DEV.co
Open-Source Security · awslabs

automated-security-helper

ASH is a Python-based orchestration engine that runs multiple open-source security scanners (Bandit, Semgrep, Checkov, etc.) to find vulnerabilities in code, infrastructure, and IAM configurations. It supports local, container, and pre-commit execution modes with flexible configuration and multiple report formats.

Source: GitHub — github.com/awslabs/automated-security-helper
661
GitHub stars
86
Forks
Python
Primary language
Apache-2.0
License (OSI-approved)

Key facts

Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.

FieldValue
Repositoryawslabs/automated-security-helper
Ownerawslabs
Primary languagePython
LicenseApache-2.0 — OSI-approved
Stars661
Forks86
Open issues35
Latest releasev3.5.7 (2026-07-06)
Last updated2026-07-07
Sourcehttps://github.com/awslabs/automated-security-helper

What automated-security-helper is

ASH v3 is a SAST/SCA/IaC scanner coordinator written in Python 3.10+ that manages isolated tool execution via UV package manager, standardizes output across Bandit, Semgrep, Checkov, detect-secrets, Grype, and others, and provides SARIF/JSON/HTML/Markdown/CSV export. It includes MCP integration for AI-assisted remediation and pre-commit hooks.

Quickstart

Get the automated-security-helper source

Clone the repository and explore it locally.

terminalbash
git clone https://github.com/awslabs/automated-security-helper.gitcd automated-security-helper# follow the project's README for install & configuration

Need it deployed, integrated, or customized instead? DEV.co ships production installs.

Best use cases

Multi-scanner SAST/SCA consolidation in CI/CD

Teams using multiple AWS or polyglot codebases who need consistent, aggregated security scanning without managing individual tool integrations. Reduces configuration complexity by centralizing scanner orchestration.

Infrastructure-as-Code security scanning at scale

AWS-heavy organizations scanning Terraform, CloudFormation, and CDK templates across environments. Built-in cfn_nag, Checkov, and cdk-nag integration handles common IaC patterns without external setup.

Developer-first security with pre-commit hooks

Shift-left security embedding. Pre-commit mode runs a lightweight subset of scanners to catch issues before commit, with local mode for full scans in CI and container mode for isolated execution.

Implementation considerations

  • UV package manager must be installed for local/pre-commit modes; container mode avoids this but adds container runtime dependency. Ensure compatibility: Linux/macOS/Windows (with WSL2).
  • Scanner-specific prerequisites vary: cfn_nag needs Ruby/gem, Grype/Syft need platform-specific install, npm-audit needs Node.js. Use container mode to avoid per-scanner setup.
  • Configuration is YAML/JSON-based with CLI override support. Pre-commit mode runs a reduced scanner subset; validate that your critical checks are enabled in that profile.
  • Output standardization across tools is good for consolidation but may lose tool-specific metadata. Verify report formats (JSON, HTML, Markdown) meet your downstream tools' input requirements.
  • MCP integration enables AI-assisted remediation but requires Claude or compatible LLM client setup; optional feature, not critical for core scanning.

When to avoid it — and what to weigh

  • Need for proprietary SAST depth or compliance specialization — ASH orchestrates open-source tools; it does not add proprietary analysis. If your compliance regime requires vendor-backed SCA or specialized HIPAA/PCI scanning, consider dedicated commercial tools.
  • Require single-vendor support contracts — AWS Labs maintains ASH but does not offer commercial SLAs. For SCA or SAST with direct vendor support, evaluate Snyk, Checkmarx, or Fortify instead.
  • Minimal Python/UV ecosystem in your stack — ASH requires Python 3.10+ and UV; container mode mitigates this, but local installation adds a new dependency chain. If your environment cannot run Python tooling, container-only setups may complicate adoption.
  • Need for real-time supply-chain attack detection — ASH is a point-in-time scanner. Real-time threat intelligence, transitive dependency risk scoring, and behavioral anomaly detection are outside scope; consider continuous SCA platforms like Snyk or Dependabot.

