| --- |
| title: SwarmAudit |
| emoji: 🚀 |
| colorFrom: blue |
| colorTo: indigo |
| sdk: gradio |
| sdk_version: 6.14.0 |
| app_file: app.py |
| pinned: false |
| license: mit |
| short_description: A multi-agent scanner that audits repositories |
| --- |
| |
| # SwarmAudit |
|
|
| SwarmAudit is a multi-agent production-readiness scanner for AI-generated code. |
|
|
| Paste a public GitHub repository URL and SwarmAudit clones the repo, maps source files, runs specialized static and optional LLM-enriched agents, then returns a prioritized audit report with severity filters, file references, remediation guidance, scores, and Markdown/JSON exports. |
|
|
| The project was built for the AMD Developer Hackathon Track 1: AI Agents & Agentic Workflows. It is designed to run reliably in mock/static mode for public demos and switch to AMD Developer Cloud + ROCm + vLLM + Qwen2.5-Coder when GPU credits are available. |
|
|
| ## Why It Exists |
|
|
| AI coding tools are fast, but they often miss production concerns: broken security assumptions, unsafe configuration, missing timeouts, swallowed exceptions, weak observability, dependency risk, and GPU portability issues. SwarmAudit turns those review concerns into a coordinated agent workflow. |
|
|
| The goal is not to replace linters. The goal is to give teams a fast second-pass review for code that might be functionally correct but not production-ready. |
|
|
| ## Current Status |
|
|
| Working now: |
|
|
| - Gradio dashboard with agent progress, activity log, summary cards, clickable severity filters, finding inspector, and report downloads. |
| - FastAPI backend with `/health`, `/llm/health`, and `/audit`. |
| - GitHub repo cloning with file limits and Windows-safe temp paths. |
| - Static multi-agent audit path that works without GPU access. |
| - Optional vLLM/Qwen enrichment behind config. |
| - LLM Diagnostics tab for `/v1/models` and chat-completion checks. |
| - Benchmark tab for latency checks against mock or vLLM backends. |
| - Markdown and JSON report export. |
| - Hugging Face Spaces entrypoint through root `app.py`. |
| - AMD/vLLM runbook for credit-safe MI300X testing. |
|
|
| Validated during development: |
|
|
| - Hugging Face Space running in mock/static mode. |
| - AMD Developer Cloud GPU instance with ROCm visible through `rocm-smi`. |
| - vLLM serving `Qwen/Qwen2.5-Coder-32B-Instruct` through an OpenAI-compatible `/v1` API. |
| - SwarmAudit Diagnostics and Benchmark tabs connected successfully to the AMD-hosted vLLM endpoint. |
|
|
| ## Agent Workflow |
|
|
| ```text |
| GitHub URL |
| -> Crawler Agent |
| -> Chunker |
| -> Parallel Analysis Agents |
| Security |
| Performance |
| Quality |
| Docs |
| Config |
| Dependency |
| Error Handling |
| Observability |
| CUDA-to-ROCm |
| -> Synthesizer |
| -> Scores + Roadmap + Report |
| ``` |
|
|
| ## Agents |
|
|
| - **Security Agent**: hardcoded secrets, disabled TLS verification, dynamic execution, insecure dependency version ranges. |
| - **Performance Agent**: missing HTTP timeouts, blocking work in async paths, nested loops, repeated file reads, synchronous hot-path operations. |
| - **Quality Agent**: long functions, high branch density, very short identifiers, TODO/FIXME/HACK comments, maintainability signals. |
