Skip to main content

An open-source AI Security Engineer: maps your application, finds vulnerabilities, explains them, and proposes verified fixes.

Project description

Argus

An open-source AI Security Engineer. Point it at a codebase or a running application; it maps the system, runs layered security analysis, explains every finding the way a senior application-security engineer would, and — where possible — proposes and verifies a fix.

Argus is not just another scanner that prints a list. For each finding it tells you why it is a vulnerability, how an attacker would exploit it, the business impact, the likelihood and severity, the CWE/OWASP mapping, and concrete remediation — and it can generate a patch and check that the patch closes the issue.

Status: early alpha. The architecture and core pipeline are in place with a working CLI, four built-in scanners, a multi-provider AI layer, and five report formats. See the roadmap.


Highlights

  • Understands the project first. Detects languages and frameworks and builds an architecture map — APIs, auth flows, datastores, third-party services, cloud, containers, CI/CD, and dependency manifests — before scanning.
  • Layered analysis. Secret detection, dependency vulnerabilities, static code analysis (SAST), and infrastructure-as-code checks out of the box, extensible to more via plugins.
  • Findings that teach. Every finding carries reasoning, taxonomy mappings, and remediation — not just a line number.
  • Attack Simulation Mode. Instead of "this is vulnerable", Argus produces a safe, isolated walkthrough: how the flaw is discovered, a step-by-step (non-weaponized) exploit, the data at risk, the business impact, and how the fix blocks the attack — with a before/after comparison.
  • Bring your own model. Offline heuristic provider by default (no key, no network); Anthropic and OpenAI for cloud models; Ollama for fully local models so source never leaves your environment.
  • Plugin-based throughout. Scanners, reporters, and AI providers are plugins. Add a language or a report format without touching the core.
  • CI-ready output. JSON, SARIF (GitHub Code Scanning), Markdown, HTML, and CSV.

Install

# From PyPI
pip install argus-appsec

# With cloud model support
pip install "argus-appsec[anthropic,openai]"

From source (for development):

git clone https://github.com/hasipfaruk/Argus
cd Argus
pip install -e ".[dev]"

Requires Python 3.10+. The command installed is argus.

Quick start

# Scan a local project and print a table
argus scan ./my-app

# Turn on the flagship features and write an HTML report
argus scan ./my-app --attack-sim --patches -f html -o report.html

# Scan a remote repository (shallow-cloned to a temp dir, then cleaned up)
argus scan https://github.com/org/repo

# Apply Argus's verified fixes to a branch and open a pull request
argus fix ./my-app --open-pr

# Use a local model so code stays on your machine
argus scan ./my-app --ai-provider ollama --ai-model llama3.1

# Machine-readable output for CI, failing the build on High+
argus scan ./my-app -f sarif -o results.sarif --fail-on high

Explore what's available:

argus scanners     # list scanners
argus reporters    # list report formats
argus providers    # list AI providers and whether each is usable right now
argus init         # write a starter .argus.yml

How it works

target ──▶ resolve ──▶ analyze ──▶ scan ──▶ enrich (agents) ──▶ report
          (path/git/    (languages,  (secrets,   (reasoning,        (json, sarif,
           url)          frameworks,  deps,        attack sim,        markdown,
                         architecture) sast, iac)  patches)           html, csv)

The engine is synchronous and side-effect free apart from reading the target: it returns a ScanResult and writes nothing. Reporting and any PR creation are separate, explicit steps. See docs/architecture.md.

Configuration

Drop a .argus.yml in your project root (generate one with argus init):

min_severity: low
fail_on: high
attack_simulation: true
generate_patches: true
ai:
  provider: ollama      # heuristic | anthropic | openai | ollama
  model: llama3.1
scanner_options:
  secrets:
    entropy_threshold: 4.2

Full reference: docs/configuration.md.

