the LLM vulnerability scanner
8.4k
Stars
1.1k
Forks
358
Open issues
30
Contributors
AI Analysis
garak is an LLM vulnerability scanner that probes large language models for security weaknesses including hallucination, data leakage, prompt injection, jailbreaks, and toxicity generation. It's a specialized red-teaming tool designed for security researchers, LLM developers, and organizations deploying generative AI systems who need systematic vulnerability assessment—not a general-purpose tool for casual LLM evaluation.
Inferred from signals mentioned in the README (tests, CI, type safety) — not a review of the actual code.
AI's overall editorial judgment — not an average of the bars above, can weigh other factors too.
NVIDIA's garak brings nmap-style vulnerability scanning to LLMs, probing for jailbreaks, toxicity, and prompt injection
garak is an open-source LLM security assessment tool that systematically probes language models for weaknesses: prompt injection, jailbreaks, hallucination, data leakage, toxicity, and more. It targets AI/ML engineers, security researchers, red-teamers, and compliance teams responsible for deploying LLMs in production. With 8,200+ stars, an academic paper (arXiv:2406.11036), CI across three OS platforms, and support for OpenAI, HuggingFace, AWS Bedrock, LiteLLM, and llama.cpp, it has established itself as the most visible dedicated LLM vulnerability scanner in the open-source ecosystem.
Created in May 2023 at the early peak of LLM deployment anxiety, garak was initially a research-oriented tool before NVIDIA formally adopted it. It has since grown into a structured framework with documented probes, detectors, and generators, and presented at DEF CON.
Growth was driven by the intersection of two trends: rapid enterprise LLM adoption and growing regulatory/compliance pressure around AI safety. DEF CON presentation, NVIDIA branding, and an academic paper gave it credibility beyond hobbyist tooling. The 92 stars in the last 7 days (as of June 2026) suggest continued steady interest rather than explosive viral growth.
garak has an arXiv paper, was presented at DEF CON, and is maintained under the official NVIDIA GitHub organization, suggesting institutional backing. PyPI download badges are displayed but absolute numbers are not cited in the README excerpt. Discord and community presence indicate active users, but documented production deployments at named organizations are not visible from available metadata. Adoption appears real but scale is not independently verified.
Appears to follow a plugin-style modular architecture with distinct layers for generators (model connectors), probes (attack vectors), and detectors (evaluators). This separation likely makes it extensible — adding a new LLM provider or probe type should not require touching core logic. REST API support and LiteLLM integration suggest broad connector coverage. Based on README, CLI is the primary interface.
CI workflows are documented for Linux, Windows, and macOS via GitHub Actions badges. This indicates tests exist across all three platforms, which is a meaningful maintenance signal. Exact coverage percentage is not documented in README.
Last push was June 24, 2026 — two days before the evaluation date. This indicates active, ongoing development. CI badges for three platforms suggest disciplined engineering practice. The project has a dedicated docs site (docs.garak.ai), a Discord community, and a Twitter presence, all suggesting sustained organizational investment rather than passive maintenance.
ADOPT IF: you are red-teaming LLMs before deployment, need systematic coverage of known attack classes (jailbreaks, prompt injection, toxicity), and want a CLI-driven, model-agnostic tool with active NVIDIA backing and a growing probe library. AVOID IF: you need runtime protection for a live production system (use a guardrails tool instead), or require enterprise SLA support — garak is open-source with community support only. MONITOR IF: you are building an AI governance or compliance workflow and want to track whether garak matures into a benchmark standard accepted by auditors and regulators.
Independent dimensions
Mainstream potential
7/10
Technical importance
8/10
Adoption evidence
5/10
- Probe coverage may lag behind novel jailbreak and attack techniques — adversarial LLM attacks evolve faster than most security tools can track.
- False confidence risk: passing garak's probe suite does not guarantee safety; it only tests what garak knows about. Organizations may over-interpret clean results.
- Dependency on NVIDIA's continued organizational commitment — if internal priorities shift, the pace of development could slow materially.
- No evidence in available metadata of standardized scoring or certification that compliance teams or regulators currently accept, limiting use in formal audit workflows.
- Scanning large models via commercial APIs can be costly; garak's exhaustive probe approach may generate significant API spend without fine-grained cost controls visible in the README.
garak is likely to become the de facto open-source baseline for LLM pre-deployment security assessments, especially as AI regulation matures. It may expand into CI/CD pipeline integration and broader agentic system testing over the next 12–18 months.
Newsletter
Get analyses like this every Monday
Free weekly digest of the most interesting open-source discoveries.
Languages
Information
- Website
- https://discord.gg/uVch4puUCs
- Language
- Python
- License
- Apache-2.0
- Last updated
- 2d ago
- Created
- 39mo ago
- Analyzed with
- anthropic/claude-haiku-4-5
Stars over time
Contributors over time
Top 100 contributors only — repos with more will plateau at 100.
Top contributors
Similar repos
Lazarus-AI/clearwing
Clearwing is a dual-mode offensive-security tool for autonomous vulnerability...
meta-llama/PurpleLlama
Purple Llama is Meta's umbrella project for tools and evaluations to assess and...
| Repository | Stars | Week Δ | Language | Score | Updated |
|---|---|---|---|---|---|
|
|
8.4k | +84 | Python | 8/10 | 2d ago |
|
|
3.2k | — | Python | 4/10 | 2d ago |
|
|
1k | — | Python | 8/10 | 19h ago |
|
|
4.3k | — | Python | 7/10 | 1w ago |
|
|
1.2k | — | Python | 7/10 | 4mo ago |
|
|
1.1k | — | Python | 8/10 | 12h ago |
llm-guard focuses on runtime guardrails and input/output filtering for deployed systems, while garak is a pre-deployment red-teaming and assessment tool. They are complementary rather than competing — garak finds the holes, llm-guard tries to patch them in production.
PurpleLlama is Meta's broader AI safety toolset including CyberSec Eval benchmarks. It targets similar concerns but is more benchmark-oriented and tied to Meta's model ecosystem. garak is more practitioner-facing, CLI-driven, and model-agnostic.
Microsoft's Python Risk Identification Toolkit for Generative AI covers similar red-teaming territory. Both are serious institutional efforts; garak has more public visibility and community tooling, PyRIT has deep integration with Azure AI. Head-to-head evidence is limited.
Giskard offers LLM testing and evaluation including vulnerability detection, but wraps it in a broader MLOps/testing platform. garak is narrower and more security-focused, closer to a dedicated offensive tool than a general QA framework.
This is a curated list/resource rather than a tool. Not a direct competitor but reflects the research community's activity in adjacent space. garak is an executable tool, not documentation.

