kpolley
AI-driven vulnerability discovery and live validation
RedAI is a terminal workbench for AI-driven vulnerability discovery and live validation, designed to move beyond static code analysis. It targets security engineers and researchers: rather than only flagging potential vulnerabilities, it actively confirms or disproves them within a live environment, reducing false positives and providing concrete, actionable evidence.
How It Works
RedAI runs a two-phase pipeline. First, scanner agents, powered by large language models like Claude Code or Codex, analyze source code to generate candidate vulnerability findings. Validator agents then take over, interacting with a live, dynamic environment (extensible via plugins such as a Chrome browser or an iOS Simulator) to execute tests, write proof-of-concept scripts, and probe the application's behavior. Each finding is therefore checked against the running application rather than the source alone, and the resulting reports include the evidence gathered during validation.
Quick Start & Requirements
The package is installed globally from npm with Bun: bun install -g @kpolley/redai. The repository includes two intentionally vulnerable demo applications (examples/webapp and examples/iosapp) for immediate end-to-end testing. Bun version 1.2 or higher is required. Scanner agents need API keys (e.g., ANTHROPIC_API_KEY or OPENAI_API_KEY). The Browser validator requires a Chrome installation, while the iOS validator depends on macOS with Xcode command line tools and xcrun simctl.
Maintenance & Community
No specific details regarding maintainers, community channels (e.g., Discord, Slack), or project roadmap were found in the provided README.
Licensing & Compatibility
The project is licensed under the permissive MIT license. This license generally allows for commercial use and integration with closed-source projects without significant restrictions.
Limitations & Caveats
Usage of RedAI is restricted to authorized software and environments; users must own or have explicit permission to assess the target. Agent outputs may occasionally be incomplete or inaccurate, necessitating manual review of findings and evidence before any action is taken. Furthermore, specific validator environments impose platform dependencies, such as requiring macOS for iOS validation.