automated-security-helper
ASH is a Python-based orchestration engine that runs multiple open-source security scanners (Bandit, Semgrep, Checkov, etc.) to find vulnerabilities in code, infrastructure, and IAM configurations. It supports local, container, and pre-commit execution modes with flexible configuration and multiple report formats.
Key facts
Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.
| Field | Value |
|---|---|
| Repository | awslabs/automated-security-helper |
| Owner | awslabs |
| Primary language | Python |
| License | Apache-2.0 — OSI-approved |
| Stars | 661 |
| Forks | 86 |
| Open issues | 35 |
| Latest release | v3.5.7 (2026-07-06) |
| Last updated | 2026-07-07 |
| Source | https://github.com/awslabs/automated-security-helper |
What automated-security-helper is
ASH v3 is a SAST/SCA/IaC scanner coordinator written in Python 3.10+ that manages isolated tool execution via UV package manager, standardizes output across Bandit, Semgrep, Checkov, detect-secrets, Grype, and others, and provides SARIF/JSON/HTML/Markdown/CSV export. It includes MCP integration for AI-assisted remediation and pre-commit hooks.
Get the automated-security-helper source
Clone the repository and explore it locally.
git clone https://github.com/awslabs/automated-security-helper.gitcd automated-security-helper# follow the project's README for install & configurationNeed it deployed, integrated, or customized instead? DEV.co ships production installs.
Best use cases
Implementation considerations
- UV package manager must be installed for local/pre-commit modes; container mode avoids this but adds container runtime dependency. Ensure compatibility: Linux/macOS/Windows (with WSL2).
- Scanner-specific prerequisites vary: cfn_nag needs Ruby/gem, Grype/Syft need platform-specific install, npm-audit needs Node.js. Use container mode to avoid per-scanner setup.
- Configuration is YAML/JSON-based with CLI override support. Pre-commit mode runs a reduced scanner subset; validate that your critical checks are enabled in that profile.
- Output standardization across tools is good for consolidation but may lose tool-specific metadata. Verify report formats (JSON, HTML, Markdown) meet your downstream tools' input requirements.
- MCP integration enables AI-assisted remediation but requires Claude or compatible LLM client setup; optional feature, not critical for core scanning.
When to avoid it — and what to weigh
- Need for proprietary SAST depth or compliance specialization — ASH orchestrates open-source tools; it does not add proprietary analysis. If your compliance regime requires vendor-backed SCA or specialized HIPAA/PCI scanning, consider dedicated commercial tools.
- Require single-vendor support contracts — AWS Labs maintains ASH but does not offer commercial SLAs. For SCA or SAST with direct vendor support, evaluate Snyk, Checkmarx, or Fortify instead.
- Minimal Python/UV ecosystem in your stack — ASH requires Python 3.10+ and UV; container mode mitigates this, but local installation adds a new dependency chain. If your environment cannot run Python tooling, container-only setups may complicate adoption.
- Need for real-time supply-chain attack detection — ASH is a point-in-time scanner. Real-time threat intelligence, transitive dependency risk scoring, and behavioral anomaly detection are outside scope; consider continuous SCA platforms like Snyk or Dependabot.
License & commercial use
Apache-2.0 (Apache License 2.0). Permissive OSI-approved license allowing commercial use, modification, and distribution with attribution and liability/warranty disclaimer. No copyleft restrictions.
Apache-2.0 is a permissive license that permits commercial use. ASH itself can be used in proprietary workflows. However, ASH orchestrates third-party scanners (Checkov, Semgrep, Bandit, etc.); verify the licenses of those tools for your use case. Semgrep Community is free; Semgrep Pro requires a paid subscription. Checkov is open-source but has a commercial SaaS offering. No guarantee of vendor support or SLA from AWS Labs; for mission-critical compliance, consult AWS Professional Services or a security partner.
DEV.co evaluation signals
Editorial assessment — not user reviews. Directional, with an explicit confidence level.
| Signal | Assessment |
|---|---|
| Maintenance | Active |
| Documentation | Adequate |
| License clarity | Clear |
| Deployment complexity | Low |
| DEV.co fit | Strong |
| Assessment confidence | High |
ASH is a scanner orchestrator, not a security enforcement engine. It runs open-source tools that may have supply-chain or false-positive/false-negative risks. Output is only as good as underlying scanners (Bandit, Semgrep, Checkov, etc.); review their security posture and update frequency. No mention of SBOM pinning or signed releases in the README. Tool isolation via UV reduces dependency injection risk for host environment. Secrets detection via detect-secrets is included but not a replacement for vault or secret scanning in CI. For compliance-critical scans, pair with manual review and dedicated SAST/SCA vendors if required.
Alternatives to consider
Snyk (SCA + SAST + IaC)
Commercial, vendor-backed SCA with advanced supply-chain intelligence, real-time threat data, and compliance specialization. Preferred if you need SLA and proprietary analysis. Higher cost than open-source orchestration.
Checkmarx (SAST-focused)
Enterprise SAST platform with deep code analysis, compliance frameworks (CWE/OWASP), and integration breadth. Better for large teams requiring proprietary scanning depth. ASH's Semgrep is lighter-weight.
Trivy (lightweight IaC/SCA single tool)
Single, fast open-source scanner for images, IaC, and vulnerabilities. If you only need one or two scan types, Trivy is simpler. ASH adds orchestration value for multi-scanner environments.
Build on automated-security-helper with DEV.co software developers
Try ASH for free with uvx or container mode. No vendor lock-in, Apache-2.0 license, and active AWS Labs maintenance. Perfect for AWS teams scaling multi-scanner security.
Talk to DEV.coRelated open-source tools
Surfaced by semantic similarity across the DEV.co open-source index.
Related on DEV.co
Explore the category and the services that help you build with it.
automated-security-helper FAQ
Does ASH replace manual security review?
Can I use ASH in a pipeline with no Python installed?
What if a scanner (Semgrep, Checkov) has licensing restrictions for my use case?
How do I integrate ASH into GitHub Actions?
Work with a software development agency
Need help beyond evaluating automated-security-helper? DEV.co is a software development agency offering software development services and web development for teams of every size. Our software developers and web developers build custom software, web applications, APIs, and open-source security integrations — and maintain them long-term.
Consolidate Your Security Scanning
Try ASH for free with uvx or container mode. No vendor lock-in, Apache-2.0 license, and active AWS Labs maintenance. Perfect for AWS teams scaling multi-scanner security.