mythos-agent is an open-source AI code-review assistant focused on application security. It scans codebases, identifies likely security issues, explains its reasoning, and proposes fixes. Hosted at github.com/mythos-agent/mythos-agent, the TypeScript project has 15 GitHub stars and positions itself as a guard for code, akin to a security team reviewer. Developers run it on their repositories to catch patterns like race conditions or auth bypasses before they reach production.

The tool draws from 15 wired scanners, 28 experimental ones, and over 329 rules. It processes code in phases—reconnaissance to spot entry points, hypothesis generation, analysis with tools like Semgrep, Gitleaks, and Trivy, and reproduction of finding chains. Output ranks findings by confidence (confirmed, likely, possible) and dismisses false positives. For instance, a sample run flags a high-confidence race condition in src/payments.ts:45 and an auth bypass in src/auth.ts:78, showing 3 confirmed issues amid 15 total findings.

Core features

mythos-agent structures its reviews around security hypotheses, mimicking human analysis:

  • Hunt mode: Primary command that runs full scans, generating hypotheses like concurrent payment double-charging or JWT validation gaps.
  • Phased workflow: Reconnaissance identifies entry points (e.g., 12 in Express/TypeScript/PostgreSQL apps); analysis yields findings and dismissals (e.g., 22 false positives); reproduction tests chains.
  • Confidence ranking: Categorizes issues as high/medium/low, with summaries like "3 confirmed | 8 likely | 4 possible".
  • Variant analysis: Checks for mutations of known CVEs, beyond standard scans.
  • Fix suggestions: Provides actionable changes, which users accept or reject.

Hunt mode and variant analysis are the two entry points for deeper dives. The tool integrates established scanners and layers AI reasoning on top. The project ships under the MIT license, requires Node >=20, and offers a Discord for support. Security docs cover vulnerability-disclosure SLAs, the EU Cyber Resilience Act (CRA) stance, a threat model, and CycloneDX SBOMs for compliance.

Getting it running

Installation is straightforward via npm, as it's published on npmjs.com/package/mythos-agent. No global install needed for trials—use npx directly.

Run the core hunt command in your project root:

npx mythos-agent hunt

This triggers the full AI-assisted review. Expect output like:

🔐 mythos-agent hunt — AI Code-Review Assistant

✔ Phase 1: Reconnaissance — 12 entry points, express, typescript, postgresql
✔ Phase 2: Hypothesis — 8 security hypotheses generated
✔ Phase 3: Analysis — 15 findings (semgrep, gitleaks, trivy, built-in), 22 false positives dismissed
✔ Phase 4: Reproduction — 2 finding chains, 3 reproductions

For persistent use, install locally:

npm install mythos-agent
npx mythos-agent hunt

The tool detects languages and frameworks automatically (e.g., Express, TypeScript, PostgreSQL). CI workflows are referenced via a GitHub Actions badge. Releases include Sigstore signing, and LTS/EOL policies are documented in RELEASES.md. Check your Node version first; it must be >=20.

The README TOC lists further sections on hunt mode details, variant analysis, and integrations. Full options appear with npx mythos-agent --help. Development setup follows CONTRIBUTING.md, which marks good-first-issues.

How it works under the hood

mythos-agent operates like a security reviewer walking through code. It starts with reconnaissance, cataloging entry points such as APIs or database calls. Hypothesis phase generates testable security assumptions based on patterns and CVE variants.

Analysis pulls from 15 production scanners (e.g., Semgrep for static analysis, Gitleaks for secrets, Trivy for vulnerabilities) plus 28 experimental ones, applying 329+ rules. It dismisses false positives automatically—22 in the demo—and ranks the rest. Reproduction verifies exploit chains, confirming issues like double-charging via concurrent requests.
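The reproduction step above is where a race such as the payments double-charge gets confirmed. The following is an added example, not code from the mythos-agent project, that models that race deterministically in TypeScript: a check-then-act payment handler interleaved as two concurrent requests, beside a version that claims the order atomically before awaiting. The ledger, handler names and order id are constructed for the illustration.

```typescript
// Added example, not mythos-agent code: a deterministic model of the "concurrent payment
// double-charging" race a hunt run hypothesises for a payments handler, beside the fix.
// The ledger, handler names and order id are constructed for the illustration.

type Ledger = { charged: Set<string>; charges: string[] };
type Handler = (ledger: Ledger, orderId: string) => Generator<void, boolean>;

// Vulnerable check-then-act: the "already charged?" read and the charge write are split by
// an await (modelled as `yield`), so two requests can both observe "not charged".
function* chargeVulnerable(ledger: Ledger, orderId: string): Generator<void, boolean> {
  const alreadyCharged = ledger.charged.has(orderId); // read
  yield;                                              // simulated await, e.g. a DB round-trip
  if (alreadyCharged) return false;
  ledger.charges.push(orderId);                       // act: the card is charged here
  ledger.charged.add(orderId);
  return true;
}

// Fixed handler: claim the order synchronously before any await, so the second request sees
// the claim. In a real service this is a unique constraint or atomic insert keyed on the order id.
function* chargeFixed(ledger: Ledger, orderId: string): Generator<void, boolean> {
  if (ledger.charged.has(orderId)) return false;
  ledger.charged.add(orderId);                        // atomic claim
  yield;                                              // the same simulated await
  ledger.charges.push(orderId);
  return true;
}

// Round-robin scheduler: advances each in-flight request one step at a time, the same
// interleaving a reproduction would drive with two simultaneous HTTP requests.
function runConcurrently(requests: Generator<void, boolean>[]): boolean[] {
  const results: boolean[] = requests.map(() => false);
  const queue = requests.map((gen, i) => ({ gen, i }));
  while (queue.length > 0) {
    const { gen, i } = queue.shift()!;
    const step = gen.next();
    if (step.done) results[i] = step.value;
    else queue.push({ gen, i });
  }
  return results;
}

// Number of charges recorded after two concurrent requests for the same order:
// 2 for chargeVulnerable (double charge), 1 for chargeFixed.
function chargeCount(handler: Handler): number {
  const ledger: Ledger = { charged: new Set(), charges: [] };
  runConcurrently([handler(ledger, "order-42"), handler(ledger, "order-42")]);
  return ledger.charges.length;
}
```

The in-memory set stands in for the database; the point that survives translation is that the claim must happen in the same atomic step as the check, before any await.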

Findings display with file paths, labels (e.g., race-condition), and confidence levels. High issues get priority, like HYPO-001 for payments. Users review suggestions inline. For teams, SECURITY.md outlines SLAs; EU CRA docs declare its role for downstream manufacturers, with OpenSSF Best Practices targeted for June 2026.

The VISION.md frames it as evolving toward full security team simulation. ROADMAP.md and a pinned H1 2026 issue detail active plans, including 🙋 help-wanted tasks.

Who this is for

Developers adding security checks to workflows benefit most—run it pre-PR for quick feedback, as in the 10-second demo GIF. Security teams use it for scalable reviews, especially with variant analysis on CVE mutations.

New contributors find entry via good-first-issues in CONTRIBUTING.md. Compliance-focused orgs, like EU CRA downstream manufacturers, leverage SBOMs, threat models, and versioning for audits. Solo devs or small teams on Node/TypeScript stacks (Express, PostgreSQL) get value from its lightweight npx start.

It is less suited to massive monorepos without customization, since the demos show scans of typical app sizes. Non-JS/TS projects may see partial coverage, depending on scanner support.

Integrations and alternatives

Built-in scanners like Semgrep, Gitleaks, and Trivy mean it complements those tools without replacing them—AI adds hypothesis and reasoning layers. GitHub Actions integration supports CI/CD pipelines.

For broader ecosystems, check the integrations section in README. Discord aids real-time queries.

Alternatives include standalone scanners: Semgrep for SAST rules (fewer AI explanations), Trivy for container/vuln scans (no hypothesis phase), or Gitleaks for secrets (narrower scope). Commercial options like Snyk or SonarQube offer enterprise polish but are closed-source and cost money. mythos-agent stands out for open-source AI at zero price, though with 15 stars it is early-stage compared with Semgrep's maturity.

Heavier tools like CodeQL demand GitHub setup; mythos-agent runs locally via npx. If you need pure static analysis without AI, stick to Semgrep alone—mythos-agent is heavier due to LLM phases.

It has a smaller footprint than full IDE plugins, but the 28 experimental scanners may yield noisier results than the 15 wired ones.

For self-hosting fans, it is npm-native with no Docker in the quick start, which keeps setup simple.

The roadmap targets more scanners and rules. Visit mythos-agent.com for docs or join Discord. Source is at github.com/mythos-agent/mythos-agent. Early adopters track the pinned roadmap issue for H1 2026 progress.