| - **Docs Agent**: README gaps, missing install/run/test guidance, public Python symbols without docstrings. |
| - **Config Agent**: production-dangerous defaults such as debug mode, open CORS, disabled TLS checks, weak secrets, unsafe config patterns. |
| - **Dependency Agent**: parses manifests and optionally queries OSV.dev for CVE data when enabled. |
| - **Error Handling Agent**: swallowed exceptions, missing timeouts, missing retry/fallback behavior, resilience gaps. |
| - **Observability Agent**: `print` logging, sensitive data in logs, missing health checks, missing metrics/tracing signals. |
| - **CUDA-to-ROCm Agent**: flags CUDA/NVIDIA-specific assumptions such as `torch.cuda`, `.cuda()`, `pynvml`, `nvidia-smi`, `cudaMalloc`, and `cudaMemcpy`, then suggests ROCm/generic alternatives. |
| - **Synthesizer Agent**: deduplicates findings, ranks by severity, computes scores, groups categories, and builds the remediation roadmap. |
|
|
| ## Report Output |
|
|
| Each audit report includes: |
|
|
| - Repository URL |
| - scanned/skipped file counts |
| - severity summary |
| - total/displayed/hidden finding counts |
| - agent finding counts |
| - category summary |
| - security score |
| - production readiness score |
| - remediation roadmap: |
| - This Week |
| - Next Sprint |
| - Backlog |
| - structured findings with: |
| - title |
| - severity |
| - file path and line range |
| - explanation |
| - why it matters |
| - suggested fix |
| - agent source |
| - category |
| - confidence when available |
| - Markdown export |
| - JSON export |
|
|
| The UI displays a prioritized subset for readability while preserving full totals in the structured report. |
|
|
| ## AMD + Qwen Integration |
|
|
| SwarmAudit uses Qwen through an OpenAI-compatible vLLM endpoint. The app does not install or run vLLM directly; it calls vLLM over HTTP. |
|
|
| The AMD path improves the project by allowing the same agent workflow to use a stronger code model on AMD GPU infrastructure: |
|
|
| - AMD Developer Cloud provides the GPU runtime. |
| - ROCm exposes AMD GPU acceleration. |
| - vLLM serves Qwen2.5-Coder as an OpenAI-compatible API. |
| - SwarmAudit uses that endpoint for Diagnostics, Benchmark, and optional LLM enrichment. |
| - Static agents remain the reliable fallback if the endpoint is unavailable. |
|
|
| Default public/demo mode stays cheap and reliable: |
|
|
| ```text |
| LLM_PROVIDER=mock |
| ENABLE_LLM_ENRICHMENT=false |
| ``` |
|
|
| Credit-safe AMD test mode: |
|
|
| ```text |
| LLM_PROVIDER=vllm |
| LLM_BASE_URL=http://YOUR_VLLM_ENDPOINT/v1 |
| LLM_API_KEY=swarm-audit-demo-key |
| LLM_MODEL=Qwen/Qwen2.5-Coder-32B-Instruct |
| ENABLE_LLM_ENRICHMENT=true |
| MAX_FILES=100 |
| MAX_FILE_SIZE_KB=150 |
| MAX_CHARS_PER_CHUNK=8000 |
| MAX_LLM_CHUNKS=2 |
| ``` |
|
|
| See [`AMD_VLLM_RUNBOOK.md`](AMD_VLLM_RUNBOOK.md) for the exact AMD setup and shutdown checklist. |
|
|
| ## Hugging Face Spaces |
|
|
| SwarmAudit is deployable as a Gradio Space using the root `app.py`. |
|
|
| Recommended public Space settings: |
|
|
| - SDK: Gradio |
| - Hardware: CPU basic |
| - App file: `app.py` |
| - Environment: |
|
|
| ```text |
| LLM_PROVIDER=mock |
| ENABLE_LLM_ENRICHMENT=false |
| ENABLE_DEPENDENCY_CVE_LOOKUP=false |
| ``` |
|
|
