luoowei/aegis

🛡️ Aegis

AI Code Security Scanner — Catch vulnerabilities before they ship.



Aegis scans your codebase for 36 security issues across 9 categories — with a special focus on AI-generated code risks. Ships as a single <15MB Go binary. No runtime dependencies. No network calls.

~50% of AI-generated code contains security vulnerabilities. Aegis catches them before they reach production.

Why Aegis?

| Problem | Aegis solution |
|---|---|
| AI generates 50% more code; 81% of teams report review bottlenecks | Instant pre-commit scan that catches issues before human review |
| Hardcoded secrets are the #1 cloud breach vector | Detects 8 types of secrets: API keys, tokens, private keys, passwords |
| AI tools leave unsafe patterns (eval, innerHTML, raw SQL) | 9 dedicated AI-specific rules |
| Traditional SAST tools are slow, expensive and complex | Single binary, sub-second scans, zero config |

Quick Start

# macOS / Linux
curl -fsSL https://raw.githubusercontent.com/luoowei/aegis/main/install.sh | bash

# Go
go install github.com/luoowei/aegis/cmd/aegis@latest

# Windows
iwr https://raw.githubusercontent.com/luoowei/aegis/main/install.ps1 | iex

Usage

Scan Your Codebase

# Scan current directory
aegis

# Scan specific paths, only high severity
aegis scan ./src --min-severity HIGH

# JSON output for CI pipelines
aegis scan . --json > report.json

# Filter by category
aegis scan . --categories secrets,ai-generated-patterns

Git Pre-Commit Hook

aegis install
# Now every commit is checked for secrets and vulnerabilities

GitHub Actions CI

aegis ci-init
# Creates .github/workflows/aegis-security.yml

Detection Categories

| Category | Rules | Examples |
|---|---|---|
| Secrets & Credentials | 9 | API keys, AWS tokens, GitHub tokens, OpenAI keys, private keys, passwords |
| Injection Attacks | 7 | SQL injection, command injection, XSS, eval/exec |
| Authentication | 3 | Weak password hashes, HTTPS enforcement, session secrets |
| Cryptography | 3 | Weak ciphers, hardcoded encryption keys, insecure RNG |
| File Access | 2 | Path traversal, world-writable permissions |
| Network Security | 3 | TLS verification disabled, SSRF, 0.0.0.0 binding |
| Dependencies | 2 | Vulnerable NPM/Python packages |
| Configuration | 4 | Debug mode, CORS wildcard, missing CSP, security TODOs |
| AI-Generated Code | 3 | AI attribution, unvalidated AI output, prompt injection |

Example Output

   ___              _
  / _ \            (_)
 / /_\ \  ___  __ _ _ ___
/ /_\\ \/ _ \/ _`  | / __|
\____/\___/\__, |_|\__ \\
            __/ |  __/ |
           |___/  |___/
AI Code Security Scanner

Scanned 8 files • Found 5 issues

  0 CRITICAL  3 HIGH  2 MEDIUM  0 LOW

src/auth/login.ts
  ▲ HIGH src/auth/login.ts:23:15 [AEG-010] SQL Injection via String Concatenation
    ...const query = "SELECT * FROM users WHERE email = '" + email + "'"...
    Fix: Use parameterized queries: db.query("SELECT * FROM users WHERE id = ?", id)

src/config.ts
  ◆ CRITICAL src/config.ts:5:12 [AEG-001] Hardcoded API Key
    ...apiKey: "sk-live-abc123def456ghi789jkl"...
    Fix: Use environment variables: os.Getenv("API_KEY")

How It Works

  Codebase                    Aegis Scanner                  Report
  (.ts/.py/.js/.go/...)  -->  (Go binary: 36 regex     -->  Terminal
                               rules matched)               JSON
                                                            Exit code (0/1/2)
  1. Walks the file tree (skipping node_modules, .git, binaries, etc.)
  2. Scans each text file against 36 security regex rules (8-way parallel)
  3. Prints findings with severity, line numbers, snippets, and fix hints
  4. Returns exit code 2 (CRITICAL), 1 (HIGH), or 0 (clean)

Comparison

| | Aegis | ESLint security | Bandit | Semgrep | SonarQube |
|---|---|---|---|---|---|
| Single binary | Yes | No | No | No | No |
| Pre-commit hook | Yes | Yes | Yes | Yes | No |
| AI-specific rules | Yes | No | No | No | No |
| Zero config | Yes | Partially | Yes | No | No |
| GitHub Actions | Yes | Yes | Yes | Yes | Yes |
| Language coverage | All text | JS/TS | Python | Multi | Multi |
| Speed | <1s | <5s | <3s | <10s | 30s+ |

Build from Source

git clone https://github.com/luoowei/aegis.git
cd aegis
go build -o aegis ./cmd/aegis
./aegis --help

Roadmap

  • AST-based rules for deeper analysis (Go, TS, Python)
  • SARIF output for GitHub code scanning integration
  • Auto-fix mode for common issues (remove secrets, add parameterization)
  • MCP server for agent integration
  • Custom rule support via YAML/JSON
  • VS Code extension for real-time feedback
  • Docker image for CI/CD pipelines

Contributing

PRs welcome! See CONTRIBUTING.md.

License

MIT © Aegis Contributors


Star this repo if you care about shipping secure AI code.
Built with Go and paranoia for the AI era
