dianxing  by tianchong-zerotemp

AI-driven system for end-to-end code security auditing

Created 2 weeks ago

New!

543 stars

Top 57.9% on SourcePulse

GitHubView on GitHub
Project Summary

DianXing: AI-Driven End-to-End Code Security Auditing

DianXing is an AI-powered system for end-to-end code security auditing, designed to operate at industrial scale with zero human intervention. It aims to discover deep, logic-based vulnerabilities that traditional Static Application Security Testing (SAST) tools often miss, providing a structured list of findings. The system is targeted at organizations and security professionals requiring comprehensive and automated code security analysis.

How It Works

DianXing utilizes AI to achieve a semantic understanding of code, moving beyond rule-based pattern matching. This allows it to identify complex vulnerabilities such as authentication bypasses, authorization flaws, and intricate business logic defects. The system automates the entire process from vulnerability discovery to validation, including the ability to autonomously discover zero-permission Remote Code Execution (RCE) vulnerabilities and verify them through attack chain simulation. The core implementation is intentionally not publicly disclosed due to its advanced capabilities.

Quick Start & Requirements

The provided README focuses on the system's capabilities and audit results rather than direct installation or usage instructions. Specific commands for setup or execution are not detailed.

Highlighted Details

  • AI-Driven Auditing: Leverages AI for semantic code understanding to find deep logic flaws.
  • Zero-Human Intervention: Fully automated process from discovery to validation.
  • Advanced Vulnerability Detection: Identifies issues missed by traditional SAST, including RCE, auth bypass, and business logic flaws.
  • Automated RCE Validation: Capable of discovering zero-permission RCEs and verifying them with attack chain simulation.
  • Extensive Audit Data: Audited 14 projects, identifying 8,451 vulnerabilities, including 11 critical RCEs.
  • High Recall Benchmark: Claims "Zero Miss" recall across 9 languages in controlled tests.
  • Multi-Format Auditing: Supports source code, binary (APK, JAR, DLL, SO), and firmware (IoT, industrial control) analysis.
  • Performance: Demonstrates significantly higher detection rates compared to mainstream AI auditing products in head-to-head comparisons.

Maintenance & Community

The project is developed by the tianchong-zerotemp team, with listed core members. It engages the community through a "Vulnerability Hunter Challenge" to validate its findings and accepts feedback via GitHub Discussions. Specific community channels like Discord or Slack are not detailed.

Licensing & Compatibility

The README does not specify a software license. This lack of licensing information presents a significant adoption blocker, as compatibility for commercial use or integration into closed-source projects cannot be determined.

Limitations & Caveats

The primary limitation is the non-public nature of the core AI technology and implementation, which is a deliberate security measure. The system is a specialized vertical engine, not a general-purpose LLM. While audit data is provided for verification, direct access to the tool for independent evaluation is not offered. The absence of licensing information is a critical adoption barrier.

Health Check
Last Commit

2 weeks ago

Responsiveness

Inactive

Pull Requests (30d)
0
Issues (30d)
4
Star History
542 stars in the last 20 days

Explore Similar Projects

Feedback? Help us improve.