AI-powered security scanner and penetration testing tool. Upload your codebase, optionally point it at a live deployment, and get a consolidated security report.
- Static analysis — Gitleaks, Trivy, Bearer, and optionally Snyk run in parallel
- AI code review — Multiple LLMs review your code sequentially, each building on the previous reviewer's findings
- Penetration testing — AI agents combine source code knowledge with live HTTP probing to find and verify vulnerabilities
- Consolidated report — Findings are deduplicated, cross-referenced, and scored with a Vibe Score (0-100)
```bash
git clone https://github.com/systemaddict/mini-mythos.git && cd mini-mythos
docker compose up --build
```
Open http://localhost:8854; the settings page will guide you through configuration. The first build takes a few minutes.
All configuration is done from the Settings page (/setup). No files to edit.
You'll need:
- OpenRouter API key (required) — get one at openrouter.ai/keys. Set a credit limit on your key to control spending.
- AI models — pick a preset or add models manually. Model IDs are copied from openrouter.ai/models (e.g. `anthropic/claude-sonnet-4.6`).
- Snyk token (optional) — enables dependency scanning. Get one at app.snyk.io/account. Without it, the other three static tools and the AI review still run.
Settings are stored in `data/settings.json` and persist across restarts and updates. Because that file holds your API keys, keep it out of version control and restrict its file permissions.
| Preset | Models | Notes |
|---|---|---|
| Best (expensive) | Claude Opus 4.6 + GPT-5.4 | Most thorough, highest cost |
| Good (budget) | DeepSeek v3.2 + Kimi K2.5 | Good results, much cheaper |
Upload a ZIP of your code. The scanner runs static analysis tools and AI code review in parallel, then consolidates findings into a single report.
Enable "Penetration Test" alongside or instead of the security scan. Provide:
- Target URL — the public URL of the deployed application
- Test accounts (optional) — credentials for different roles (Admin, User, Guest, Manager). Each can have its own login URL if the admin panel is on a separate domain.
- Focus & notes (optional) — guide the pentest agents toward specific areas
The pentest agents read your source code to understand the application, then make live HTTP requests to find and verify vulnerabilities. When both modes are selected, security scan findings are fed to the pentest agents for context. Point the agents only at deployments you are authorized to test; they send real requests, so a staging environment is preferable to production.
The easiest way to get a clean ZIP:
- From GitHub/GitLab: use the "Download ZIP" button. It contains only files committed to the repository, so ignored directories such as `node_modules` and `.venv` are left out.
- From the command line:
```bash
git archive --format=zip --output=myproject.zip HEAD
```
Avoid zipping your project folder directly; it will include large directories (dependencies, build output, virtual environments) that aren't useful for analysis.
Past scans are available from the History page. Click any scan to view its results. Delete scans you no longer need — this removes the database record and any uploaded files.
For faster iteration without Docker:
```bash
./dev.sh
```
This starts the backend (:8000 with hot reload) and frontend (:5173 with HMR), checks for missing tools, and opens the browser. Static analysis tools are optional when running locally; the AI agents work without them.
All runtime data lives in the `data/` folder:
- `settings.json` — your configuration (API keys, model chain, etc.)
- `local.db` — scan history and results
- `session.key` — auto-generated session signing key
Back it up, move it, or delete it to start fresh. This folder is shared between Docker and local dev.
```bash
git pull
docker compose up --build -d
```
Your `data/` folder is untouched; only the application is rebuilt.
- Upload — ZIP of your source code
- Static analysis — up to 4 tools run in parallel:
  - Gitleaks — secrets (API keys, tokens, passwords)
  - Trivy — dependency CVEs, misconfigurations, secrets
  - Bearer — data flow analysis, injection sinks, SSRF
  - Snyk — dependency vulnerabilities (requires token)
- AI code review — LLM agents explore your code with tools (read files, search code) and report findings. Each subsequent model sees prior findings.
- Penetration test (optional) — AI agents combine code knowledge with live HTTP requests to test authentication, injection, XSS, SSRF, and authorization
- Consolidation — findings are deduplicated and scored
- Report — consolidated findings by severity with a Vibe Score
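The consolidation step can be illustrated with a small normalizer. The following is an added example, not the project's code: the finding records are constructed in an assumed simplified shape (source, file, line, category, severity) rather than the real output formats of Gitleaks, Trivy, Bearer or Snyk, and the scoring weights are an assumed stand-in, not the project's Vibe Score formula. It shows why deduplication has to happen before scoring: a secret flagged by two tools should count once, with both tools credited, rather than penalizing the score twice.

```python
"""Finding consolidation: added example, not mini-mythos's own code.

Records are constructed in an assumed normalized shape, not the real
output schemas of the static tools. SEVERITY_WEIGHT is an assumed
illustration, not the project's Vibe Score formula.
"""

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}
SEVERITY_WEIGHT = {"critical": 25, "high": 10, "medium": 4, "low": 1}  # assumed

# Constructed raw findings, as if emitted by three static tools and one AI reviewer.
RAW_FINDINGS = [
    {"source": "gitleaks", "file": "config/prod.env", "line": 3,
     "category": "hardcoded-secret", "severity": "high"},
    {"source": "trivy", "file": "config/prod.env", "line": 3,
     "category": "hardcoded-secret", "severity": "critical"},
    {"source": "bearer", "file": "app/db.py", "line": 42,
     "category": "sql-injection", "severity": "high"},
    {"source": "ai-review", "file": "app/db.py", "line": 42,
     "category": "sql-injection", "severity": "critical"},
    {"source": "trivy", "file": "requirements.txt", "line": 7,
     "category": "vulnerable-dependency", "severity": "medium"},
]


def dedupe(findings):
    """Merge findings that point at the same file, line and category.

    Keeps the highest severity any source reported and records every
    source that flagged the location, so the report can show cross-tool
    agreement. Result is sorted most severe first (stable within a tier).
    """
    merged = {}
    for f in findings:
        key = (f["file"], f["line"], f["category"])
        entry = merged.setdefault(key, {
            "file": f["file"], "line": f["line"], "category": f["category"],
            "severity": f["severity"], "sources": [],
        })
        if SEVERITY_RANK[f["severity"]] > SEVERITY_RANK[entry["severity"]]:
            entry["severity"] = f["severity"]
        if f["source"] not in entry["sources"]:
            entry["sources"].append(f["source"])
    return sorted(merged.values(), key=lambda e: -SEVERITY_RANK[e["severity"]])


def score(findings):
    """Assumed 0-100 score: start at 100, subtract a weight per finding, floor at 0."""
    penalty = sum(SEVERITY_WEIGHT[f["severity"]] for f in findings)
    return max(0, 100 - penalty)


def by_severity(findings):
    """Group consolidated findings by severity tier for the report."""
    groups = {tier: [] for tier in SEVERITY_RANK}
    for f in findings:
        groups[f["severity"]].append(f)
    return groups


if __name__ == "__main__":
    consolidated = dedupe(RAW_FINDINGS)
    for tier, items in by_severity(consolidated).items():
        for item in items:
            print(f"[{tier}] {item['file']}:{item['line']} {item['category']} "
                  f"(sources: {', '.join(item['sources'])})")
    print("raw score:", score(RAW_FINDINGS), "consolidated score:", score(consolidated))
```

Keying on file, line and category is deliberately coarse; a production consolidator would also fold near-duplicates (adjacent lines, the same dependency reported under different identifiers) before scoring.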
This project is inspired by SecurelyVibe and Keygraph.