Add VulnHawk - AI-powered code security scanner#1801
Open
momenbasel wants to merge 4 commits intoanalysis-tools-dev:masterfrom
Open
Add VulnHawk - AI-powered code security scanner#1801momenbasel wants to merge 4 commits intoanalysis-tools-dev:masterfrom
momenbasel wants to merge 4 commits intoanalysis-tools-dev:masterfrom
Conversation
VulnHawk is an AI-powered code security scanner (Python, MIT licensed) that uses LLMs to understand business logic and detect vulnerabilities like missing auth checks, IDOR flaws, and logic bugs. Supports Python, JavaScript/TypeScript, and Go. Multiple LLM backends (Claude, OpenAI, Ollama). Output formats: JSON, SARIF, Markdown.
There was a problem hiding this comment.
Pull request overview
Adds a new tool definition for VulnHawk to the repository’s static analysis/tools catalog so it can be rendered/consumed alongside existing linters and security scanners.
Changes:
- Introduces
data/tools/vulnhawk.ymldescribing VulnHawk (categories, tags, license, types, source, description).
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Comment on lines
+11
to
+14
| types: | ||
| - cli | ||
| source: 'https://github.com/momenbasel/vulnhawk' | ||
| description: >- |
There was a problem hiding this comment.
homepage appears to be a required field for tool entries (the renderer’s Entry/ParsedEntry structs require it). This new tool file only sets source, so CI/rendering will likely fail to deserialize the YAML. Add a homepage: URL (can be the project website or reuse the GitHub repo URL if there isn’t a separate homepage).
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What is VulnHawk?
I built VulnHawk to bridge the gap between pattern-matching SAST tools (Semgrep, CodeQL) and manual code review. Traditional scanners are great at finding known vulnerability patterns, but they struggle with business logic flaws -- things like inconsistent authorization across related endpoints, or subtle IDOR issues where object ownership checks are applied in some handlers but not others.
VulnHawk uses LLMs to actually understand what the code is doing: it cross-references auth patterns across endpoints, traces data flows through business logic, and flags inconsistencies that a regex-based approach would never catch.
Languages
Python, JavaScript/TypeScript, Go, Java, PHP, Ruby
Distribution
pip install vulnhawk(PyPI)Why add it here?
There are plenty of SAST tools on this list already, but very few that use AI to reason about code semantics rather than matching syntax patterns. VulnHawk fills that niche -- it is specifically designed to catch the classes of vulnerabilities that slip through conventional static analysis.
Checklist
data/tools/vulnhawk.yml