Extending Argus

Everything is a plugin. A minimal scanner:

from argus.core.plugin import Scanner, ScannerContext, scanner
from argus.core.models import Finding, Location, Severity

@scanner
class HelloScanner(Scanner):
    name = "hello"
    category = "example"
    description = "Flags TODO comments as a demo."

    def scan(self, ctx: ScannerContext):
        for f in ctx.project.files():
            for i, line in enumerate(f.lines(), 1):
                if "TODO" in line:
                    yield Finding(
                        id=f"hello:todo:{i}", rule_id="hello.todo", scanner=self.name,
                        title="TODO left in code", description="A TODO marker.",
                        location=Location(path=f.rel_path, start_line=i),
                        severity=Severity.INFO,
                    )

Register it via the argus.plugins entry point in your package and it is picked up automatically. Full guide: docs/plugins.md.

AI providers and data handling

Provider Location Source leaves your machine? Needs
heuristic local no nothing (default)
ollama local no a running Ollama server
anthropic cloud yes ANTHROPIC_API_KEY + [anthropic] extra
openai cloud yes OPENAI_API_KEY + [openai] extra

If a requested provider is unavailable, Argus warns and falls back to heuristic so a scan always completes.

Fixing, not just finding

argus fix closes the loop: it scans a repository, applies the fixes it can verify locally to a fresh branch, commits them, and (with --open-pr) opens a pull request.

argus fix ./my-app --dry-run      # preview the changes, write nothing
argus fix ./my-app                # apply fixes to a branch and commit locally
argus fix ./my-app --open-pr      # also push and open a PR (needs GITHUB_TOKEN)

Only deterministic, self-verified fixes are applied by default (e.g. unsafe yaml.loadyaml.safe_load, weak hashes → SHA-256, shell=True removal, debug=Truedebug=False). See docs/fixing.md.

Roadmap

Implemented: project analysis, secrets/dependency/SAST/IaC scanners, multi-provider AI enrichment, Attack Simulation Mode, deterministic patch generation with self-verification, automated fix branches and pull requests (argus fix), and JSON/SARIF/Markdown/HTML/CSV reporting.

Planned: dynamic analysis (DAST) for deployed URLs, AST-based per-language scanners, live advisory-database sync (OSV), the web dashboard (trends, timelines, collaboration), and richer compliance rule packs.

Contributing

Contributions are welcome from everyone. The flow is the standard one:

  1. Fork this repository.
  2. Create a branch and make your change (with tests).
  3. Open a pull request — the template will guide you, and CI runs tests and lint automatically.

Scanners, language support, compliance rules, and report formats are especially welcome — the plugin model means most additions never touch the core. See CONTRIBUTING.md for setup and standards, and CODE_OF_CONDUCT.md for community guidelines.

License

Apache-2.0. See LICENSE.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

argus_appsec-0.1.0.tar.gz (81.3 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

argus_appsec-0.1.0-py3-none-any.whl (79.4 kB view details)

Uploaded Python 3

File details

Details for the file argus_appsec-0.1.0.tar.gz.

File metadata

  • Download URL: argus_appsec-0.1.0.tar.gz
  • Upload date:
  • Size: 81.3 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for argus_appsec-0.1.0.tar.gz
Algorithm Hash digest
SHA256 0e0cfa07b78e06864ef216b7586da616698f53b858801a56c5973052dd8d1e1a
MD5 86bcebe985bf6df65b0e15f48cfec88a
BLAKE2b-256 ccb15b8eb7d555653cb13b5f9572a0f2092189589b0471945621b2080685175e

See more details on using hashes here.

Provenance

The following attestation bundles were made for argus_appsec-0.1.0.tar.gz:

Publisher: publish.yml on hasipfaruk/Argus

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file argus_appsec-0.1.0-py3-none-any.whl.

File metadata

  • Download URL: argus_appsec-0.1.0-py3-none-any.whl
  • Upload date:
  • Size: 79.4 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for argus_appsec-0.1.0-py3-none-any.whl
Algorithm Hash digest
SHA256 0a99dc58801ec542a56651fbb82adc2c72b1541d73fa0db5217ae470785469d6
MD5 68f753e691d54ed44167821c4cc895c7
BLAKE2b-256 e83170cc8622a87626e549b6946ca04c32ae326210f0a8fb18145a910f07943a

See more details on using hashes here.

Provenance

The following attestation bundles were made for argus_appsec-0.1.0-py3-none-any.whl:

Publisher: publish.yml on hasipfaruk/Argus

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page