An AI-powered security scanner that combines Semgrep's static analysis with OpenAI's GPT-4o-mini to intelligently filter false positives and provide accurate vulnerability assessments.
- π Recursively scans entire GitHub repositories
- π‘οΈ Uses Semgrep's comprehensive security rulesets (1330+ rules)
- π€ AI-powered analysis to reduce false positives
- π Preserves directory structure during analysis
- π Secure configuration via environment variables
- π Detailed vulnerability reporting with severity levels
- π― Intelligent risk assessment and remediation suggestions
- Python 3.10+
- pip
- Semgrep CLI
- GitHub Personal Access Token
- OpenAI API Key (for AI analysis)
- Clone the repository:
git clone https://github.com/yourusername/ai-auditor.git
cd ai-auditor- Install dependencies:
pip install -r requirements.txt- Configure environment:
# Copy the example environment file
copy env.example.txt .env
# Edit .env with your credentials:
# - REPO: owner/repository-name
# - BRANCH: branch to scan (e.g., main)
# - GITHUB_TOKEN: your GitHub personal access token
# - OPENAI_API_KEY: your OpenAI API keyRun the scanner:
python scan.pyThe script will:
- Fetch all files from the specified GitHub repository
- Download them to a temporary directory
- Run Semgrep security analysis (1330+ rules)
- Analyze each finding with AI to filter false positives
- Display true vulnerabilities with risk assessments
- Save detailed results to
results.jsonandai_analysis.json
Edit your .env file with these variables:
| Variable | Description | Default |
|---|---|---|
REPO |
GitHub repository (owner/repo) | username/repository-name |
BRANCH |
Branch to scan | main |
GITHUB_TOKEN |
GitHub Personal Access Token | Required |
OPENAI_API_KEY |
OpenAI API Key | Required |
OPENAI_MODEL |
OpenAI model to use | gpt-4o-mini |
RULES_PATH |
Semgrep ruleset | p/ci |
OUTPUT_FILE |
Semgrep output JSON file | results.json |
AI_ANALYSIS_FILE |
AI-analyzed results file | ai_analysis.json |
TEMP_DIR |
Temporary download directory | temp_repo |
DISABLE_SSL_VERIFY |
Disable SSL verification (corporate proxies) | false |
- Go to GitHub β Settings β Developer settings β Personal access tokens
- Generate a new token (classic)
- Select scopes:
repo(for private repositories)public_repo(for public repositories only)
- Copy the token and add it to your
.envfile
- Go to OpenAI Platform
- Create a new API key
- Copy the key and add it to your
.envfile - The tool uses GPT-4o-mini for cost-effective analysis
The scanner provides:
- Real-time scan progress
- Semgrep findings summary
- AI analysis progress with true/false positive classification
- Final vulnerability report with:
- Risk level (CRITICAL/HIGH/MEDIUM/LOW/INFO)
- AI confidence level
- Reasoning for the assessment
- Remediation recommendations
results.json- Raw Semgrep findingsai_analysis.json- AI-analyzed results with:- True positives vs false positives count
- Detailed analysis for each finding
- Risk assessments and fix recommendations
- Static Analysis: Semgrep scans the code with 1330+ security rules and provides dataflow traces
- Program Slicing (NEW!): For each finding, an AST-based slicer builds a dataflow-aware program slice:
- Sink Context: The complete function containing the vulnerability
- Upstream Dataflow: Backward slice showing how suspicious variables are defined and flow to the sink
- Helpers & Sanitizers: Any validation/sanitization functions that process the data
- Callers: Functions that call the vulnerable code (limited to keep size manageable)
- AI Analysis: GPT-4.1-mini evaluates each finding using the structured program slice:
- Analyzes the complete dataflow from source to sink
- Identifies input validation and sanitization
- Understands helper functions and security controls
- Determines if it's a real vulnerability or false positive
- Assigns accurate risk levels based on exploit feasibility
- Provides specific, actionable remediation advice
- Results: Only true vulnerabilities are reported, with dataflow-aware insights
Traditional SAST tools often produce false positives because they analyze code patterns in isolation. This tool uses AST-based program slicing to provide rich, dataflow-aware context to the LLM:
Instead of sending fixed line ranges (e.g., "first 100 lines + Β±50 around the bug"), the tool:
- Parses the source code into an Abstract Syntax Tree (AST)
- Identifies the sink (the dangerous operation Semgrep flagged)
- Traces suspicious variables backward through the code
- Builds a backward slice showing how data flows to the vulnerability
- Includes helper functions that might sanitize or validate the data
- Adds caller context to show how data enters the vulnerable function
Example: False Positive Reduction
# Line 5: Helper function with validation
def sanitize_input(user_input):
return re.sub(r'[^a-zA-Z0-9]', '', user_input)
# Line 50: Vulnerable-looking code
def search_user(username):
username = sanitize_input(username) # β Sanitization happens here!
query = f"SELECT * FROM users WHERE name = '{username}'" # β Semgrep flags this
return db.execute(query)Without program slicing:
- AI only sees line 52:
query = f"SELECT * FROM users WHERE name = '{username}'" - Looks vulnerable β FALSE POSITIVE flagged
With program slicing:
- AI sees the complete dataflow:
user input β sanitize_input() β query - AI reads the
sanitize_input()function (line 5) - Understands the input is sanitized β CORRECTLY IDENTIFIED AS SAFE
- Python: Full AST-based slicing with dataflow analysis
- Other languages: Fallback to intelligent line-based context extraction
If AST parsing fails (syntax errors, unsupported language, etc.), the system automatically falls back to the previous method (header + context), ensuring the scanner continues to function.
.env file or expose your GitHub token. The .gitignore file is configured to exclude sensitive files.
See LICENSE file for details