Configs · May 1, 2026 · 3 min read

DeepAudit — AI Multi-Agent Code Vulnerability Scanner

DeepAudit is an open-source multi-agent system that automates code vulnerability discovery using LLMs, with automatic sandbox-based PoC verification and one-click report generation.

Introduction

DeepAudit coordinates multiple AI agents that collaboratively analyze source code for security vulnerabilities. Each agent focuses on a different analysis dimension — pattern matching, data flow, taint tracking — and their findings are validated through automated sandbox PoC execution before being compiled into a report.

What DeepAudit Does

  • Runs multi-agent collaborative code audits across multiple programming languages
  • Automatically generates and executes Proof-of-Concept exploits in a sandboxed environment
  • Produces structured security reports with severity ratings and remediation guidance
  • Supports private deployment with Ollama for air-gapped environments
  • Provides a React-based web dashboard for managing audits and reviewing findings

Architecture Overview

DeepAudit is built with a Python backend and React frontend, backed by Supabase for data persistence. The orchestration layer dispatches audit tasks to specialized agents that analyze code from different security perspectives. A sandbox engine runs generated PoC code in isolated containers to confirm exploitability. Results are aggregated, deduplicated, and presented in the dashboard with exportable reports.

Self-Hosting & Configuration

  • Deploy with Docker Compose; requires Docker and at least 4 GB RAM
  • Set LLM provider keys in .env (supports OpenAI, Google Gemini, xAI, and Ollama)
  • Configure target repositories via the web UI or API
  • Sandbox execution runs in isolated Docker containers with network restrictions
  • Reports export as PDF or Markdown for integration with existing security workflows

Key Features

  • Multi-agent architecture with specialized security analysis roles
  • Automated PoC sandbox verification reduces false positives
  • Supports local LLM deployment via Ollama for sensitive codebases
  • One-click report generation with structured findings
  • Open source under MIT license

Comparison with Similar Tools

  • Semgrep — rule-based static analysis; DeepAudit adds LLM reasoning for novel vulnerability patterns
  • SonarQube — focuses on code quality and known patterns; DeepAudit targets unknown vulnerabilities
  • CodeQL — query-based analysis requiring expertise; DeepAudit is accessible through natural language
  • Snyk — dependency-focused scanning; DeepAudit analyzes custom application code

FAQ

Q: Which programming languages are supported? A: DeepAudit analyzes code in Python, JavaScript, TypeScript, Go, Java, C, and C++ with extensible language support.

Q: Can I use local LLMs instead of cloud APIs? A: Yes. Configure Ollama as the LLM backend for fully private, air-gapped operation.

Q: How does the PoC sandbox prevent escape? A: PoC code runs in ephemeral Docker containers with no network access and restricted filesystem mounts.
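The isolation properties named above and in the sandbox bullet under Self-Hosting (no network access, restricted filesystem mounts) are worth checking rather than assuming before trusting a sandbox verdict. The following is an added example, not DeepAudit's own code: a small Python linter over a Compose-style service definition. The service keys, image name, mount paths and limits are constructed assumptions for illustration, not taken from the project's real configuration.

```python
# Added example, not DeepAudit's own code: lint a Compose-style service
# definition for the isolation a PoC sandbox runner should have.
from typing import Any

# Constructed sample definitions; image name, keys and mount paths are
# assumptions for illustration, not the project's real config.
WEAK_SERVICE: dict[str, Any] = {
    "image": "poc-runner:latest",
    "volumes": ["/var/run/docker.sock:/var/run/docker.sock", "./target:/work"],
}

HARDENED_SERVICE: dict[str, Any] = {
    "image": "poc-runner:latest",
    "network_mode": "none",                 # PoC cannot reach anything
    "read_only": True,                      # immutable root filesystem
    "tmpfs": ["/tmp:size=64m"],             # bounded scratch space
    "cap_drop": ["ALL"],
    "security_opt": ["no-new-privileges:true"],
    "pids_limit": 256,                      # blunt fork-bomb style DoS
    "mem_limit": "512m",
    "volumes": ["./target:/work:ro"],       # code under test, read-only
}


def sandbox_findings(svc: dict[str, Any]) -> list[str]:
    """Return hardening gaps for one service; an empty list means it passes."""
    findings: list[str] = []
    if svc.get("network_mode") != "none":
        findings.append("network_mode is not 'none': PoC could reach the network")
    if svc.get("privileged"):
        findings.append("privileged: true disables container isolation")
    if not svc.get("read_only"):
        findings.append("root filesystem is writable (want read_only: true)")
    if "ALL" not in {c.upper() for c in svc.get("cap_drop", [])}:
        findings.append("capabilities not dropped (want cap_drop: [ALL])")
    if not any(o.startswith("no-new-privileges") for o in svc.get("security_opt", [])):
        findings.append("missing security_opt no-new-privileges")
    for key in ("pids_limit", "mem_limit"):
        if not svc.get(key):
            findings.append(f"no {key}: PoC can exhaust host resources")
    for vol in svc.get("volumes", []):
        parts = vol.split(":")
        mode = parts[2] if len(parts) > 2 else "rw"
        if parts[0].endswith("docker.sock"):
            findings.append(f"{vol}: Docker socket mounted, equivalent to root on host")
        elif mode != "ro":
            findings.append(f"{vol}: writable bind mount lets PoC writes reach the host")
    return findings


if __name__ == "__main__":
    for name, svc in (("weak", WEAK_SERVICE), ("hardened", HARDENED_SERVICE)):
        print(name, sandbox_findings(svc) or "OK")
```

Run it against the `services:` entries of a real compose file (loaded with a YAML parser) to get a per-service list of gaps before enabling PoC execution.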

Q: Is it suitable for CI/CD integration? A: The API supports triggering audits programmatically, but review findings manually before acting on them.
