Agentic SAST.
White box. CI ready.
AgentGG turns agent files into agentic SAST scans. Reasoning that regex cannot do, structured output that one-shot LLM review cannot ship.
From install to first finding, in four commands.
SAST is loud.
And it cannot reason.
Traditional SAST follows rigid templates for the same handful of generic bug classes. It drowns developers in false positives, and it cannot tell whether a tainted value actually reaches a dangerous sink. If a vulnerability is specific to your product, your framework, or your org, off the shelf SAST does not see it.
AgentGG agents reason. They use tools, follow imports, and check the call graph before they flag anything. You can write agents that encode your organization, your business logic, and your past incidents, instead of the lowest common denominator of CWE patterns.
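The taint-to-sink distinction described above, shown with a small added example (not AgentGG's code, and not its agent format): a pattern-only check fires on every `subprocess.call(..., shell=True)`, while a minimal intraprocedural data-flow check, written here with Python's `ast` module, only reports the call when a value derived from `request.args` actually reaches it. Both source snippets are constructed for the example; `request.args` as the taint source and a fixed dict lookup as the sanitizing step are assumptions of the example, and the flow tracking is deliberately intraprocedural, so it does not follow imports or the call graph the way the page says AgentGG agents do.

```python
import ast
import re

# Constructed sample code (not from any real project). Both functions call a
# dangerous sink, but only the first lets attacker-controlled bytes reach it.
UNSAFE_SRC = '''
import subprocess
def run(request):
    cmd = request.args["cmd"]
    subprocess.call(cmd, shell=True)
'''

SAFE_SRC = '''
import subprocess
ALLOWED = {"ls": "ls -l", "date": "date"}
def run(request):
    key = request.args["cmd"]
    cmd = ALLOWED[key]
    subprocess.call(cmd, shell=True)
'''

# What a template/regex scanner effectively does: match the sink's shape.
SINK_RE = re.compile(r"subprocess\.call\(.*shell=True")


def regex_flags(src: str) -> bool:
    """Pattern-only check: fires on every shell=True call regardless of data flow."""
    return bool(SINK_RE.search(src))


def is_source(node: ast.AST) -> bool:
    """Assumed taint source for this example: request.args (Flask-style)."""
    return (isinstance(node, ast.Attribute) and node.attr == "args"
            and isinstance(node.value, ast.Name) and node.value.id == "request")


def is_sink(call: ast.Call) -> bool:
    """subprocess.call(..., shell=True) is the sink we care about."""
    f = call.func
    if not (isinstance(f, ast.Attribute) and f.attr == "call"
            and isinstance(f.value, ast.Name) and f.value.id == "subprocess"):
        return False
    return any(k.arg == "shell" and isinstance(k.value, ast.Constant)
               and k.value.value is True for k in call.keywords)


def is_tainted(node: ast.AST, tainted: set) -> bool:
    """Does this expression carry attacker-controlled data?"""
    if isinstance(node, ast.Name):
        return node.id in tainted
    if isinstance(node, ast.Subscript):
        if is_source(node.value):
            return True
        # An index only *selects* from the container; indexing a constant table
        # with a tainted key yields one of the table's fixed values, not the key.
        return is_tainted(node.value, tainted)
    if isinstance(node, ast.Constant):
        return False
    # f-strings, concatenation, nested calls: tainted if any part is tainted.
    return any(is_tainted(c, tainted) for c in ast.iter_child_nodes(node))


def taint_flags(src: str) -> list:
    """Intraprocedural taint check. Returns (function, line) for each real flow."""
    tree = ast.parse(src)
    findings = []
    for fn in (n for n in ast.walk(tree) if isinstance(n, ast.FunctionDef)):
        tainted: set = set()
        for stmt in fn.body:
            if (isinstance(stmt, ast.Assign) and len(stmt.targets) == 1
                    and isinstance(stmt.targets[0], ast.Name)):
                name = stmt.targets[0].id
                if is_tainted(stmt.value, tainted):
                    tainted.add(name)
                else:
                    tainted.discard(name)  # reassigned from a clean value
            elif isinstance(stmt, ast.Expr) and isinstance(stmt.value, ast.Call):
                call = stmt.value
                if is_sink(call) and any(is_tainted(a, tainted) for a in call.args):
                    findings.append((fn.name, call.lineno))
    return findings


if __name__ == "__main__":
    for label, src in (("unsafe", UNSAFE_SRC), ("safe", SAFE_SRC)):
        print(label, "regex:", regex_flags(src), "taint:", taint_flags(src))
```

The regex reports both snippets; the data-flow check reports only the first. The dict-lookup rule is the kind of judgement a pattern cannot make and a real analysis must justify (it is only sound when the table is constant and not attacker-writable), which is the gap the page is pointing at.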
AgentGG identified five zero-days in OpenCLAW using agents auto-generated from prior CVEs and a threat model synthesized by the agent itself.
AgentGG found 5 zero-days in a popular open source project.
openclaw is one of the most popular open source projects in the world right now, with widespread news coverage. It lets AI agents receive commands from chat platforms like Slack and Discord, with operators choosing which users are allowed to message the agent.
We found 5 separate issues that let a remote attacker gain access to the system: the agent would accept their commands as if they came from a user the operator had allowed.
All five issues have been acknowledged and fixed by the openclaw maintainers, and each disclosure is now public on GitHub.
92 confirmed bugs in one scan of OWASP Juice Shop.
We ran 50 agents covering the most common bug classes against the OWASP-maintained vulnerable web app. Before scanning we stripped every comment, hint file, and challenge marker that would tip the agents off about where the bugs live.
An agent registry, an orchestrator, and a CLI.
A white box scanner that runs on your full repo, or on a git diff for merge requests. Over 100 agents ship out of the box, covering security vulnerabilities, coding anti-patterns, and codebase recon. AgentGG can be integrated into CI/CD pipelines to scan every change automatically. Like Nuclei, AgentGG maintains a repository of open source templates, but instead of static YAML matchers they are agent files.
Diff scans
Only review the files changed in a merge request, so PR feedback stays fast and cheap.
Full-repo scans
Run every agent across the whole codebase. Good for a baseline or a nightly job.
Validate and score
A second pass confirms each finding against your scope file and rates it with a CVSS severity.
Web UI
Browse findings in a local web UI. Filter by severity, agent, or file.
Agent file in. GHSA-shaped finding out.
One text file in. One markdown report out. Drop it in your agents directory, or pass it inline with -t.
Run your own model. Local or hosted.
Every provider runs the whole pipeline: recon, detection, validation, and scoring. Configure once with agentgg init, or pass credentials per scan.
Managed AgentGG, coming soon.
GitHub-native scans for your team.
The CLI, hosted. Merge request reviews and full-repo scans wired into GitHub, with team-wide findings and access controls. Get notified when the platform goes live.
Running a SAST or DevSecOps platform? Email contact@agentgg.dev about integration.
