Find security pitfalls fast: heuristics + local AI (StarCoder2‑3B). Optional Trivy. Local‑first, MIT.
If you like it, please ⭐ the repo — it helps a lot!
- Highlights
- Screenshots
- System Requirements
- Installation
- Quick Start
- Usage
- Settings
- Privacy
- Architecture
- Roadmap
- FAQ
- Contributing
- License
- 💻 Clean desktop GUI (CustomTkinter): Dashboard, Scan, Results
- 🧠 Heuristic scanning (regex-based):
  - Command exec: `subprocess(..., shell=True)`, `os.system(...)`
  - Dynamic code: `eval(...)`, `exec(...)`
  - Unsafe deserialization: `pickle.load(...)`, `yaml.load(...)` (without SafeLoader)
  - Weak crypto: `hashlib.md5`, `hashlib.sha1`, `DES`
  - Filesystem risks: `os.remove`, `os.unlink`, `shutil.rmtree`, writes via `open(..., w|a)`
  - Secrets (API key/secret/password/token), AWS AKIA
  - Network IOCs: `requests.*(http[s]://...)`, raw `socket`
- 🤖 Optional AI explanations (local): `bigcode/starcoder2-3b` via HF Transformers. Falls back to deterministic text if AI is unavailable.
- 🐳 Optional Trivy (Docker) for dependency vulnerabilities & secrets
- 📊 Dashboard: security score (severity-weighted), top risk categories, recent history (local)
- ✅ Cross-platform: Linux / Windows / macOS, Python 3.9+
- 🔓 MIT license
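As an added example (not the project's own code), here is a minimal regex-based heuristic pass of the kind described above, with the `yaml.load` without-SafeLoader distinction handled and a severity-weighted score; the rule set, weights, `Finding` type and the sample input are this example's own assumptions, not neuralscan's.

```python
import re
from dataclasses import dataclass

# Added example, not the project's own code: rule names, severity
# weights and the scoring scheme below are assumptions for illustration.
SEVERITY = {"high": 10, "medium": 5, "low": 2}

# (category, severity, compiled pattern), applied line by line
RULES = [
    ("command_exec", "high", re.compile(r"\bsubprocess\.\w+\([^)]*shell\s*=\s*True")),
    ("command_exec", "high", re.compile(r"\bos\.system\(")),
    ("dynamic_code", "high", re.compile(r"\b(eval|exec)\(")),
    ("unsafe_deserialization", "high", re.compile(r"\bpickle\.loads?\(")),
    # yaml.load is flagged only when no SafeLoader appears on the line
    ("unsafe_deserialization", "high", re.compile(r"\byaml\.load\((?!.*SafeLoader)")),
    ("weak_crypto", "medium", re.compile(r"\bhashlib\.(md5|sha1)\b")),
    ("filesystem", "medium", re.compile(r"\b(os\.(remove|unlink)|shutil\.rmtree)\(")),
    ("filesystem", "low", re.compile(r"\bopen\([^)]*[\"'][wa][\"']")),
    ("secrets", "high", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("network", "low", re.compile(r"\brequests\.\w+\(\s*[\"']https?://")),
]

@dataclass
class Finding:
    line: int
    category: str
    severity: str
    snippet: str

def scan_source(text: str) -> list[Finding]:
    """Run every rule over each line; one finding per (line, rule) hit."""
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        for category, severity, pat in RULES:
            if pat.search(line):
                findings.append(Finding(no, category, severity, line.strip()))
    return findings

def security_score(findings: list[Finding]) -> int:
    """100 minus the summed severity weights, floored at 0 (example scheme)."""
    return max(0, 100 - sum(SEVERITY[f.severity] for f in findings))

# Constructed sample input (not a real file); exercises the SafeLoader case.
SAMPLE = """\
import yaml, hashlib, subprocess
cfg = yaml.load(open("c.yml"), Loader=yaml.SafeLoader)   # safe: not flagged
raw = yaml.load(open("c.yml"))                           # flagged
subprocess.run(cmd, shell=True)
h = hashlib.md5(data).hexdigest()
out = open("report.txt", "w")
"""
```

Running `scan_source(SAMPLE)` yields four findings (lines 3 to 6) and `security_score` of 73 for this sample.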
- Python 3.9+
- A desktop environment with Tk available
- Optional: Docker (for Trivy integration)
Tip:
- Ubuntu/Debian: `sudo apt-get install -y python3-tk`
- macOS (Homebrew): `brew install tcl-tk` (run Python pointed at that Tk)
- Windows: Tk is usually bundled with the Python installer
Clone the repository:

```bash
git clone https://github.com/exiv703/neuralscan.git
cd neuralscan
```

Create and activate a virtual environment:

```bash
python -m venv .venv
# Linux/macOS
source .venv/bin/activate
# Windows
.venv\Scripts\activate
```

Upgrade pip and install dependencies:

```bash
pip install --upgrade pip
pip install -r requirements.txt
```

Optional — AI (PyTorch):

```bash
# Example CPU-only wheel
pip install torch --index-url https://download.pytorch.org/whl/cpu
```

Run the app:

```bash
python run.py
```
- Optional: start Docker daemon for Trivy integration (`docker info`)
- First AI/Trivy use may download a model/image (one-time)
- Open the app (`python run.py`).
- Go to “Scan” and select a file (.py, .js, .sh, Dockerfile).
- Results open automatically: findings, code snippets, explanations. Each finding shows its source: AI Analyzer | Heuristic/Fallback | Trivy.
- Dashboard → security score, top risk categories, recent history.
- AI Model: e.g., `bigcode/starcoder2-3b` (local AI explanations)
- Use Trivy: enable Docker-based dependency scanning
- Minimum scan time (ms): smoother UX pacing
- AI explanation detail: short | standard | deep
- Save scan history: keeps ~30 recent scans in `data/scan_history.json`
- Local-first: analysis runs on your machine.
- Network is used only to fetch the AI model or Trivy image on first use.
- Scan history is stored locally (`data/scan_history.json`) and is git-ignored.
- `gui/` — CustomTkinter UI
  - `gui/main.py` — main application (`App`), views, results rendering
  - `gui/theme.py` — theme and color tokens
- `scanner.py` — scanning logic (heuristics, optional AI/Trivy). AI explains only snippets flagged by heuristics; no full-file LLM pass by default.
- `utils/file_handler.py` — scan history I/O (`data/scan_history.json`, legacy migration)
- `run.py` — entry point
- `assets/` — icons, banner, screenshots
- Better accessibility (focus order, hints)
- Theming presets (compact/comfortable)
- Lightweight animations for transitions
- Pluggable rule packs per language
Ideas or PRs welcome!
- Do I need Torch? Only for AI explanations. The scanner works without it (deterministic fallback).
- Do I need Docker? Only for Trivy integration. Without Docker, the rest of the app still works.
- Windows/macOS support? Yes, if `tkinter` is available and deps install. On Linux ensure `python3-tk`.
- Fork the repo
- Create a feature branch
- Make changes and test
- Open a pull request
MIT — see LICENSE.