Skip to main content

An open-source AI Security Engineer: maps your application, finds vulnerabilities, explains them, and proposes verified fixes.

Project description

Argus

An open-source AI Security Engineer. Point it at a codebase or a running application; it maps the system, runs layered security analysis, explains every finding the way a senior application-security engineer would, and — where possible — proposes and verifies a fix.

Argus is not just another scanner that prints a list. For each finding it tells you why it is a vulnerability, how an attacker would exploit it, the business impact, the likelihood and severity, the CWE/OWASP mapping, and concrete remediation — and it can generate a patch and check that the patch closes the issue.

Status: early alpha. The architecture and core pipeline are in place with a working CLI, four built-in scanners, a multi-provider AI layer, and five report formats. See the roadmap.


Highlights

  • Understands the project first. Detects languages and frameworks and builds an architecture map — APIs, auth flows, datastores, third-party services, cloud, containers, CI/CD, and dependency manifests — before scanning.
  • Layered analysis. Secret detection, dependency vulnerabilities — including transitive dependencies from lock files across PyPI (poetry.lock, Pipfile.lock), npm (package-lock.json, yarn.lock), Go (go.mod), Rust (Cargo.lock), Ruby (Gemfile.lock), and PHP (composer.lock), checked against the live OSV database — static code analysis (SAST), and infrastructure-as-code checks out of the box, extensible via plugins.
  • CI-native. Deterministic, reproducible output; baseline / diff-aware scanning so pull requests are gated only on newly introduced findings.
  • Findings that teach. Every finding carries reasoning, taxonomy mappings, and remediation — not just a line number.
  • Attack Simulation Mode. Instead of "this is vulnerable", Argus produces a safe, isolated walkthrough: how the flaw is discovered, a step-by-step (non-weaponized) exploit, the data at risk, the business impact, and how the fix blocks the attack — with a before/after comparison.
  • Bring your own model. Offline heuristic provider by default (no key, no network); Anthropic and OpenAI for cloud models; Ollama for fully local models so source never leaves your environment.
  • Plugin-based throughout. Scanners, reporters, and AI providers are plugins. Add a language or a report format without touching the core.
  • CI-ready output. JSON, SARIF (GitHub Code Scanning), Markdown, HTML, and CSV.

Install

# From PyPI
pip install argus-appsec

# With cloud model support
pip install "argus-appsec[anthropic,openai]"

From source (for development):

git clone https://github.com/hasipfaruk/Argus
cd Argus
pip install -e ".[dev]"

Requires Python 3.10+. The command installed is argus.

Quick start

# Scan a local project and print a table
argus scan ./my-app

# Turn on the flagship features and write an HTML report
argus scan ./my-app --attack-sim --patches -f html -o report.html

# Scan a remote repository (shallow-cloned to a temp dir, then cleaned up)
argus scan https://github.com/org/repo

# Apply Argus's verified fixes to a branch and open a pull request
argus fix ./my-app --open-pr

# Use a local model so code stays on your machine
argus scan ./my-app --ai-provider ollama --ai-model llama3.1

# Machine-readable output for CI, failing the build on High+
argus scan ./my-app -f sarif -o results.sarif --fail-on high

Explore what's available:

argus scanners     # list scanners
argus reporters    # list report formats
argus providers    # list AI providers and whether each is usable right now
argus init         # write a starter .argus.yml

How it works

target ──▶ resolve ──▶ analyze ──▶ scan ──▶ enrich (agents) ──▶ report
          (path/git/    (languages,  (secrets,   (reasoning,        (json, sarif,
           url)          frameworks,  deps,        attack sim,        markdown,
                         architecture) sast, iac)  patches)           html, csv)

The engine is synchronous and side-effect free apart from reading the target: it returns a ScanResult and writes nothing. Reporting and any PR creation are separate, explicit steps. See docs/architecture.md.

Configuration

Drop a .argus.yml in your project root (generate one with argus init):

min_severity: low
fail_on: high
attack_simulation: true
generate_patches: true
ai:
  provider: ollama      # heuristic | anthropic | openai | ollama
  model: llama3.1
scanner_options:
  secrets:
    entropy_threshold: 4.2

Full reference: docs/configuration.md.

