Skip to main content

AI-Powered Codebase Bug & Vulnerability Scanning CLI

Project description

Remy Agent

AI-Powered Codebase Bug & Vulnerability Scanning CLI

PyPI version License CI


What is Remy?

Remy is a terminal-native AI security and bug-scanning agent. It performs static application security testing (SAST) plus an optional AI-assisted logic/bug detection pass across your codebase, then generates a single, structured Fix Prompt — ready to paste into any AI coding agent of your choice.

Remy is the finder and prompt-compiler, not the editor. That makes it lightweight, model-agnostic, and safe to run on any codebase without needing write access.


Features

  • Multi-engine SAST — Python AST rules for injection, insecure deserialization, weak crypto, and more
  • Secrets scanner — regex + Shannon entropy detection for API keys, tokens, and credentials across all file types
  • API surface auditor — finds unauthenticated routes, missing rate limiting, and overly permissive CORS
  • Auth/bypass scanner — detects JWT bypass, IDOR patterns, non-constant-time comparisons, client-controlled admin flags
  • Dependency scanner — cross-references your packages against the OSV vulnerability database
  • LLM logic-bug pass (--deep) — sends code to your AI provider to catch race conditions, edge cases, and business logic flaws
  • Multi-provider AI — bring your own key for OpenRouter, Groq, OpenAI, Anthropic, xAI, NVIDIA NIM, or run fully local with Ollama
  • Drop-in Fix Prompt — output is a portable Markdown artifact you paste into Claude Code, Cursor, Windsurf, Copilot, or any other agent

Install

pip install remy-agent

Quick Start

# First run — launches config wizard
remy

# After setup — scan current directory
remy scan

# Deep scan (SAST + LLM logic pass)
remy scan --deep

# Scan a specific path
remy scan /path/to/your/project

# Secrets only (fast, no LLM needed)
remy scan --secrets-only

# Get the Fix Prompt and copy to clipboard
remy prompt --copy

Supported Providers

Provider API Key Required Notes
OpenRouter ✅ Yes Routes to 200+ models. Great flexibility.
Groq ✅ Yes Ultra-low latency. Best for fast bulk scanning.
OpenAI ✅ Yes GPT-4o and newer models.
Anthropic ✅ Yes Claude family. Excellent at code reasoning.
xAI ✅ Yes Grok model family. OpenAI-compatible.
NVIDIA NIM ✅ Yes Cloud or self-hosted NIM endpoint.
Ollama ❌ No Fully local. Run ollama serve first.

Example Terminal Output

  ██████╗ ███████╗███╗   ███╗██╗   ██╗
  ██╔══██╗██╔════╝████╗ ████║╚██╗ ██╔╝
  ██████╔╝█████╗  ██╔████╔██║ ╚████╔╝
  ██╔══██╗██╔══╝  ██║╚██╔╝██║  ╚██╔╝
  ██║  ██║███████╗██║ ╚═╝ ██║   ██║
  ╚═╝  ╚═╝╚══════╝╚═╝     ╚═╝   ╚═╝

  ┌─────────────────────────────────────────────┐
  │   Remy Scan Report — 14 Finding(s)          │
  │  🔴 CRITICAL  3  ████████░░░░░░░░           │
  │  🟠 HIGH      5  ██████████████░░           │
  │  🟡 MEDIUM    4  ██████████░░░░░░           │
  │  🔵 LOW       2  ████░░░░░░░░░░░░           │
  └─────────────────────────────────────────────┘

Example Fix Prompt Output

# Remy Security & Bug Fix Prompt

You are an AI coding agent. Fix the following issues in this codebase.
Apply minimal, targeted changes. Preserve existing behavior and style.

## Findings

### [CRITICAL] Hardcoded production Stripe API key
**File:** `src/services/payments.py`, lines 12–14
**CWE:** CWE-798

**Issue:** A Stripe Live API key was found hardcoded in source code: `sk_l***0xyz`.
Committing secrets to version control is a critical security risk.

