AI-powered vulnerability scanner and auto-fixer for Node.js and Python projects using LangChain + Snyk/pip-audit.
- Discovers Node.js and Python projects (finds
package.jsonandpyproject.tomlfiles) - Installs dependencies and runs tests using appropriate package managers
- Scans for vulnerabilities using Snyk (Node.js) or pip-audit (Python/uv projects)
- Fixes vulnerable dependencies automatically
- Validates fixes by re-running tests
- Python 3.13+ (Note: GitHub Action currently uses Python 3.12 - this may need updating)
- uv (Python package installer and resolver)
- OpenAI-compatible LLM API (tested with LiteLLM + Claude Sonnet)
- For Node.js projects: Snyk CLI installed and authenticated, Node.js ecosystem tools (npm, yarn, pnpm, bun)
- For Python projects: pip-audit (installed via uvx automatically)
This tool is designed to run exclusively as a GitHub Action. It requires the GITHUB_WORKSPACE environment variable and
is not intended for local CLI usage.
Before using this tool, you need to create and configure a GitHub App:
-
Create a GitHub App in your organization or personal account
- Go to Settings → Developer settings → GitHub Apps → New GitHub App
- Set required permissions:
- Contents: Write (to modify files)
- Pull requests: Write (to create PRs)
- Metadata: Read (basic repository access)
-
Install the GitHub App on repositories where you want to use the vulnerability scanner
Add this GitHub Action to your repository workflow:
name: Vulnerability Eating Agent
on:
schedule:
- cron: '0 2 * * 1' # Weekly on Monday at 2 AM
workflow_dispatch:
jobs:
scan-and-fix:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Run Vulnerability Eating Agent
uses: spring-media/vulnerability-eating-agent@main
with:
path: "/the/root/path/to/your/project"
api_token: "your-api-key"
api_endpoint: "https://litellm.com/v1/"
bedrock_model_reference: "claude-4-sonnet-20240229"
private_key: "your-github-app-private-key"
app_installation_id: "your-github-installation-id"
repository_name: "your-org/your-repo"
app_id: "your-github-app-id"
snyk_token: "your-snyk-api-token"
github_auto_merge: "true"
github_npm_token: "your-github-npm-token"
requirements_output_file_name: "requirements.txt"The agent will:
- Create
vea.jsonwith project metadata in the target directory - Attempt to fix vulnerabilities by updating
package.json(Node.js) orpyproject.toml(Python) - For Python projects: Generate
requirements.txtfrom uv and scan with pip-audit - Never modify lock files directly
- Rollback changes if tests fail
- Create a pull request with the fixes via GitHub App integration
- LangChain ReAct Agent with file management and shell tools
- LLM Integration via OpenAI-compatible APIs (tested with LiteLLM + Claude, easily extensible)
- Vulnerability Detection:
- Node.js projects: Snyk
- Python projects: pip-audit (since Snyk doesn't support uv yet)
- Package Management:
- Node.js: npm, yarn, pnpm, bun
- Python: uv for dependency management and virtual environments
- Multi-stage prompts for discovery → install → scan → fix
While this tool is designed to run as a GitHub Action, you can set it up locally for development and testing.
- Python 3.13+
- uv (Python package installer and resolver)
- Node.js and npm
- Git
-
Clone the repository
git clone https://github.com/spring-media/vulnerability-eating-agent.git cd vulnerability-eating-agent -
Install Python dependencies
# Using uv (recommended) pip install uv uv sync # Alternative: using pip pip install -e .
-
Install Node.js tools
# Install package managers npm install -g yarn pnpm # Install Snyk CLI npm install -g snyk snyk auth # Follow prompts to authenticate
The tool requires the GITHUB_WORKSPACE environment variable to be set:
export GITHUB_WORKSPACE="/path/to/your/test/workspace"All configuration is passed as command-line parameters:
# Navigate to your test workspace
cd /path/to/test/workspace
export GITHUB_WORKSPACE=$(pwd)
# Run the vulnerability eating agent using uv
uv run vea controller \
--path "/the/root/path/to/your/project" \
--api-token "your-api-key" \
--api-endpoint "https://litellm.com/v1/" \
--bedrock-model-reference "claude-4-sonnet-20240229" \
--private-key "your-github-app-private-key" \
--app-installation-id "your-github-installation-id" \
--repository-name "your-org/your-repo" \
--app-id "your-github-app-id" \
--github-user-name "Vulnerability Eating Agent" \
--github-user-email-address "[email protected]" \
--github-auto-merge "true" \
--requirements-output-file-name "requirements.txt"--path: Root path to scan (default: ".")--api-token: Your LLM API token (required)--api-endpoint: LLM API endpoint--bedrock-model-reference: Model reference (required)--private-key: GitHub App private key (required)--app-installation-id: GitHub App installation ID (required)--repository-name: Repository name in format "org/repo" (required)--app-id: GitHub App ID (required)--github-user-name: GitHub user name (default: "Vulnerability Eating Agent")--github-user-email-address: GitHub user email (default: "[email protected]")--github-auto-merge: Enable auto-merge for pull requests (default: "F")--requirements-output-file-name: Output file name for uv requirements (default: "requirements.txt")
-
Test project discovery
- Create directories with
package.jsonfiles (Node.js projects) - Create directories with
pyproject.tomlfiles (Python projects) - Verify the tool finds all supported projects
- Create directories with
-
Test vulnerability scanning
- Node.js projects: Use projects with known vulnerabilities and check Snyk integration
- Python projects: Use projects with known vulnerabilities and check pip-audit integration
-
Test AI fixes
- Node.js: Monitor how the AI agent modifies
package.json - Python: Monitor how the AI agent modifies
pyproject.tomland handles uv workflows - Verify rollback functionality when tests fail
- Node.js: Monitor how the AI agent modifies