explaingit

exocognosis/openmythos

0 · Python · Audience · ops/devops · Complexity · 4/5 · Active · License · Setup · hard

TLDR

Local-only code vulnerability scanner that combines Semgrep and Bandit with a 4-bit Qwen2.5-Coder model running on Apple MLX to triage findings offline.

Mindmap

mindmap
  root((openmythos))
    Inputs
      Source code directory
      Local Qwen model
      CLI flags
    Outputs
      JSON results
      HTML report
      SARIF for GitHub
    Use Cases
      Offline security scan
      Triage Semgrep findings
      CI SARIF upload
    Tech Stack
      Python
      Semgrep
      Bandit
      MLX
      PyTorch

Things people build with this

USE CASE 1

Scan a private codebase for vulnerabilities without sending source code to any cloud service

USE CASE 2

Triage Semgrep and Bandit findings with a local LLM that suggests a patch diff

USE CASE 3

Export results as SARIF and upload them to GitHub code scanning

USE CASE 4

Run a local Gradio dashboard for an interactive review of CWE-tagged findings

Tech stack

Python · Semgrep · Bandit · MLX · PyTorch · Qwen2.5-Coder · Gradio

Getting it running

Difficulty · hard · Time to first run · 1h+

First run downloads a 4.3 GB Qwen model from Hugging Face and is tuned for Apple Silicon GPUs via MLX.

MIT license, free to use, modify, and redistribute in commercial work as long as the copyright notice is kept.

In plain English

OpenMythos is a vulnerability scanner that runs entirely on your own computer. You point it at a code project on your disk and it tries to find security bugs without sending any of your source code to the cloud. The README emphasizes that nothing leaves the machine: no telemetry, no remote API calls. It is tuned for Macs with Apple Silicon chips (M1 through M4), although the basic detection step works on any computer that can run PyTorch.

The scanner runs in three tiers. Tier 1 is the real bug-finding step: it runs two established open-source static analysis tools, Semgrep and Bandit, against your code using a bundled rule set that covers common weakness categories such as command injection, cross-site scripting, SQL injection, hard-coded secrets, and weak cryptography across Python, JavaScript, TypeScript, C and C++, Go, and Java. Each finding is mapped to a CWE identifier and pinned to a line number.

Tier 3 is a Recurrent-Depth Transformer that ranks the findings. It loops more times on harder files and stops when its confidence stabilizes, so easy cases are cheap and ambiguous ones get more attention.

Tier 2 is the language-model step. A 4-bit quantized version of Qwen2.5-Coder-7B-Instruct runs locally on the Mac GPU through Apple's MLX framework. For each high-priority finding it produces a true-or-false-positive verdict, a short explanation of why the bug might be exploitable, and a small unified-diff patch you could apply. The README is explicit that this part is fallible and should be treated as an assistant's opinion, not as ground truth.

You install it by cloning the repository and running install.sh, then use the openmythos command-line tool to scan a directory. There are flags to skip the LLM step, cap how many findings get the expensive reasoning pass, and export results as JSON, HTML, or SARIF for GitHub code scanning. A local Gradio dashboard is available too. The model file is about 4.3 gigabytes and downloads from Hugging Face on first use; after that, everything runs offline. The project is MIT licensed.
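The SARIF export is the step that carries these CWE-tagged, line-pinned findings into GitHub code scanning. As an added example (not code from the OpenMythos project; the finding field names, the tool name and the sample findings are constructed for illustration), here is how a batch of Semgrep/Bandit-style findings can be shaped into a SARIF 2.1.0 document, including the rule-tag convention GitHub code scanning uses to display CWE ids and a tally that is worth checking before upload:

```python
"""Convert CWE-tagged static-analysis findings into a SARIF 2.1.0 document.

Added example, not code from the OpenMythos project. It assumes a simple
finding shape (tool, rule_id, cwe, severity, message, path, line) that a
Semgrep/Bandit wrapper might emit; the field names are illustrative.
"""
import json
from typing import Dict, List

# Constructed sample findings in the shape a Tier-1 wrapper might produce.
SAMPLE_FINDINGS: List[Dict] = [
    {"tool": "semgrep", "rule_id": "python.subprocess.shell-true", "cwe": 78,
     "severity": "HIGH", "path": "app/run.py", "line": 42,
     "message": "subprocess call with shell=True and a non-literal argument"},
    {"tool": "bandit", "rule_id": "B303", "cwe": 327,
     "severity": "MEDIUM", "path": "app/auth.py", "line": 17,
     "message": "Use of insecure MD5 hash function"},
    {"tool": "semgrep", "rule_id": "python.subprocess.shell-true", "cwe": 78,
     "severity": "HIGH", "path": "app/cron.py", "line": 9,
     "message": "subprocess call with shell=True and a non-literal argument"},
]

# SARIF result levels understood by GitHub code scanning.
_LEVELS = {"HIGH": "error", "MEDIUM": "warning", "LOW": "note"}


def cwe_tag(cwe: int) -> str:
    """GitHub code scanning reads CWE ids from rule tags of this form."""
    return f"external/cwe/cwe-{cwe:03d}"


def findings_to_sarif(findings: List[Dict], tool_name: str = "example-scanner") -> Dict:
    """Build one SARIF run: a deduplicated rules table plus one result per finding."""
    rules: Dict[str, Dict] = {}
    results = []
    for f in findings:
        # Prefix with the originating tool so Semgrep and Bandit rule ids cannot collide.
        rule_id = f"{f['tool']}/{f['rule_id']}"
        if rule_id not in rules:
            rules[rule_id] = {
                "id": rule_id,
                "shortDescription": {"text": f["message"]},
                "properties": {"tags": ["security", cwe_tag(f["cwe"])]},
            }
        results.append({
            "ruleId": rule_id,
            "level": _LEVELS.get(f["severity"].upper(), "warning"),
            "message": {"text": f"CWE-{f['cwe']}: {f['message']}"},
            "locations": [{
                "physicalLocation": {
                    # Paths relative to the repository root so GitHub can annotate them.
                    "artifactLocation": {"uri": f["path"], "uriBaseId": "%SRCROOT%"},
                    "region": {"startLine": int(f["line"])},
                }
            }],
        })
    return {
        "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
        "version": "2.1.0",
        "runs": [{
            "tool": {"driver": {"name": tool_name, "rules": list(rules.values())}},
            "results": results,
        }],
    }


def count_by_cwe(sarif: Dict) -> Dict[str, int]:
    """Tally results per CWE tag: a cheap sanity check before uploading."""
    run = sarif["runs"][0]
    rule_to_cwe = {
        r["id"]: next(t for t in r["properties"]["tags"] if t.startswith("external/cwe/"))
        for r in run["tool"]["driver"]["rules"]
    }
    counts: Dict[str, int] = {}
    for res in run["results"]:
        key = rule_to_cwe[res["ruleId"]]
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    doc = findings_to_sarif(SAMPLE_FINDINGS)
    print(json.dumps(doc, indent=2))
    print(count_by_cwe(doc))
```

Rules are emitted once per distinct rule id while every finding becomes its own result, which is what lets code scanning group repeated hits under one alert type; the severity-to-level mapping is deliberately conservative and falls back to "warning" for anything it does not recognise.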

Copy-paste prompts

Prompt 1
Install openmythos on my Apple Silicon Mac and scan a Python project, end to end
Prompt 2
Show me the bundled Semgrep rule set and how to add a custom rule for our internal API patterns
Prompt 3
Run a scan with the LLM step disabled and explain when that mode is preferable
Prompt 4
Wire openmythos into GitHub Actions and upload the SARIF output to code scanning
Prompt 5
Explain the Recurrent-Depth Transformer ranking step and how its confidence threshold is tuned

Generated 2026-05-22 · Model: sonnet-4-6 · Verify against the repo before relying on details.