whatisgithub

What is crysa?

zoroo2626/crysa — explained in plain English

Analysis updated 2026-05-18

0PythonAudience · developerComplexity · 3/5Setup · easy

In one sentence

Crysa is a command line security scanner that uses an LLM to reason about code like a bug bounty hunter, catching logic flaws regex-based scanners miss.

Mindmap

mindmap
  root((Crysa))
    What it does
      LLM code security review
      Finds logic vulnerabilities
      Explains and fixes findings
    Tech stack
      Python
      CLI
      MCP
    Use cases
      Scan code for auth bugs
      Watch code as agent writes it
      Fail CI on new findings
    Audience
      Developers
      Security researchers

Code map

Detail Auto

An interactive map of this repo's files and how they connect — its source is parsed live in your browser. Click Visualize to build it.

filefunction / class

What do people build with it?

USE CASE 1

Scan a codebase for logic-level security bugs an AI coding agent introduced.

USE CASE 2

Watch a project directory and re-scan automatically as code changes.

USE CASE 3

Fail a CI pipeline when new security findings appear in a pull request.

USE CASE 4

Generate a detailed proof-of-concept writeup for a specific vulnerability.

What is it built with?

PythonCLIMCPSARIF

How does it compare?

zoroo2626/crysa0xhassaan/nn-from-scratch3ks/embedoc
Stars00
LanguagePythonPythonPython
Last pushed2023-06-08
MaintenanceDormant
Setup difficultyeasymoderatehard
Complexity3/54/51/5
Audiencedeveloperdeveloperdeveloper

Figures from each repo's GitHub metadata at analysis time.

How do you get it running?

Difficulty · easy Time to first run · 5min

Requires an OpenAI-compatible API key, no Docker or database needed.

No license information is stated in the README.

So what is it?

Crysa is a command line tool built to catch security problems in code, but it takes a different approach than typical scanning tools. Rather than matching known bad patterns with regular expressions, it sends your code to a large language model and asks it to reason about the code the way a human bug bounty hunter would, thinking about what an attacker could actually do with it. The README explains that this matters because AI coding assistants can write functional code quickly while still missing subtle logic mistakes, such as forgetting to check whether a user actually owns the item they are updating, or accepting more fields in a request than the developer intended. These are the kinds of bugs a traditional pattern based scanner tends to miss, since they require understanding what the code is supposed to do rather than just its syntax. Before reviewing files, Crysa first builds an internal snapshot of the project, learning what web framework is used, how authentication works, what routes exist, and what user roles are defined, so its later reasoning about each file has real context. Installation is a simple pip install, with no Docker container or database required, and it can connect to any API service that follows the OpenAI request format. Once installed, a user can scan a whole folder or a single file, watch a folder continuously while an AI coding agent is actively writing code, or scan just the changes in a git diff before committing. Results can be shown directly in the terminal, saved as JSON, or exported in the SARIF format used by GitHub's code scanning feature, which makes it usable inside a continuous integration pipeline. There is also a mode that runs Crysa as an MCP server so AI coding tools like Claude Code or Cursor can call it directly, and a command that generates a detailed writeup and proof of concept for any single finding.

Copy-paste prompts

Prompt 1
Install Crysa and run crysa init to set it up for my project.
Prompt 2
Scan my ./src directory with Crysa and only show HIGH and CRITICAL findings.
Prompt 3
Set up Crysa to watch my project while my AI coding agent writes code.
Prompt 4
Show me how to run Crysa as an MCP server for Claude Code or Cursor.

Frequently asked questions

What is crysa?

Crysa is a command line security scanner that uses an LLM to reason about code like a bug bounty hunter, catching logic flaws regex-based scanners miss.

What language is crysa written in?

Mainly Python. The stack also includes Python, CLI, MCP.

What license does crysa use?

No license information is stated in the README.

How hard is crysa to set up?

Setup difficulty is rated easy, with roughly 5min to a first successful run.

Who is crysa for?

Mainly developer.

Open on GitHub → Ask about another repo

This repo across BitVibe Labs

Verify against the repo before relying on details.