explaingit

exocognosis/openmythos

Analysis updated 2026-06-24

0PythonAudience · ops devopsComplexity · 4/5LicenseSetup · hard

TLDR

Local-only code vulnerability scanner that combines Semgrep and Bandit with a 4-bit Qwen2.5-Coder model running on Apple MLX to triage findings offline.

Mindmap

mindmap
  root((openmythos))
    Inputs
      Source code directory
      Local Qwen model
      CLI flags
    Outputs
      JSON results
      HTML report
      SARIF for GitHub
    Use Cases
      Offline security scan
      Triage Semgrep findings
      CI SARIF upload
    Tech Stack
      Python
      Semgrep
      Bandit
      MLX
      PyTorch
Click or tap to explore — scroll the page freely

Code map

Detail Auto

An interactive map of this repo's files and how they connect — its source is parsed live in your browser. Click Visualize to build it.

filefunction / class

What do people build with it?

USE CASE 1

Scan a private codebase for vulnerabilities without sending source code to any cloud service

USE CASE 2

Triage Semgrep and Bandit findings with a local LLM that suggests a patch diff

USE CASE 3

Export results as SARIF and upload them to GitHub code scanning

USE CASE 4

Run a local Gradio dashboard for an interactive review of CWE-tagged findings

What is it built with?

PythonSemgrepBanditMLXPyTorchQwen2.5-CoderGradio

How does it compare?

exocognosis/openmythos0xhassaan/nn-from-scratcha-little-hoof/dsr
Stars000
LanguagePythonPythonPython
Setup difficultyhardmoderatehard
Complexity4/54/55/5
Audienceops devopsdeveloperresearcher

Figures from each repo's GitHub metadata at analysis time.

How do you get it running?

Difficulty · hard Time to first run · 1h+

First run downloads a 4.3 GB Qwen model from Hugging Face and is tuned for Apple Silicon GPUs via MLX.

MIT license, free to use, modify, and redistribute in commercial work as long as the copyright notice is kept.

In plain English

OpenMythos is a vulnerability scanner that runs entirely on your own computer. You point it at a code project on your disk and it tries to find security bugs without sending any of your source code to the cloud. The README emphasizes that nothing leaves the machine: no telemetry, no remote API calls. It is tuned for Macs with Apple Silicon chips (M1 through M4), although the basic detection step works on any computer that can run PyTorch. The scanner runs in three tiers. Tier 1 is the real bug-finding step: it runs two established open-source static analysis tools, Semgrep and Bandit, against your code using a bundled rule set that covers common weakness categories such as command injection, cross-site scripting, SQL injection, hard-coded secrets, and weak cryptography across Python, JavaScript, TypeScript, C and C++, Go, and Java. Each finding is mapped to a CWE identifier and pinned to a line number. Tier 3 is a Recurrent-Depth Transformer that ranks the findings. It loops more times on harder files and stops when its confidence stabilizes, so easy cases are cheap and ambiguous ones get more attention. Tier 2 is the language-model step. A 4-bit quantized version of Qwen2.5-Coder-7B-Instruct runs locally on the Mac GPU through Apple's MLX framework. For each high-priority finding it produces a true-or-false-positive verdict, a short explanation of why the bug might be exploitable, and a small unified-diff patch you could apply. The README is explicit that this part is fallible and should be treated as an assistant's opinion, not as ground truth. You install it by cloning the repository and running install.sh, then use the openmythos command-line tool to scan a directory. There are flags to skip the LLM step, cap how many findings get the expensive reasoning pass, and export results as JSON, HTML, or SARIF for GitHub code scanning. A local Gradio dashboard is available too. The model file is about 4.3 gigabytes and downloads from Hugging Face on first use, after that, everything runs offline. The project is MIT licensed.

Copy-paste prompts

Prompt 1
Install openmythos on my Apple Silicon Mac and scan a Python project, end to end
Prompt 2
Show me the bundled Semgrep rule set and how to add a custom rule for our internal API patterns
Prompt 3
Run a scan with the LLM step disabled and explain when that mode is preferable
Prompt 4
Wire openmythos into GitHub Actions and upload the SARIF output to code scanning
Prompt 5
Explain the Recurrent-Depth Transformer ranking step and how its confidence threshold is tuned

Frequently asked questions

What is openmythos?

Local-only code vulnerability scanner that combines Semgrep and Bandit with a 4-bit Qwen2.5-Coder model running on Apple MLX to triage findings offline.

What language is openmythos written in?

Mainly Python. The stack also includes Python, Semgrep, Bandit.

What license does openmythos use?

MIT license, free to use, modify, and redistribute in commercial work as long as the copyright notice is kept.

How hard is openmythos to set up?

Setup difficulty is rated hard, with roughly 1h+ to a first successful run.

Who is openmythos for?

Mainly ops devops.

Open on GitHub → Explain another repo

This repo across BitVibe Labs

Verify against the repo before relying on details.