IMXENON/vulnsus
Agentic Dependency Vulnerability Scanner

English | 中文

An intelligent dependency vulnerability triage system that transforms noisy CVE findings into actionable security insights

Badges: Python 3.11+ | License: MIT | Tests | Code Quality

What It Does

This is not just another vulnerability scanner. It's an intelligent triage system that:

  • ✅ Filters out noise - Removes vulnerabilities from unused dependencies
  • ✅ Provides context - Enriches CVE data with actionable intelligence
  • ✅ Finds evidence - Locates actual code touchpoints using Semgrep
  • ✅ Generates insights - Produces human-readable reports for security teams
  • ✅ Integrates seamlessly - Works with existing security workflows

Quick Start

# Install dependencies
pip install -r requirements.txt

# Configure your environment
cp .env.example .env
# Edit .env with your API keys

# Run a scan
python main.py /path/to/your/project --language python

Example Output

The system produces a comprehensive AUDIT_REPORT.md that includes:

  • Executive Summary - High-level risk assessment
  • Detailed Findings - Evidence-backed vulnerability analysis
  • Actionable Recommendations - Specific remediation steps
  • Technical Context - Code locations and exploitation paths

Architecture

Built on a deterministic LangGraph pipeline that ensures consistent, reliable results:

graph TD
    A[Trivy Scan] --> B[Dependency Verification]
    B --> C[CVE Enrichment]
    C --> D[Trigger Surface Analysis]
    D --> E[Semgrep Evidence Collection]
    E --> F[Report Generation]

Key Components

  • LangGraph Workflow - State machine ensuring deterministic execution
  • Trivy Integration - Industry-standard vulnerability detection
  • LLM Analysis - Intelligent context enrichment and reasoning
  • Semgrep Rules - Precise code pattern matching
  • Pydantic Models - Type-safe data validation
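The Dependency Verification stage is where most of the noise reduction happens: a Trivy finding only matters if the project actually imports the affected package. The following is an added illustration, not code from the vulnsus project: it takes a report in Trivy's JSON layout (a constructed sample with placeholder IDs), discovers the project's imports from the AST, and keeps only findings for imported packages that match the selected severities. The distribution-to-module mapping (pyyaml → yaml, Pillow → PIL) is an assumption; a real verifier would read it from each installed package's metadata.

```python
import ast
import json

# Constructed sample in Trivy's JSON layout (Results[].Vulnerabilities[]);
# the IDs are placeholders, not real advisories.
TRIVY_REPORT = json.loads("""
{"Results": [{"Target": "requirements.txt", "Vulnerabilities": [
 {"VulnerabilityID": "CVE-0000-EXAMPLE-1", "PkgName": "pyyaml", "Severity": "CRITICAL"},
 {"VulnerabilityID": "CVE-0000-EXAMPLE-2", "PkgName": "Pillow", "Severity": "HIGH"},
 {"VulnerabilityID": "CVE-0000-EXAMPLE-3", "PkgName": "jinja2", "Severity": "MEDIUM"}
]}]}""")

# Assumed distribution-name -> importable top-level module mapping; a real
# verifier would read it from each package's dist-info top_level.txt/RECORD.
PKG_TO_MODULES = {"pyyaml": {"yaml"}, "pillow": {"PIL"}, "jinja2": {"jinja2"}}

# Constructed project source: imports yaml and PIL, never jinja2.
SAMPLE_SOURCE = "import os\nimport yaml\nfrom PIL import Image\n"


def imported_modules(source: str) -> set[str]:
    """Top-level module names a Python file imports, found via the AST
    so nothing from the scanned project is executed."""
    mods: set[str] = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            mods.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            mods.add(node.module.split(".")[0])
    return mods


def triage(report: dict, used_modules: set[str], severities: set[str]) -> list[dict]:
    """Keep only findings whose package is actually imported by the project
    and whose severity is in the selected set (the --severities filter)."""
    kept = []
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities", []):
            if vuln["Severity"] not in severities:
                continue
            pkg = vuln["PkgName"].lower()
            # Unknown packages fall back to their own name as the module name.
            if PKG_TO_MODULES.get(pkg, {pkg}) & used_modules:
                kept.append({**vuln, "Target": result["Target"]})
    return kept


if __name__ == "__main__":
    for v in triage(TRIVY_REPORT, imported_modules(SAMPLE_SOURCE), {"CRITICAL", "HIGH"}):
        print(v["VulnerabilityID"], v["PkgName"], v["Severity"])
```

Running it on the sample keeps the pyyaml and Pillow findings and drops jinja2, which is listed in requirements but never imported; the later Semgrep stage would then look for the actual call sites of the two surviving packages.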

Advanced Usage

Language Support

# Scan JavaScript/Node.js projects
python main.py /path/to/js/project --language javascript

# Scan Java projects  
python main.py /path/to/java/project --language java

Severity Filtering

# Focus on critical and high-severity issues
python main.py /path/to/project --severities CRITICAL HIGH

# Include medium severity
python main.py /path/to/project --severities CRITICAL HIGH MEDIUM

Database Management

# Force database refresh
python main.py /path/to/project --db-update-policy refresh

# Skip database updates (offline mode)
python main.py /path/to/project --db-update-policy skip

Export Options

# Export report to specific location
python main.py /path/to/project --export-audit-report /custom/path/

# Export to project directory
python main.py /path/to/project --export-audit-report /path/to/project

🔧 Development

Code Quality

We maintain high code quality standards:

# Run all tests
python -m pytest

# Check code style
python -m ruff check .

# Type checking
python -m mypy

Project Structure

project/
├── src/
│   ├── core/          # Core models and configuration
│   ├── nodes/         # LangGraph workflow nodes
│   └── resource/      # Prompts and templates
├── tests/              # Comprehensive test suite
├── docs/               # Documentation (EN/ZH)
└── runtime/            # Runtime artifacts

Contributing

We welcome contributions! Please see our Contributing Guide for details.

Documentation

Use Cases

Security Teams

  • Vulnerability Triage - Quickly identify exploitable vulnerabilities
  • Risk Assessment - Understand actual vs. theoretical risk
  • Compliance Reporting - Generate evidence-based security reports

Development Teams

  • Secure Development - Catch vulnerabilities early in the pipeline
  • Dependency Management - Make informed update decisions
  • Code Review - Focus on high-risk code paths

DevOps/Platform Teams

  • CI/CD Integration - Automated security scanning
  • Infrastructure Security - Container and dependency scanning
  • Incident Response - Rapid vulnerability assessment

Key Advantages

vs. Traditional Scanners

  • Intelligent Filtering - Removes false positives automatically
  • Context Awareness - Understands your specific codebase
  • Evidence-Based - Provides concrete proof of vulnerability impact

vs. Manual Analysis

  • Scalable - Handles large codebases efficiently
  • Consistent - Applies uniform analysis criteria
  • Fast - Delivers results in minutes, not hours

vs. Simple Tools

  • Multi-Stage Pipeline - Comprehensive analysis workflow
  • LLM-Powered - Leverages latest AI technology
  • Extensible - Easy to add new analysis capabilities

Security Considerations

  • Local Processing - Code analysis happens locally
  • API Security - Secure API key management
  • Data Privacy - No code sent to external services
  • Audit Trail - Complete analysis history

Performance

  • Parallel Processing - Multi-threaded evidence collection
  • Smart Caching - Efficient dependency verification
  • Batch Processing - Optimized LLM API usage
  • Streaming Results - Real-time progress updates

Roadmap

Upcoming Features

  • Multi-Language Support - Enhanced Java, Go, Rust analysis
  • Container Scanning - Docker image vulnerability detection
  • Integration Plugins - IDE and CI/CD platform integrations
  • Advanced Reporting - PDF exports and dashboard views

Long-term Vision

  • AI-Powered Remediation - Automatic fix suggestions
  • Historical Analysis - Track vulnerability trends
  • Team Collaboration - Shared analysis workspaces
  • Enterprise Features - RBAC and advanced analytics

Community

  • Issues - Report bugs and request features
  • Discussions - Share use cases and best practices
  • Contributions - Help improve the project
  • Documentation - Improve guides and examples

License

This project is licensed under the MIT License - see the LICENSE file for details.

Acknowledgments

  • Trivy Team - Excellent vulnerability database
  • Semgrep Community - Powerful static analysis engine
  • LangChain/LangGraph - Flexible agent framework

About

Agentic dependency vulnerability triage pipeline that turns noisy CVE findings into repo-relevant suspicions, trigger-surface candidates, and compact evidence.