Extending Argus

Everything is a plugin. A minimal scanner:

from argus.core.plugin import Scanner, ScannerContext, scanner
from argus.core.models import Finding, Location, Severity

@scanner
class HelloScanner(Scanner):
    name = "hello"
    category = "example"
    description = "Flags TODO comments as a demo."

    def scan(self, ctx: ScannerContext):
        for f in ctx.project.files():
            for i, line in enumerate(f.lines(), 1):
                if "TODO" in line:
                    yield Finding(
                        id=f"hello:todo:{i}", rule_id="hello.todo", scanner=self.name,
                        title="TODO left in code", description="A TODO marker.",
                        location=Location(path=f.rel_path, start_line=i),
                        severity=Severity.INFO,
                    )

Register it via the argus.plugins entry point in your package and it is picked up automatically. Full guide: docs/plugins.md.

AI providers and data handling

Provider Location Source leaves your machine? Needs
heuristic local no nothing (default)
ollama local no a running Ollama server
anthropic cloud yes ANTHROPIC_API_KEY + [anthropic] extra
openai cloud yes OPENAI_API_KEY + [openai] extra

If a requested provider is unavailable, Argus warns and falls back to heuristic so a scan always completes.

Fixing, not just finding

argus fix closes the loop: it scans a repository, applies the fixes it can verify locally to a fresh branch, commits them, and (with --open-pr) opens a pull request.

argus fix ./my-app --dry-run      # preview the changes, write nothing
argus fix ./my-app                # apply fixes to a branch and commit locally
argus fix ./my-app --open-pr      # also push and open a PR (needs GITHUB_TOKEN)

Only deterministic, self-verified fixes are applied by default (e.g. unsafe yaml.loadyaml.safe_load, weak hashes → SHA-256, shell=True removal, debug=Truedebug=False). See docs/fixing.md.

Roadmap

Implemented: project analysis, secrets/dependency/SAST/IaC scanners, multi-provider AI enrichment, Attack Simulation Mode, deterministic patch generation with self-verification, automated fix branches and pull requests (argus fix), and JSON/SARIF/Markdown/HTML/CSV reporting.

Planned: dynamic analysis (DAST) for deployed URLs, AST-based per-language scanners, live advisory-database sync (OSV), the web dashboard (trends, timelines, collaboration), and richer compliance rule packs.

Contributing

Contributions are welcome from everyone. The flow is the standard one:

  1. Fork this repository.
  2. Create a branch and make your change (with tests).
  3. Open a pull request — the template will guide you, and CI runs tests and lint automatically.

Scanners, language support, compliance rules, and report formats are especially welcome — the plugin model means most additions never touch the core. See CONTRIBUTING.md for setup and standards, and CODE_OF_CONDUCT.md for community guidelines.

License

Apache-2.0. See LICENSE.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

argus_appsec-0.5.1.tar.gz (100.1 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

argus_appsec-0.5.1-py3-none-any.whl (92.4 kB view details)

Uploaded Python 3

File details

Details for the file argus_appsec-0.5.1.tar.gz.

File metadata

  • Download URL: argus_appsec-0.5.1.tar.gz
  • Upload date:
  • Size: 100.1 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for argus_appsec-0.5.1.tar.gz
Algorithm Hash digest
SHA256 b5f2ef62d836c0c5e71c5bd077a2da41cc385a8d367ed3f7f9ffb01d8ddb4cb8
MD5 278818ce076257916b9f111c1d94542d
BLAKE2b-256 dcbc353b968e4dbf9595d86bf98eb49603d9307499bf206fc7cbdf3087520f3f

See more details on using hashes here.

Provenance

The following attestation bundles were made for argus_appsec-0.5.1.tar.gz:

Publisher: publish.yml on hasipfaruk/Argus

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file argus_appsec-0.5.1-py3-none-any.whl.

File metadata

  • Download URL: argus_appsec-0.5.1-py3-none-any.whl
  • Upload date:
  • Size: 92.4 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for argus_appsec-0.5.1-py3-none-any.whl
Algorithm Hash digest
SHA256 a88668446de834c1266fd3c41ae88fb6dc2ca9d6e666d012bf0e7cb3bb19098c
MD5 fd33d0061d7a1e5b8bb2202ece1130cc
BLAKE2b-256 9da3d7d539cef30de8711d37493fef4a1ff411cee80333b5671712d6f34a8950

See more details on using hashes here.

Provenance

The following attestation bundles were made for argus_appsec-0.5.1-py3-none-any.whl:

Publisher: publish.yml on hasipfaruk/Argus

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page