License & commercial use

Apache-2.0 (Apache License 2.0). Permissive OSI-approved license allowing commercial use, modification, and distribution with attribution and liability/warranty disclaimer. No copyleft restrictions.

Apache-2.0 is a permissive license that permits commercial use. ASH itself can be used in proprietary workflows. However, ASH orchestrates third-party scanners (Checkov, Semgrep, Bandit, etc.); verify the licenses of those tools for your use case. Semgrep Community is free; Semgrep Pro requires a paid subscription. Checkov is open-source but has a commercial SaaS offering. No guarantee of vendor support or SLA from AWS Labs; for mission-critical compliance, consult AWS Professional Services or a security partner.

DEV.co evaluation signals

Editorial assessment — not user reviews. Directional, with an explicit confidence level.

SignalAssessment
MaintenanceActive
DocumentationAdequate
License clarityClear
Deployment complexityLow
DEV.co fitStrong
Assessment confidenceHigh
Security considerations

ASH is a scanner orchestrator, not a security enforcement engine. It runs open-source tools that may have supply-chain or false-positive/false-negative risks. Output is only as good as underlying scanners (Bandit, Semgrep, Checkov, etc.); review their security posture and update frequency. No mention of SBOM pinning or signed releases in the README. Tool isolation via UV reduces dependency injection risk for host environment. Secrets detection via detect-secrets is included but not a replacement for vault or secret scanning in CI. For compliance-critical scans, pair with manual review and dedicated SAST/SCA vendors if required.

Alternatives to consider

Snyk (SCA + SAST + IaC)

Commercial, vendor-backed SCA with advanced supply-chain intelligence, real-time threat data, and compliance specialization. Preferred if you need SLA and proprietary analysis. Higher cost than open-source orchestration.

Checkmarx (SAST-focused)

Enterprise SAST platform with deep code analysis, compliance frameworks (CWE/OWASP), and integration breadth. Better for large teams requiring proprietary scanning depth. ASH's Semgrep is lighter-weight.

Trivy (lightweight IaC/SCA single tool)

Single, fast open-source scanner for images, IaC, and vulnerabilities. If you only need one or two scan types, Trivy is simpler. ASH adds orchestration value for multi-scanner environments.

Software development agency

Build on automated-security-helper with DEV.co software developers

Try ASH for free with uvx or container mode. No vendor lock-in, Apache-2.0 license, and active AWS Labs maintenance. Perfect for AWS teams scaling multi-scanner security.

Talk to DEV.co

Related open-source tools

Surfaced by semantic similarity across the DEV.co open-source index.

Related on DEV.co

Explore the category and the services that help you build with it.

automated-security-helper FAQ

Does ASH replace manual security review?
No. The README explicitly states ASH is not a replacement for human review or team/customer security standards. It is a tool to catch common issues early; governance and architecture review remain essential.
Can I use ASH in a pipeline with no Python installed?
Yes, container mode runs ASH in an OCI container (Docker, Podman, Finch) without requiring Python on the host. Local and pre-commit modes require Python 3.10+ and UV.
What if a scanner (Semgrep, Checkov) has licensing restrictions for my use case?
ASH orchestrates but does not bundle proprietary scanners. Verify each tool's license independently. Semgrep Community is free; Pro is paid. Checkov is open-source. Ensure compliance with your legal team.
How do I integrate ASH into GitHub Actions?
Use local or container mode in a workflow step. Local mode requires `runs-on: ubuntu-latest` with Python 3.10+. Container mode works on any runner with OCI support. SARIF output integrates with GitHub Code Scanning.

Work with a software development agency

Need help beyond evaluating automated-security-helper? DEV.co is a software development agency offering software development services and web development for teams of every size. Our software developers and web developers build custom software, web applications, APIs, and open-source security integrations — and maintain them long-term.

Consolidate Your Security Scanning

Try ASH for free with uvx or container mode. No vendor lock-in, Apache-2.0 license, and active AWS Labs maintenance. Perfect for AWS teams scaling multi-scanner security.