_here
GITHUB_TOKEN=your_github_personal_access_token_here # Needs repo:read scope onlystreamlit run vaulthound/app.pyOpen your browser and go to: http://localhost:8501
# One-line Docker run (placeholder for future use)
docker run -p 8501:8501 --env-file .env vaulthound:latestFollow these steps to create a GitHub Personal Access Token with minimum required permissions:
-
Go to GitHub Settings β Click your profile picture in the top-right, then select "Settings"
-
Navigate to Developer Settings β Scroll down and click "Developer settings" (near the bottom of the left sidebar)
-
Go to Personal Access Tokens β Click "Personal access tokens" β "Tokens (classic)"
-
Generate New Token β Click "Generate new token (classic)"
-
Give It a Name β Enter something like "VaultHound Scanner" in the "Note" field
-
Select the repo:read Scope β Check the box for repo (this automatically includes repo:read). This is the minimum permission VaultHound needs.
β οΈ Important: Do NOT select any write permissions. VaultHound only reads data β it never modifies anything. -
Generate and Copy β Click "Generate token" at the bottom, then copy the token immediately (you won't be able to see it again)
-
Add to .env β Paste the token into your
.envfile as shown above
β οΈ Security Note: VaultHound only needs READ access to scan repositories. Never grant write permissions. Your token is stored only in your local session β it is never logged, transmitted, or stored in the database.
| Layer | Technology | Version | Why We Chose It | Cost |
|---|---|---|---|---|
| π€ AI Brain | OpenAI GPT-4o | Latest | Most capable reasoning model for semantic secret detection β understands context, not just patterns | ~$0.01/scan |
| π Agent Orchestration | LangGraph | 0.0.37 | Builds the multi-step agent pipeline as a visual state machine β each step is auditable and controllable | Free |
| π Web Interface | Streamlit | 1.32 | Gets from Python code to a shareable web app in hours, not weeks | Free |
| π GitHub Integration | PyGithub | 2.3.0 | Official Python wrapper for GitHub API β handles rate limiting and pagination | Free |
| π Secret Detection | detect-secrets (Yelp) | 1.4.0 | Industry-proven open source library for entropy-based secret detection, used by Yelp in production | Free |
| π Charts | Plotly | 5.20.0 | Interactive, beautiful charts that work inside Streamlit without extra config | Free |
| πΎ Database | SQLite | Built-in | Zero-setup database built into Python β perfect for storing scan history without a server | Free |
| β Data Validation | Pydantic | 2.7.0 | Ensures every piece of data flowing through the agent is exactly the right shape and type | Free |
| βοΈ Hosting | Streamlit Cloud | β | Free hosting with a shareable public URL β deploy in 2 minutes from GitHub | Free |
vaulthound/
βββ vaulthound/
β βββ app.py # π Main entry point β run this to start the app
β βββ agents/
β β βββ graph.py # πΈοΈ LangGraph state machine β defines the AI pipeline
β β βββ nodes.py # π§ Each AI agent step implemented here
β β βββ state.py # π Data models β defines what information flows between steps
β β βββ security_monitor.py # π‘οΈ OWASP hardening β runs at every pipeline step
β βββ tools/
β β βββ github_tools.py # π GitHub API wrapper with rate limiting
β β βββ entropy_tools.py # β‘ Shannon entropy calculator + detect-secrets integration
β β βββ validators.py # β
Input sanitization and Pydantic schema validation
β βββ ui/
β β βββ theme.py # π Autumn color theme CSS injection
β β βββ components.py # π§© Reusable Streamlit UI components
β β βββ charts.py # π All Plotly visualization functions
β βββ db/
β βββ sqlite_store.py # πΎ Scan history read/write with SQLite
βββ .streamlit/
β βββ config.toml # βοΈ Streamlit server and theme configuration
βββ requirements.txt # π¦ Pinned dependencies (exact versions for security)
βββ .env.example # π Template for environment variables (safe to commit)
βββ .gitignore # π« Excludes .env, database files, secrets from Git
βββ vaulthound.db # πΎ SQLite database (created automatically on first run)
βββ README.md # π You are here
VaultHound uses a dual-layer detection approach. First, it uses entropy analysis (mathematical formulas that detect how random a string looks β real passwords look very random) to find suspicious strings. Then, GPT-4o semantic analysis reads the surrounding code to determine if it's actually a secret or just a test/example.
| Severity | Risk Score | What It Means | Example | Action Required |
|---|---|---|---|---|
| π΄ CRITICAL | 9.0 β 10.0 | A live, working secret exposed in current code | Active AWS production key in config.py | Rotate immediately. Assume compromised. |
| π HIGH | 7.0 β 8.9 | Very likely a real secret, possibly still active | Stripe API key in a commit from 3 months ago | Rotate and audit access logs |
| π‘ MEDIUM | 4.0 β 6.9 | Possibly real β needs human review | High-entropy string in .env.example | Review manually β may be a placeholder |
| π’ LOW | 1.0 β 3.9 | Probably test/example data but flagged for awareness | password = "test123" in a unit test file | Review and confirm it's not production data |
| βΉοΈ INFO | 0.0 β 0.9 | Not a secret β logged for completeness | Base64-encoded public certificate | No action needed |
You can deploy VaultHound to Streamlit Cloud for free β no credit card required:
-
Push Your Code to GitHub β Make sure your repository is public or you're comfortable making it public
-
Go to Streamlit Cloud β Visit share.streamlit.io and sign in with GitHub
-
Connect Your Repository β Click "New app" and select your GitHub repository
-
Set Your Secrets β In the Streamlit Cloud dashboard, go to "Secrets" and add your environment variables:
OPENAI_API_KEY = "your-openai-api-key" GITHUB_TOKEN = "your-github-token" -
Deploy β Click "Deploy". Within 2 minutes, your app will be live at a URL like
https://vaulthound.streamlit.app
Note: On Streamlit Cloud, secrets are stored in their encrypted secrets manager β never in your code. They're automatically available as environment variables when your app runs.
| Feature | Status | Description |
|---|---|---|
| Core LangGraph agent pipeline | β Complete | 9-node autonomous scanning pipeline |
| GPT-4o semantic analysis | β Complete | Context-aware secret classification |
| Autumn UI theme | β Complete | Full custom CSS with warm color palette |
| OWASP Top 10 Agentic AI hardening | β Complete | All 10 risks mitigated |
| GitHub org-level scanning | π§ In Progress | Scan all repos in an organization at once |
| Slack/email alerting | π Planned | Auto-notify on critical findings |
| CI/CD GitHub Action integration | π Planned | Run VaultHound as a pre-merge check |
| Docker container | π Planned | One-command local deployment |
| SARIF report export | π Planned | Import findings into GitHub Security tab |
| Multiple LLM support | π‘ Idea | Add Anthropic Claude, local Ollama as alternatives |
We welcome contributions from the community! Here's how to help:
- Fork the repository
- Create a branch for your feature or bugfix (
git checkout -b my-feature) - Make your changes and commit with clear messages
- Push to your fork and submit a Pull Request
- We use Black for code formatting β run
black .before committing - Type hints are required for all new code
- All functions need docstrings
If you find a security vulnerability in VaultHound itself, please email your.email@example.com rather than opening a public issue. We'll respond within 24 hours and coordinate a responsible disclosure.
MIT License β feel free to use VaultHound in your projects, commercial or otherwise.