Requirements

  • Node.js 20+
  • An agent provider — required for AI and Hybrid checks (not for Static checks). Either an Anthropic API key for the default claude-code provider, or OpenCode for the opencode provider, which supports 75+ LLM providers, including some free options.
  • Semgrep Community Edition — required for Hybrid and Static check modes.
  • OpenAnt (optional) — supported as an alternative discovery method.

Install

OWASP AGHAST is distributed via the owasp-aghast/aghast GitHub repository.

git clone https://github.com/owasp-aghast/aghast.git
cd aghast
npm install

Refer to the repository README for current install instructions, supported Node versions, and the latest CLI flags — those are kept authoritative in the repo rather than mirrored here, so they don’t drift out of date.

Three modes of operation

OWASP AGHAST supports three check modes — pick the right one for each check:

  • Static Checks — direct rule-based discovery with no AI involvement; needs Semgrep but no agent provider. Use this when a static rule alone can decide the question.
  • Hybrid Checks — static discovery pinpoints the code locations that matter, then the AI analyzes only those; needs both Semgrep and an agent provider. The sweet spot for most use cases, because the LLM judges a small, relevant slice of the codebase rather than all of it.
  • AI Checks — your own LLM examines the whole repository against your custom security instructions, analyzing the full codebase for the issues you define; needs an agent provider but not Semgrep. Use this when there is no static pattern to anchor the question on.

Define your first custom check

The strength of OWASP AGHAST is that checks are organization-specific, not generic vulnerability patterns. Common starting points:

  • “Has our custom authorization mechanism been used correctly and consistently?”
  • “Are API endpoints returning a wider data set than the caller actually needs?”
  • “Has our custom business verification been implemented correctly?”

See the examples folder in the repo for working configuration files.
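To make the division of labour between the static and AI halves of a Hybrid check concrete, here is an added illustration of the first starting point above (“has our custom authorization mechanism been used correctly and consistently?”). This is example code written for this page, not OWASP AGHAST’s own implementation and not its configuration format; the Express router in SAMPLE_SOURCE and the organisation’s requireRole() middleware are constructed assumptions. The static step (the part Semgrep would do in a real check) locates every route registration and decides on its own that a route with no requireRole() at all is a finding; routes that do carry the mechanism still need judgement about whether the role is the right one, so they are handed to the AI step together with the organisation’s policy text.

```javascript
// Added illustration, not OWASP AGHAST code: a minimal "hybrid check" pipeline.
// Step 1 (static discovery) finds every Express route registration and records
// whether it carries the organisation's hypothetical requireRole() middleware.
// Step 2 (AI hand-off) packages only the routes that need judgement into a
// review prompt. Everything below is constructed for the example.

// Constructed sample target: one route has no authorization middleware at all,
// and one admin route uses a role that is almost certainly too weak.
const SAMPLE_SOURCE = `
const router = require('express').Router();
router.get('/api/orders', requireRole('user'), listOrders);
router.delete('/api/admin/users/:id', requireRole('user'), deleteUser);
router.post('/api/export', exportAllCustomers);
module.exports = router;
`;

// Hypothetical organisation policy text that the AI step would be given.
const ADMIN_POLICY =
  'Policy: every route under /api/admin must use requireRole("admin"). ' +
  'Flag any route whose role is weaker than its path implies.';

// Matches app.<verb>(...) or router.<verb>('<path>', ...args) on one line.
// Groups: 1 = HTTP verb, 2 = quote char, 3 = path, 4 = remaining arguments.
const ROUTE_RE = /\b(?:app|router)\.(get|post|put|patch|delete)\(\s*(['"`])([^'"`]+)\2\s*,([^;]*)\)/;
// Matches requireRole('<role>') anywhere in the argument list (group 2 = role).
const ROLE_RE = /requireRole\(\s*(['"`])([^'"`]+)\1\s*\)/;

// Static discovery: one finding per route, with file:line so a later step
// (or a human) can jump straight to it.
function discoverRoutes(source, file = 'routes.js') {
  const findings = [];
  source.split('\n').forEach((line, idx) => {
    const m = ROUTE_RE.exec(line);
    if (!m) return;
    const role = ROLE_RE.exec(m[4]);
    findings.push({
      file,
      line: idx + 1,
      method: m[1].toUpperCase(),
      path: m[3],
      role: role ? role[2] : null,
      snippet: line.trim(),
    });
  });
  return findings;
}

// Static-only decision: a route with no requireRole() needs no AI at all;
// the rule alone is sufficient, which is what the Static mode is for.
function missingAuthz(findings) {
  return findings.filter((f) => f.role === null);
}

// Hybrid hand-off: routes that do use the mechanism are bundled with the
// organisation's instruction so the LLM assesses only those locations.
function buildReviewPrompt(findings, instruction) {
  const candidates = findings.filter((f) => f.role !== null);
  const body = candidates
    .map((f) => `${f.file}:${f.line} ${f.method} ${f.path} -> requireRole('${f.role}')\n    ${f.snippet}`)
    .join('\n');
  return { candidates, prompt: `${instruction}\n\nRoutes to assess:\n${body}` };
}

// Stand-alone demo over the constructed source.
const demoRoutes = discoverRoutes(SAMPLE_SOURCE);
console.log('static-only findings (no authz):', missingAuthz(demoRoutes).map((f) => `${f.method} ${f.path}`));
console.log(buildReviewPrompt(demoRoutes, ADMIN_POLICY).prompt);
```

The point of the split is cost and precision: the regex (a stand-in for a Semgrep rule here) can enumerate every route and catch the outright omission deterministically, while the question “is 'user' an acceptable role for DELETE /api/admin/users/:id?” depends on organisational context that only the policy text plus a model can weigh. A real check would use a proper Semgrep rule rather than a line-oriented regex, which misses multi-line registrations and middleware mounted with router.use().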

Help and feedback