## https://sploitus.com/exploit?id=9F981C7A-05FA-5F6F-9A52-E1D5E3CFBE4B
# amihit
**Am I Hit? -- CVE Impact Analyzer**
Other scanners tell you what's vulnerable. amihit tells you what's **exploitable**.
The only open-source tool that runs the full chain: CVE detection, function reachability, taint analysis, exposure mapping, and exploitability verdict -- across codebases, websites, networks, and containers.
---
## The Problem
CVE scanners generate noise. A typical scan returns hundreds of alerts, but **90%+ are not actually exploitable** in your environment. The vulnerable function is never called, user input never reaches it, or the endpoint isn't exposed to the network.
Teams waste hours triaging alerts that don't matter while real risks hide in the pile.
## How amihit Is Different
amihit runs a verdict engine on every CVE it finds. Instead of stopping at "you have a vulnerable dependency," it answers the question that actually matters: **can an attacker exploit this?**
```
CVE Detected
|
v
Reachability Analysis ---- Is the vulnerable function called by your code?
|
v
Taint Analysis ----------- Does user-controlled input reach it?
|
v
Exposure Mapping --------- Is it reachable from the network/internet?
|
v
Exploitability Verdict
|
+---> EXPLOITABLE -- Fix immediately
+---> REACHABLE ---- Investigate
+---> NOISE -------- Ignore safely
```
Every finding gets a verdict. No more guessing.
---
## Quick Start
### Install
**Go install:**
```bash
go install github.com/Sentinel-Atlas/amihit@latest
```
**Binary download:**
Download the latest release from [GitHub Releases](https://github.com/Sentinel-Atlas/amihit/releases). Binaries are available for Linux, macOS, and Windows (amd64 and arm64).
```bash
# Linux / macOS
tar xzf amihit_*_linux_amd64.tar.gz
sudo mv amihit /usr/local/bin/
# Windows -- extract the zip and add it to PATH
```
**Build from source:**
```bash
git clone https://github.com/Sentinel-Atlas/amihit.git
cd amihit
make build
```
### Basic Usage
```bash
amihit scan .
amihit cve CVE-2026-31337
```
---
## Scan Types
### Codebase
Detects dependencies across 7 ecosystems, matches them against CVE databases, then runs reachability, taint, and exposure analysis to produce a verdict.
```bash
amihit scan .
amihit scan /path/to/project
amihit scan . --severity critical,high
```
### Website
Fingerprints server technologies, JavaScript libraries, CMS platforms, security headers, and TLS configuration. Matches detected versions against CVE databases.
```bash
amihit scan https://example.com
```
### Network
Port scanning, service fingerprinting via banner grabbing, and CVE matching for discovered services. Optionally checks for default credentials on common services.
```bash
amihit scan 192.168.1.0/24
amihit scan 10.0.0.5
amihit scan 192.168.1.0/24 --creds
```
### Container
Automatically runs when Dockerfiles are found in the target directory. Parses Dockerfiles, identifies base images, detects misconfigurations, and checks for image-level CVEs.
```bash
amihit scan . --full
```
### Full Scan
Combines codebase, container, website, and network scanning in a single pass.
```bash
amihit scan . --full
```
---
## Output Formats
Five output formats are available via the `--output` flag.
**Terminal** (default) -- color-coded verdicts with call sites, input flows, exposure paths, and fix versions:
```bash
amihit scan .
```
**JSON** -- structured output for scripting and dashboards:
```bash
amihit scan . --output json
```
**SARIF** -- standard format for GitHub Code Scanning, VS Code SARIF Viewer, and other security tools:
```bash
amihit scan . --output sarif > results.sarif
```
**CycloneDX** -- SBOM with embedded vulnerability data:
```bash
amihit scan . --output cyclonedx > sbom.cdx.json
```
**SPDX** -- software bill of materials:
```bash
amihit scan . --output spdx > sbom.spdx.json
```
---
## CI/CD Integration
### Fail on Severity
Use `--fail-on` to break the build when findings match a severity threshold. Exit code 2 signals a policy violation.
```bash
amihit scan . --fail-on critical,high
```
### Exit Codes
| Code | Meaning |
|------|---------|
| 0 | Scan completed, no policy violations |
| 1 | Scan error |
| 2 | Policy violation (`--fail-on` triggered) |
| 130 | Interrupted (Ctrl+C) |
### GitHub Actions
```yaml
- name: Install amihit
  run: go install github.com/Sentinel-Atlas/amihit@latest
- name: CVE Scan
  run: amihit scan . --output sarif --fail-on critical,high > results.sarif
- name: Upload SARIF
  if: always()
  uses: github/codeql-action/upload-sarif@v3
  with:
    sarif_file: results.sarif
```
### GitLab CI
```yaml
security_scan:
  script:
    - go install github.com/Sentinel-Atlas/amihit@latest
    - amihit scan . --fail-on critical,high --output json > amihit-report.json
  artifacts:
    reports:
      security: amihit-report.json
```
---
## CVE Lookup
Look up specific CVEs, check them against your codebase, or query recent disclosures.
```bash
# Look up a CVE
amihit cve CVE-2026-31337
# Check against a specific project
amihit cve CVE-2026-31337 --target /path/to/project
# Verify a fix was applied
amihit cve CVE-2026-31337 --verify --target .
# Check multiple CVEs
amihit cve CVE-2026-1111 CVE-2026-2222
# Recent CVEs since a date
amihit cve --since 2026-03-25
# Filter by severity
amihit cve --since 2026-03-25 --severity critical,high
# JSON output
amihit cve CVE-2026-31337 --output json
```
---
## CVE Data Sources
amihit aggregates data from five vulnerability databases for maximum coverage.
| Source | What It Provides |
|--------|-----------------|
| **[OSV](https://osv.dev/)** | Precise affected version ranges for open-source packages across all ecosystems. Primary source for dependency CVE matching via batch API. |
| **[NVD](https://nvd.nist.gov/)** | CVSS scores, severity ratings, CPE matching, and authoritative CVE metadata from NIST. |
| **[GHSA](https://github.com/advisories)** | Curated security advisories with fix versions. Strong coverage for npm, pip, Go, Maven, and RubyGems. |
| **[CISA KEV](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)** | Known Exploited Vulnerabilities catalog. CVEs confirmed to be actively exploited in the wild. |
| **[ExploitDB](https://exploit-db.com/)** | Public exploit database. Indicates whether a proof-of-concept or working exploit exists. |
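The OSV batch lookup named in the table above, shown as an added Go example that is not amihit's own code: it builds a `POST /v1/querybatch` request for a list of lock-file dependencies and pairs the positional response back to those dependencies, rejecting a batch whose result count does not match. The `Dep` type, the function names and the sample response are assumptions constructed here; the advisory id reuses this README's example CVE rather than real OSV data.

```go
package main

import (
	"encoding/json"
	"fmt"
)

type Dep struct{ Name, Version string } // one resolved dependency from a lock file

// osvPkg and osvQuery mirror the OSV POST /v1/querybatch request body.
type osvPkg struct {
	Name      string `json:"name"`
	Ecosystem string `json:"ecosystem"`
}
type osvQuery struct {
	Package osvPkg `json:"package"`
	Version string `json:"version"`
}

// BuildOSVBatch encodes deps as one querybatch request; query i is deps[i].
func BuildOSVBatch(deps []Dep, ecosystem string) ([]byte, error) {
	qs := make([]osvQuery, len(deps))
	for i, d := range deps {
		qs[i] = osvQuery{osvPkg{d.Name, ecosystem}, d.Version}
	}
	return json.Marshal(map[string][]osvQuery{"queries": qs})
}

// MatchOSVBatch pairs a querybatch response with the deps the request was built
// from. OSV answers positionally (results[i] belongs to queries[i]) and sends {}
// for a clean package, so a length mismatch means the pairing cannot be trusted.
func MatchOSVBatch(deps []Dep, resp []byte) (map[Dep][]string, error) {
	var r struct{ Results []struct{ Vulns []struct{ ID string } } }
	if err := json.Unmarshal(resp, &r); err != nil {
		return nil, err
	}
	if len(r.Results) != len(deps) {
		return nil, fmt.Errorf("osv: %d results for %d queries", len(r.Results), len(deps))
	}
	hits := map[Dep][]string{}
	for i, res := range r.Results {
		for _, v := range res.Vulns {
			hits[deps[i]] = append(hits[deps[i]], v.ID)
		}
	}
	return hits, nil
}

// Constructed sample response for the queries [lodash 4.17.15, left-pad 1.3.0]; the id is this README's example CVE, not real OSV data.
const SampleOSVResponse = `{"results":[{"vulns":[{"id":"CVE-2026-31337"}]},{}]}`
```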
---
## Architecture
```
amihit/
├── cmd/                      CLI layer (cobra)
│   ├── root.go               Global flags, banner, help template
│   ├── scan.go               Scan command, target type routing
│   ├── cve.go                CVE lookup, --verify, --since
│   └── version.go            Version (injected by goreleaser)
│
├── internal/
│   ├── cache/                Local CVE data cache (disk-backed)
│   ├── config/               Config loading (.amihit.yaml, env vars)
│   ├── cve/                  CVE aggregator, source clients, data types
│   ├── intel/                Cross-layer correlation engine
│   ├── matcher/              Version range matching and comparison
│   ├── output/               Formatters: terminal, JSON, SARIF, CycloneDX, SPDX
│   ├── scanner/
│   │   ├── codebase.go       Dependency extraction orchestrator
│   │   ├── deps/             Lock file parsers (npm, pip, go.sum, pom.xml, etc.)
│   │   ├── reachability/     Call graph analysis, function reachability
│   │   ├── taint/            Taint analysis, user input tracking
│   │   ├── exposure/         Network exposure mapping
│   │   ├── container/        Dockerfile parsing, base image CVE checks
│   │   ├── network/          Port scanning, service fingerprinting
│   │   └── website/          Tech fingerprinting, headers, TLS
│   └── verdict/              Exploitability verdict engine
│
├── main.go                   Entry point, signal handling, exit codes
├── Makefile                  build, test, test-cover, lint, install
└── .goreleaser.yml           Cross-platform release builds
```
---
## Configuration
### Config File
Create `.amihit.yaml` in your project root or home directory.
```yaml
nvd_api_key: ""
github_token: ""
cache_dir: ~/.amihit
cache_ttl_hrs: 24
```
### Environment Variables
| Variable | Description |
|----------|-------------|
| `NVD_API_KEY` | NVD API key for higher rate limits (5 -> 50 requests per 30s). Free at [nvd.nist.gov](https://nvd.nist.gov/developers/request-an-api-key). |
| `GITHUB_TOKEN` | GitHub personal access token for authenticated GHSA access (60 -> 5000 requests per hour). |
### Flags Reference
```
Global Flags:
  -o, --output string      Output format: terminal, json, sarif, cyclonedx, spdx (default "terminal")
      --severity strings   Filter by severity: critical, high, medium, low
      --fail-on strings    Exit code 2 if findings match severity (CI gate)
  -q, --quiet              Suppress banner and progress output
      --no-color           Disable colored output
  -v, --verbose            Verbose output for debugging

Scan Flags:
      --full               Run all scan types (codebase + containers + servers)
      --creds              Check for default/no-auth credentials on discovered services

CVE Flags:
      --target string      Target to check against (default ".")
      --verify             Verify that a CVE is patched after applying a fix
      --since string       Check all CVEs published since date (YYYY-MM-DD)
```
---
## Supported Ecosystems
| Ecosystem | Lock Files |
|-----------|-----------|
| npm | package-lock.json, yarn.lock, package.json |
| PyPI | requirements.txt, Pipfile.lock, poetry.lock |
| Go | go.mod, go.sum |
| Maven | pom.xml |
| Cargo | Cargo.lock |
| RubyGems | Gemfile.lock |
| Composer | composer.lock |
---
## Contributing
1. Fork the repository
2. Create a feature branch (`git checkout -b feature/your-feature`)
3. Make changes and add tests
4. Run `make test` and `make lint`
5. Submit a pull request
One PR per feature or fix. Keep changes focused.
---
## License
[MIT](LICENSE)