VYPR Research · Published Jun 5, 2026 · 1 source

AgentGG: Open-Source SAST Scanner Leverages AI Agents for Smarter Code Analysis

AgentGG introduces an AI-driven approach to Static Analysis Security Testing (SAST), employing autonomous agents to reduce manual triage and improve accuracy in identifying code vulnerabilities.

Static Analysis Security Testing (SAST) tools have long been a staple of the developer's toolkit, but they tend to produce long reports of potential issues that take significant manual effort to validate. Addressing this problem, a new open-source project named AgentGG offers a SAST scanner that uses artificial intelligence agents to perform more targeted and accurate code analysis.

AgentGG distinguishes itself from conventional SAST solutions by employing AI agents that actively read and interpret source code. Instead of merely matching patterns against known vulnerabilities, these agents trace code imports, analyze call graphs, and critically, confirm findings before reporting them. This sophisticated approach aims to drastically reduce the manual triage burden on engineers, allowing them to focus on genuine security threats rather than sifting through false positives.

The architecture of AgentGG is built around self-contained agents, each defined as a markdown file with YAML frontmatter. This frontmatter specifies preconditions, target file patterns, and the instructions the agent must follow. The tool ships with over 100 official agents, which are downloaded from the agentgg-agents repository upon the first scan. Installation is straightforward, requiring Node.js 20 or later and a single global npm command.

During a scan, AgentGG operates in distinct phases. It begins with a rapid reconnaissance pass to survey the project, building an understanding of its structure, languages, and frameworks. This initial brief then guides the subsequent agent execution. Agents run in parallel, each acting as a specialized investigator that confirms a finding by following import paths and call chains before flagging it. An optional validation pass further scrutinizes the code associated with each finding, consulting a provided pentest scope to label issues as confirmed, false-positive, or out-of-scope. Finally, a scoring pass assigns a CVSS severity rating to each validated finding.

To keep scans efficient and focused, AgentGG incorporates a "tech gating" mechanism. The initial reconnaissance pass identifies the project's technologies, using marker files such as package.json or go.mod, and each agent's preconditions are checked against that inventory to decide whether it is relevant. For instance, an agent written for PHP will not run on a repository that clearly contains only Go code. Only pertinent agents are dispatched, which shortens scan times. The tool also has built-in resume support: it tracks which files have been scanned so that an interrupted scan can pick up where it left off, and unchanged files incur no cost on subsequent passes.
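The two mechanisms described above, agents defined as markdown files with YAML frontmatter and the tech-gating check that decides which of them run, can be modelled in a few dozen lines. The following is an added example written for this article, not AgentGG's own code: the frontmatter keys `name`, `requires` and `files`, the marker-file table and the sample agents are all assumptions, since the page does not document the real schema.

```javascript
// Added example (not AgentGG's own code): a minimal model of its "tech gating".
// The frontmatter keys below (`name`, `requires`, `files`) are hypothetical;
// the real AgentGG schema is not documented on this page.

// Parse a flat YAML subset: `key: value` pairs and `key:` followed by `- item` lists.
function parseFrontmatter(markdown) {
  const m = markdown.match(/^---\r?\n([\s\S]*?)\r?\n---/);
  if (!m) throw new Error('agent file has no YAML frontmatter');
  const meta = {};
  let list = null; // name of the list key currently being filled
  for (const raw of m[1].split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith('#')) continue;
    if (line.startsWith('- ') && list) { meta[list].push(line.slice(2).trim()); continue; }
    const i = line.indexOf(':');
    if (i < 0) throw new Error(`malformed frontmatter line: ${line}`);
    const key = line.slice(0, i).trim();
    const val = line.slice(i + 1).trim();
    if (val === '') { meta[key] = []; list = key; } else { meta[key] = val; list = null; }
  }
  return meta;
}

// Marker files the recon pass uses to infer a project's technologies (assumed table).
const MARKERS = { 'package.json': 'node', 'go.mod': 'go', 'composer.json': 'php' };

function detectTech(rootFiles) {
  return new Set(rootFiles.filter(f => f in MARKERS).map(f => MARKERS[f]));
}

// An agent's precondition holds when every technology it requires was detected.
function agentApplies(meta, tech) {
  return (Array.isArray(meta.requires) ? meta.requires : []).every(t => tech.has(t));
}

// Return the names of the agents that should run against the given repository root.
function selectAgents(agentFiles, rootFiles) {
  const tech = detectTech(rootFiles);
  return agentFiles.map(parseFrontmatter).filter(m => agentApplies(m, tech)).map(m => m.name);
}

// Constructed sample agents and repository listings (not from the real catalog).
const PHP_AGENT = `---\nname: php-sqli\nrequires:\n  - php\nfiles:\n  - "**/*.php"\n---\nTrace each $_GET/$_POST value to a mysqli_query call and confirm it is unparameterised.\n`;
const GO_AGENT = `---\nname: go-sqli\nrequires:\n  - go\n---\nFollow fmt.Sprintf results into database/sql Query calls.\n`;
const GO_ONLY_REPO = ['go.mod', 'go.sum', 'main.go', 'README.md'];
const MIXED_REPO = ['composer.json', 'package.json', 'index.php'];

console.log(selectAgents([PHP_AGENT, GO_AGENT], GO_ONLY_REPO)); // prints [ 'go-sqli' ]
```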

AgentGG integrates with several leading AI model providers, including Anthropic, OpenAI, Ollama, AWS Bedrock, and Google Vertex AI. Users can configure credentials through a setup wizard or supply them on the fly for CI/CD environments. The choice of model significantly affects detection: smaller models served through Ollama are effective for common vulnerabilities such as leaked secret keys and SQL injection, while more complex issues may require advanced "frontier" models. The project's lead maintainer, Philip Garabandic, notes that selecting the optimal model for a given bug class remains an active area of research.

Ensuring trust and reliability, the official agent catalog undergoes manual review, similar to how Nuclei manages its templates. Agents are sourced from this curated repository, and users can maintain a separate directory for custom agents. The optional validation phase, which re-evaluates findings, can be further refined by providing a pentest scope document. This feature has demonstrated measurable improvements, with benchmarks showing AgentGG identifying more bugs and fewer false positives compared to other tools when scope context is provided.

AgentGG is available for free on GitHub under the Apache 2.0 license, offering a powerful, AI-enhanced alternative for developers and security teams looking to streamline their SAST processes and improve the accuracy of their security testing.

Synthesized by Vypr AI