@mevichitra/abhay
v0.1.0
Published
Abhay: local ML-assisted code security scanner with remediation reports.
Maintainers
Readme
Abhay
Abhay is a local CLI security scanner for JavaScript, Python, and Java codebases. It combines deterministic security rules, a project-owned ML ranker, and local Ollama remediation generation.
Quick Start
npm install
npm run build
npm startThe default command starts an interactive scan and prompts for:
- repo/codebase path, relative or absolute
- output directory
- minimum severity
- whether to use Ollama remediation
For direct non-interactive scans:
node dist/cli.js scan <path-to-codebase> --out reports --no-llmRecommended remediation model:
ollama pull qwen2.5-coder:7bAbhay will fall back to authored remediation if Ollama is unavailable.
Package as a CLI
For the easiest local package:
npm install
npm packThat creates a tarball like abhay-0.1.0.tgz. Give that file to another user, then they can install it globally:
npm install -g ./abhay-0.1.0.tgz
abhayOr they can run a scan directly:
abhay scan . --out reports --no-llmFor npm registry distribution, publish the package after choosing an available package name:
npm publish --access publicIf abhay is already taken on npm, change the package name to a scoped name like @your-scope/abhay.
Commands
abhay
abhay scan [path] [--out reports] [--model qwen2.5-coder:7b] [--no-llm]
abhay train
abhay evaluateMake Targets
If make is available, these commands cover the normal workflow:
make install
make verify
make scan TARGET=<path-to-codebase>
make finetuneOn Windows without Make, use the equivalent npm scripts:
npm.cmd run verify
npm.cmd run scan:offline
npm.cmd run finetuneSubmission Notes
The custom model is named Abhay.
The dataset workflow generates curated vulnerable/safe pairs:
npm.cmd run data:buildIt writes:
data/training/security-train.jsonldata/training/security-validation.jsonldata/training/security-test.jsonldata/training/DATASET_CARD.md
For real-world data, import CodeXGLUE defect detection data:
npm.cmd run py:install
npm.cmd run data:import:hfThat writes normalized JSONL files under data/real-world. Use them for stronger generalization evidence:
npm.cmd run finetune:realThere are two model artifacts:
model/abhay-ranker.json: lightweight local fallback ranker trained by the TypeScript CLI.model/abhay-finetuned: real fine-tuned transformer artifact produced bytraining/finetune_abhay.py.
For submission, use the fine-tuning workflow in training/README.md. After that step, Abhay can accurately be described as a fine-tuned vulnerability classification model based on GraphCodeBERT.
The ranker is intentionally paired with static evidence. ML-only vulnerability detection has known generalization limits, so Abhay uses a hybrid design: rules identify concrete evidence, the custom model ranks confidence and priority, and the local code LLM generates remediation text.
