README.md: 8 additions & 2 deletions
@@ -31,7 +31,7 @@ Noir is a SAST tool that reads source code and extracts the endpoints an applica
The inventory feeds three audiences:
-**Human reviewers.** Security engineers and code auditors get a focused list of attacker-reachable entrypoints — paths, parameters, source files, tags — instead of skimming the whole repo.
-
-**AI auditors.** LLM-based SAST agents get the same focused list, plus per-endpoint review context (`--include-callee` for 1-hop callees, `--ai-context` for guards, sinks, validators, and signals).
+
-**AI auditors.** LLM-based SAST agents get the same focused list, plus per-endpoint review context (`--includecallee` for 1-hop callees, `--ai-context` for guards, sinks, validators, and signals).
-**DAST tools.** ZAP, Burp Suite, and Caido get a real route list to scan, including paths they would never have reached by crawling.
## What Noir does
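Review bot: the renamed flag `--includecallee` on new line 34 drops the hyphen while `--ai-context` on the same line keeps its own, so either the CLI option was really renamed and this README now documents it inconsistently with its sibling flag, or the option is unchanged and the documented spelling will not be accepted by the tool. Please confirm against the CLI's option definition; if the rename is intentional, keep a mention of the previous `--include-callee` spelling so existing users know it changed.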
@@ -40,7 +40,7 @@ The inventory feeds three audiences:
-**LLM fallback.** Hand unsupported frameworks (or one-off custom routing) to OpenAI / Ollama / etc. when static rules don't apply.
-**Output for the next stage.** JSON, YAML, OpenAPI, SARIF, cURL, Postman, HTML — whichever format the next tool in the pipeline reads.
-**DAST integration.** Pipe directly into ZAP, Burp Suite, or Caido as a proxy target, or export OpenAPI for them to import.
-
-**AI SAST context.** The endpoint inventory (and, with `--include-callee`, the 1-hop functions each handler invokes) is the focused context an LLM auditor needs to find attacker-reachable bugs. `--ai-context` goes further and attaches aggregated review context per endpoint — guards, callees, sinks, validators, and signals — so the LLM doesn't have to rediscover them.
+
-**AI SAST context.** The endpoint inventory (and, with `--includecallee`, the 1-hop functions each handler invokes) is the focused context an LLM auditor needs to find attacker-reachable bugs. `--ai-context` goes further and attaches aggregated review context per endpoint — guards, callees, sinks, validators, and signals — so the LLM doesn't have to rediscover them.
-**CI/CD.** GitHub Action, SARIF output, exit codes — fits the pipeline you already have.
## Usage
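Review bot: line 43 applies the same `--include-callee` to `--includecallee` change as the first hunk, and this diff touches only README.md, so there is no accompanying change to the CLI, its help text, or a changelog entry that would tell a reader which spelling the shipped binary accepts. If the flag is being renamed, the rename should land in the same change as the code and release notes; if it is not, this line should be reverted to the hyphenated form used by `--ai-context`.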
@@ -71,6 +71,12 @@ From here:
- Enrich the per-endpoint review context (guards, callees, sinks, validators, signals) so human reviewers and AI auditors share the same focused view of each handler.
- Keep DAST integration first-class — OpenAPI, proxy targets, and direct hand-offs to ZAP / Burp / Caido.
+
## OWASP Project
+
+
OWASP Noir joined the OWASP Foundation in **June 2024**.
+
+
- Official project page: [https://owasp.org/www-project-noir/](https://owasp.org/www-project-noir/)
+
## News & Updates
* May 2026: Released **v1.0.0** — introducing a stable 1.x line across all analyzers, taggers, passive-scan, and a brand new verb-centric CLI structure.
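Review bot: the new "## OWASP Project" section (new lines 74 to 79) sits between the roadmap bullets and "## News & Updates", which separates the project-identity statement from the introduction where a reader would look for it; consider moving it above "## What Noir does" or cross-referencing the June 2024 date as an entry in the News list, which already carries dated milestones. Minor style point on new line 78: the bullet uses the full URL as its own link text, which renders long; `[owasp.org/www-project-noir](https://owasp.org/www-project-noir/)` reads cleaner and keeps the same target.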