izzy0101010101/ai-offensive-code-review

AI Offensive Code Review Pipeline

Attack surface mapping for security testers. Point it at a codebase and get:

Service inventory · Attack surface map · Data flow analysis · Security conditions · Attack POCs

Download example report (Juice Shop)


Why This Exists

Traditional scanners flood you with severity labels and verdicts without evidence. This maps the attack surface, traces data flows, and surfaces conditions worth investigating. You get file paths, line numbers, and preconditions to validate yourself.


Requirements

  • Claude Code CLI
  • Python 3.x (standard library only, no pip install needed)
  • Target repository cloned locally

Supported Projects

Works on any language Claude can read - JavaScript, TypeScript, Python, Go, Java, Rust, C#, Ruby, PHP, and more. No language-specific configuration needed.

Best suited for:

  • Web applications with HTTP entry points
  • Microservices and backend APIs
  • Anything with identifiable attack surface (routes, handlers, data flows)

Quick Start

git clone https://github.com/izzy0101010101/ai-offensive-code-review.git
cd ai-offensive-code-review
claude
run /offensive-review /path/to/target/repo

That's it. Wait for the pipeline to complete and open ai_artifacts/report.html.


Pipeline Flow

┌──────────────────────────────────────────────────────────────────────────────────────┐
│                              run /offensive-review                                    │
└──────────────────────────────────────────────────────────────────────────────────────┘
                                          │
                                          ▼
┌──────────┐   ┌──────────┐   ┌──────────┐   ┌──────────┐   ┌──────────┐   ┌──────────┐
│ Stage 0  │──▶│ Stage 1  │──▶│ Stage 2  │──▶│ Stage 3  │──▶│ Stage 4  │──▶│ Stage 5  │
│ Overview │   │ Services │   │  Entry   │   │  State & │   │ Findings │   │  Attack  │
│          │   │  & Deps  │   │  Points  │   │  Flows   │   │ (Leads)  │   │   POCs   │
└──────────┘   └──────────┘   └──────────┘   └──────────┘   └──────────┘   └──────────┘
                                                                                │
                                                                                ▼
                                                                      ┌─────────────────┐
                                                                      │  report.html    │
                                                                      └─────────────────┘

Run Stages Individually

Command               What it does
run /stage0           Application overview and architecture diagram
run /stage1           Inventory services and dependencies
run /stage2           Extract entry points (HTTP, queues, SDK)
run /stage3           Map state mutations and cross-service calls
run /stage4           Identify conditions requiring validation
run /stage5           Generate attack paths with code-specific POCs
run /generate-report  Generate HTML report from all artifacts

Output Structure

ai_artifacts/
├── stage0/
│   └── overview.md         # Application overview & architecture
├── stage1/
│   ├── services.csv        # Service inventory with path aliases
│   └── dependencies.csv    # External dependencies
├── stage2/
│   └── entry_points.csv    # All entry surfaces
├── stage3/
│   └── state_and_links.csv # State operations & cross-service links
├── stage4/
│   └── findings.csv        # Conditions for human validation
├── stage5/
│   └── attack_paths.md     # Verified attack chains with POCs
└── report.html             # Interactive HTML report

Project Structure

.claude/skills/       # Pipeline commands (stage0-5, offensive-review, generate-report)
scripts/
├── generate_report.py   # Builds HTML report from all artifacts
├── validate-csv.sh      # Validates CSV structure
└── init-review.sh       # Creates ai_artifacts directories
ai_artifacts/         # Output directory (gitignored)

Report Sections

Section       What It Shows
Overview      Application summary and architecture diagram
Services      Identified services/modules with entry files and build commands
Entry Points  HTTP routes, queues, WebSockets, SDK methods - your attack surface
Data Flows    State mutations, DB writes, cross-service calls - where data goes
Leads         Conditions worth investigating with preconditions and code locations
Attack Paths  Traced attack chains with working POCs based on actual code
Dependencies  External libraries and versions per service

Limitations

  • Token-heavy on large codebases
  • Expect false positives - human validation required

Permissions

This repo includes pre-configured permissions in .claude/settings.local.json so the pipeline runs without constant approval prompts.

Included permissions:

  • All pipeline skills (stage0-5, offensive-review, generate-report)
  • python3 for report generation
  • git clone for cloning target repos

To customize, edit .claude/settings.local.json or see the Claude Code documentation.
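
A pre-flight check for the pre-approved permissions, as an added example that is not part of this repository: it flags any allow rule in the settings file that goes beyond the three groups listed above. The `permissions.allow` layout and the `Skill(name)` / `Bash(prefix:*)` rule forms are assumptions about the file's contents, and the sample input is constructed.

```python
import json
import re

# Pipeline skills named in the README; anything else pre-approved deserves a look.
EXPECTED_SKILLS = {f"stage{i}" for i in range(6)} | {"offensive-review", "generate-report"}
# Shell command prefixes the README says are pre-approved.
EXPECTED_BASH_PREFIXES = ("python3", "git clone")

# Assumed rule shape: "Tool" or "Tool(specifier)".
RULE_RE = re.compile(r"^(?P<tool>[A-Za-z]+)(?:\((?P<spec>.*)\))?$")


def audit_allow_rules(settings_text):
    """Return (rule, reason) pairs for allow rules beyond what the README lists."""
    settings = json.loads(settings_text)
    allow = settings.get("permissions", {}).get("allow", [])
    unexpected = []
    for rule in allow:
        m = RULE_RE.match(rule)
        if not m:
            unexpected.append((rule, "unparseable rule"))
            continue
        tool, spec = m.group("tool"), (m.group("spec") or "")
        if tool == "Skill" and spec in EXPECTED_SKILLS:
            continue
        if tool == "Bash":
            # Assumed form "Bash(<command prefix>:*)"; a bare "Bash" has no prefix.
            cmd = spec[:-2] if spec.endswith(":*") else spec
            if cmd and any(cmd == p or cmd.startswith(p + " ") for p in EXPECTED_BASH_PREFIXES):
                continue
            unexpected.append((rule, "shell command not listed in README"))
            continue
        unexpected.append((rule, "tool or skill not listed in README"))
    return unexpected


# Constructed sample, not the repository's actual settings file.
SAMPLE = json.dumps({"permissions": {"allow": [
    "Skill(stage0)", "Skill(offensive-review)", "Bash(python3:*)",
    "Bash(git clone:*)", "Bash(curl:*)", "Bash", "WebFetch",
]}})

if __name__ == "__main__":
    for rule, reason in audit_allow_rules(SAMPLE):
        print(f"{rule}: {reason}")
```

To check a real checkout, pass the contents of .claude/settings.local.json to `audit_allow_rules` before starting the pipeline against a repository you do not control.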


Philosophy

This maps attack surface and gives you leads. It doesn't claim exploitability or assign severity - you validate the findings yourself.


Disclaimer

For authorized security testing and educational purposes only. Do not use on systems without permission. The authors are not responsible for misuse.

About

AI security review that maps attack surface and generates leads for humans to validate.
