Analysis updated 2026-06-24
Scan a private codebase for vulnerabilities without sending source code to any cloud service
Triage Semgrep and Bandit findings with a local LLM that suggests a patch diff
Export results as SARIF and upload them to GitHub code scanning
Run a local Gradio dashboard for an interactive review of CWE-tagged findings
| exocognosis/openmythos | 0xhassaan/nn-from-scratch | a-little-hoof/dsr | |
|---|---|---|---|
| Stars | 0 | 0 | 0 |
| Language | Python | Python | Python |
| Setup difficulty | hard | moderate | hard |
| Complexity | 4/5 | 4/5 | 5/5 |
| Audience | ops devops | developer | researcher |
Figures from each repo's GitHub metadata at analysis time.
First run downloads a 4.3 GB Qwen model from Hugging Face and is tuned for Apple Silicon GPUs via MLX.
OpenMythos is a vulnerability scanner that runs entirely on your own computer. You point it at a code project on your disk and it tries to find security bugs without sending any of your source code to the cloud. The README emphasizes that nothing leaves the machine: no telemetry, no remote API calls. It is tuned for Macs with Apple Silicon chips (M1 through M4), although the basic detection step works on any computer that can run PyTorch. The scanner runs in three tiers. Tier 1 is the real bug-finding step: it runs two established open-source static analysis tools, Semgrep and Bandit, against your code using a bundled rule set that covers common weakness categories such as command injection, cross-site scripting, SQL injection, hard-coded secrets, and weak cryptography across Python, JavaScript, TypeScript, C and C++, Go, and Java. Each finding is mapped to a CWE identifier and pinned to a line number. Tier 3 is a Recurrent-Depth Transformer that ranks the findings. It loops more times on harder files and stops when its confidence stabilizes, so easy cases are cheap and ambiguous ones get more attention. Tier 2 is the language-model step. A 4-bit quantized version of Qwen2.5-Coder-7B-Instruct runs locally on the Mac GPU through Apple's MLX framework. For each high-priority finding it produces a true-or-false-positive verdict, a short explanation of why the bug might be exploitable, and a small unified-diff patch you could apply. The README is explicit that this part is fallible and should be treated as an assistant's opinion, not as ground truth. You install it by cloning the repository and running install.sh, then use the openmythos command-line tool to scan a directory. There are flags to skip the LLM step, cap how many findings get the expensive reasoning pass, and export results as JSON, HTML, or SARIF for GitHub code scanning. A local Gradio dashboard is available too. The model file is about 4.3 gigabytes and downloads from Hugging Face on first use, after that, everything runs offline. The project is MIT licensed.
Local-only code vulnerability scanner that combines Semgrep and Bandit with a 4-bit Qwen2.5-Coder model running on Apple MLX to triage findings offline.
Mainly Python. The stack also includes Python, Semgrep, Bandit.
MIT license, free to use, modify, and redistribute in commercial work as long as the copyright notice is kept.
Setup difficulty is rated hard, with roughly 1h+ to a first successful run.
Mainly ops devops.
This repo across BitVibe Labs
Verify against the repo before relying on details.