Mirror-Flowers by Ky0toFu

AI-powered code security auditing tool

Created 6 months ago
251 stars

Top 99.8% on SourcePulse

Project Summary

Mirror Flowers (镜花) is an AI-powered code security auditing tool designed to automatically detect security vulnerabilities in code across multiple programming languages. It assists developers by providing detailed analysis and actionable remediation suggestions, supporting popular AI models like DeepSeek-R1 and ChatGPT-4o.

How It Works

Mirror Flowers combines static code analysis with AI-driven validation and a vector database that supplies additional context. It first runs a traditional static scan to flag potential vulnerabilities. It then passes those findings to AI models, integrated via LangChain, which validate them and provide deeper analysis. A key design choice is the vector database (ChromaDB), which stores vectorized code and enables semantic similarity searches, so that vulnerability identification and remediation advice can take surrounding code into account rather than judging each finding in isolation.

Quick Start & Requirements

  • Installation: Clone the repository (git clone https://github.com/Ky0toFu/Mirror-Flowers.git), navigate into the directory, and install dependencies using pip install -e . or pip install -r requirements.txt. Development dependencies can be installed with pip install -e ".[dev]".
  • Prerequisites: Python 3.8+, FastAPI, Node.js (for frontend development), and an AI model API key (e.g., OpenAI or SiliconFlow for DeepSeek-R1).
  • Configuration: Set environment variables for OPENAI_API_KEY, OPENAI_API_BASE, and OPENAI_MODEL.
  • Running: Start the backend service with uvicorn backend.app:app --reload. Access the web UI at http://localhost:8000/ui.
  • Documentation: API documentation is available at http://127.0.0.1:8000/docs.

Highlighted Details

  • Supports multiple languages: PHP, Python, Java, JavaScript.
  • Analyzes dependencies via Maven, NPM, Python, and Composer.
  • Includes framework-specific security checks for Spring, Django, Express.js, and Hibernate.
  • Integrates a vector database (ChromaDB) for code vectorization and semantic search.
  • AI analysis capabilities include vulnerability validation, correlation, and context-aware suggestions.

Maintenance & Community

The project is actively maintained, with recent updates focusing on API configuration, frontend display, dependency management, and core feature enhancements like vector database integration. Contributions via Pull Requests and Issues are welcomed.

Licensing & Compatibility

The repository does not explicitly state a license in the provided README. Users should verify licensing terms before commercial use or integration into closed-source projects.

Limitations & Caveats

Analysis time can be significant for large projects. The accuracy of AI-generated suggestions should be validated through manual review. Users may need to adjust API Base URLs (e.g., adding or removing /v1) if encountering API configuration errors.

Health Check

  • Last Commit: 6 months ago
  • Responsiveness: Inactive
  • Pull Requests (30d): 0
  • Issues (30d): 0
  • Star History: 9 stars in the last 30 days
