AI-powered multi-agent security scanner for detecting security vulnerabilities within a given github codebase
Vigil
AI-Powered Security Scanner for Codebases
Vigil is a multi-agent AI security scanner that combines static analysis (Semgrep) with LLM verification to find real vulnerabilities in your code and filter out the noise.
The Problem: Traditional static analysis tools generate hundreds of warnings. 80% are false positives. Developers stop reading them.
The Solution: Vigil uses an AI verifier agent to analyze each finding with Chain-of-Thought reasoning, filtering out false alarms and keeping only real threats.
Key Features
- AI-Verified Findings: an LLM analyzes each vulnerability with a 4-step security framework
- 86% Accuracy: benchmarked on 100 real-world code samples with near-zero missed threats
- Multi-Provider LLM Support: Groq (free), Google Gemini, OpenAI, or local Ollama
- GitHub URL Scanning: point it at any public repo and scan instantly
- CISO Executive Summary: AI-generated security report for stakeholders
- Interactive Setup: a first-run wizard configures everything for you
- Docker Ready: run anywhere with a single container
Quick Start
Install
```bash
pip install vigil-scanner
```
Requires Python 3.11 to 3.13. If your default Python is 3.14+, use one of these:
```bash
# Windows
py -3.12 -m pip install vigil-scanner
# Or use pipx (recommended for CLI tools)
pipx install vigil-scanner --python 3.12
# Or use Docker (no Python needed)
docker run -e LLM_PROVIDER=groq -e GROQ_API_KEY=your_key vigil scan <repo-url>
```
Scan a Repository
```bash
# Scan a remote GitHub repo
vigil scan https://github.com/username/repo
# Scan a local project
vigil scan ./my-project
```
On first run, Vigil will ask you to choose an LLM provider:
```text
Welcome to Vigil!
Available LLM Providers:
1. Groq - Free cloud API (recommended)
2. Google Gemini - Free tier available
3. Ollama / LMStudio - Local & free
4. OpenAI - Paid (GPT-4o)
Select provider (number): 1
Enter your Groq API key: gsk_xxxxx
Configuration saved!
```
Reconfigure Anytime
```bash
vigil init
```
Docker
```bash
# Build
docker build -t vigil .
# Scan with cloud LLM
docker run -e LLM_PROVIDER=groq -e GROQ_API_KEY=your_key \
  vigil scan https://github.com/username/repo
# Scan with local Ollama (using docker compose)
docker compose up -d
docker compose exec ollama ollama pull llama3
docker compose run vigil scan https://github.com/username/repo
```
Architecture
Vigil uses a LangGraph multi-agent pipeline with three specialized nodes:
```text
+----------------+     +----------------+     +----------------+
|    Scanner     |---->|    Verifier    |---->|    Reporter    |
|   (Semgrep)    |     |  (LLM + CoT)   |     |     (LLM)      |
|                |     |                |     |                |
|  Static        |     |  AI verifies   |     |  Generates     |
|  analysis      |     |  each finding  |     |  executive     |
|  rules         |     |  with Chain-   |     |  summary &     |
|                |     |  of-Thought    |     |  fix advice    |
+----------------+     +----------------+     +----------------+
   Finds                  Filters                Reports
   candidates             false positives        to the team
```
Verification Strategy
The Verifier agent uses:
- Chain-of-Thought (CoT) reasoning: a 4-step analysis framework (data flow, then defenses, then CWE mapping, then verdict)
- Few-Shot examples: calibrated with real vulnerability patterns
- Batch processing: 10 findings per LLM call for token efficiency
- Confidence thresholds: low-confidence dismissals are overridden (security-first)
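As an added example (not Vigil's own code), the batching and security-first override described above: findings are chunked 10 per call, a real verdict is always kept, and a dismissal below an assumed 0.7 confidence threshold is overridden so the finding stays in the report. The Finding/Verdict schema and the stub verifier standing in for the LLM call are assumptions.

```python
# Added example (not Vigil's code): schema, 0.7 threshold and stub are assumed.
from dataclasses import dataclass
from typing import Callable, Iterator

BATCH_SIZE = 10               # findings per LLM call (stated in the README)
MIN_DISMISS_CONFIDENCE = 0.7  # assumed threshold, not Vigil's real value

@dataclass(frozen=True)
class Finding:
    rule_id: str   # Semgrep rule that fired
    path: str
    line: int

@dataclass(frozen=True)
class Verdict:
    finding: Finding
    is_real: bool      # verifier's conclusion after the 4-step CoT analysis
    confidence: float  # 0.0 .. 1.0
    reason: str

def batches(items: list, size: int = BATCH_SIZE) -> Iterator[list]:
    """Chunk findings so one LLM call covers up to `size` of them."""
    for i in range(0, len(items), size):
        yield items[i:i + size]

def apply_security_first(v: Verdict) -> bool:
    """Keep real findings always; honour a dismissal only when the verifier
    is confident, otherwise keep the finding (fail closed, not open)."""
    return v.is_real or v.confidence < MIN_DISMISS_CONFIDENCE

def verify_all(findings: list[Finding],
               verifier: Callable[[list[Finding]], list[Verdict]]
               ) -> tuple[list[Finding], int]:
    """Run the verifier batch by batch; return kept findings and call count."""
    kept, calls = [], 0
    for batch in batches(findings):
        calls += 1
        kept += [v.finding for v in verifier(batch) if apply_security_first(v)]
    return kept, calls

def stub_verifier(batch: list[Finding]) -> list[Verdict]:
    """Stand-in for the LLM call: confident dismissal for test fixtures,
    hesitant dismissal for 'xss', everything else confirmed as real."""
    out = []
    for f in batch:
        if f.path.startswith("tests/"):
            out.append(Verdict(f, False, 0.9, "test fixture, no real data flow"))
        elif f.rule_id == "xss":
            out.append(Verdict(f, False, 0.4, "output may be escaped upstream"))
        else:
            out.append(Verdict(f, True, 0.95, "untrusted input reaches sink"))
    return out
```

With 23 constructed findings the pipeline makes three calls (10, 10, 3); the confidently dismissed test fixture is dropped, while the hesitant xss dismissal is overridden and reported.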
Benchmark Results
Tested on 100 real-world code samples from the Code Vulnerability Labeled Dataset:
| Metric | Score |
|---|---|
| Accuracy | 86% |
| False Negative Rate | 2% |
| False Positive Rate | ~14% |
| Missed Threats | 1 out of 100 |
Configuration
Vigil supports configuration through environment variables or the ~/.vigil/.env file:
| Variable | Description | Default |
|---|---|---|
| LLM_PROVIDER | groq, google, openai, ollama | ollama |
| GROQ_API_KEY | Groq API key | (none) |
| GOOGLE_API_KEY | Google Gemini API key | (none) |
| OPENAI_API_KEY | OpenAI API key | (none) |
| OLLAMA_BASE_URL | Ollama endpoint URL | http://localhost:11434 |
| OLLAMA_MODEL | Model name for Ollama | llama3 |
Development
```bash
# Clone the repo
git clone https://github.com/yugan243/security-scanner.git
cd security-scanner
# Install dependencies
poetry install
# Run locally
poetry run vigil scan ./my-project
# Run benchmarks
poetry run python -m tests.benchmark
```
License
MIT License; see LICENSE for details.
Built by Yugan Nimsara with the help of Antigravity
File details
Details for the file vigil_scanner-0.1.2.tar.gz.
File metadata
- Download URL: vigil_scanner-0.1.2.tar.gz
- Upload date:
- Size: 18.1 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: poetry/2.3.2 CPython/3.14.3 Windows/11
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 2e7989d0fdc8a0abddb5a59f99739eaa189e1eb7b8223ceeb3bdcf98896aa855 |
| MD5 | 93bbd0ab9691bcf945fab0b8135f79d9 |
| BLAKE2b-256 | e8e037f415088554c69374b355a9e022ddd61ca13e090dd9f22d31457e5290f2 |
File details
Details for the file vigil_scanner-0.1.2-py3-none-any.whl.
File metadata
- Download URL: vigil_scanner-0.1.2-py3-none-any.whl
- Upload date:
- Size: 22.5 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: poetry/2.3.2 CPython/3.14.3 Windows/11
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 47b4d23719489ba6e1f57254f2bd74b4dc7af80c24864456ea2a398850826cac |
| MD5 | 2824e3cfbac6d8990e175eacbb4f22f8 |
| BLAKE2b-256 | 5e603b791c70916b5e60a58b42a6d699149ed5988083e6afd0346084ab1650cb |