Skip to content

shivamsaraswat/SeCoRA

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

18 Commits
.github
.github
 
 
examples
examples
 
 
src
src
 
 
.env.example
.env.example
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
requirements.txt
requirements.txt
 
 
setup.py
setup.py
 
 

Repository files navigation

SeCoRA (Secure Code Review AI Agent) 🛡️

Python 3.12+ License: MIT

An AI-powered tool for detecting and remediating security vulnerabilities in codebases. This tool uses advanced language models to perform static analysis, vulnerability chaining, and provide actionable security recommendations.

✨ Features

  • 🔍 AI-powered static analysis for security vulnerabilities
  • 🎯 Detection of OWASP Top 10 and SANS Top 25 vulnerabilities
  • ⛓️ Vulnerability chaining to identify interconnected risks (may not work perfectly)
  • 🛠️ Detailed remediation suggestions with secure code examples
  • 🐍 Support for Python code analysis (other languages need further testing)
  • ⚡ Real-time analysis via API endpoints
  • 📊 Comprehensive vulnerability reports with CVSS scoring

🚀 Prerequisites

  • Python 3.12 or higher
  • OpenAI API key
  • Anthropic API key

💻 Installation

  1. Clone the repository:
git clone https://github.com/shivamsaraswat/secora.git
cd secora
  1. Create a virtual environment and activate it:
python3 -m venv venv
source venv/bin/activate  # On Windows: venv\Scripts\activate
  1. Install dependencies:
pip3 install -r requirements.txt
pip3 install -e .  # Install package in development mode
  1. Set up environment variables:
cp .env.example .env
# Edit .env with your API keys

🔧 Usage

  1. Start the server:
python3 src/main.py
# OR
secora
  1. Access the API documentation at http://localhost:8000/docs

🌐 API Endpoints

  • POST /analyze/file: Analyze a single file for vulnerabilities
  • POST /analyze/repository: Analyze an entire git repository
  • GET /health: Health check endpoint

📝 Example Usage

import requests

# Analyze a single file
files = {'file': open('your_code.py', 'rb')}
response = requests.post('http://localhost:8000/analyze/file', files=files)
vulnerabilities = response.json()

# Analyze a repository
data = {
    'repository_url': 'https://github.com/username/repo',
    'branch': 'main',
    'scan_depth': 3
}
response = requests.post('http://localhost:8000/analyze/repository', json=data)
report = response.json()

⚙️ Configuration

Create a .env file with the following variables:

OPENAI_API_KEY=your_openai_key
ANTHROPIC_API_KEY=your_anthropic_key

⚠️ NOTE

  • This tool has been primarily tested with Python codebases. Support for other programming languages is under development and needs further testing.
  • Currently tested and compatible with OpenAI models including GPT o1-mini, 4o and 4o-mini.

🔮 Future Improvements

  • 🌍 Support for additional programming languages (Java, JavaScript, Go, etc.)
  • 🤖 Integration with more AI models and providers
  • 🤝 Integration with popular CI/CD platforms
  • 📈 Enhanced reporting
  • 🔍 Pull Request scanning with automated security reviews
  • 💬 Inline code comments for PR feedback

About

Secure Code Review AI Agent (SeCoRA) - AI SAST

github.com/shivamsaraswat/secora

Topics

code-review sast secure-code secure-code-review genai

Resources

Readme

License

MIT license
Activity

Stars

43 stars

Watchers

1 watching

Forks

3 forks
Report repository

Releases

No releases published

Contributors 2

  •  
  •  

Languages