metis by arm

AI-powered security code review tool

Created 4 months ago
343 stars

Top 80.6% on SourcePulse

Project Summary

Metis is an open-source, AI-driven tool by Arm's Product Security Team designed for deep security code review. It assists engineers in identifying subtle vulnerabilities and improving secure coding practices, particularly in large or legacy codebases where traditional tools struggle. Metis leverages LLMs for semantic understanding, offering more nuanced analysis than rule-based linters.

How It Works

Metis employs Large Language Models (LLMs) capable of semantic understanding and deep reasoning, moving beyond the limitations of hardcoded rules found in traditional static analysis tools. It integrates Retrieval-Augmented Generation (RAG) to provide the LLM with broader code context and related logic, enabling more accurate and actionable security suggestions. This approach aims to reduce review fatigue and uncover vulnerabilities missed by conventional methods.

Quick Start & Requirements

Installation is typically done with uv pip install . inside a virtual environment; for PostgreSQL backend support, use uv pip install '.[postgres]' instead. Metis requires an LLM provider to be configured (OpenAI, or an OpenAI-compatible endpoint such as vLLM or Ollama) together with an API key supplied via the OPENAI_API_KEY environment variable. For the vector store it supports ChromaDB for local, no-setup usage, or PostgreSQL with pgvector for scalable indexing. Language support covers C, C++, Python, Rust, and TypeScript, and further languages can be added via plugins.

Highlighted Details

  • Deep Reasoning: Utilizes LLMs for semantic code understanding, not static rules.
  • Context-Aware Analysis: RAG enhances accuracy by incorporating broader code context.
  • Extensible Architecture: Plugin system supports adding new languages, models, and prompts.
  • Flexible Backends: Works with ChromaDB (default) and PostgreSQL (pgvector).
  • Provider Agnostic: Compatible with OpenAI and other OpenAI-compatible LLM endpoints.
  • Multi-Language Support: Currently supports C, C++, Python, Rust, and TypeScript.
  • Interactive & Non-Interactive Modes: Offers a CLI for direct use and a --non-interactive flag for automation/CI/CD.
  • Customization: Configuration via metis.yaml and prompt tuning via plugins.yaml.

Maintenance & Community

Developed by Arm's Product Security Team. No specific community channels (e.g., Discord, Slack) or roadmap details were found in the provided README.

Licensing & Compatibility

Distributed under the Apache v2.0 License. This license is generally permissive, allowing for commercial use and integration into closed-source projects.

Limitations & Caveats

The provided README does not explicitly detail limitations, alpha status, or known bugs. As an AI-driven tool, performance and accuracy may be subject to the underlying LLM's capabilities and potential for hallucinations, though these are not stated as explicit caveats.

Health Check

  • Last Commit: 11 hours ago
  • Responsiveness: Inactive
  • Pull Requests (30d): 25
  • Issues (30d): 4
  • Star History: 308 stars in the last 30 days
