OWASP Project

OWASP AGHAST

AI-Guided Hybrid Application Static Testing

Find the security issues that generic scanners miss.



What is OWASP AGHAST?

OWASP AGHAST is an open-source framework that combines static code discovery with AI-powered analysis to find codebase-specific and company-specific security issues.

Generic scanners catch generic bugs. But what about your custom authorization logic? Your business-specific validation rules? The security patterns unique to your organization? OWASP AGHAST is built to answer those questions — questions that require context about how things should work, not just what is technically vulnerable.

Three Operational Modes

AGHAST is a framework for orchestrating custom security checks against your codebase. Choose the right mode for each check:

  • Static Checks

    Traditional rule-based discovery whose findings are reported directly, with no AI involved, for when a static rule is all you need.

  • Hybrid Checks

    Static discovery tools pinpoint specific code locations, which are then independently analyzed by AI. The sweet spot for most use cases.

  • AI Scanning

    Your own LLM examines your repository against your custom security instructions, analyzing the full codebase for issues you define.

Example Questions OWASP AGHAST Can Answer

Unlike generic scanners that look for known vulnerability patterns, OWASP AGHAST helps you answer organization-specific questions such as:

  • Has our custom business verification been implemented correctly?
  • Has the company's custom authorization mechanism been used correctly and consistently?
  • Are API endpoints returning too wide a data set?
  • Are there places where our internal security patterns have been bypassed?
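As an added illustration (not code from the OWASP AGHAST project), here is what the static-discovery half of a hybrid check for the authorization question above could look like: a Semgrep rule that pinpoints every Flask-style route handler that lacks a hypothetical company-specific `@authorize(...)` decorator. The decorator name, the rule id and the `$APP.route` registration pattern are assumptions; how the rule and its matching AI instruction are wired into an AGHAST configuration is not shown, because this page does not document that format.

```yaml
# Added example: Semgrep rule for the discovery half of a hybrid check.
# Assumptions: handlers are registered with @<app>.route(...) and the company
# requires its own @authorize(...) decorator on every non-public endpoint.
rules:
  - id: acme-route-missing-authorize   # assumed rule id
    languages: [python]
    severity: WARNING
    message: >-
      Route handler $FUNC is registered with @$APP.route but carries no
      @authorize(...) decorator. Confirm this endpoint is meant to be public
      or that authorization is enforced inside the handler body.
    patterns:
      # Every function registered as a route ...
      - pattern: |
          @$APP.route(...)
          def $FUNC(...):
            ...
      # ... except those that already carry the company decorator.
      # Semgrep treats decorators like annotations, so other decorators on
      # the handler, in any order, do not prevent either pattern matching.
      - pattern-not: |
          @authorize(...)
          def $FUNC(...):
            ...
```

Run stand-alone with `semgrep --config rule.yml src/` to see which handlers it flags. The rule deliberately stops at "decorator missing": deciding whether a flagged handler is an intentionally public endpoint, or whether it performs an equivalent check inside its body, needs context a static rule cannot express. That judgement is what the AI half of a hybrid check is for, receiving each flagged location together with a natural-language description of how the company's authorization mechanism is supposed to be used.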

Key Features

  • Custom Security Rules

    Define checks tailored to your organization's specific security concerns — from custom authorization patterns to business logic validation — not just generic vulnerability classes.

  • No Codebase Modifications Required

    Works with your existing code as-is. No need to add annotations, modify source files, or build anything into your codebase.

  • Language Agnostic

    Instructions to the AI provider are written in natural language, and discovery uses a standard static rule language that works across programming languages, so AGHAST is not tied to any one language.

  • CI Pipeline Ready

    Designed from the start for automated CI pipelines with a simple install process, text-based configuration, and a single CLI call to run.

  • Pluggable Architecture

    Supports multiple discovery methods (Semgrep, OpenAnt, SARIF) and output formats (JSON, SARIF). Swap in different LLM providers or static analysis engines as needed.

  • Flexible Configuration

    Define checks per-codebase or use a central configuration for multiple codebases. One config file can drive CI jobs across your entire organization.

Getting Started

OWASP AGHAST requires Node.js 20+. AI and hybrid checks need an agent provider: either an Anthropic API key for the default claude-code provider, or OpenCode for the opencode provider, which supports 75+ LLM providers including some free options. Hybrid and static checks use Semgrep Community Edition for discovery; OpenAnt is supported as an alternative discovery method. Note that AI and hybrid checks send source code to whichever model provider you configure (the full codebase in AI scanning mode, the flagged locations in hybrid mode), so choose a provider whose data-handling terms suit the codebase you are scanning.

Head to the Get Started page for installation, configuration, and your first check — or jump straight into the code on GitHub.

Licensing

OWASP AGHAST is licensed under AGPL to keep it open and ensure improvements flow back to the community. For commercial licensing, professional support, or help implementing OWASP AGHAST, contact the project leaders via the OWASP project page.