# Vulture

An intelligent, multi-stage code vulnerability scanning platform that combines traditional static application security testing (SAST) with advanced AI-driven contextual evaluation.

Vulture uses tools like Semgrep and Tree-sitter for deep structural codebase analysis and orchestrates complex verification workflows using LangGraph and Large Language Models (LLMs) to reduce false positives and prioritize real security threats.
## Project Structure

The project consists of a full-stack application separated into `frontend` and `backend` directories:
- Frontend: A modern, interactive React application built with Vite, Tailwind CSS, and Framer Motion. Uses Clerk for authentication and features rich data visualization for vulnerability reports.
- Backend: A FastAPI Python service that handles codebase parsing, AST generation, pattern matching, and AI-based vulnerability verification. It integrates LangGraph to manage complex, multi-agent workflows.
## Features

- Multi-Engine Scanning: Combines Tree-sitter for Abstract Syntax Tree (AST) analysis and Semgrep for fast security pattern matching.
- AI-Assisted Verification: Significantly reduces false positives by feeding static analysis results into an LLM (via AWS Bedrock or OpenAI) for contextual validation and exploitability scoring.
- Rich Security Dashboard: Detailed interactive visualizations for security scores, vulnerability breakdowns, and remediation priorities using Recharts.
- Real-time Streaming: Progressive streaming of scan progress and intermediate results via WebSockets.
- Comprehensive Reporting: Generates detailed, actionable vulnerability reports with suggested remediations and priority rankings.
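The two-stage design described above (Semgrep findings fed to an LLM for contextual verification, then ranked by exploitability) can be sketched end to end in a few functions. The block below is an added example written for this page, not Vulture's own code. It assumes Semgrep's `--json` result shape (`results[].check_id`, `path`, `start.line`, `end.line`, `extra.severity`, `extra.message`), substitutes a fixed line window for the Tree-sitter context extraction, and takes the model call as an injected callable (`verify`) so it runs offline; the rule ids, the sample source file, the scan output and the severity weights are all constructed for the example.

```python
import json
from dataclasses import dataclass
from typing import Callable

SEVERITY_WEIGHT = {"ERROR": 3.0, "WARNING": 2.0, "INFO": 1.0}  # assumed ranking scale


@dataclass
class Finding:
    check_id: str
    path: str
    start_line: int
    end_line: int
    severity: str
    message: str
    context: str = ""


def parse_semgrep(json_text: str) -> list[Finding]:
    """Normalise Semgrep `--json` output (results[].check_id/path/start/end/extra)."""
    out = []
    for r in json.loads(json_text).get("results", []):
        extra = r.get("extra", {})
        out.append(Finding(r["check_id"], r["path"], r["start"]["line"], r["end"]["line"],
                           extra.get("severity", "INFO").upper(), extra.get("message", "")))
    return out


def attach_context(finding: Finding, source: str, window: int = 3) -> Finding:
    """Attach nearby source lines; a Tree-sitter AST node would replace this window (assumed)."""
    lines = source.splitlines()
    lo = max(0, finding.start_line - 1 - window)
    hi = min(len(lines), finding.end_line + window)
    finding.context = "\n".join(f"{i + 1:4d}: {lines[i]}" for i in range(lo, hi))
    return finding


def build_verification_prompt(finding: Finding) -> str:
    """Ask for a structured verdict so the reply can be parsed rather than guessed."""
    return (
        "Review this static-analysis finding and decide whether it is exploitable in context.\n"
        f"Rule: {finding.check_id}\nSeverity: {finding.severity}\nMessage: {finding.message}\n"
        f"Location: {finding.path}:{finding.start_line}\nCode:\n{finding.context}\n"
        'Reply with JSON only: {"exploitable": true|false, "confidence": 0.0-1.0, "reason": "..."}'
    )


def parse_verdict(raw: str) -> dict:
    """Parse defensively: a malformed reply is 'unverified', never silently 'safe'."""
    try:
        v = json.loads(raw)
        conf = min(1.0, max(0.0, float(v["confidence"])))
        return {"exploitable": bool(v["exploitable"]), "confidence": conf,
                "reason": str(v.get("reason", "")), "verified": True}
    except (ValueError, KeyError, TypeError):
        return {"exploitable": None, "confidence": 0.0,
                "reason": "unparseable model reply", "verified": False}


def priority_score(finding: Finding, verdict: dict) -> float:
    """Severity-weighted exploitability; unverified keeps half weight for human review."""
    w = SEVERITY_WEIGHT.get(finding.severity, 1.0)
    if not verdict["verified"]:
        return w * 0.5
    if verdict["exploitable"]:
        return w * verdict["confidence"]
    return w * (1.0 - verdict["confidence"])  # confident "not exploitable" -> near 0


def triage(json_text: str, sources: dict[str, str],
           verify: Callable[[str], str]) -> list[tuple[Finding, dict, float]]:
    """Parse -> contextualise -> verify -> rank (highest priority first)."""
    ranked = []
    for f in parse_semgrep(json_text):
        attach_context(f, sources.get(f.path, ""))
        verdict = parse_verdict(verify(build_verification_prompt(f)))
        ranked.append((f, verdict, priority_score(f, verdict)))
    ranked.sort(key=lambda t: t[2], reverse=True)
    return ranked


# Constructed sample input: made-up rule ids, source file and scan output, not real data.
SAMPLE_SOURCES = {"app/db.py": (
    "import sqlite3\n\ndef get_user(conn, name):\n"
    "    q = \"SELECT * FROM users WHERE name = '\" + name + \"'\"\n"
    "    return conn.execute(q).fetchall()\n\ndef ping(conn):\n"
    "    return conn.execute('SELECT 1').fetchone()\n")}

SAMPLE_SEMGREP_JSON = json.dumps({"results": [
    {"check_id": "example.sql-string-concat", "path": "app/db.py", "start": {"line": 4},
     "end": {"line": 4}, "extra": {"severity": "ERROR", "message": "SQL built by string concatenation"}},
    {"check_id": "example.db-execute", "path": "app/db.py", "start": {"line": 8},
     "end": {"line": 8}, "extra": {"severity": "WARNING", "message": "Database query executed"}},
    {"check_id": "example.unknown-rule", "path": "app/db.py", "start": {"line": 1},
     "end": {"line": 1}, "extra": {"severity": "INFO", "message": "Import of sqlite3"}},
]})


def stub_verify(prompt: str) -> str:
    """Deterministic stand-in for the Bedrock/OpenAI call so the example runs offline."""
    if "Rule: example.sql-string-concat" in prompt:
        return '{"exploitable": true, "confidence": 0.9, "reason": "caller input reaches query"}'
    if "Rule: example.db-execute" in prompt:
        return '{"exploitable": false, "confidence": 0.8, "reason": "constant query"}'
    return "Unclear."  # malformed reply exercises the unverified path
```

Running `triage(SAMPLE_SEMGREP_JSON, SAMPLE_SOURCES, stub_verify)` returns the string-concatenation finding first, the unverified INFO finding second and the confidently dismissed query last. Two choices matter for false-positive reduction in practice: the prompt asks for a machine-parseable verdict, and a reply that fails to parse is kept at half weight for human review rather than dropped, so a flaky model never turns into a silent miss.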
## Tech Stack

### Frontend

- Core: React 19, Vite
- Styling & UI: Tailwind CSS v4, Framer Motion, React Three Fiber / Drei
- Authentication: Clerk
- State Management: Zustand
- Data Visualization: Recharts
### Backend

- Core: Python 3.12+, FastAPI
- AI & Orchestration: LangGraph, LangChain, OpenAI / AWS Bedrock
- Code Analysis: Semgrep, Tree-sitter
- Database: SQLite, SQLAlchemy, Alembic
## Prerequisites

- Node.js (v18+)
- Python 3.12+
- uv (recommended Python package manager)
## Backend Setup

- Navigate to the `backend` directory:

  ```bash
  cd backend
  ```

- Create your environment variables file based on the example:

  ```bash
  cp .env.example .env
  ```

  Configure your AWS Bedrock/OpenAI API keys and Clerk secret keys in `.env`.

- Install dependencies using `uv`:

  ```bash
  uv sync
  ```

- Run database migrations:

  ```bash
  uv run alembic upgrade head
  ```

- Start the backend server:

  ```bash
  uv run uvicorn main:app --reload
  ```

  The API will be available at http://localhost:8000.
## Frontend Setup

- Navigate to the `frontend` directory:

  ```bash
  cd frontend
  ```

- Create your environment variables file based on the example:

  ```bash
  cp .env.example .env
  ```

  Add your `VITE_CLERK_PUBLISHABLE_KEY` here.

- Install dependencies:

  ```bash
  npm install
  ```

- Start the development server:

  ```bash
  npm run dev
  ```

  The UI will be accessible at http://localhost:5173.
## Usage

- Log In: Access the frontend application and authenticate using Clerk.
- Initiate Scan: Provide a local repository path to the application to begin a security scan.
- Monitor Progress: The dashboard will stream real-time updates as the backend runs code parsing, Semgrep rules, and AI evaluations.
- Review Report: Once complete, review the comprehensive vulnerability report, check the priority scores, and begin remediation based on the provided fixes.