GitHub - BounceSecurity/aghast: AI Guided Hybrid Application Static Testing


Status: Beta | CI | License: AGPL v3 | OpenSSF Scorecard | OpenSSF Best Practices | By Bounce Security

Note: AGHAST is in beta and may have unexpected bugs. We follow semantic versioning — breaking changes to APIs, CLI flags, configuration formats, and output schemas will only occur in minor version bumps (0.x.0) until we reach 1.0.

You know what your key code security concerns are. But how do you check for them in a way that is automatable, repeatable and scalable? If generic SAST is doing this for you, feel free to stop reading now 😀.

For the rest of us, AGHAST is an open-source framework that lets you define and check for these concerns. It blends the advantages of static discovery and AI-powered analysis to efficiently find code-specific and company-specific security issues.

Define your checks, which repositories they relate to, and get accurate and structured results (JSON or SARIF).


What AGHAST Does

To cut to the chase, AGHAST uses three core mechanisms:

  • Repository-wide AI analysis — let the LLM analyze the whole repo against your security check instructions
  • Targeted checks — a pluggable discovery method (Semgrep rules, OpenAnt code units, or external SARIF findings) identifies specific code locations, then AI analyzes each independently. This is the sweet spot for most use cases
  • Static checks — a discovery method (e.g., Semgrep) finds issues mapped directly to results with no AI involvement, for when a traditional static rule is all you need

The beauty of the approach is what you don't need:

  • You don't need to modify the code
  • You don't need to build something into the codebase
  • You don't need to write code in the language of the codebase

All you need is:

  • Access to the codebase
  • An understanding of the problem you are trying to discover
  • The ability to write some simple rules

There are almost certainly other ways of achieving this, but to our mind, this approach is both straightforward and deterministic.

Prerequisites

  • Node.js 20+
  • Semgrep Community Edition (LGPL-2.1, optional) — only needed for checks that use Semgrep discovery
  • OpenAnt (Apache-2.0, optional) + Python 3.11+ — only needed for checks that use OpenAnt discovery
  • Anthropic API key — for AI-based checks (not needed for static checks)

Quick Start

See the Getting Started guide to install aghast and Trying It Out to run your first scan.

Example Output

Results are structured JSON (or SARIF) with per-check status and detailed issues:

{
  "checks": [
    { "checkId": "aghast-api-authz", "checkName": "API Authorization Check", "status": "FAIL", "issuesFound": 1 },
    { "checkId": "aghast-sql-injection", "checkName": "SQL Injection Prevention", "status": "PASS", "issuesFound": 0 }
  ],
  "issues": [
    {
      "checkId": "aghast-api-authz",
      "checkName": "API Authorization Check",
      "file": "src/api/users.ts",
      "startLine": 45,
      "endLine": 52,
      "description": "Missing authorization check on DELETE endpoint.",
      "codeSnippet": "router.delete('/users/:id', async (req, res) => {"
    }
  ],
  "summary": {
    "totalChecks": 2,
    "passedChecks": 1,
    "failedChecks": 1,
    "flaggedChecks": 0,
    "errorChecks": 0,
    "totalIssues": 1
  }
}
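As an added example that is not part of the AGHAST project: a small Node.js CI gate over the JSON shape above. It recounts the summary from the `checks` and `issues` arrays so a report whose summary disagrees with its body is rejected, blocks the build on FAIL or ERROR, and treats FLAGGED as a warning. The status values PASS, FAIL, FLAGGED and ERROR are an assumption inferred from the summary counters.

```javascript
// Added example, not AGHAST code. Only the fields shown in the README's
// sample output are used. Assumption: "status" is one of PASS, FAIL,
// FLAGGED or ERROR, matching the summary counters.

// Constructed sample, mirroring the README's example output.
const SAMPLE_OUTPUT = {
  checks: [
    { checkId: "aghast-api-authz", checkName: "API Authorization Check", status: "FAIL", issuesFound: 1 },
    { checkId: "aghast-sql-injection", checkName: "SQL Injection Prevention", status: "PASS", issuesFound: 0 },
  ],
  issues: [
    { checkId: "aghast-api-authz", checkName: "API Authorization Check", file: "src/api/users.ts",
      startLine: 45, endLine: 52, description: "Missing authorization check on DELETE endpoint.",
      codeSnippet: "router.delete('/users/:id', async (req, res) => {" },
  ],
  summary: { totalChecks: 2, passedChecks: 1, failedChecks: 1, flaggedChecks: 0, errorChecks: 0, totalIssues: 1 },
};

// Recompute the summary from the arrays, so a truncated or edited report
// cannot pass the gate merely because its summary block says so.
function recountSummary(report) {
  const byStatus = { PASS: 0, FAIL: 0, FLAGGED: 0, ERROR: 0 };
  for (const c of report.checks) {
    if (!(c.status in byStatus)) throw new Error(`unknown check status: ${c.status}`);
    byStatus[c.status] += 1;
    const n = report.issues.filter(i => i.checkId === c.checkId).length;
    if (n !== c.issuesFound) throw new Error(`${c.checkId}: issuesFound=${c.issuesFound} but ${n} issues listed`);
  }
  return { totalChecks: report.checks.length, passedChecks: byStatus.PASS, failedChecks: byStatus.FAIL,
           flaggedChecks: byStatus.FLAGGED, errorChecks: byStatus.ERROR, totalIssues: report.issues.length };
}

// Gate decision: FAIL and ERROR block (an ERROR means the check did not run,
// so its coverage is unknown); FLAGGED blocks only when failOnFlagged is set.
function gate(report, { failOnFlagged = false } = {}) {
  const recount = recountSummary(report);
  for (const [k, v] of Object.entries(recount)) {
    if (report.summary[k] !== v) throw new Error(`summary.${k}=${report.summary[k]} but recounted ${v}`);
  }
  const blocking = report.checks.filter(c =>
    c.status === "FAIL" || c.status === "ERROR" || (failOnFlagged && c.status === "FLAGGED"));
  // One line per issue in file:start-end form, convenient for CI annotations.
  const lines = report.issues.map(i => `${i.file}:${i.startLine}-${i.endLine} [${i.checkId}] ${i.description}`);
  return { block: blocking.length > 0, blockingChecks: blocking.map(c => c.checkId), lines };
}

console.log(JSON.stringify(gate(SAMPLE_OUTPUT), null, 2));
```

In a pipeline, load the real output with `JSON.parse(fs.readFileSync(path))` and set a non-zero exit code when `block` is true.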

Documentation

Contributing

Use GitHub Discussions for questions and ideas, and GitHub Issues for bug reports and feature requests. We are not currently accepting pull requests. See CONTRIBUTING.md for the current contribution policy.

License

This project is licensed under the GNU Affero General Public License v3.0 or later.

Copyright (C) 2026 Bounce Consulting Ltd.