Deterministic code security scanner. Detects and remediates hardcoded secrets.

Navigation

Verified details

These details have been verified by PyPI
Maintainers
Avatar for autonoma-security from gravatar.com autonoma-security

Unverified details

These details have not been verified by PyPI
Project links
Meta
Classifiers
Report project as malware

Project description

Autonoma

Python License Platform Edition PyPI

Most secret scanners detect problems. Autonoma safely fixes them — or refuses when it cannot prove the change is safe.

Deterministic secret remediation with strict safety boundaries.

Autonoma Demo

Install

The open-source package is published to PyPI as autonoma-cli.

pip install autonoma-cli

Once installed, use the autonoma command:

autonoma --version
autonoma --help

Quick Example

Scan a project:

autonoma analyze ./your-project

Scan and apply safe fixes:

autonoma analyze ./your-project --auto-fix

Example

Before

# settings.py

DATABASES = {
    "default": {
        "ENGINE": "django.db.backends.postgresql",
        "NAME": "prod_db",
        "USER": "admin",
        "PASSWORD": "Pr0d@ccess2024!",  # SEC001
        "HOST": "db.internal.company.com",
    }
}

SENDGRID_API_KEY = "SG.live-abc123xyz987_realkey"  # SEC002

After

# settings.py

import os

DATABASES = {
    "default": {
        "ENGINE": "django.db.backends.postgresql",
        "NAME": "prod_db",
        "USER": "admin",
        "PASSWORD": os.environ["PASSWORD"],
        "HOST": "db.internal.company.com",
    }
}

SENDGRID_API_KEY = os.environ["SENDGRID_API_KEY"]

Preview Fixes Safely

Preview fixes safely before applying them to guarantee deterministic outputs:

$ autonoma analyze demo-project --diff

- SENDGRID_API_KEY = "SG.live-abc123xyz987_realkey"
+ SENDGRID_API_KEY = os.environ["SENDGRID_API_KEY"]

Example CLI Output

$ autonoma analyze demo-project --auto-fix

Scanning 10 files...

SEC001  settings.py:8
Hardcoded password detected
Status: FIXED

SEC002  config.py:3
Hardcoded API key detected
Status: FIXED

SEC002  utils.py:14
Ambiguous secret pattern
Status: REFUSED

--------------------------------
Files scanned: 10
Issues detected: 3
Fixed: 2
Refused: 1

Commands

autonoma analyze PATH
autonoma analyze PATH --auto-fix
autonoma analyze PATH --diff
autonoma analyze PATH --json
autonoma analyze PATH --ci
autonoma history-scan PATH
autonoma --version

CLI Features

Autonoma supports:

  • --auto-fix — apply deterministic safe fixes
  • --diff — preview proposed fixes as unified diffs
  • --json — emit machine-readable output for automation
  • --ci — use CI-oriented exit codes
  • --quiet — minimize console output for pipelines
  • --threads — parallelize scanning on larger repositories
  • .autonomaignore — exclude noisy paths
  • history-scan — detect secrets that still exist in Git history

What Autonoma Detects

Code Description
SEC001 Hardcoded passwords
SEC002 Hardcoded API keys
SEC003 High-risk SQL string construction
SEC004 Python SSTI patterns
SEC005 Insecure deserialization (pickle, unsafe yaml)

Auto-fix support:

Code Behavior
SEC001 Auto-fixed when safe
SEC002 Auto-fixed when safe
SEC003–SEC005 Detection only

Autonoma deliberately avoids automatic rewrites for logic-level vulnerabilities.

Safety Model

Autonoma only applies a fix when all three conditions are satisfied:

  1. The transformation is structurally safe
  2. The environment variable contract can be established
  3. The modification introduces no ambiguity

Every finding produces one of four outcomes:

Status Meaning
FIXED Deterministic fix applied
REFUSED Change declined to prevent unsafe modification
SKIPPED Code already compliant
FAILED Tool error

Refusal Examples

Refusal is intentional. A wrong automated fix is worse than no fix.

No Environment Contract

API_KEY = "sk-live-abc123"

Refused because the project has no .env or dotenv dependency.

Ambiguous Variable Name

x = "sk-live-abc123"

Autonoma cannot safely infer an environment variable name.

Already Compliant

API_KEY = os.getenv("API_KEY", "sk-live-abc123")

Environment lookup already exists.

Ambiguous Secret Construction

token = "Bearer " + "sk-live-abc123"

Literal cannot be safely isolated.

Git History Scanning

Autonoma can also detect secrets that were committed in the past and later removed from the working tree.

autonoma history-scan .

This helps identify secrets that still exist in Git history and may remain accessible through old commits, forks, mirrors, or cloned repositories.

