Apache Tooling Agents

Exploring AI-driven approaches to security auditing and code review

We're using this repository to discuss ideas, gather community input, and prototype approaches. Nothing here is production-ready yet.

What This Is

This repository is a space for the Apache community to explore how AI agents might help with automated security auditing and code review. We're interested in questions like:

  • How can agents help ASF projects achieve security and other compliance?
  • What existing tools work well, and where are the gaps?
  • What should we build versus adopt?

We're gathering input, prototyping ideas, and working toward tooling that could benefit the broader Apache ecosystem. Your participation is welcome, whether that's joining the discussion, sharing experiences, or contributing code.

Projects

Automated OWASP ASVS compliance auditing for any GitHub-hosted codebase. An orchestration pipeline downloads source code, discovers the codebase architecture, runs per-requirement security analysis, and produces a consolidated report with GitHub issues. See the ASVS README for the full pipeline reference.

Automated scan of GitHub Actions workflows across an organization to identify security vulnerabilities in CI/CD pipelines, find publishing channels, and flag policy violations. See the GitHub Review README for agent details and check definitions.

Repository Structure

├── ASVS/                  # ASVS security audit pipeline
│   ├── agents/            # Pipeline agent code (6 agents)
│   ├── audit_guidance/    # Project-specific false positive guidance
│   └── reports/           # Audit output organized by project and commit
├── gha-review/            # GitHub Actions security review
│   ├── agents/            # Review pipeline agents (7 agents + tests)
│   └── reports/           # Review output
├── docs/                  # Platform documentation
│   ├── gofannon/          # Gofannon setup and agent development guide
│   └── how-to-contribute.md
└── util/                  # Utility scripts

Getting Involved

Community feedback is encouraged! Whether you're an ASF committer, contributor, or just interested in security tooling:

Join the Conversation

  1. Introduce yourself on the mailing list: Say hello at 📧 dev@tooling.apache.org (Subscribe by sending an email with empty subject and body to dev-subscribe@tooling.apache.org and replying to the automated response, per the ASF mailing list how-to)

  2. Share ideas or file issues: Use GitHub Issues to ask questions, suggest approaches, or start a discussion

  3. Try things out: Experiment with the tools we're evaluating and share what you learn

Contribute Code or Docs

  • How to contribute
  • Documentation helps: Add research notes or proposals to docs/
  • Evaluate tools: Try existing tooling on your project and report back

Note: Please introduce yourself on the mailing list before submitting a PR; this helps us deter spam and means your contribution won't be overlooked.

License

This project is licensed under the Apache License 2.0.

Part of the Apache Tooling Initiative. For more information about the ASF, visit https://www.apache.org/.
