# DeepAudit — AI Multi-Agent Code Vulnerability Scanner

> DeepAudit is an open-source multi-agent system that automates code vulnerability discovery using LLMs, with automatic sandbox-based PoC verification and one-click report generation.

## Install

Save the content below to `.claude/skills/` or append to your `CLAUDE.md`:

# DeepAudit — AI Multi-Agent Code Vulnerability Scanner

## Quick Use

```bash
git clone https://github.com/lintsinghua/DeepAudit.git && cd DeepAudit
cp .env.example .env  # configure LLM keys
docker compose up -d
# Open http://localhost:3000 to start an audit
```

## Introduction

DeepAudit coordinates multiple AI agents that collaboratively analyze source code for security vulnerabilities. Each agent focuses on a different analysis dimension — pattern matching, data flow, taint tracking — and their findings are validated through automated sandbox PoC execution before being compiled into a report.

## What DeepAudit Does

- Runs multi-agent collaborative code audits across multiple programming languages
- Automatically generates and executes Proof-of-Concept exploits in a sandboxed environment
- Produces structured security reports with severity ratings and remediation guidance
- Supports private deployment with Ollama for air-gapped environments
- Provides a React-based web dashboard for managing audits and reviewing findings

## Architecture Overview

DeepAudit is built with a Python backend and React frontend, backed by Supabase for data persistence. The orchestration layer dispatches audit tasks to specialized agents that analyze code from different security perspectives. A sandbox engine runs generated PoC code in isolated containers to confirm exploitability. Results are aggregated, deduplicated, and presented in the dashboard with exportable reports.
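The sandbox isolation this page describes (ephemeral Docker containers, no network access, restricted filesystem mounts) can be checked from the host. The following is an added example, not DeepAudit's own code, that audits `docker inspect` JSON against those three properties; the container names, paths, and the reading of "ephemeral" as `AutoRemove` are assumptions.

```python
import json

# Constructed `docker inspect` output for two hypothetical sandbox containers;
# names, paths and values are illustrative, not taken from DeepAudit.
SAMPLE_INSPECT = json.loads("""
[
  {"Name": "/poc-ok",
   "HostConfig": {"NetworkMode": "none", "AutoRemove": true, "ReadonlyRootfs": true},
   "Mounts": [{"Type": "bind", "Source": "/srv/audit/target",
               "Destination": "/target", "RW": false}]},
  {"Name": "/poc-weak",
   "HostConfig": {"NetworkMode": "bridge", "AutoRemove": false, "ReadonlyRootfs": false},
   "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock",
               "Destination": "/var/run/docker.sock", "RW": true}]}
]
""")


def audit_container(info):
    """Return the isolation properties this container fails to meet."""
    host = info.get("HostConfig") or {}
    findings = []
    if host.get("NetworkMode") != "none":
        findings.append("network: mode is %r, expected 'none'" % host.get("NetworkMode"))
    # Assumption: "ephemeral" is implemented with --rm (AutoRemove).
    if not host.get("AutoRemove"):
        findings.append("ephemeral: AutoRemove is off, container persists after exit")
    if not host.get("ReadonlyRootfs"):
        findings.append("filesystem: root filesystem is writable")
    for mount in info.get("Mounts") or []:
        src = mount.get("Source", "")
        if src.endswith("docker.sock"):
            findings.append("mount: Docker socket exposed at %s" % mount.get("Destination"))
        elif mount.get("Type") == "bind" and mount.get("RW"):
            findings.append("mount: writable bind mount of %s" % src)
    return findings


def audit_all(containers):
    """Map each container name to its list of findings."""
    return {c.get("Name", "?").lstrip("/"): audit_container(c) for c in containers}


if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_INSPECT).items():
        print(name, "OK" if not findings else "FAIL")
        for finding in findings:
            print("  -", finding)
```

On a live host, pass it the output of `docker inspect <container>` parsed with `json.loads` in place of the constructed sample.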
## Self-Hosting & Configuration

- Deploy with Docker Compose; requires Docker and at least 4 GB RAM
- Set LLM provider keys in `.env` (supports OpenAI, Google Gemini, xAI, and Ollama)
- Configure target repositories via the web UI or API
- Sandbox execution runs in isolated Docker containers with network restrictions
- Reports export as PDF or Markdown for integration with existing security workflows

## Key Features

- Multi-agent architecture with specialized security analysis roles
- Automated PoC sandbox verification reduces false positives
- Supports local LLM deployment via Ollama for sensitive codebases
- One-click report generation with structured findings
- Open source under MIT license

## Comparison with Similar Tools

- **Semgrep** — rule-based static analysis; DeepAudit adds LLM reasoning for novel vulnerability patterns
- **SonarQube** — focuses on code quality and known patterns; DeepAudit targets unknown vulnerabilities
- **CodeQL** — query-based analysis requiring expertise; DeepAudit is accessible through natural language
- **Snyk** — dependency-focused scanning; DeepAudit analyzes custom application code

## FAQ

**Q: Which programming languages are supported?**
A: DeepAudit analyzes code in Python, JavaScript, TypeScript, Go, Java, C, and C++ with extensible language support.

**Q: Can I use local LLMs instead of cloud APIs?**
A: Yes. Configure Ollama as the LLM backend for fully private, air-gapped operation.

**Q: How does the PoC sandbox prevent escape?**
A: PoC code runs in ephemeral Docker containers with no network access and restricted filesystem mounts.

**Q: Is it suitable for CI/CD integration?**
A: The API supports triggering audits programmatically, but review findings manually before acting on them.

## Sources

- https://github.com/lintsinghua/DeepAudit

---

Source: https://tokrepo.com/en/workflows/deepaudit-ai-multi-agent-code-vulnerability-scanner-a2e4368f

Author: AI Open Source