adversarial-sast / README.md
Ferr0's picture
repo-audit: detection via HF Inference (Qwen3-Coder-480B), 7B keeps refutation
3255f2b verified
|
Raw
History Blame Contribute Delete
2.94 kB

A newer version of the Gradio SDK is available: 6.20.0

Upgrade
metadata
title: Adversarial SAST
emoji: 🛡️
colorFrom: red
colorTo: gray
sdk: gradio
sdk_version: 6.19.0
python_version: '3.12'
app_file: app.py
pinned: true
license: mit
short_description: Adversarial SAST  false positives die on screen

🛡️ Adversarial SAST — the false positive dies on screen

LLM security review has one fatal flaw: noise. Ask a model to "find the vulnerabilities" and it flags SQL injections on already-parameterized queries, XSS on dead code, bugs that aren't reachable. The real findings drown in false positives, and you learn to ignore all of them.

This Space fixes that with a two-stage adversarial pass:

  1. Detect — a code model lists candidate vulnerabilities, deliberately broad.
  2. Refute — for each candidate, a skeptical pass tries to break it: is there a concrete input that exploits it, or is it neutralized (validated input, dead code, a guard)?

What survives the attack is real. Confirmed findings come with a proof-of-concept; everything refuted is dropped.

The toggle is the demo

Verify OFF shows the raw detector — a long list, false positives included. Verify ON runs the refutation and the noise dies on screen. The default example hides one false positive (a SELECT built from a value already cast to int) right next to a real bug (a shell command built from raw input): only the real one survives, with its PoC.

How it works

  • Snippet tabQwen2.5-Coder-7B-Instruct on ZeroGPU (H200), with Outlines constraining the output to a JSON schema (Candidate / Verdict) — always machine-readable.
  • Whole-repo, split by model size, both via HF Inference — detection on Qwen3-Coder-480B-A35B-Instruct: a whole-file view follows a long source→sink data-flow (an injection can be ~200 lines from its sink) the small model misses. Refutation on Qwen2.5-Coder-32B over a bounded, line-numbered window around each candidate: it must credit real sanitization (prepared statements, allow-lists, casts) to drop false positives — a 7B refuter can't and confirms almost everything — while not being fooled by file_exists/isset guards (which don't stop an LFI). Both stages off-GPU, so a whole-repo scan has no length limit.

Paste any snippet, pick the language, audit. All example code is fictional and intentionally vulnerable — it's the test set. This is a defensive / educational demo, not a production scanner.

About

Built by Ferr0 — infra-minded AI: local LLM inference, structured generation & tool-calling, offline RAG, defensive AI security. More at pixelium.win · GitHub.

License: MIT.