Free & Open Source — Live on GitHub

AI security audits.
Free. Open source.

Clone the repo. Run /audit in Claude Code. Get real security findings in minutes. Five specialized agents for different project types.

98 findings across 3 projects with 108K+ GitHub stars. This is the same methodology.

Start auditing in 60 seconds.

Three commands. No config files. No accounts. No credit card.

01. Clone the repo

$ git clone https://github.com/sergey-ko/ai-sec.git

02. Open your project in Claude Code

Navigate to the project you want to audit.

03. Run the audit

$ /audit

Select your agent type and the AI handles the rest.

ai-sec audit
$ git clone https://github.com/sergey-ko/ai-sec.git
Cloning into 'ai-sec'...
$ cd ai-sec
# Open in Claude Code and run:
$ /audit
AI-Sec Select audit agent:
1. web-app — Full-stack web applications
2. api — REST/GraphQL APIs
3. ci-cd — CI/CD pipelines & workflows
4. infra — Infrastructure & cloud configs
5. mobile — Mobile applications
$ 1
AI-Sec Running web-app audit...
Architecture analysis complete
Auth flow mapping complete
OWASP Top 10 checks complete
── FINDINGS ─────────────────────────────────
CRITICAL 2 OTP secrets + Plaid tokens in plaintext
HIGH 5 Broken access control on API
MEDIUM 8 Missing input validation
Report: ./ai-sec-report.md

Five specialized agents.

Each agent is tuned for a specific project type, with tailored OWASP checks and architecture analysis.

web-app: Web Applications

Full-stack apps (Next.js, Rails, Django, etc.). Auth flows, session management, CSRF, XSS, IDOR, data exposure.

api: REST / GraphQL APIs

API endpoints, authentication, authorization, rate limiting, input validation, data serialization.

ci-cd: CI/CD Pipelines

GitHub Actions, GitLab CI, Jenkins. Secret leaks, injection, privilege escalation, supply chain.

infra: Infrastructure

Terraform, Docker, Kubernetes, cloud configs. Misconfigurations, exposed ports, IAM, network policies.

mobile: Mobile Apps

React Native, Flutter, Swift, Kotlin. Insecure storage, certificate pinning, API security, data leaks.

Real findings from real projects.

These are actual findings from our open-source audits of projects with 108K+ combined GitHub stars.

maybe-finance audit finding
# Real finding from maybe-finance (35K stars) audit:
CRITICAL OTP Secret Stored in Plaintext in Database
CVSS: 9.1 | OWASP: A02:2021 | CWE: CWE-312
Bank account credentials (routing numbers, account numbers,
API keys for financial providers) are stored in plaintext
configuration files accessible to the application runtime.
No encryption at rest, no secrets management.
Fix: Move credentials to a secrets manager (Vault, AWS
Secrets Manager). Never store financial credentials in
config files, environment variables, or source code.
CRITICAL

OTP Secret Stored in Plaintext in Database

CVSS: 9.1 | OWASP: V2.8.4 | CWE: CWE-312

maybe-finance (35K stars): The otp_secret column is stored as plaintext with no encryption. An attacker with database access can extract OTP secrets and generate valid TOTP codes, bypassing MFA for all users.

Fix: Add encrypts :otp_secret, deterministic: false to the User model. Rotate all existing secrets after deployment.

CRITICAL

Encryption Key Validation Commented Out in Production

CVSS: 8.8 | OWASP: V8.3.1 | CWE: CWE-327

Documenso (8K stars): The entire encryption key validation block is commented out. The application can start without encryption keys. Webhook endpoints can be spoofed without the secondary key.

Fix: Uncomment and enforce the validation. Add a startup check that fails hard if keys are missing or default.
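The two fixes above (encrypting the otp_secret column non-deterministically, and refusing to start without a valid encryption key), shown together as an added Ruby example that is not code from ai-sec, maybe-finance or Documenso. It uses plain OpenSSL in place of Rails' encrypts, and the variable name OTP_ENCRYPTION_KEY and the all-zero default key are assumptions made for the example.

```ruby
require "openssl"
require "base64"

# Added example, not project code: AES-256-GCM with a fresh random IV per write
# (non-deterministic, like `encrypts :otp_secret, deterministic: false`), plus a
# boot-time key check that fails hard instead of starting without a key.
KEY_ENV = "OTP_ENCRYPTION_KEY"            # hypothetical variable name
DEFAULT_KEY = ("\x00" * 32).b             # constructed stand-in for a shipped default

class MissingEncryptionKey < StandardError; end

# Startup check: absent, malformed, wrong-length or default keys all abort boot.
def load_encryption_key(env = ENV)
  raw = env[KEY_ENV].to_s
  raise MissingEncryptionKey, "#{KEY_ENV} is not set" if raw.empty?
  begin
    key = Base64.strict_decode64(raw)
  rescue ArgumentError
    raise MissingEncryptionKey, "#{KEY_ENV} is not valid base64"
  end
  raise MissingEncryptionKey, "#{KEY_ENV} must decode to 32 bytes" unless key.bytesize == 32
  raise MissingEncryptionKey, "#{KEY_ENV} is the default key" if key == DEFAULT_KEY
  key
end

# Encrypt one otp_secret value for storage. Returns "iv.tag.ciphertext" (base64),
# so the database row never holds the TOTP seed itself.
def encrypt_secret(key, plaintext)
  cipher = OpenSSL::Cipher.new("aes-256-gcm")
  cipher.encrypt
  cipher.key = key
  iv = cipher.random_iv                   # new IV each call: same seed, different ciphertext
  cipher.auth_data = ""
  ciphertext = cipher.update(plaintext) + cipher.final
  [iv, cipher.auth_tag, ciphertext].map { |b| Base64.strict_encode64(b) }.join(".")
end

# Decrypt a stored value; a modified ciphertext or tag raises OpenSSL::Cipher::CipherError.
def decrypt_secret(key, stored)
  iv, tag, ciphertext = stored.split(".").map { |s| Base64.strict_decode64(s) }
  cipher = OpenSSL::Cipher.new("aes-256-gcm")
  cipher.decrypt
  cipher.key = key
  cipher.iv = iv
  cipher.auth_tag = tag
  cipher.auth_data = ""
  cipher.update(ciphertext) + cipher.final
end
```

Rotating existing secrets after deployment, as the finding recommends, is still a separate step: re-encrypting old plaintext values does not help if they were already readable to anyone with database access.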

Free tool finds ~60-70%.

The open-source tool is genuinely useful on its own. Want the rest? Upgrade to SaaS or book consulting.

Capability                    | Open Source (free) | SaaS (coming soon) | Consulting
OWASP Top 10 checks           |                    |                    |
5 specialized agents          |                    |                    |
Full ASVS L2 (286 controls)   |                    |                    |
Deep architectural reasoning  | Basic              | Enhanced           | Deep
Reproduction steps            |                    |                    |
Expert review                 |                    |                    |
Compliance mapping            |                    |                    |
Coverage                      | ~60-70%            | ~80-90%            | 100%
Price                         | Free               | $299/mo            | From $3,500

Start auditing in 60 seconds.

Clone the repo, run /audit, and see what the AI finds. No account, no config, no credit card.

$ git clone https://github.com/sergey-ko/ai-sec.git