AI-Powered Codebase Bug & Vulnerability Scanning CLI
Project description
Remy Agent
AI-Powered Codebase Bug & Vulnerability Scanning CLI
What is Remy?
Remy is a terminal-native AI security and bug-scanning agent. It performs static application security testing (SAST) plus an optional AI-assisted logic/bug detection pass across your codebase, then generates a single, structured Fix Prompt — ready to paste into any AI coding agent of your choice.
Remy is the finder and prompt-compiler, not the editor. That makes it lightweight, model-agnostic, and safe to run on any codebase without needing write access.
Features
- Multi-engine SAST — Python AST rules for injection, insecure deserialization, weak crypto, and more
- Secrets scanner — regex + Shannon entropy detection for API keys, tokens, and credentials across all file types
- API surface auditor — finds unauthenticated routes, missing rate limiting, and overly permissive CORS
- Auth/bypass scanner — detects JWT bypass, IDOR patterns, non-constant-time comparisons, client-controlled admin flags
- Dependency scanner — cross-references your packages against the OSV vulnerability database
- LLM logic-bug pass (
--deep) — sends code to your AI provider to catch race conditions, edge cases, and business logic flaws - Multi-provider AI — bring your own key for OpenRouter, Groq, OpenAI, Anthropic, xAI, NVIDIA NIM, or run fully local with Ollama
- Drop-in Fix Prompt — output is a portable Markdown artifact you paste into Claude Code, Cursor, Windsurf, Copilot, or any other agent
Install
pip install remy-agent
Quick Start
# First run — launches config wizard
remy
# After setup — scan current directory
remy scan
# Deep scan (SAST + LLM logic pass)
remy scan --deep
# Scan a specific path
remy scan /path/to/your/project
# Secrets only (fast, no LLM needed)
remy scan --secrets-only
# Get the Fix Prompt and copy to clipboard
remy prompt --copy
Supported Providers
| Provider | API Key Required | Notes |
|---|---|---|
| OpenRouter | ✅ Yes | Routes to 200+ models. Great flexibility. |
| Groq | ✅ Yes | Ultra-low latency. Best for fast bulk scanning. |
| OpenAI | ✅ Yes | GPT-4o and newer models. |
| Anthropic | ✅ Yes | Claude family. Excellent at code reasoning. |
| xAI | ✅ Yes | Grok model family. OpenAI-compatible. |
| NVIDIA NIM | ✅ Yes | Cloud or self-hosted NIM endpoint. |
| Ollama | ❌ No | Fully local. Run ollama serve first. |
Example Terminal Output
██████╗ ███████╗███╗ ███╗██╗ ██╗
██╔══██╗██╔════╝████╗ ████║╚██╗ ██╔╝
██████╔╝█████╗ ██╔████╔██║ ╚████╔╝
██╔══██╗██╔══╝ ██║╚██╔╝██║ ╚██╔╝
██║ ██║███████╗██║ ╚═╝ ██║ ██║
╚═╝ ╚═╝╚══════╝╚═╝ ╚═╝ ╚═╝
┌─────────────────────────────────────────────┐
│ Remy Scan Report — 14 Finding(s) │
│ 🔴 CRITICAL 3 ████████░░░░░░░░ │
│ 🟠 HIGH 5 ██████████████░░ │
│ 🟡 MEDIUM 4 ██████████░░░░░░ │
│ 🔵 LOW 2 ████░░░░░░░░░░░░ │
└─────────────────────────────────────────────┘
Example Fix Prompt Output
# Remy Security & Bug Fix Prompt
You are an AI coding agent. Fix the following issues in this codebase.
Apply minimal, targeted changes. Preserve existing behavior and style.
## Findings
### [CRITICAL] Hardcoded production Stripe API key
**File:** `src/services/payments.py`, lines 12–14
**CWE:** CWE-798
**Issue:** A Stripe Live API key was found hardcoded in source code: `sk_l***0xyz`.
Committing secrets to version control is a critical security risk.
**Fix instructions:** Remove from source code immediately. Store in environment
variable: `STRIPE_SECRET_KEY = os.environ['STRIPE_SECRET_KEY']`. Rotate the key
in your Stripe Dashboard.
Configuration
Config is stored at ~/.remy/config.toml. API keys are stored in the OS keyring.
| Setting | Default | Description |
|---|---|---|
provider |
— | LLM provider (openrouter, groq, openai, anthropic, xai, nvidia_nim, ollama) |
model |
— | Model ID (e.g. gpt-4o, claude-sonnet-4-5) |
base_url |
provider default | Override base URL (for Ollama or self-hosted NIM) |
scan_defaults.deep |
false |
Enable LLM logic-bug pass by default |
scan_defaults.max_file_size_kb |
1000 |
Skip files larger than this |
scan_defaults.respect_gitignore |
true |
Honor .gitignore and .remyignore |
Run remy config show to see your current settings (key redacted).
Commands
remy # First run → wizard; subsequent → scan cwd
remy scan [PATH] # Full scan
remy scan --deep # SAST + LLM logic pass
remy scan --secrets-only # Secrets/credentials only
remy scan --api-surface # API route audit only
remy scan --bypass-check # Auth bypass detection only
remy scan --deps # Dependency CVE scan only
remy scan --format json # Machine-readable output
remy scan --output FILE # Write output to file
remy prompt # View last scan's Fix Prompt
remy prompt --copy # Copy Fix Prompt to clipboard
remy config # Run config wizard
remy config show # Print current config
remy config set-provider # Change provider/model
remy providers list # List all supported providers
remy version # Show version
Using as a CI Gate
Remy exits with code 2 when Critical or High findings are present, making it easy to use as a CI gate:
# .github/workflows/security.yml
- name: Remy security scan
run: remy scan . --secrets-only --format json --output scan.json
# Exits 2 if critical/high findings found
Roadmap
-
tree-sittermulti-language SAST (JS/TS, Go, Java, Rust, PHP, Ruby) - VS Code extension for inline findings
- SARIF output format for GitHub Security tab integration
- Custom rule packs via
~/.remy/rules/ - PR diff scanning (scan only changed files)
- HTML report output
- Jira/Linear issue creation from findings
Contributing
See CONTRIBUTING.md for setup instructions, how to add SAST rules, and how to add new providers.
License
Apache License 2.0 — see LICENSE.
Credits
Built by Medusa Security.
Maintained by Abhay Gupta (CTO, Medusa Security).
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file remy_agent-0.1.0.tar.gz.
File metadata
- Download URL: remy_agent-0.1.0.tar.gz
- Upload date:
- Size: 79.2 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.12.10
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
110a051e00286a6d5bbd47aeb08e2241ee00ff9f2821ff9b9dfa31e28d02a442
|
|
| MD5 |
192ff21fd5dd1324dcaaa493a6722180
|
|
| BLAKE2b-256 |
d82e18edc47c3d637c9c9f3d5e8d06b28ee03c813cecd263e9ce4ae3118b05f4
|
File details
Details for the file remy_agent-0.1.0-py3-none-any.whl.
File metadata
- Download URL: remy_agent-0.1.0-py3-none-any.whl
- Upload date:
- Size: 84.5 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.12.10
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
f3633e136132ab78288a70f7ee6db707c26b80821a925d3b55266fbb38706db1
|
|
| MD5 |
351e6b1a8d7938f89b4ab53ce2e14d81
|
|
| BLAKE2b-256 |
0bd302e54f2d1805b89d8a9735e619b08061891bd541380f475ef7dca88c01ef
|