
Run your first code audit

Connect a repository, run a code audit assessment, read the findings, and export a report. You finish with a completed code audit and structured vulnerabilities ready for remediation.

Prerequisites

  • An AISafe account (see Create an account)
  • A GitHub or GitLab repository to audit (for private repos, install the AISafe GitHub/GitLab App)

Step 1: Connect your repository

  1. Navigate to Integrations in the AISafe dashboard.
  2. Click Connect GitHub (or Connect GitLab) and authorize AISafe to access your repositories.
  3. Select the repositories you want to make available for scanning.

If your repository is public, skip this step and provide the URL when creating the assessment.

Step 2: Create the assessment

  1. Click New Assessment in the dashboard.
  2. Enter a name (e.g. "api-gateway security audit").
  3. Select Code Audit as the assessment type.
  4. Choose your source:
    • Connected repository: select from the dropdown of repos your integration syncs.
    • Public repository URL: paste a public https://github.com/{owner}/{repo} URL.
    • Upload archive: upload a tar.gz of your codebase.
  5. Optionally, add instructions to steer the agents (e.g. "focus on authentication and authorization vulnerabilities").
  6. Click Create draft.

Step 3: Start the assessment

Review the draft configuration, then click Start assessment. AISafe validates the source (clones the repo, resolves the ref), then spins up isolated sandboxes and runs the AI agents.

AISafe streams progress through stages: Understanding → Analysis → Audit → Triage → Report. Depending on the size of your codebase, the assessment completes in minutes to a few hours. You can navigate away and come back. The assessment runs in the background.

Step 4: Read the findings

When the assessment completes, you land on the findings list. Each finding shows:

  • Severity: critical, high, medium, low, or info
  • Title: a concise description of the vulnerability
  • Status: open, confirmed, false positive, accepted risk, duplicate, or fixed
  • Evidence: file locations, taint flows, code snippets, and a proof of concept

Click any finding to see the full detail: the triage agent's reasoning, affected code locations, taint flow (source → propagators → sink), CWE/OWASP mapping, and suggested fix with code snippets.

Step 5: Triage findings

Review each finding and decide:

  • Confirm: the vulnerability is real and needs fixing
  • False positive: the reported vulnerability lacks a real exploit path (provide a reason)
  • Accepted risk: acknowledge the vulnerability and defer the fix (provide a reason)
  • Duplicate: same root cause as another finding (link the canonical finding)

Step 6: Export a report

  1. On the assessment detail page, click Generate report.
  2. AISafe compiles a PDF with an executive summary and per-finding details.
  3. Download the PDF or share the report URL with stakeholders.

You can export individual findings as issues to GitHub, Jira, or Linear (see Integrations).

Via the API

You can run a code audit through the API. The flow: create a draft, validate it, start it, then poll for completion.

# 1. Create a code audit draft against a public repo
curl -X POST https://api.aisafe.io/api/v1/assessments/drafts \
  -H "Authorization: Bearer $AISAFE_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "assessment_type": "code-audit",
    "name": "api-gateway security audit",
    "source": {
      "kind": "vcs",
      "provider": "github",
      "locator": {
        "mode": "public",
        "repository_url": "https://github.com/example/api-gateway"
      }
    }
  }'

# 2. Validate the draft (use the id from step 1's response)
# Validation clones the repo, resolves the ref, and computes credit cost.
curl -X POST https://api.aisafe.io/api/v1/assessments/drafts/{draft_id}/validate \
  -H "Authorization: Bearer $AISAFE_API_KEY"

# 3. Start the assessment once validation passes (status becomes "ready")
curl -X POST https://api.aisafe.io/api/v1/assessments/drafts/{draft_id}/start \
  -H "Authorization: Bearer $AISAFE_API_KEY"

# 4. Poll for completion (use the assessment code from the start response)
# The "status" field transitions: queued → spawning → running → completed
curl https://api.aisafe.io/api/v1/assessments/{assessment_code} \
  -H "Authorization: Bearer $AISAFE_API_KEY"

# 5. List findings once the assessment is completed
curl "https://api.aisafe.io/api/v1/findings?assessment_id={assessment_code}" \
  -H "Authorization: Bearer $AISAFE_API_KEY"

# 6. Export findings as SARIF
curl "https://api.aisafe.io/api/v1/assessments/{assessment_code}/findings/export?format=sarif" \
  -H "Authorization: Bearer $AISAFE_API_KEY" \
  -o findings.sarif

The assessment code is the public ID (e.g. AIS-ADB-TLP) the start response returns. Use the same code when filtering findings and exporting.
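The same draft → validate → start → poll → list flow as a small Python client, added here as an illustration and not part of AISafe's own SDK or docs. It assumes the draft id is returned in an `id` field and the assessment code in a `code` field (the page names the values but not the field names), and it drives the flow through an injected `request` callable so the documented status sequence can be replayed offline by the constructed `FakeAISafe` stand-in.

```python
import time

API = "https://api.aisafe.io/api/v1"
IN_PROGRESS = ("queued", "spawning", "running")  # documented pre-completion states


def run_code_audit(request, api_key, repo_url, name, poll_interval=0, max_polls=200):
    """request(method, url, headers, json=None) -> decoded JSON body.
    Injected so the identical flow runs against the live API or an offline stand-in."""
    h = {"Authorization": f"Bearer {api_key}"}
    draft = request("POST", f"{API}/assessments/drafts", h, json={
        "assessment_type": "code-audit", "name": name,
        "source": {"kind": "vcs", "provider": "github",
                   "locator": {"mode": "public", "repository_url": repo_url}}})
    draft_id = draft["id"]  # assumed field name for the draft id
    if request("POST", f"{API}/assessments/drafts/{draft_id}/validate", h)["status"] != "ready":
        raise RuntimeError(f"draft {draft_id} did not validate")
    code = request("POST", f"{API}/assessments/drafts/{draft_id}/start", h)["code"]  # assumed
    for polls in range(1, max_polls + 1):
        status = request("GET", f"{API}/assessments/{code}", h)["status"]
        if status == "completed":
            break
        if status not in IN_PROGRESS:  # anything undocumented is treated as a failure
            raise RuntimeError(f"assessment {code} ended in state {status!r}")
        time.sleep(poll_interval)
    else:
        raise TimeoutError(f"assessment {code} still {status!r} after {max_polls} polls")
    findings = request("GET", f"{API}/findings?assessment_id={code}", h)
    return {"code": code, "polls": polls, "findings": findings}


class FakeAISafe:  # constructed offline stand-in replaying the documented status sequence
    def __init__(self):
        self.statuses = iter(["queued", "spawning", "running", "completed"])

    def __call__(self, method, url, headers, json=None):
        assert headers["Authorization"].startswith("Bearer "), "missing API key"
        if url.endswith("/drafts"):
            return {"id": "draft_123", "status": "draft"}
        if url.endswith("/validate"):
            return {"id": "draft_123", "status": "ready"}
        if url.endswith("/start"):
            return {"code": "AIS-ADB-TLP", "status": "queued"}
        if url.endswith("/assessments/AIS-ADB-TLP"):
            return {"code": "AIS-ADB-TLP", "status": next(self.statuses, "completed")}
        if url.endswith("/findings?assessment_id=AIS-ADB-TLP"):
            return [{"severity": "high", "title": "constructed sample finding", "status": "open"}]
        raise AssertionError(f"unexpected call {method} {url}")


if __name__ == "__main__":
    print(run_code_audit(FakeAISafe(), "dummy-key", "https://github.com/example/api-gateway", "demo"))
```

Against the live API, pass a `request` function that issues the HTTP call (for example with `requests.request(method, url, headers=headers, json=json)`) and returns the decoded JSON body.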

Next steps