Summary AICodeScan is a lightweight, cross-platform code auditing tool designed for red teams to accelerate vulnerability discovery. It enhances traditional sink point matching by integrating AI-driven analysis for precise identification of security issues in PHP and Java codebases.

How It Works This tool builds upon Zjackky/CodeScan, focusing on rapid sink point identification within code and its dependencies. It augments this by employing AI models to perform detailed security audits, aiming for more accurate vulnerability pinpointing than static analysis alone. The approach leverages a configurable AI prompt to guide the analysis of specific code snippets.

Quick Start & Requirements Compilation requires a Go environment using the ./build.sh script, which generates executables for all platforms. Users must create a config.yaml file in the program's directory, specifying the AI API endpoint (e.g., https://api.siliconflow.cn/v1/chat/completions), API keys, desired AI model (e.g., Qwen/QwQ-32B-Preview), and a custom prompt template. Basic usage involves running AICodeScan -L <language> -d <directory>, with options for filtering and rule specification. Further details on the tool's capabilities can be found in a Bilibili video [https://www.bilibili.com/video/BV1bnKpeJEUC/].

Highlighted Details

• Supports PHP and Java languages.
• Features AI-driven auditing for enhanced vulnerability detection accuracy.
• Provides sink point matching capabilities inherited from its base project.
• Includes reporting, progress bar, and API pooling for improved usability (v1.1).

Maintenance & Community The project encourages community involvement via WeChat for development discussions and offers a WeChat public account for project updates.

Licensing & Compatibility The repository's README does not specify a software license. Users should exercise caution regarding potential licensing implications for commercial or integrated use.

Limitations & Caveats AICodeScan's AI auditing functionality is dependent on external API services, requiring valid API keys and potentially incurring costs or facing rate limits. The tool explicitly prohibits use for illegal activities, and users bear full responsibility for any consequences arising from its application. The effectiveness of AI-driven security analysis may vary.