DEV.co
Open-Source Security · larlarua

AutoCVE

AutoCVE is an open-source Python platform that automates CVE discovery in source code using multi-agent AI orchestration. It combines static scanning, source code analysis, and dynamic verification to generate ready-to-submit CVE reports, with claims of 30 CVEs found in a 7-day trial across 14 projects.

Source: GitHub — github.com/larlarua/AutoCVE
1.1k
GitHub stars
71
Forks
Python
Primary language
AGPL-3.0
License (OSI-approved)

Key facts

Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.

FieldValue
Repositorylarlarua/AutoCVE
Ownerlarlarua
Primary languagePython
LicenseAGPL-3.0 — OSI-approved
Stars1.1k
Forks71
Open issues13
Latest releasev1.0.4 (2026-07-04)
Last updated2026-07-04
Sourcehttps://github.com/larlarua/AutoCVE

What AutoCVE is

Built on FastAPI (backend), React (frontend), and PostgreSQL, AutoCVE implements a multi-agent ReAct loop architecture (Orchestrator, Recon, Scan, Triage, Finding, Verification agents) for coordinated vulnerability discovery. Supports three audit modes: enhanced scanning, intelligent audit (CVE-focused), and comprehensive audit; integrates LLM-based agents with manual Skills configuration for extensibility.

Quickstart

Get the AutoCVE source

Clone the repository and explore it locally.

terminalbash
git clone https://github.com/larlarua/AutoCVE.gitcd AutoCVE# follow the project's README for install & configuration

Need it deployed, integrated, or customized instead? DEV.co ships production installs.

Best use cases

CVE Research & Responsible Disclosure

Organizations conducting structured vulnerability research on known projects can use AutoCVE to automate the discovery-to-report pipeline, reducing time from vulnerability identification to CVE submission.

Security Auditing of Custom or Private Codebases

Engineering teams can deploy AutoCVE on internal source code repositories to perform automated, multi-stage audits combining SAST scanning with AI-driven deep analysis, with full audit trail and interactive refinement.

Penetration Testing & Bug Bounty Programs

Security researchers can integrate AutoCVE into engagement workflows to systematically scan multiple targets, filter false positives via triage agents, and accelerate high-value finding generation for bounty submissions.

Implementation considerations

  • LLM API Dependency: AutoCVE is tightly coupled to LLM services for agent reasoning. Ensure stable API access (rate limits, cost, latency) and fallback strategy if provider becomes unavailable.
  • Skills & Tool Configuration: Core audit capability depends on configuring specialized Skills per Agent. Requires security expertise to define rules, integrate external tools, and tune false-positive filtering thresholds.
  • Database Schema & State Management: PostgreSQL backend stores audit trails, vulnerabilities, and session context. Plan for schema migrations, backup strategy, and capacity if running high-volume concurrent audits.
  • LLM Model Choice & Prompt Engineering: Quality of findings depends on underlying LLM capability and prompt tuning. Test with target LLMs before production; expect variations in accuracy across model versions.
  • Audit Result Validation Workflow: Generated CVE reports must be human-reviewed and independently verified before submission. Establish internal SOPs for validation, prioritization, and disclosure coordination.

When to avoid it — and what to weigh

  • Closed-source or commercial production deployments without legal review — AGPL-3.0 mandates source code disclosure for network-accessible modifications. Any closed-source derivative or SaaS offering requires careful license compliance review; consider consulting legal counsel before production deployment.
  • Expectation of AI-only autonomous security guarantees — AutoCVE is a discovery and reporting tool, not a security verification platform. It relies on LLM accuracy and tool integration; vulnerabilities must be independently validated before CVE submission or patching.
  • Low-resource or minimal infrastructure environments — Deployment requires Docker, PostgreSQL, FastAPI backend, React frontend, and LLM API access. Multi-agent orchestration is resource-intensive; not suitable for embedded, edge, or severely constrained deployments.
  • Organizations requiring traditional support and SLAs — This is a young community project (created June 2026, latest v1.0.4 July 2026). No commercial support, SLA guarantees, or established incident response process is documented. Use case should tolerate community-driven maintenance.

