# OpenAnt — Verified Vuln Pipeline CLI (Go + Python)

> OpenAnt is a defensive vulnerability discovery CLI: it parses a repo, analyzes findings, and runs verification steps so security output is evidence-backed.

## Install

Copy the commands below into your project:

## Quick Use

```bash
git clone https://github.com/knostic/OpenAnt.git
cd OpenAnt
# build the Go CLI from its own directory; the subshell keeps us at the repo root
(cd apps/openant-cli && make build)
# link the built binary onto PATH (path is relative to the repo root)
ln -sf "$(pwd)/apps/openant-cli/bin/openant" /usr/local/bin/openant
openant set-api-key
openant init -l go
openant scan --verify
```

## Intro

OpenAnt is a defensive vulnerability discovery CLI: it parses a repo, analyzes findings, and runs verification steps so security output is evidence-backed.

- **Best for:** Teams who want a repeatable, evidence-first security pipeline instead of one-off assistant output
- **Works with:** Go 1.25+ for the CLI; Python 3.11+ runtime; Anthropic API key required for analyze/verify/scan (per README)
- **Setup time:** 15–30 minutes

## Practical Notes

- GitHub: 545 stars · 82 forks; pushed 2026-05-12 (verified via GitHub API).
- README documents a full pipeline: `parse → enhance → analyze → verify → report`, plus one-shot `scan --verify`.
- The CLI stores config under `~/.config/openant/` (0600 perms) and project data under `~/.openant/` (per README).

## Main

How to use OpenAnt effectively (and safely):

1. Treat it like a **pipeline**. Don't skip straight to a report: run `parse` and `enhance` first so later steps have context.
2. Make verification a **gate**, not a footnote. Anything that fails `verify` should be labeled "hypothesis" and triaged separately.
3. Standardize language flags (`-l go` / `-l python`) and pin a commit (`--commit`) when you want reproducibility.
4. Use `project switch` to manage multiple repos and keep a clean artifact trail per project.

The goal isn't "more findings"; it's fewer false positives and stronger evidence for the findings you keep.

### FAQ

**Q: Is it offensive or defensive?**
A: Defensive/research.
The README's legal notice says to scan only code you own or have permission to test.

**Q: Why both Go and Python?**
A: Per README: the Go binary is the CLI front-end, while parsing/analysis/reporting code runs on Python 3.11+.

**Q: What's the fastest run mode?**
A: Use `openant scan --verify` for the full pipeline in one command once you've initialized the project.

## Source & Thanks

> Source: https://github.com/knostic/OpenAnt
> License: Apache-2.0
> GitHub stars: 545 · forks: 82

---

## Quick Use

```bash
git clone https://github.com/knostic/OpenAnt.git
cd OpenAnt
# build the Go CLI from its own directory; the subshell keeps us at the repo root
(cd apps/openant-cli && make build)
# link the built binary onto PATH (path is relative to the repo root)
ln -sf "$(pwd)/apps/openant-cli/bin/openant" /usr/local/bin/openant
openant set-api-key
openant init -l go
openant scan --verify
```

## Intro

OpenAnt is a defense-oriented vulnerability analysis CLI: it starts by parsing and enhancing a code repository, then analyzes and verifies, turning "findings" into a reproducible chain of evidence; the CLI is built in Go, and analysis/reporting run on Python 3.11+.

- **Best for:** Teams that want to turn security analysis into a repeatable pipeline rather than a one-off assistant answer
- **Works with:** The CLI needs Go 1.25+; the runtime needs Python 3.11+; analyze/verify/scan need an Anthropic API key (see README)
- **Setup time:** 15–30 minutes

## Practical Notes

- GitHub: 545 stars · 82 forks; last updated 2026-05-12 (verified via GitHub API).
- README gives the full pipeline: `parse → enhance → analyze → verify → report`, and a one-shot `scan --verify`.
- Config and data directories are clearly separated: `~/.config/openant/` (0600 permissions) + `~/.openant/` project workspace (see README).

## Main

A better (and safer) way to use OpenAnt:

1. Use it as a **pipeline**: run `parse` + `enhance` first so later steps have context; don't jump straight to the report.
2. Treat **verify as a gate**: results that fail verification count as "hypotheses" first; triage them separately and don't write them straight into conclusions.
3. When you need reproducibility, fix the language flag (`-l go` / `-l python`) and pin the version with `--commit`.
4. Use `project switch` for multiple projects so each repo's artifacts and evidence chain are stored separately.

The goal is not "more findings" but fewer false positives and stronger evidence.

### FAQ

**Is this an offensive or defensive tool?**
A: Defense-oriented/research. The README's legal notice requires scanning only code you own or are authorized to test.

**Why both Go and Python?**
A: Per README: Go handles the CLI; parsing/analysis/reporting run on Python 3.11+.

**What is the fastest way to run it?**
A: After initialization, run `openant scan --verify` to complete the pipeline in one command.

## Source & Thanks

> Source: https://github.com/knostic/OpenAnt
> License: Apache-2.0
> GitHub stars: 545 · forks: 82

---

Source: https://tokrepo.com/en/workflows/openant-verified-vuln-pipeline-cli-go-python
Author: Script Depot
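The Main section above (in both language versions) recommends running the stages in order and treating `verify` as a gate. As an added example that is not OpenAnt's own code and not from the page's source, here is a POSIX shell wrapper that does both: it first refuses to run if any file in the config directory (where the README says the API key lives with 0600 permissions) is readable by group or others, then runs the documented stages and only produces a `report` when `verify` succeeds. The stage names are the ones the pipeline above lists; that `init` accepts `--commit` and that the stages need no further arguments are assumptions of this wrapper, as is the `OPENANT` variable used to point it at a different binary.

```shell
#!/bin/sh
# Added example: gated wrapper around the OpenAnt pipeline (not OpenAnt's own code).
set -eu

OPENANT="${OPENANT:-openant}"   # assumption: lets a test substitute a stand-in command

# Return 0 if every regular file in the config dir (default ~/.config/openant)
# is owner-only (0600 or 0400); otherwise print the offenders and return 1.
# A group- or world-readable API-key file is the main thing this catches.
check_config_perms() {
  dir="${1:-$HOME/.config/openant}"
  [ -d "$dir" ] || return 0            # nothing stored yet, so nothing to leak
  bad=0
  for f in "$dir"/* "$dir"/.[!.]*; do  # include dotfiles; unmatched globs stay literal
    [ -f "$f" ] || continue
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")  # GNU stat, then BSD
    case "$mode" in
      600|400) ;;
      *) printf 'insecure mode %s on %s\n' "$mode" "$f" >&2; bad=1 ;;
    esac
  done
  return "$bad"
}

# Run the README's stages in order. verify is a gate: if it fails, report is
# skipped and the wrapper returns 2 so callers can route the findings to
# triage as "hypotheses" rather than conclusions.
# Assumption: init accepts --commit and the other stages need no extra args.
run_pipeline() {
  lang="$1"     # go | python
  commit="$2"   # git ref pinned for reproducibility
  "$OPENANT" init -l "$lang" --commit "$commit"
  "$OPENANT" parse
  "$OPENANT" enhance
  "$OPENANT" analyze
  if "$OPENANT" verify; then
    "$OPENANT" report
  else
    echo "verify failed: findings are hypotheses, not evidence; triage separately" >&2
    return 2
  fi
}

# Usage: ./openant-gate.sh go "$(git rev-parse HEAD)"
# Guarded so that sourcing the file (e.g. for tests) does not run the pipeline.
if [ "${1:-}" != "" ] && [ "${2:-}" != "" ]; then
  check_config_perms
  run_pipeline "$1" "$2"
fi
```

The permission check runs before anything that would send the key to the API, so a misconfigured config directory stops the run rather than surfacing later. The exit code 2 from `run_pipeline` is distinct from a stage crashing (which aborts under `set -e`), so a CI job can tell "verification rejected the findings" apart from "the tool failed".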