Why Autonoma Exists

Most security scanners stop at detection. Developers still need to manually remove secrets from code.

Autonoma focuses on deterministic remediation — automatically fixing the subset of issues that can be proven safe.

If safety cannot be guaranteed, it refuses the change instead of guessing.

What Autonoma Deliberately Does NOT Do

Autonoma intentionally avoids features that cannot be made deterministic.

It does not perform:

  • full taint analysis
  • full data flow analysis
  • automatic SQL injection rewriting
  • automatic SSTI remediation
  • LLM-generated patches

Only transformations that can be proven safe are applied automatically. Everything else is flagged for human review.

CI Example

Autonoma can run directly in CI pipelines.

- name: Install Autonoma
  run: pip install autonoma-cli

- name: Scan repository
  run: autonoma analyze . --ci

Exit codes:

  • 0 — no issues found
  • 1 — issues found, but none are automatically fixable
  • 2 — fixable issues found
  • 3 — internal error

Architecture

Autonoma is a local-first security remediation tool.

Key characteristics:

  • Python 3.10+
  • AST-based secret detection and remediation
  • deterministic code transformations
  • no telemetry
  • no cloud dependency
  • no LLM usage

All analysis runs entirely on the local machine.

Validation

Autonoma has been tested across synthetic repositories, seeded secret datasets and real-world open-source Python projects containing exposed credentials.

Current validation results:

  • 0 crashes across tested repositories
  • 0 syntax breakage after auto-fix
  • deterministic output across repeated runs
  • idempotent fixes on rerun
  • dry-run and diff preview do not modify files

Performance benchmarks:

Repository Size Files LOC Runtime
Small 5 503 0.16s
Medium 34 3,029 0.24s
Large 77 10,025 0.27s
Very Large 351 30,063 0.55s

Unsafe patterns are refused instead of rewritten.

Enterprise

Autonoma Community Edition focuses on deterministic local remediation for Python projects.

Planned enterprise capabilities include:

  • policy enforcement
  • CI/CD integration
  • audit logs
  • approval workflows
  • multi-repository orchestration

Enterprise capabilities are under development.

If your team is interested in early evaluation or pilot deployments, feel free to reach out.

Contributing

Bug reports and edge cases are extremely valuable.

If Autonoma:

  • fixes something incorrectly
  • refuses a safe pattern
  • misses a detectable secret

please open an issue with the code sample.

Pull requests are welcome.

License

MIT License

Project details

Verified details

These details have been verified by PyPI
Maintainers
Avatar for autonoma-security from gravatar.com autonoma-security

Unverified details

These details have not been verified by PyPI
Project links
Meta
Classifiers

Release history Release notifications | RSS feed

0.1.9

0.1.8

0.1.7

0.1.6

0.1.5

0.1.4

0.1.3

0.1.2

0.1.1

This version

0.1.0

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

autonoma_cli-0.1.0.tar.gz (63.6 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

autonoma_cli-0.1.0-py3-none-any.whl (34.2 kB view details)

Uploaded Python 3

File details

Details for the file autonoma_cli-0.1.0.tar.gz.

File metadata

  • Download URL: autonoma_cli-0.1.0.tar.gz
  • Upload date:
  • Size: 63.6 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for autonoma_cli-0.1.0.tar.gz
Algorithm Hash digest
SHA256 73bc53932a12d176e8d51be9c3c97a636df149715ed27d4382ed8b8dc0d81e07
MD5 daa916cef22189c2f3673221f7978c55
BLAKE2b-256 68f098dabde41e9e6c1a75cfd061b22ebd5a6e3a2ccd2e98427716beebce8b0b

See more details on using hashes here.

Provenance

The following attestation bundles were made for autonoma_cli-0.1.0.tar.gz:

Publisher: publish.yml on VihaanInnovations/autonoma

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file autonoma_cli-0.1.0-py3-none-any.whl.

File metadata

  • Download URL: autonoma_cli-0.1.0-py3-none-any.whl
  • Upload date:
  • Size: 34.2 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for autonoma_cli-0.1.0-py3-none-any.whl
Algorithm Hash digest
SHA256 e4d98acc13379e9f89578e8f711969d0634c8f532ca71800c2c3642e2ba10cac
MD5 2450c379895ccd26ce3f0c4496f0f1f1
BLAKE2b-256 6e32700da6d33d35d33f204034e57f5338c9ce6b9a1687784fd635dba98b7b82

See more details on using hashes here.

Provenance

The following attestation bundles were made for autonoma_cli-0.1.0-py3-none-any.whl:

Publisher: publish.yml on VihaanInnovations/autonoma

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page