Share
## https://sploitus.com/exploit?id=78946AD8-B049-559F-B793-515B005E2842
# AppSec-Sentinel
AI-powered security scanner with **cross-file vulnerability analysis** and **automated remediation**. Supports 10+ languages with OpenAI, Claude, and AWS Bedrock.
> ๐ **Open Source** - Licensed under the MIT License. Free for personal and commercial use.
## Features
- **Multi-Scanner Engine** - Semgrep (SAST), Gitleaks (secrets), Trivy (dependencies) + code quality linters
- **Threat Modeling** - Automated STRIDE analysis, architecture mapping, and attack surface assessment
- **Code Quality Scanning** - ESLint, Pylint, Checkstyle, golangci-lint, RuboCop with bundled configs (no project setup needed)
- **Zero Configuration Required** - Works on any repo out-of-the-box with sensible defaults
- **Auto-Remediation** - Creates GitHub PRs with AI-generated code fixes (deterministic by default)
- **Cross-File Analysis** - Traces attack chains across multiple files and languages
- **Flexible AI Providers** - OpenAI (default), Claude, or AWS Bedrock
- **10+ Languages** - JavaScript, TypeScript, Python, Java, Go, Ruby, Rust, C#, PHP, Swift, Kotlin
- **3 Deployment Modes** - Web UI, CLI, and GitHub Actions CI/CD
- **MCP Server** - Model Context Protocol integration for Claude Desktop
- **Compliance** - Automatic SBOM generation (CycloneDX & SPDX)
## Quick Start
### What You Get Out-of-the-Box โ
**Security scanning works immediately** - no extra installations needed:
- โ
Semgrep (SAST) - included
- โ
Gitleaks (secrets) - auto-detects
- โ
Trivy (dependencies) - bundled
**Code quality scanning is optional** - install what you need:
- ESLint (JavaScript/TypeScript) - `npm install -g eslint`
- Pylint (Python) - auto-installs if missing
- Checkstyle, golangci-lint, RuboCop, Clippy, PHPStan - install as needed
> ๐ก **Skip code quality?** Just ignore the "โ ๏ธ not installed" warnings - security scanning still works perfectly!
### Prerequisites
Configure AI provider in `.env` (only needed for AI auto-remediation):
```bash
cp env.example .env
# Edit .env and set:
# AI_PROVIDER=openai
# OPENAI_API_KEY=sk-...
# AI_MODEL=gpt-5-mini
```
> ๐ก **Alternative providers**: Also supports `AI_PROVIDER=claude` or `AI_PROVIDER=aws_bedrock` (see env.example for all options)
### Web Interface
```bash
./start_web.sh
# โ Opens http://localhost:8000
```
**Features:**
- โ
Tool selection via checkboxes (Semgrep, Trivy, Gitleaks, Code Quality, SBOM)
- ๐ Visual reports with executive summaries
- ๐ฅ Download SBOM files (CycloneDX & SPDX)
### CLI Mode
```bash
./start_cli.sh
# โ Interactive menu with tool selection, severity levels, and auto-fix options
```
**Features:**
- ๐ง Choose which tools to run (SAST, secrets, dependencies, code quality, SBOM)
- ๐ฏ Select scan level (critical-high or all)
- ๐ค Configure auto-remediation mode
### CI/CD Integration
```bash
# Copy workflow template
cp projects/security-scan.yml .github/workflows/
# Add GitHub secret:
# - OPENAI_API_KEY (or CLAUDE_API_KEY, or AWS credentials)
git add .github/workflows/security-scan.yml
git commit -m "Add AppSec-Sentinel security scanning"
git push
```
## How It Works
1. **Scan** - Runs 3 scanners in parallel (SAST, secrets, dependencies)
2. **Analyze** - Cross-file analysis identifies attack chains across files
3. **Threat Model** - STRIDE analysis maps vulnerabilities to architectural threats
4. **Remediate** - AI generates fixes and creates separate PRs for code vs dependencies
5. **Report** - HTML reports + SBOM files + threat models (CycloneDX & SPDX)
## MCP Integration
Turn Claude Desktop into a conversational security expert - scan, analyze, and auto-remediate through natural language.
