flounder  by adshao

Autonomous security auditing powered by AI agents

Created 1 month ago
309 stars

Top 86.8% on SourcePulse

GitHubView on GitHub
Project Summary

Autonomous white-hat security auditor for transforming coding agents into end-to-end security audit systems. It automates target preparation, attack surface mapping, exploit construction, and proof execution, benefiting developers and security researchers by streamlining complex security workflows.

How It Works

Flounder implements a thin white-hat audit workflow around large language models, managing the execution sandbox, command policies, state, and reporting. Its core is an autonomous audit loop (prepare -> map -> dig -> confirm -> report) that allows LLMs to dictate the audit strategy across diverse technology stacks without requiring framework-specific rewrites. Findings are rigorously validated through execution-grounded proof, ensuring they are not merely plausible but demonstrably reproducible.

Quick Start & Requirements

  • Prerequisites: Node.js 24 LTS (via nvm).
  • Installation: Clone the repo, run nvm use, npm install, npm run build. Global install: npx skills add adshao/flounder --skill flounder -g -a codex -a claude-code.
  • Core Commands: flounder ui (dashboard), flounder daemon provider login, flounder daemon start. Example CLI: flounder run <clue>, flounder confirm <run-dir>.
  • Sandboxing: Defaults to Docker-backed OCI for secure, isolated execution of model-generated code and tests.
  • Documentation: docs/USAGE.md, SECURITY.md, CONTRIBUTING.md.

Highlighted Details

  • Autonomous Audit Loop: Automates prepare, map, dig, confirm, and report phases for end-to-end security auditing.
  • Framework-Agnostic Reasoning: Leverages LLMs for audit strategy, adaptable to new stacks as models evolve.
  • Execution-Grounded Findings: Requires verifiable local commands to confirm vulnerabilities, enhancing reliability.
  • Sandboxed Execution: Utilizes OCI/Docker to isolate audit processes, mitigating risks from untrusted code.
  • Solidity/ZK Focus: Strong support for smart contract and zero-knowledge proof system audits via local testing and forking.

Maintenance & Community

The provided README does not detail specific contributors, sponsorships, community channels (e.g., Discord, Slack), or a public roadmap.

Licensing & Compatibility

Licensed under the AGPL v3 license. This strong copyleft license requires derivative works to be shared under the same terms, potentially impacting commercial use or integration into closed-source projects.

Limitations & Caveats

The project prioritizes secure, sandboxed execution, especially for model-generated code. While not explicitly stated as alpha/beta, the emphasis on controlled environments and the AGPL v3 license are key considerations for adoption, particularly regarding compliance and integration flexibility.

Health Check
Last Commit

1 day ago

Responsiveness

Inactive

Pull Requests (30d)
42
Issues (30d)
0
Star History
311 stars in the last 30 days

Explore Similar Projects

Feedback? Help us improve.