DeepAudit:人人拥有的 AI 黑客战队,让漏洞挖掘触手可及。国内首个开源的代码漏洞挖掘多智能体系统。小白一键部署运行,自主协作审计 + 自动化沙箱 PoC 验证。支持 Ollama 私有部署 ,一键生成报告。支持中转站。让安全不再昂贵,让审计不再复杂。
6.6k
Stars
814
Forks
90
Open issues
15
Contributors
AI Analysis
DeepAudit is an open-source multi-agent AI system for automated code vulnerability detection and auditing, designed for DevSecOps workflows. It combines LLM-powered code analysis with sandbox PoC verification and supports private deployment via Ollama. Best suited for security teams, developers, and organizations seeking to automate security code review at scale without expensive commercial tools.
Inferred from signals mentioned in the README (tests, CI, type safety) — not a review of the actual code.
AI's overall editorial judgment — not an average of the bars above, can weigh other factors too.
Chinese-built multi-agent AI code auditing system claims 49 CVEs found, now open-sourced under AGPL
DeepAudit is a multi-agent AI system for automated source code vulnerability discovery, built primarily for the Chinese security research community. It orchestrates LLM-based agents to audit codebases, generate proof-of-concept exploits in a sandboxed environment, and produce structured reports. It supports Ollama for private/air-gapped deployment and integrates with GitHub, GitLab, and Gitea. The project claims its closed-source predecessor discovered 49 CVEs and 6 GHSA advisories across 17 open-source projects — a credible, verifiable claim given the public CVE records cited. Target users appear to be security researchers, CTF players, and enterprise teams in China seeking an accessible, self-hostable alternative to expensive commercial SAST/pentest tooling.
Created in September 2025, the project reached version 3.0.4 within roughly nine months, suggesting rapid iteration. It self-describes as China's first open-source multi-agent code vulnerability mining system, implying earlier closed-source internal use before the public release.
The project accumulated ~6,469 stars in under nine months, appearing on Trendshift trending lists. Growth was likely driven by the Chinese security community sharing it on platforms like Weibo, Zhihu, and WeChat groups. The CVE track record of its predecessor provided credibility that differentiated it from purely demo-stage AI security tools. Star velocity has slowed to ~29/week as of late June 2026, suggesting an early viral peak followed by normalization — a common pattern for Chinese-language OSS projects.
The CVE and GHSA records cited in the README are publicly verifiable on NVD and GitHub Security Advisories, providing indirect evidence that the underlying system produces real findings. However, adoption by third-party organizations or enterprises beyond the author's own research is not verified in the available metadata. Community fork activity (802 forks) suggests meaningful hands-on usage, not just passive interest.
Appears to use a FastAPI (Python 3.11+) backend with a React 18 / TypeScript frontend, based on README badges. The multi-agent system likely uses an orchestrator-worker pattern where specialized agents handle code parsing, vulnerability pattern detection, exploit generation, and report synthesis. Ollama integration suggests the LLM layer is abstracted to support swappable local models. Sandbox PoC validation implies some form of containerized execution environment, though implementation details are not verifiable from the README alone.
Not documented in README.
Last push was June 19, 2026 — five days before the evaluation date — indicating active, ongoing development. Version 3.0.4 within nine months suggests a rapid release cadence. The 802 forks indicate community engagement beyond passive interest. Active maintenance is confirmed; growth rate is slowing but the project is not stagnant.
ADOPT IF: you are a Chinese-language security researcher or small red team who wants an accessible, self-hostable AI auditing workflow with Ollama support and don't want to pay for commercial tooling — especially if you can tolerate LLM false positives and are willing to validate findings manually. AVOID IF: you need production-grade precision with auditable false-positive rates, operate in highly regulated environments where AGPL licensing creates IP concerns, or require mature CI/CD integration rather than a standalone audit tool. MONITOR IF: you are evaluating AI-assisted code review for your security pipeline but want to see whether the CVE discovery rate holds up as the open-source version matures and receives community scrutiny.
Independent dimensions
Mainstream potential
4/10
Technical importance
7/10
Adoption evidence
4/10
- AGPL-3.0 license may deter enterprise adoption or commercial integration, limiting the contributor base needed to sustain long-term quality.
- LLM-based vulnerability detection is inherently probabilistic; false-positive rates are not documented in the README, which may frustrate users expecting SAST-level precision.
- The 49 CVE claim is attributed to a closed-source predecessor version, not necessarily the open-source release — the open-source version's real-world effectiveness remains independently unverified.
- Dependency on external LLM APIs (with relay station support) or local Ollama models means audit quality is tightly coupled to the underlying model's capability, which varies widely by user configuration.
- The project appears to be primarily maintained by a single author or small team; bus-factor risk is not assessable from available metadata but is a common concern for solo-driven Chinese OSS projects.
DeepAudit is likely to remain a significant tool within the Chinese security research community and may expand its CVE track record with the open-source version. International adoption will likely be constrained by the Chinese-first documentation and niche positioning. The project may evolve toward a SaaS offering given its apparent commercial origins.
Newsletter
Get analyses like this every Monday
Free weekly digest of the most interesting open-source discoveries.
Languages
Information
- Language
- Python
- License
- AGPL-3.0
- Last updated
- 3d ago
- Created
- 10mo ago
- Analyzed with
- anthropic/claude-haiku-4-5
Stars over time
Contributors over time
Top 100 contributors only — repos with more will plateau at 100.
Open issues
Top contributors
Similar repos
sunmh207/AI-Codereview-Gitlab
An automated code review tool for GitLab that leverages large language models...
vercel-labs/deepsec
Deepsec is an agent-powered vulnerability scanner designed to find hard-to-find...
CuriousLearnerDev/Online_tools
A unified tool marketplace and automation platform designed for cybersecurity...
| Repository | Stars | Week Δ | Language | Score | Updated |
|---|---|---|---|---|---|
|
|
6.6k | +68 | Python | 7/10 | 3d ago |
|
|
1.7k | — | Python | 7/10 | 2w ago |
|
|
5.2k | — | TypeScript | 7/10 | 7h ago |
|
|
1.1k | — | Python | 6/10 | 1d ago |
|
|
1.8k | — | Python | 7/10 | 3d ago |
|
|
2k | — | Python | 8/10 | 9h ago |
Semgrep is a widely adopted static analysis tool with a large rule library and enterprise backing. DeepAudit uses LLM agents rather than pattern-matching rules, which may surface novel vulnerabilities Semgrep misses but also introduces higher false-positive risk and LLM inference cost. Semgrep has substantially broader enterprise adoption and multilingual support.
Also a Chinese-origin AI code review tool with ~8,580 stars. Open-code-review focuses on PR-level review integration (CI/CD pipelines), while DeepAudit targets deep security auditing with autonomous agents and PoC generation. Different workflow targets rather than direct substitutes.
CodeQL offers deep semantic analysis with a mature query language and GitHub integration. It is enterprise-grade but expensive and requires significant expertise. DeepAudit's LLM approach is more accessible to non-expert users but likely less precise on complex data-flow vulnerabilities where CodeQL excels.
Scanners-Box is a curated collection of security tools (~8,945 stars), not an integrated system. DeepAudit offers an integrated agentic workflow rather than a toolbox, making it more opinionated but easier to deploy end-to-end for users who want a single solution.
DeepCode-cli (~1,293 stars) appears to be a TypeScript CLI for code analysis. DeepAudit offers a full web UI, multi-agent orchestration, and sandbox PoC validation — a more complete product surface, though with correspondingly higher deployment complexity.