| Keep the public Space in mock/static mode unless a stable vLLM endpoint is available for the full judging window. Do not expose private endpoint keys in the README or UI. |
|
|
| See [`HF_SPACES_DEPLOY.md`](HF_SPACES_DEPLOY.md) for the deployment checklist. |
|
|
| ## Quick Start |
|
|
| ```bash |
| python -m venv .venv |
| .venv\Scripts\activate |
| pip install -r requirements.txt |
| ``` |
|
|
| Run the Gradio app: |
|
|
| ```bash |
| python app.py |
| ``` |
|
|
| Open the URL printed by Gradio. The app tries port `7860` first and falls back to another local Gradio port if `7860` is busy. |
|
|
| Run the FastAPI backend: |
|
|
| ```bash |
| uvicorn app.main:app --reload |
| ``` |
|
|
| If port `8000` is busy: |
|
|
| ```bash |
| uvicorn app.main:app --reload --port 8001 |
| ``` |
|
|
| Health checks: |
|
|
| ```bash |
| curl http://127.0.0.1:8000/health |
| curl http://127.0.0.1:8000/llm/health |
| ``` |
|
|
| Audit API: |
|
|
| ```bash |
| curl -X POST http://127.0.0.1:8000/audit \ |
| -H "Content-Type: application/json" \ |
| -d '{"repo_url":"https://github.com/pallets/itsdangerous"}' |
| ``` |
|
|
| Recommended first test repos: |
|
|
| ```text |
| https://github.com/pallets/itsdangerous |
| https://github.com/psf/requests |
| ``` |
|
|
| ## Configuration |
|
|
| Copy `.env.example` to `.env` for local overrides. |
|
|
| Important settings: |
|
|
| ```text |
| LLM_PROVIDER=mock |
| LLM_BASE_URL=http://localhost:9000/v1 |
| LLM_API_KEY=not-needed-for-mock |
| LLM_MODEL=Qwen/Qwen2.5-Coder-32B-Instruct |
| ENABLE_LLM_ENRICHMENT=false |
| ENABLE_DEPENDENCY_CVE_LOOKUP=false |
| MAX_LLM_CHUNKS=5 |
| LLM_TIMEOUT_SECONDS=120 |
| MAX_FILES=200 |
| MAX_FILE_SIZE_KB=250 |
| MAX_CHARS_PER_CHUNK=12000 |
| CLONE_TIMEOUT_SECONDS=60 |
| CLONE_BASE_DIR=.swarm_audit_tmp |
| ``` |
|
|
| Dependency CVE lookup is off by default so demos do not depend on network calls beyond cloning the target repo: |
|
|
| ```text |
| ENABLE_DEPENDENCY_CVE_LOOKUP=false |
| ``` |
|
|
| Enable it only when you want OSV.dev CVE checks: |
|
|
| ```text |
| ENABLE_DEPENDENCY_CVE_LOOKUP=true |
| ``` |
|
|
| ## Tests |
|
|
| ```bash |
| python -m compileall -q app tests app.py |
| python -m pytest --basetemp=.tmp_pytest -p no:cacheprovider |
| ``` |
|
|
| Current local suite: |
|
|
| ```text |
| 104 tests |
| ``` |
|
|
| ## Project Structure |
|
|
| ```text |
| app.py # Hugging Face/Gradio entrypoint |
| app/ |
| main.py # FastAPI API |
| config.py # environment settings |
| schemas.py # Pydantic models |
| agents/ |
| graph.py # orchestration |
| security_agent.py |
| performance_agent.py |
| quality_agent.py |
| docs_agent.py |
| config_agent.py |
| dependency_agent.py |
| error_handling_agent.py |
| observability_agent.py |
| cuda_migration_agent.py |
| synthesizer_agent.py |
| llm_enrichment.py |
| services/ |
| llm_client.py |
| benchmark.py |
| report_formatter.py |
| ui/ |
| gradio_app.py |
| tests/ |
| examples/ |
| ``` |
|
|
| ## Submission Notes |
|
|
| For the hackathon submission, highlight: |
|
|
| - agentic workflow with multiple specialized agents |
| - Qwen2.5-Coder integration through vLLM |
| - AMD Developer Cloud + ROCm validation |
| - Hugging Face Space deployment |
| - practical business value: production readiness for AI-generated code |
| - originality: combining security, operations, dependency, and CUDA-to-ROCm portability checks in one audit workflow |
|
|