**Setup:** Add to Claude Desktop config:
- macOS: `~/Library/Application Support/Claude/claude_desktop_config.json`
- Windows: `%APPDATA%/Claude/claude_desktop_config.json`
```json
{
"mcpServers": {
"appsec-sentinel": {
"command": "/path/to/appsec-sentinel/.venv/bin/python",
"args": ["/path/to/appsec-sentinel/mcp/appsec_mcp_server.py"],
"cwd": "/path/to/appsec-sentinel",
"env": {
"PATH": "/usr/local/bin:/usr/bin:/bin:/opt/homebrew/bin",
"PYTHONPATH": "/path/to/appsec-sentinel/src"
}
}
}
}
```
> ๐ก Credentials in `mcp/mcp_env` - no secrets in config! Install gitleaks/trivy first.
**15 MCP Tools Available:**
- **Core:** `scan_repository` โข `auto_remediate` โข `get_report` โข `view_report_html` โข `health_check`
- **Analysis:** `cross_file_analysis` โข `assess_business_impact` โข `generate_sbom` โข `generate_threat_model`
- **API Tools:** `get_scan_findings` โข `get_semgrep_findings` โข `get_trivy_findings` โข `get_gitleaks_findings` โข `get_code_quality_findings` โข `get_sbom_data`
**Usage:** "Scan nodejs-goof for vulnerabilities" โ detailed findings with file paths, line numbers, remediation
[Full MCP setup guide โ](mcp/README.md)
## Auto-Fix Modes
- **Mode 1**: SAST + secrets (1 PR)
- **Mode 2**: Dependencies only (1 PR)
- **Mode 3**: Both (2 separate PRs) โญ Recommended
- **Mode 4**: Scan only (no PRs)
## Cross-File Analysis
Traces attack paths across multiple files and languages:
- **Multi-Language AST** - Real code understanding (not regex)
- **Data Flow Tracing** - Entry points โ attack paths โ sensitive sinks
- **Framework-Aware** - Express, Spring, Django, Rails, Laravel, ASP.NET
## Architecture
```
Repository โ [Semgrep + Gitleaks + Trivy] โ Cross-File Analysis โ AI (OpenAI/Claude/Bedrock) โ PRs + Reports
```
## Code Quality Scanning
AppSec-Sentinel includes code quality scanning that works on any repository without configuration.
**Supported Languages:**
- โ
**JavaScript/TypeScript** - ESLint (auto-detects v8 vs v9, uses bundled config)
- โ
**Python** - Pylint (auto-installs to virtualenv)
- โ
**Java** - Checkstyle (fully integrated in all modes)
- โ
**Go** - golangci-lint (fully integrated in all modes)
- โ
**Ruby** - RuboCop (fully integrated in all modes)
- โ
**Rust** - Clippy (official Rust linter, 600+ checks)
- โ
**PHP** - PHPStan (static analysis without running code)
- ๐ **C#** - Coming soon (Roslyn Analyzers)
- ๐ **Swift** - Coming soon (SwiftLint for iOS/macOS)
- ๐ **Kotlin** - Coming soon (ktlint/detekt for Android/JVM)
