AutoCVE
AutoCVE is an open-source Python platform that automates CVE discovery in source code using multi-agent AI orchestration. It combines static scanning, source code analysis, and dynamic verification to generate ready-to-submit CVE reports, with claims of 30 CVEs found in a 7-day trial across 14 projects.
Key facts
Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.
| Field | Value |
|---|---|
| Repository | larlarua/AutoCVE |
| Owner | larlarua |
| Primary language | Python |
| License | AGPL-3.0 — OSI-approved |
| Stars | 1.1k |
| Forks | 71 |
| Open issues | 13 |
| Latest release | v1.0.4 (2026-07-04) |
| Last updated | 2026-07-04 |
| Source | https://github.com/larlarua/AutoCVE |
What AutoCVE is
Built on FastAPI (backend), React (frontend), and PostgreSQL, AutoCVE implements a multi-agent ReAct loop architecture (Orchestrator, Recon, Scan, Triage, Finding, Verification agents) for coordinated vulnerability discovery. Supports three audit modes: enhanced scanning, intelligent audit (CVE-focused), and comprehensive audit; integrates LLM-based agents with manual Skills configuration for extensibility.
Get the AutoCVE source
Clone the repository and explore it locally.
git clone https://github.com/larlarua/AutoCVE.gitcd AutoCVE# follow the project's README for install & configurationNeed it deployed, integrated, or customized instead? DEV.co ships production installs.
Best use cases
Implementation considerations
- LLM API Dependency: AutoCVE is tightly coupled to LLM services for agent reasoning. Ensure stable API access (rate limits, cost, latency) and fallback strategy if provider becomes unavailable.
- Skills & Tool Configuration: Core audit capability depends on configuring specialized Skills per Agent. Requires security expertise to define rules, integrate external tools, and tune false-positive filtering thresholds.
- Database Schema & State Management: PostgreSQL backend stores audit trails, vulnerabilities, and session context. Plan for schema migrations, backup strategy, and capacity if running high-volume concurrent audits.
- LLM Model Choice & Prompt Engineering: Quality of findings depends on underlying LLM capability and prompt tuning. Test with target LLMs before production; expect variations in accuracy across model versions.
- Audit Result Validation Workflow: Generated CVE reports must be human-reviewed and independently verified before submission. Establish internal SOPs for validation, prioritization, and disclosure coordination.
When to avoid it — and what to weigh
- Closed-source or commercial production deployments without legal review — AGPL-3.0 mandates source code disclosure for network-accessible modifications. Any closed-source derivative or SaaS offering requires careful license compliance review; consider consulting legal counsel before production deployment.
- Expectation of AI-only autonomous security guarantees — AutoCVE is a discovery and reporting tool, not a security verification platform. It relies on LLM accuracy and tool integration; vulnerabilities must be independently validated before CVE submission or patching.
- Low-resource or minimal infrastructure environments — Deployment requires Docker, PostgreSQL, FastAPI backend, React frontend, and LLM API access. Multi-agent orchestration is resource-intensive; not suitable for embedded, edge, or severely constrained deployments.
- Organizations requiring traditional support and SLAs — This is a young community project (created June 2026, latest v1.0.4 July 2026). No commercial support, SLA guarantees, or established incident response process is documented. Use case should tolerate community-driven maintenance.
License & commercial use
Licensed under AGPL-3.0 (GNU Affero General Public License v3.0). This is a copyleft license requiring source code disclosure of any modifications made to the software, especially if deployed over a network. Closed-source derivatives or SaaS offerings built on AutoCVE would likely trigger disclosure obligations.
AGPL-3.0 is restrictive for commercial derivative work or SaaS offerings. Internal use (security auditing of your own code, or on-premises deployment with no external network hosting) is permissible. However, offering AutoCVE as a managed service, selling proprietary modifications, or bundling it into closed-source products is problematic without explicit license exception or legal review. Requires careful assessment before commercial deployment.
DEV.co evaluation signals
Editorial assessment — not user reviews. Directional, with an explicit confidence level.
| Signal | Assessment |
|---|---|
| Maintenance | Active |
| Documentation | Adequate |
| License clarity | Clear |
| Deployment complexity | Moderate |
| DEV.co fit | Good |
| Assessment confidence | High |
AutoCVE is designed to find vulnerabilities but itself runs on user infrastructure. Considerations: (1) LLM inference on source code—ensure code confidentiality if using third-party LLM APIs; (2) database stores audit history and credentials—secure PostgreSQL instance against unauthorized access; (3) tool execution during scanning—verify tool safety and sandbox isolation if running untrusted input; (4) no independent security audit of AutoCVE itself is documented; (5) AGPL-3.0 requires code transparency, reducing obscurity but not eliminating risks. Treat as a development/research tool pending independent security review.
Alternatives to consider
Semgrep (LGPL-2.1, open-source SAST)
Battle-tested SAST engine with rule library; no LLM dependency. Faster, lower resource overhead, narrower scope (no report generation or multi-agent workflow). Better for organizations wanting deterministic, rule-based scanning.
Commercial SaaS platforms (Snyk, Checkmarx, Veracode)
Managed services with dedicated security team, SLAs, and vendor support. No deployment complexity. Higher cost and vendor lock-in; suitable for enterprises prioritizing support over open-source flexibility.
In-house LLM-based agents (e.g., LangChain + custom prompts)
Build custom agent workflows tailored to organization's threat model. Requires security engineering expertise but provides full control and avoids AGPL-3.0 compliance burden. Steeper learning curve.
Build on AutoCVE with DEV.co software developers
Deploy AutoCVE with Docker Compose and start identifying vulnerabilities in your codebase. Ensure legal compliance with AGPL-3.0 license terms before production deployment.
Talk to DEV.coRelated open-source tools
Surfaced by semantic similarity across the DEV.co open-source index.
Related on DEV.co
Explore the category and the services that help you build with it.
AutoCVE FAQ
Can we use AutoCVE for commercial SaaS offerings?
What LLMs are supported?
How accurate are the CVE findings?
What are the infrastructure requirements?
Custom software development services
From first prototype to production, DEV.co delivers software development services around tools like AutoCVE. Our software development agency staffs experienced software developers and web developers for custom software development, web development, integrations, and ongoing support across open-source security and beyond.
Ready to Automate Your CVE Discovery?
Deploy AutoCVE with Docker Compose and start identifying vulnerabilities in your codebase. Ensure legal compliance with AGPL-3.0 license terms before production deployment.