@bouncesecurity/aghast
v0.2.0
AI Guided Hybrid Application Static Testing
AI Guided Hybrid Application Static Testing (AGHAST) - ALPHA VERSION
Warning: AGHAST is in early alpha. APIs, CLI flags, configuration formats, and output schemas may change between releases without notice. Use in production CI/CD pipelines at your own risk.
An open source tool that combines static scanning rules with AI prompts to find code-specific and company-specific security issues.
Define static rules, security checks as markdown instructions, point AGHAST at a repo, and get structured results (JSON or SARIF).
What AGHAST Does
You can read the full background to this tool in our blog post here but, to cut to the chase, AGHAST uses three core mechanisms:
- Repository-wide AI analysis — let the LLM analyze the whole repo against your security check instructions
- Targeted checks — a pluggable discovery method (Semgrep rules, OpenAnt code units, or external SARIF findings) identifies specific code locations, then AI analyzes each independently. This is the sweet spot for most use cases
- Static checks — a discovery method (e.g., Semgrep) finds issues mapped directly to results with no AI involvement, for when a traditional static rule is all you need
The beauty of the approach is what you don't need:
- You don't need to modify the code
- You don't need to build something into the codebase
- You don't need to write code in the language of the codebase
All you need is:
- Access to the codebase
- An understanding of the problem you are trying to discover
- The ability to write some simple rules
There are almost certainly other ways of achieving this, but to our mind, this approach is both straightforward and deterministic.
Prerequisites
- Node.js 20+
- Semgrep Community Edition (LGPL-2.1, optional) — only needed for checks that use Semgrep discovery
- OpenAnt (Apache-2.0, optional) + Python 3.11+ — only needed for checks that use OpenAnt discovery
- Anthropic API key — for AI-based checks (not needed for static checks)
Installation
See the Getting Started Guide for full installation and setup instructions.
Quick Start
Set your API key, create a check, and run a scan:
export ANTHROPIC_API_KEY=your-api-key
aghast new-check --config-dir ./my-checks
aghast scan /path/to/target-repo --config-dir ./my-checks
See the Getting Started Guide for a full walkthrough.
Example Output
Results are structured JSON (or SARIF) with per-check status and detailed issues:
{
  "checks": [
    { "checkId": "aghast-api-authz", "checkName": "API Authorization Check", "status": "FAIL", "issuesFound": 1 },
    { "checkId": "aghast-sql-injection", "checkName": "SQL Injection Prevention", "status": "PASS", "issuesFound": 0 }
  ],
  "issues": [
    {
      "checkId": "aghast-api-authz",
      "checkName": "API Authorization Check",
      "file": "src/api/users.ts",
      "startLine": 45,
      "endLine": 52,
      "description": "Missing authorization check on DELETE endpoint.",
      "codeSnippet": "router.delete('/users/:id', async (req, res) => {"
    }
  ],
  "summary": {
    "totalChecks": 2,
    "passedChecks": 1,
    "failedChecks": 1,
    "flaggedChecks": 0,
    "errorChecks": 0,
    "totalIssues": 1
  }
}
Documentation
- Getting Started — installation, setup, and first scan
- Trying It Out — example checks walkthrough and first scan guide
- Scanning — scan command options, environment variables, output formats
- Creating Checks — scaffolding new security checks
- Configuration Reference — check schemas, check types, runtime config
- Development — setup, building, testing, releasing
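As an added example (not part of AGHAST itself), a small Node.js CI gate that consumes the JSON output format shown under Example Output: it recomputes the summary counts from the per-check entries and the issues list, fails closed if they disagree, and groups findings by file for review. The sample report is constructed to match the schema above; only the PASS and FAIL statuses shown on this page are assumed.

```javascript
// Constructed sample report mirroring the schema shown in "Example Output".
const sampleReport = {
  checks: [
    { checkId: "aghast-api-authz", checkName: "API Authorization Check", status: "FAIL", issuesFound: 1 },
    { checkId: "aghast-sql-injection", checkName: "SQL Injection Prevention", status: "PASS", issuesFound: 0 },
  ],
  issues: [
    {
      checkId: "aghast-api-authz", checkName: "API Authorization Check", file: "src/api/users.ts",
      startLine: 45, endLine: 52, description: "Missing authorization check on DELETE endpoint.",
      codeSnippet: "router.delete('/users/:id', async (req, res) => {",
    },
  ],
  summary: { totalChecks: 2, passedChecks: 1, failedChecks: 1, flaggedChecks: 0, errorChecks: 0, totalIssues: 1 },
};

// Recompute the counts the summary should carry from the checks and issues arrays
// and return the names of any fields that disagree (PASS/FAIL only, as documented).
function verifySummary(report) {
  const computed = {
    totalChecks: report.checks.length,
    passedChecks: report.checks.filter((c) => c.status === "PASS").length,
    failedChecks: report.checks.filter((c) => c.status === "FAIL").length,
    totalIssues: report.issues.length,
  };
  const mismatches = Object.keys(computed).filter((k) => report.summary[k] !== computed[k]);
  for (const c of report.checks) {
    const n = report.issues.filter((i) => i.checkId === c.checkId).length;
    if (n !== c.issuesFound) mismatches.push(`issuesFound:${c.checkId}`);
  }
  return mismatches;
}

// Gate decision: an internally inconsistent report fails closed; otherwise block
// when any check carries a status listed in blockOn (FAIL by default).
function shouldBlock(report, blockOn = ["FAIL"]) {
  if (verifySummary(report).length > 0) return true;
  return report.checks.some((c) => blockOn.includes(c.status));
}

// Group issues by file so a reviewer can open each affected file once.
function issuesByFile(report) {
  const byFile = {};
  for (const i of report.issues) {
    if (!byFile[i.file]) byFile[i.file] = [];
    byFile[i.file].push(`${i.startLine}-${i.endLine}: [${i.checkId}] ${i.description}`);
  }
  return byFile;
}

console.log(shouldBlock(sampleReport), issuesByFile(sampleReport));
```

Feed it the real scan output instead of `sampleReport` (for example via `JSON.parse` of the result file) and exit non-zero when `shouldBlock` returns true.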
Contributing
We welcome bug reports and feature requests via GitHub Issues. We are not currently accepting pull requests.
License
This project is licensed under the GNU Affero General Public License v3.0 or later.
Copyright (C) 2026 Bounce Consulting Ltd.
