CLI Tools · May 12, 2026 · 2 min read

OpenAnt — Verified Vuln Pipeline CLI (Go + Python)

OpenAnt is a defensive vulnerability discovery CLI: it parses a repo, analyzes findings, and runs verification steps so security output is evidence-backed.

Agent ready

Safe staging for this asset

This asset is staged first. The copied prompt tells the agent to inspect the staged files and ask before activating scripts, MCP config, or global config.

  • Policy: stage (stage only · 17/100)
  • Agent surface: Any MCP/CLI agent
  • Kind: CLI Tool
  • Install: Stage only
  • Trust: Established
  • Entrypoint: Asset

Safe staging command:

npx -y tokrepo@latest install e5430558-d51c-51a0-b969-a73f63fca6eb --target codex

Stages files first; activation requires review of the staged README and plan.

Intro

  • Best for: Teams who want a repeatable, evidence-first security pipeline instead of one-off assistant output
  • Works with: Go 1.25+ for the CLI; Python 3.11+ runtime; Anthropic API key required for analyze/verify/scan (per README)
  • Setup time: 15–30 minutes

Practical Notes

  • GitHub: 545 stars · 82 forks; pushed 2026-05-12 (verified via GitHub API).
  • README documents a full pipeline: parse → enhance → analyze → verify → report, plus one-shot scan --verify.
  • The CLI stores config under ~/.config/openant/ (0600 perms) and project data under ~/.openant/ (per README).

Main

How to use OpenAnt effectively (and safely):

  1. Treat it like a pipeline. Don’t skip straight to a report; run parse and enhance first so the later steps have context to work from.
  2. Make verification a gate, not a footnote. Anything that fails verify should be labeled “hypothesis” and triaged separately.
  3. Standardize language flags (-l go / -l python) and pin a commit (--commit <sha>) when you want reproducibility.
  4. Use project switch to manage multiple repos and keep a clean artifact trail per project.

The goal isn’t “more findings”; it’s fewer false positives and stronger evidence for the findings you keep.

FAQ

Q: Is it offensive or defensive? A: Defensive/research. The README’s legal notice says to scan only code you own or have permission to test.

Q: Why both Go and Python? A: Per README: the Go binary is the CLI front-end, while parsing/analysis/reporting code runs on Python 3.11+.

Q: What’s the fastest run mode? A: Use openant scan --verify for the full pipeline in one command once you’ve initialized the project.

Source & Thanks

  • Source: https://github.com/knostic/OpenAnt
  • License: Apache-2.0
  • GitHub stars: 545 · forks: 82
