AGHAST

AI-Guided Hybrid Application Static Testing


You know what your key code security concerns are. But how do you check for them in a way that is automatable, repeatable and scalable? AGHAST is an open-source framework that lets you define and check for these concerns.

Custom Security Checks

Define logic tests specific to your codebase and organization, not just generic vulnerability patterns

Hybrid Analysis

Combine the efficient precision of static rules with the flexible intelligence of AI-powered code analysis

Open Source

Free to use, extend, and integrate into your existing security workflows


Find the issues that generic scanners miss

AGHAST is an open source framework that combines static code discovery with AI-powered analysis to find codebase-specific and company-specific security issues.

Generic scanners catch generic bugs. But what about your custom authorization logic? Your business-specific validation rules? The security patterns unique to your organization? AGHAST is built to answer those questions.

These are questions that require context about how things should work, not just what is technically vulnerable.


How It Works

AGHAST is a framework for orchestrating custom security checks against your codebase. It supports three modes of operation, allowing you to choose the right approach for each check:

Static Checks

Traditional rule-based discovery whose results are reported directly as findings, with no AI involvement, for when a static rule is all you need.

Hybrid Checks

Static discovery tools pinpoint specific code locations, and each location is then analyzed separately by the AI provider against the check's instructions. The sweet spot for most use cases.

AI Scanning

The configured LLM provider examines the whole repository against your custom security instructions, with no static discovery step, looking for the issues you define.
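The kind of codebase-specific check the static mode above is meant for, as an added illustration that is not AGHAST's own code or configuration format: a small Python checker that walks the parsed source of a constructed Flask-style module, treats any function carrying an `app.route`/`app.get`/... decorator as a route handler, reports those that lack the organization's (hypothetical) `require_permission` decorator unless they are explicitly marked with the (equally hypothetical) `public_endpoint` decorator, and emits the findings as a minimal SARIF 2.1.0 log of the sort the page lists as an output format. The rule identifier and sample module are made up for the example.

```python
"""Illustrative codebase-specific static check (added example, not AGHAST code).

Rule: every HTTP route handler must carry the organization's custom
authorization decorator, unless explicitly marked as a public endpoint.
The decorator names and the sample module below are constructed for the
illustration; swap in your own names.
"""
import ast
import json

# Constructed sample module, standing in for one file of the scanned codebase.
SAMPLE_SOURCE = '''\
from flask import Flask
from authz import public_endpoint, require_permission

app = Flask(__name__)

@app.route("/api/orders")
@require_permission("orders:read")
def list_orders():
    return []

@app.route("/api/admin/users", methods=["GET"])
def list_users():  # missing the org's authorization decorator
    return []

@app.get("/api/health")
@public_endpoint  # deliberately unauthenticated, so exempt from the rule
def health():
    return "ok"

def helper():  # plain function, not a route handler
    return 1
'''

ROUTE_DECORATORS = {"route", "get", "post", "put", "patch", "delete"}
REQUIRED_DECORATOR = "require_permission"   # hypothetical org-specific name
EXEMPTION_DECORATOR = "public_endpoint"     # hypothetical explicit opt-out
RULE_ID = "ORG-AUTHZ-001"                   # made-up rule identifier


def _decorator_names(func):
    """Bare names of a function's decorators: app.route(...) -> 'route'."""
    names = []
    for dec in func.decorator_list:
        target = dec.func if isinstance(dec, ast.Call) else dec
        if isinstance(target, ast.Attribute):
            names.append(target.attr)
        elif isinstance(target, ast.Name):
            names.append(target.id)
    return names


def find_unprotected_routes(source, path):
    """Discovery step: return (path, line, name) for each route handler
    that lacks REQUIRED_DECORATOR and is not marked EXEMPTION_DECORATOR."""
    findings = []
    for node in ast.walk(ast.parse(source, filename=path)):
        if not isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            continue
        names = _decorator_names(node)
        if not ROUTE_DECORATORS.intersection(names):
            continue  # not a route handler
        if REQUIRED_DECORATOR in names or EXEMPTION_DECORATOR in names:
            continue
        findings.append((path, node.lineno, node.name))
    return findings


def to_sarif(findings):
    """Static mode: map discovery results directly to a minimal SARIF 2.1.0 log."""
    results = [{
        "ruleId": RULE_ID,
        "level": "error",
        "message": {"text": f"route handler '{name}' lacks @{REQUIRED_DECORATOR}"},
        "locations": [{"physicalLocation": {
            "artifactLocation": {"uri": path},
            "region": {"startLine": line},
        }}],
    } for path, line, name in findings]
    return {
        "version": "2.1.0",
        "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
        "runs": [{
            "tool": {"driver": {"name": "example-authz-check", "rules": [{
                "id": RULE_ID,
                "shortDescription": {"text": "Route handlers must use the custom authorization decorator"},
            }]}},
            "results": results,
        }],
    }


if __name__ == "__main__":
    found = find_unprotected_routes(SAMPLE_SOURCE, "app/routes.py")
    print(json.dumps(to_sarif(found), indent=2))
```

Run stand-alone, it prints a SARIF log with one result, the unprotected `list_users` handler; `health` is skipped because it is explicitly marked public, and `helper` is ignored because it carries no route decorator. This is also the limit of a purely static check: it can confirm that the decorator is present, but not that `"orders:read"` is the right permission for that endpoint, which is exactly the kind of question the hybrid mode would hand to the AI for each discovered location.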


Example Questions AGHAST Can Answer

Unlike generic scanners that look for known vulnerability patterns, AGHAST helps you answer organization-specific questions such as:

  • Has our custom business verification been implemented correctly?
  • Has the company's custom authorization mechanism been used correctly and consistently?
  • Are API endpoints returning too wide a data set?
  • Are there places where our internal security patterns have been bypassed?


Key Features

No Codebase Modifications Required

Works with your existing code as-is. No need to add annotations, modify source files, or build anything into your codebase.

Language Agnostic

Checks are written as natural-language instructions for the AI provider plus discovery rules in a standard static rule language that works across programming languages, so AGHAST is not tied to the language of the codebase being scanned.

CI Pipeline Ready

Designed from the start for automated CI pipelines with a simple install process, text-based configuration, and a single CLI call to run.

Pluggable Architecture

Supports multiple discovery methods (Semgrep, OpenAnt, SARIF) and output formats (JSON, SARIF). Swap in different LLM providers or static analysis engines as needed.

Flexible Configuration

Define checks per-codebase or use a central configuration for multiple codebases. One config file can drive CI jobs across your entire organization.

Custom Security Rules

Define checks tailored to your organization's specific security concerns — from custom authorization patterns to business logic validation.


Getting Started

AGHAST requires Node.js 20+. Depending on the check modes you use, you will also need an Anthropic API key (for AI and hybrid checks) and/or Semgrep Community Edition (for hybrid and static checks). OpenAnt is supported as an alternative discovery method.

AGHAST is heavily used in our Repeatable, Scalable and Valuable Code Security Scanning training course, where you will get hands-on experience writing custom checks and applying AGHAST to real-world code security challenges.


Licensing

AGHAST is licensed under AGPL to keep it open and ensure improvements flow back to the community. If you are interested in commercial licensing, professional support, or help implementing AGHAST in your organization, get in touch.