whatisgithub

What is ai-deep-sast?

cisco-open/ai-deep-sast — explained in plain English

Analysis updated 2026-05-18

20PythonAudience · ops devopsComplexity · 4/5Setup · hard

In one sentence

A code security scanner from Cisco that combines the Semgrep rule engine with AI models to find and explain vulnerabilities.

Mindmap

mindmap
  root((ai-deep-sast))
    What it does
      AI-assisted security scanning
      Static analysis
    Tech stack
      Semgrep
      Python
      tree-sitter
    Use cases
      Fast CI scan
      Deep PR analysis
      Secret detection
    Audience
      DevOps and security teams

Code map

Detail Auto

An interactive map of this repo's files and how they connect — its source is parsed live in your browser. Click Visualize to build it.

filefunction / class

What do people build with it?

USE CASE 1

Run a fast AI-assisted security scan on every code push in CI.

USE CASE 2

Run a deep whole-codebase AI security analysis on pull requests.

USE CASE 3

Generate a structured vulnerability report with severity and a suggested code fix.

USE CASE 4

Detect hardcoded passwords and API keys in configuration files.

What is it built with?

PythonSemgrepDockertree-sitter

How does it compare?

cisco-open/ai-deep-sastalex72-py/aria-termuxanime0t4ku/gentleman
Stars202020
LanguagePythonPythonPython
Setup difficultyhardmoderatemoderate
Complexity4/52/52/5
Audienceops devopsdevelopergeneral

Figures from each repo's GitHub metadata at analysis time.

How do you get it running?

Difficulty · hard Time to first run · 1h+

Deep scans can take 30 minutes to 14 hours, fast local scans are optimized for Apple Silicon.

So what is it?

AI Deep SAST is a security scanning tool from Cisco's open-source team that checks code for vulnerabilities. SAST stands for Static Application Security Testing, meaning it analyzes code without running it. This tool combines a rule-based scanner called Semgrep with AI language models to go beyond what pattern matching alone can catch. It offers two scan modes. The fast scan runs Semgrep to find potential issues, then uses a smaller local AI model (an 8-billion-parameter model called Foundation-Sec-8B that runs on your machine) to evaluate each finding and decide whether it is a real problem. This takes about five minutes. The deep scan indexes the entire codebase using a code-parsing library called tree-sitter, then sends the results to a larger cloud AI model such as GPT-4o or Claude for a whole-codebase analysis. That process can take anywhere from 30 minutes to 14 hours depending on codebase size and configuration. For each vulnerability it finds, the tool produces a structured report covering the type of vulnerability, how severe it is, what an attacker could do with it, how it affects the business, and how to fix it with corrected example code. It also scans configuration files for hardcoded passwords and API keys. Reports can be saved as Markdown, JSON, or JUnit XML (a format compatible with CI/CD tools like Jenkins). The tool is designed to plug into a continuous integration pipeline. The fast Semgrep pass runs on every code push, the AI analysis runs only on pull requests or when manually triggered, keeping routine commits fast. It is written in Python and supports Docker for reproducible environments. Local fast scans are optimized for Apple Silicon Macs but also support NVIDIA GPUs. A full test suite of over 240 tests is included.

Copy-paste prompts

Prompt 1
Set up AI Deep SAST's fast scan mode to run on every push in my CI pipeline.
Prompt 2
Configure AI Deep SAST's deep scan to analyze my whole codebase using Claude or GPT-4o.
Prompt 3
Explain the vulnerability report AI Deep SAST generated for my project and how to fix each issue.

Frequently asked questions

What is ai-deep-sast?

A code security scanner from Cisco that combines the Semgrep rule engine with AI models to find and explain vulnerabilities.

What language is ai-deep-sast written in?

Mainly Python. The stack also includes Python, Semgrep, Docker.

How hard is ai-deep-sast to set up?

Setup difficulty is rated hard, with roughly 1h+ to a first successful run.

Who is ai-deep-sast for?

Mainly ops devops.

Open on GitHub → Ask about another repo

This repo across BitVibe Labs

Verify against the repo before relying on details.