Discover and explore top open-source AI tools and projects—updated daily.
visaAgentic harness for autonomous vulnerability discovery
Top 49.1% on SourcePulse
Visa Vulnerability Agentic Harness (VVAH) is an open-source SAST pipeline designed for autonomous vulnerability discovery using advanced AI models, building on learnings from Anthropic's Project Glasswing. It targets security engineers and researchers seeking to accelerate the vulnerability management lifecycle by focusing on triage speed and Mean Time to Adapt (MTTA). VVAH offers a multi-model approach, supporting Anthropic Claude, OpenAI, or combinations thereof, ensuring flexibility and avoiding single-provider dependency.
How It Works
VVAH employs a structured, three-phase, nine-stage pipeline that integrates deterministic controls with frontier AI model reasoning. The process begins with Discovery & Modeling (attack surface mapping, threat modeling, and hunting plan), progresses through Deep Dive & Verification (multi-lens research, policy gates, adversarial verification), and concludes with Synthesis, Chaining & Reporting (deduplication, exploit chain construction, SARIF emission). Each stage is implemented as a composable, reusable "skill," allowing for independent tuning and replacement. This approach prioritizes finding quality through threat modeling upfront and reducing false positives via multi-agent deterministic voting, aiming to compress the lifecycle from AI-discovered weakness to actionable finding.
Quick Start & Requirements
python3 -m venv .venv; source .venv/bin/activate; pip install .) or globally via pipx install .. This installs the vvaharness command.ANTHROPIC_SDK_API_KEY) / OpenAI API key (OPENAI_API_KEY) if switching roles. The claude CLI is required for the default profile..env file. Detailed setup and configuration guidance is available in docs/SETUP_GUIDE.md and docs/configuration.md.docs/USER_GUIDE.md covers commands and options.Highlighted Details
.md), SARIF 2.1.0 (.sarif), and error (.jsonl) formats.Maintenance & Community
This repository is not accepting external contributions. Usage is restricted to authorized operators and requires explicit permission to test codebases ("Authorized use only. Run scans only against code you own or have explicit permission to test."). No community links (e.g., Discord, Slack) are provided.
Licensing & Compatibility
Licensed under the Apache License, Version 2.0. While the license permits commercial use, the "Authorized use only" clause and the requirement to only scan code you own or have explicit permission for are significant restrictions on deployment scope.
Limitations & Caveats
Findings are LLM-generated triage candidates and are non-deterministic, requiring human review; results may differ between runs. The system is described as "token-hungry," with per-stage budget caps. Published accuracy or precision/recall figures are not yet available. The tool runs with elevated privilege, posing a security risk if used against untrusted repositories without proper hardening, potentially exposing host credentials and sensitive files.
1 week ago
Inactive