OpenHack  by openhackai

Agentic security scanner for codebases

Created 1 month ago
279 stars

Top 92.9% on SourcePulse

GitHubView on GitHub
Project Summary

OpenHack provides an open-source agentic security scanner and verifier for codebases, offering a transparent alternative to proprietary solutions. It leverages exclusively open-source models to identify high-quality, verified vulnerabilities. This tool is designed for engineers, researchers, and power users seeking a comprehensive and auditable approach to code security analysis, delivering detailed findings with actionable fixes.

How It Works

The project utilizes a sophisticated multi-agent pipeline. It begins with Recon agents that build a deep, model-based understanding of the application and custom context. Specialized Hunter agents then identify potential vulnerabilities across various categories and risk areas. Validation agents review candidate findings for impact and accuracy, followed by Verification agents that perform sandbox and browser-based attacks to confirm exploits in a simulated or real environment.

Quick Start & Requirements

Installation is available via pipx install openhack, uv tool install openhack, or pip install openhack. An initial one-time setup involves logging into an OpenHack account via a browser to obtain an API token and receive free credits. For the advanced sandbox and browser verification features, Docker Desktop (or a compatible Docker daemon) is a mandatory prerequisite. Community support is available via Discord.

Highlighted Details

  • Comprehensive pipeline: Reconnaissance, specialized hunting, validation, and multi-stage verification (sandbox and browser).
  • Agent activity trace provides live, detailed visibility into the scanning process.
  • Sandbox verification confirms vulnerabilities by attempting exploits within a Docker container.
  • Browser verification uses a headless browser to validate client-side issues like XSS and CSRF.
  • Findings are presented with syntax highlighting, severity, CVSS scores, code snippets, and recommended fixes.
  • Supports both an interactive TUI and headless CLI operation for CI/scripting workflows.

Maintenance & Community

Contributions are welcomed through GitHub issues and pull requests. A community Discord server is provided for user interaction and support.

Licensing & Compatibility

The project is licensed under the MIT License, which is permissive and generally allows for commercial use and integration into closed-source applications.

Limitations & Caveats

The sandbox and browser verification features are currently in Beta. These advanced verification steps are dependent on a correctly configured Docker environment. The core functionality relies on an OpenHack account login, indicating an integration with an external inference API for LLM operations.

Health Check
Last Commit

4 weeks ago

Responsiveness

Inactive

Pull Requests (30d)
0
Issues (30d)
0
Star History
141 stars in the last 30 days

Explore Similar Projects

Feedback? Help us improve.