**How It Works:**
1. Auto-detects languages by scanning file extensions
2. Checks for repo config (.eslintrc.json, etc.) - uses it if found
3. Falls back to bundled config if repo has none
4. Runs in parallel with security scanners (no performance penalty)
**Example:**
```bash
๐ Detected languages: javascript, python
๐ Starting scan (3 security + 2 code quality scanners)...
๐ No ESLint config in repo - using default config
โ
ESLint (Code Quality): 106 code quality issues
โ
Pylint (Code Quality): 23 code quality issues
๐ฏ Scan complete: 119 security issues + 129 code quality issues
```
**Zero configuration needed.** AppSec-Sentinel provides sensible defaults that work everywhere.
---
## Optional: Install Code Quality Linters
**Want code quality scanning?** Install the linters for your languages:
```bash
# JavaScript/TypeScript
npm install -g eslint
# Python (auto-installs if missing)
pip install pylint
# Java
brew install checkstyle # macOS
# or download from https://checkstyle.org/
# Go
brew install golangci-lint # macOS
# or: curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh
# Ruby
gem install rubocop
# Rust
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh # Includes clippy
# PHP
composer global require phpstan/phpstan
```
**Don't want code quality?** Set `APPSEC_CODE_QUALITY=false` in `.env` to skip entirely.
---
## Configuration
Edit `.env` file:
```bash
# Tool Selection (CLI/Web only - CI/CD always runs all)
APPSEC_TOOLS=all # 'all' or comma-separated: semgrep,trivy,gitleaks,code_quality,sbom
# Examples:
# all - Run all tools (default)
# semgrep,gitleaks - Only SAST + secrets
# trivy - Only dependency scanning
# Code quality scanning (enabled by default, gracefully skips if linters not installed)
APPSEC_CODE_QUALITY=true
# Scan level (only affects security findings)
APPSEC_SCAN_LEVEL=critical-high # or 'all'
# AI determinism
APPSEC_AI_TEMPERATURE=0.0
# Auto-fix settings
APPSEC_AUTO_FIX=true
APPSEC_AUTO_FIX_MODE=3 # 1=SAST, 2=deps, 3=both, 4=scan only
```
**Bundled Configs** (project repos don't need these):
- `configs/eslint.config.js` / `eslintrc.v8.json` - JavaScript/TypeScript
- `configs/checkstyle.xml` - Java
- `configs/golangci.yml` - Go
- `configs/rubocop.yml` - Ruby
- `configs/clippy.toml` - Rust
- `configs/phpstan.neon` - PHP
- `configs/.gitleaks.toml` - Secrets
## Documentation
- **[Threat Modeling](THREAT_MODELING.md)** - Automated threat analysis using STRIDE framework
- **[MCP Setup](mcp/README.md)** - Model Context Protocol integration
- **[Project Setup](projects/SETUP.md)** - Project onboarding guide
- **[Architecture](ARCHITECTURE.md)** - System architecture and design patterns
## FAQ
**Q: Is AI-generated code safe to merge?**
A: All fixes require manual review via PR. We use deterministic AI (temperature=0.0) and only fix proven patterns (SQL injection, XSS, hardcoded secrets). Your existing tests validate changes. Separate PRs for code vs dependencies minimize risk. ~80% of fixes are production-ready after quick review.
**Q: What data gets sent to AI providers?**
A: Only vulnerability metadata (file path, line number, vulnerability type, code snippet). **Never** your full codebase. Secrets are flagged locally and **never** sent to AI. You control which findings trigger AI analysis.
**Q: Which mode should I use?**
- **GitHub Actions** - Automated security in CI/CD (scans every PR)
- **Web UI** - Visual reports for teams and management
- **CLI** - Deep-dive analysis for security consultants
- **MCP** - Conversational security with Claude Desktop
All modes use the same scanning engine. Choose based on your workflow.
**Q: Do I need to install linters for code quality?**
A: No - security scanning works without any linters. Code quality is **optional** and gracefully skips if tools aren't installed. Install linters (ESLint, Pylint, etc.) only if you want code smell detection. Set `APPSEC_CODE_QUALITY=false` to disable entirely.
**Q: How is this different from other security scanners?**
A: **Cross-file attack chain detection** - we trace vulnerabilities across multiple files and languages using AST analysis, not just single-file pattern matching. Plus automated threat modeling (STRIDE), AI-powered fixes, and zero-config SBOM generation.
**Q: What does automated threat modeling do?**
A: Generates STRIDE threat analysis, architecture diagrams, and attack surface assessment. **What it does:** Extracts real routes (GET /api/users), detects database types (PostgreSQL, MongoDB), maps components with file paths, color-codes vulnerabilities by severity, identifies trust boundaries. **What it can't do:** Doesn't replace manual threat modeling by security architects. Framework support varies - full route extraction for Express, Flask, Django, Spring, Laravel, FastAPI. Partial support for Rails, Go, Rust (generic endpoints only). No C#/Kotlin support yet. See [THREAT_MODELING.md](THREAT_MODELING.md) for details.
## Development
```bash
# Run tests
pytest tests/test_appsec.py -v
```
## Troubleshooting
```bash
# Permission issues
chmod +x start_web.sh start_cli.sh
# Dependency conflicts
rm -rf .venv && python -m venv .venv
source .venv/bin/activate && pip install -r requirements.txt
# Enable debug logging
export APPSEC_DEBUG=true
export APPSEC_LOG_LEVEL=DEBUG
```
## Contributing
Contributions are welcome! Please feel free to submit a Pull Request.
## License
This project is licensed under the MIT License - see the [LICENSE](LICENSE) file for details.