oasis by psyray

AI-powered security scanner for code vulnerability detection

Created 1 year ago
305 stars

Top 87.8% on SourcePulse

Project Summary

OASIS 🏝️ is an AI-powered security auditing tool that leverages Ollama models to automatically detect and analyze potential security vulnerabilities within codebases. It targets engineers, researchers, and power users seeking advanced, automated code security analysis, offering a comprehensive approach to identifying and understanding security risks. The primary benefit is the automated, AI-driven detection and detailed reporting of vulnerabilities, streamlining the security auditing process.

How It Works

OASIS employs a two-phase scanning strategy, initially using lightweight Ollama models for rapid identification of potential issues, followed by more powerful models for deep analysis of flagged code segments. The core workflow is orchestrated by LangGraph, defining a pipeline that progresses from discovery and scanning to context expansion, deep analysis, verification, and reporting. It features dual-layer caching for both code embeddings and analysis results to accelerate repeated scans, alongside multi-model analysis capabilities and an optional RAG-enhanced dashboard assistant for interactive vulnerability triage.

Quick Start & Requirements

  • Primary install: pipx is recommended for CLI installation. After installing pipx, run pipx install -e . from the cloned repository. Docker support is also available.
  • Prerequisites: Python 3.9+ and Ollama installed and running locally. Models must be pulled via Ollama before scanning.
  • Hardware: Minimum requirements are a 4+ core CPU, 16 GB RAM, and 100 GB storage. 32 GB RAM and an NVIDIA GPU with 8 GB+ VRAM are recommended for better performance, especially on larger projects. A high-end CPU, 64 GB+ RAM, and a powerful GPU (16 GB+ VRAM) are essential for analyzing large codebases (>100,000 LOC).
  • Links: GitHub repository (the README assumes a git clone of it), Discord server.

Highlighted Details

  • AI-powered security auditing leveraging Ollama models.
  • Interactive dashboard assistant with optional RAG over local embeddings.
  • LangGraph orchestration for a structured discover → scan → expand → deep → verify → report pipeline.
  • Dual-layer caching for embeddings and analysis results to speed up repeated scans.
  • Comprehensive reporting formats including JSON, SARIF, HTML, PDF, and Markdown.
  • Parallel processing for vulnerability analysis.
  • Interactive model selection and guided installation for Ollama models.
  • Secure, password-protected web interface for exploring reports.

Maintenance & Community

The tool supports self-updating via oasis --check-update and oasis --self-update using pipx. For development clones, git pull followed by pipx upgrade oasis keeps the installation current. Contributions are welcomed via Pull Requests, issue reporting, or feature suggestions. A Discord server is available for community support and discussion.

Licensing & Compatibility

OASIS is licensed under GPL v3. This is a copyleft license, which may restrict linking with closed-source software or use in commercial products unless the GPL v3 terms are followed.

Limitations & Caveats

Function-level embedding analysis is marked as experimental. Performance depends heavily on hardware: CPU-only runs are significantly slower than GPU-accelerated analysis. The quality and reliability of structured output from Ollama models varies between models, which can trigger fallback mechanisms or require careful model selection and generation settings.

Health Check

  • Last Commit: 16 hours ago
  • Responsiveness: Inactive
  • Pull Requests (30d): 16
  • Issues (30d): 6
  • Star History: 73 stars in the last 30 days
