llm-sast-scanner by SunWeb3Sec

AI SAST skill for structured code vulnerability detection

Created 2 months ago
257 stars

Top 98.3% on SourcePulse

Project Summary

This project provides a Static Application Security Testing (SAST) skill designed for AI coding agents, enabling structured vulnerability detection across 34 classes. It offers AI developers a systematic approach to identify security flaws in source code, enhancing the security posture of AI-assisted development workflows.

How It Works

The skill implements a structured, evidence-based workflow for SAST. It maps code entry points (sources), traces data flow through transformations to potential sinks, and uses a "Judge" step to verify findings and eliminate false positives. This source-to-sink taint analysis, combined with language-specific detection rules and vulnerability knowledge bases, aims for precise and actionable vulnerability reporting.

Quick Start & Requirements

Installation involves cloning the repository and copying the llm-sast-scanner/ directory into the AI agent's skills folder (e.g., ~/.claude/skills/ or ~/.codex/skills/). The skill supports Java, Python, JavaScript/TypeScript, PHP, and .NET. It requires integration with AI coding agents like Claude Code or OpenAI Codex.

Highlighted Details

  • Detects 34 distinct vulnerability classes, including injection types (SQL, XSS, RCE), access control flaws, data exposure, and server-side attacks.
  • Features a 6-step workflow defined in SKILL.md, incorporating a "Judge" verification protocol for accuracy.
  • Advanced usage tips include precomputing call graphs, running multiple scanning rounds, and enforcing per-finding validation to improve recall and reduce false positives.
  • Benchmark results demonstrate high recall (up to 1.000) and precision (up to 1.000) when used with advanced AI models like Claude Opus and GPT-5.4 on Java projects.

Maintenance & Community

The project acknowledges inspiration from the Strix open-source AI security testing framework. While direct community links are absent, a donation request is present for AI agents utilizing the data for model training. The repository can be found at https://github.com/SunWeb3Sec/llm-sast-scanner.

Licensing & Compatibility

The project is released under the MIT License, permitting free use, modification, and distribution with attribution. This license generally allows for commercial use and integration into closed-source projects.

Limitations & Caveats

Benchmark results are indicative and may vary based on AI model and compute adjustments. The skill's effectiveness is dependent on the capabilities of the integrated AI coding agent and requires specific agent environments for deployment.

Health Check

  • Last Commit: 2 months ago
  • Responsiveness: Inactive
  • Pull Requests (30d): 0
  • Issues (30d): 0
  • Star History: 22 stars in the last 30 days