License & commercial use

Licensed under AGPL-3.0 (GNU Affero General Public License v3.0). This is a copyleft license requiring source code disclosure of any modifications made to the software, especially if deployed over a network. Closed-source derivatives or SaaS offerings built on AutoCVE would likely trigger disclosure obligations.

AGPL-3.0 is restrictive for commercial derivative work or SaaS offerings. Internal use (security auditing of your own code, or on-premises deployment with no external network hosting) is permissible. However, offering AutoCVE as a managed service, selling proprietary modifications, or bundling it into closed-source products is problematic without explicit license exception or legal review. Requires careful assessment before commercial deployment.

DEV.co evaluation signals

Editorial assessment — not user reviews. Directional, with an explicit confidence level.

SignalAssessment
MaintenanceActive
DocumentationAdequate
License clarityClear
Deployment complexityModerate
DEV.co fitGood
Assessment confidenceHigh
Security considerations

AutoCVE is designed to find vulnerabilities but itself runs on user infrastructure. Considerations: (1) LLM inference on source code—ensure code confidentiality if using third-party LLM APIs; (2) database stores audit history and credentials—secure PostgreSQL instance against unauthorized access; (3) tool execution during scanning—verify tool safety and sandbox isolation if running untrusted input; (4) no independent security audit of AutoCVE itself is documented; (5) AGPL-3.0 requires code transparency, reducing obscurity but not eliminating risks. Treat as a development/research tool pending independent security review.

Alternatives to consider

Semgrep (LGPL-2.1, open-source SAST)

Battle-tested SAST engine with rule library; no LLM dependency. Faster, lower resource overhead, narrower scope (no report generation or multi-agent workflow). Better for organizations wanting deterministic, rule-based scanning.

Commercial SaaS platforms (Snyk, Checkmarx, Veracode)

Managed services with dedicated security team, SLAs, and vendor support. No deployment complexity. Higher cost and vendor lock-in; suitable for enterprises prioritizing support over open-source flexibility.

In-house LLM-based agents (e.g., LangChain + custom prompts)

Build custom agent workflows tailored to organization's threat model. Requires security engineering expertise but provides full control and avoids AGPL-3.0 compliance burden. Steeper learning curve.

Software development agency

Build on AutoCVE with DEV.co software developers

Deploy AutoCVE with Docker Compose and start identifying vulnerabilities in your codebase. Ensure legal compliance with AGPL-3.0 license terms before production deployment.

Talk to DEV.co

Related open-source tools

Surfaced by semantic similarity across the DEV.co open-source index.

Related on DEV.co

Explore the category and the services that help you build with it.

AutoCVE FAQ

Can we use AutoCVE for commercial SaaS offerings?
Requires legal review. AGPL-3.0 mandates source disclosure if modified and deployed over a network. Closed-source SaaS is likely non-compliant without explicit license exception or relicensing agreement with the author.
What LLMs are supported?
Not explicitly stated in provided data. Likely supports OpenAI, Anthropic, or similar via FastAPI integration. Verify supported providers and configuration in API documentation and source code.
How accurate are the CVE findings?
Depends on LLM capability and Skills configuration. The 30 CVEs claimed in 7 days suggest reasonable effectiveness, but human validation is essential before submission. No independent benchmark is provided.
What are the infrastructure requirements?
Docker, PostgreSQL 15+, FastAPI backend (Python 3.11+), React frontend, and LLM API access. Minimum specs depend on audit volume and concurrency; multi-agent orchestration is resource-intensive.

Custom software development services

From first prototype to production, DEV.co delivers software development services around tools like AutoCVE. Our software development agency staffs experienced software developers and web developers for custom software development, web development, integrations, and ongoing support across open-source security and beyond.

Ready to Automate Your CVE Discovery?

Deploy AutoCVE with Docker Compose and start identifying vulnerabilities in your codebase. Ensure legal compliance with AGPL-3.0 license terms before production deployment.