Exploring AI-driven approaches to security auditing and code review
We're using this repository to discuss ideas, gather community input, and prototype approaches. Nothing here is production-ready yet.
This repository is a space for the Apache community to explore how AI agents might help with automated security auditing and code review. We're interested in questions like:
- How can agents help ASF projects achieve OWASP ASVS compliance?
- What existing tools work well, and where are the gaps?
- What should we build versus adopt?
We're gathering input, prototyping ideas, and working toward tooling that could benefit the broader Apache ecosystem. Your participation is welcome, whether that's joining the discussion, sharing experiences, or contributing code.
We're currently exploring several directions:
- ASVS Compliance Automation: Can agents help verify security requirements across codebases?
- Reducing Manual Overhead: How do we help teams maintain security without slowing development?
- Actionable Guidance: What does useful, prioritized remediation output look like?
- Reusable Patterns: What can we build once that benefits many ASF projects?
These are already available and we're assessing how well they fit our needs:
- GitHub Security Features: Dependabot, code scanning, secret scanning (already in use across ASF)
- OpenSSF Scorecard: Security health checks via CLI or GitHub Actions
- Alpha-Omega VEX: Agent-driven CVE analysis with call graphs (in pilot with Apache Solr)
- AI Alliance Gofannon: Agent builder for prototyping workflows
- Automated ASVS L1/L2 compliance verification
- Commit-level security review with agent assistance
- Prompt-based audit workflow configuration
- Integration patterns for CI/CD pipelines
We're using ASVS v5.0.0 as our reference standard, organized into categories like:
| Category | Focus Area |
|---|---|
| Server-Side Execution | Input validation, injection prevention |
| Cross-Site Scripting | Output encoding, DOM security |
| Weak Cryptography | Algorithm selection, key management |
| External Access | Network security, API protection |
| Credential Security | Authentication, session management |
| Denial of Service | Resource limits, rate limiting |
See docs/ASVS/ for our compliance tracking, research notes, and issue templates.
├── src/ # Prototypes and experimental implementations
├── docs/ # Research, proposals, and planning
│ └── ASVS/ # ASVS compliance tracking and analysis
├── util/ # Utility scripts for evaluation
└── examples/ # Sample configurations and workflows
Community feedback is encouraged! Whether you're an ASF committer, contributor, or just interested in security tooling:
-
Introduce yourself on the mailing list: Say hello at 📧 [[email protected]](mailto:[email protected] (Subscribe by sending an email with empty subject and body to [email protected] and replying to the automated response, per the ASF mailing list how-to)
-
Share ideas or file issues: Use GitHub Issues to ask questions, suggest approaches, or start a discussion
-
Try things out: Experiment with the tools we're evaluating and share what you learn
- How to contribute
- Prototypes welcome: Experimental code in
src/doesn't need to be polished - Documentation helps: Add research notes or proposals to
docs/ - Evaluate tools: Try existing tooling on your project and report back
Note: Please introduce yourself on the mailing list before submitting a PR; this helps us deter spam and means your contribution won't be overlooked.
This is tentative and will evolve based on community input.
- Gathering requirements and use cases
- Evaluating existing tools
- Identifying gaps and opportunities
- Experiment with agent-based approaches
- Build proof-of-concept integrations
- Test with real ASF codebases
- Trial with Apache Trusted Releases (ATR) and other willing projects
- Gather feedback and refine
- Determine what's worth building out further
- Mailing List: [email protected] (subscribe)
- Slack:
#tooling-discusson the ASF Slack - Issues: GitHub Issues
This project is licensed under the Apache License 2.0.
- Alpha-Omega Project: Improving OSS security
- OWASP ASVS: The security standard we're targeting
- OpenSSF Scorecard: Automated security health checks
- VEX: Automated CVE detection
- AI Alliance: Open AI innovation community
- Gofannon: Agent-building workflow
Part of the Apache Tooling Initiative. For more information about the ASF, visit https://www.apache.org/.