Spaces:
Running on Zero
A newer version of the Gradio SDK is available: 6.20.0
title: Adversarial SAST
emoji: 🛡️
colorFrom: red
colorTo: gray
sdk: gradio
sdk_version: 6.19.0
python_version: '3.12'
app_file: app.py
pinned: true
license: mit
short_description: Adversarial SAST — false positives die on screen
🛡️ Adversarial SAST — the false positive dies on screen
LLM security review has one fatal flaw: noise. Ask a model to "find the vulnerabilities" and it flags SQL injections on already-parameterized queries, XSS on dead code, bugs that aren't reachable. The real findings drown in false positives, and you learn to ignore all of them.
This Space fixes that with a two-stage adversarial pass:
- Detect — a code model lists candidate vulnerabilities, deliberately broad.
- Refute — for each candidate, a skeptical pass tries to break it: is there a concrete input that exploits it, or is it neutralized (validated input, dead code, a guard)?
What survives the attack is real. Confirmed findings come with a proof-of-concept; everything refuted is dropped.
The toggle is the demo
Verify OFF shows the raw detector — a long list, false positives included. Verify ON runs the
refutation and the noise dies on screen. The default example hides one false positive (a SELECT
built from a value already cast to int) right next to a real bug (a shell command built from raw
input): only the real one survives, with its PoC.
How it works
- Snippet tab — Qwen2.5-Coder-7B-Instruct
on ZeroGPU (H200), with Outlines constraining the
output to a JSON schema (
Candidate/Verdict) — always machine-readable. - Whole-repo, split by model size, both via HF Inference — detection on
Qwen3-Coder-480B-A35B-Instruct: a
whole-file view follows a long source→sink data-flow (an injection can be ~200 lines from its
sink) the small model misses. Refutation on Qwen2.5-Coder-32B over a bounded, line-numbered
window around each candidate: it must credit real sanitization (prepared statements, allow-lists,
casts) to drop false positives — a 7B refuter can't and confirms almost everything — while not being
fooled by
file_exists/issetguards (which don't stop an LFI). Both stages off-GPU, so a whole-repo scan has no length limit.
Paste any snippet, pick the language, audit. All example code is fictional and intentionally vulnerable — it's the test set. This is a defensive / educational demo, not a production scanner.
About
Built by Ferr0 — infra-minded AI: local LLM inference, structured generation & tool-calling, offline RAG, defensive AI security. More at pixelium.win · GitHub.
License: MIT.