**Fix instructions:** Remove from source code immediately. Store in environment
variable: `STRIPE_SECRET_KEY = os.environ['STRIPE_SECRET_KEY']`. Rotate the key
in your Stripe Dashboard.

Configuration

Config is stored at ~/.remy/config.toml. API keys are stored in the OS keyring.

Setting Default Description
provider LLM provider (openrouter, groq, openai, anthropic, xai, nvidia_nim, ollama)
model Model ID (e.g. gpt-4o, claude-sonnet-4-5)
base_url provider default Override base URL (for Ollama or self-hosted NIM)
scan_defaults.deep false Enable LLM logic-bug pass by default
scan_defaults.max_file_size_kb 1000 Skip files larger than this
scan_defaults.respect_gitignore true Honor .gitignore and .remyignore

Run remy config show to see your current settings (key redacted).


Commands

remy                        # First run → wizard; subsequent → scan cwd
remy scan [PATH]            # Full scan
remy scan --deep            # SAST + LLM logic pass
remy scan --secrets-only    # Secrets/credentials only
remy scan --api-surface     # API route audit only
remy scan --bypass-check    # Auth bypass detection only
remy scan --deps            # Dependency CVE scan only
remy scan --format json     # Machine-readable output
remy scan --output FILE     # Write output to file
remy prompt                 # View last scan's Fix Prompt
remy prompt --copy          # Copy Fix Prompt to clipboard
remy config                 # Run config wizard
remy config show            # Print current config
remy config set-provider    # Change provider/model
remy providers list         # List all supported providers
remy version                # Show version

Using as a CI Gate

Remy exits with code 2 when Critical or High findings are present, making it easy to use as a CI gate:

# .github/workflows/security.yml
- name: Remy security scan
  run: remy scan . --secrets-only --format json --output scan.json
  # Exits 2 if critical/high findings found

Roadmap

  • tree-sitter multi-language SAST (JS/TS, Go, Java, Rust, PHP, Ruby)
  • VS Code extension for inline findings
  • SARIF output format for GitHub Security tab integration
  • Custom rule packs via ~/.remy/rules/
  • PR diff scanning (scan only changed files)
  • HTML report output
  • Jira/Linear issue creation from findings

Contributing

See CONTRIBUTING.md for setup instructions, how to add SAST rules, and how to add new providers.


License

Apache License 2.0 — see LICENSE.


Credits

Built by Medusa Security.
Maintained by Abhay Gupta (CTO, Medusa Security).

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

remy_agent-0.1.1.tar.gz (79.5 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

remy_agent-0.1.1-py3-none-any.whl (84.7 kB view details)

Uploaded Python 3

File details

Details for the file remy_agent-0.1.1.tar.gz.

File metadata

  • Download URL: remy_agent-0.1.1.tar.gz
  • Upload date:
  • Size: 79.5 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.12.10

File hashes

Hashes for remy_agent-0.1.1.tar.gz
Algorithm Hash digest
SHA256 c809bca71294c5ccc1e7dd4a655e251c20bbeef1486b4cf8b71623732f15cab3
MD5 ece38ad02abeda4552371b27d76f3990
BLAKE2b-256 11c19fc35551e96af0fca09d3b7ecbad739f070c96694a1aca301961520bf253

See more details on using hashes here.

File details

Details for the file remy_agent-0.1.1-py3-none-any.whl.

File metadata

  • Download URL: remy_agent-0.1.1-py3-none-any.whl
  • Upload date:
  • Size: 84.7 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.12.10

File hashes

Hashes for remy_agent-0.1.1-py3-none-any.whl
Algorithm Hash digest
SHA256 9e7a2d746a33da3746803724a1a83535847aaa82a13bd282f29d8320d62ceda2
MD5 dfb4279ea9c5dfc7c0414c387c5b2e67
BLAKE2b-256 1a626bd04dc0b9576231fdb69f3ad7671018f88c6ad6b88389c67b4dc184c7a8

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page