adversarial-sast / README.md
Ferr0's picture
repo-audit: detection via HF Inference (Qwen3-Coder-480B), 7B keeps refutation
3255f2b verified
|
Raw
History Blame Contribute Delete
2.94 kB
---
title: Adversarial SAST
emoji: 🛡️
colorFrom: red
colorTo: gray
sdk: gradio
sdk_version: "6.19.0"
python_version: "3.12"
app_file: app.py
pinned: true
license: mit
short_description: Adversarial SAST false positives die on screen
---
# 🛡️ Adversarial SAST — the false positive dies on screen
LLM security review has one fatal flaw: **noise**. Ask a model to "find the vulnerabilities" and it
flags SQL injections on already-parameterized queries, XSS on dead code, bugs that aren't reachable.
The real findings drown in false positives, and you learn to ignore all of them.
This Space fixes that with a **two-stage adversarial pass**:
1. **Detect** — a code model lists candidate vulnerabilities, deliberately broad.
2. **Refute** — for *each* candidate, a skeptical pass tries to **break it**: is there a concrete
input that exploits it, or is it neutralized (validated input, dead code, a guard)?
> **What survives the attack is real.** Confirmed findings come with a proof-of-concept; everything
> refuted is dropped.
## The toggle is the demo
**Verify OFF** shows the raw detector — a long list, false positives included. **Verify ON** runs the
refutation and the noise dies on screen. The default example hides one false positive (a `SELECT`
built from a value already cast to `int`) right next to a real bug (a shell command built from raw
input): only the real one survives, with its PoC.
## How it works
- **Snippet tab** — [Qwen2.5-Coder-7B-Instruct](https://huggingface.co/Qwen/Qwen2.5-Coder-7B-Instruct)
on **ZeroGPU** (H200), with [Outlines](https://github.com/dottxt-ai/outlines) constraining the
output to a JSON schema (`Candidate` / `Verdict`) — always machine-readable.
- **Whole-repo, split by model size, both via HF Inference** — detection on
[Qwen3-Coder-480B-A35B-Instruct](https://huggingface.co/Qwen/Qwen3-Coder-480B-A35B-Instruct): a
whole-file view follows a long source→sink data-flow (an injection can be ~200 lines from its
sink) the small model misses. Refutation on **Qwen2.5-Coder-32B** over a **bounded, line-numbered
window** around each candidate: it must *credit* real sanitization (prepared statements, allow-lists,
casts) to drop false positives — a 7B refuter can't and confirms almost everything — while not being
fooled by `file_exists`/`isset` guards (which don't stop an LFI). Both stages off-GPU, so a whole-repo
scan has no length limit.
Paste any snippet, pick the language, audit. All example code is fictional and **intentionally
vulnerable** — it's the test set. This is a **defensive / educational** demo, not a production scanner.
## About
Built by **[Ferr0](https://huggingface.co/Ferr0)** — infra-minded AI: local LLM inference,
structured generation & tool-calling, offline RAG, defensive AI security.
More at **[pixelium.win](https://pixelium.win)** · **[GitHub](https://github.com/ferr079)**.
License: MIT.