We're open-sourcing Sighthound today, our rules-based static security scanner. What makes it special is that it's coded in rust and uses tree-sitter as it's AST making it very fast and easily extensible.
Why build another scanner in 2026? We wanted to improve some of our detection outcomes but noticed the current open source scanners like Semgrep/Opengrep we're capped by a bunch of adoption limitations such as being written in OCaml, requiring a lot of work to add a language parser, and the rulesets were licensed differently and required paid offerings. It also felt that licensing was moving backwards rather than forward.
We wanted something that was very fast, was easily extensible and had a great set of rules that we could use. This led us to using Rust and Tree-sitter since they are both fast and have great community adoption making extending Sighthound natural.
We wanted it to focus on source-code vulnerability classes like Sql Injection, and Xss. We haven't yet done any secrets scanning as there are a lot of great options in the market at the moment. Right now, Sighthound supports Python, JS/TS, Java, Go, C#, HTML, PHP and Ruby.
We still have a lot of work to do so, we'd love for your feedback, and contributions in however they come from adding new languages, new rules or bug fixes.
OpenAI building security tooling is the natural next step after AI-powered code generation, if AI writes the code, AI will need to find and fix the bugs in it too. The interesting question is whether this stays infra-focused or moves toward application-layer security.
Interesting approach, catching vulns at commit time before CI runs saves cycles. The challenge is always false positive rate at that stage and the AI inference time. How fast is the review? I saw the demo video and it seems you cut to the results.
Delaying vulnerability disclosure for political reasons undermines the entire coordinated disclosure model. If researchers learn that findings get buried when inconvenient, they stop reporting through official channels.
The Corgea team has found a High vulnerability in Axios using our security research agent. This 0-day affects millions of globally. The cost of finding this vulnerability was <$10 and 15 mins of time. It didn't use Mythos or Fable but rather GPT-5.4 which is a fraction of the cost of these systems.
Hi there, I'm Ahmad, CEO at Corgea, and the author of the white paper. We do actually use LLMs to find the vulnerabilities AND triage findings. For the majority of our scanning, we don't use traditional static analysis. At the core of our engine is the LLM reading the line of code to find CWEs in them.
Very interesting. Thanks for sharing the insights!
Would've it made more sense to separate this testing out to a different instance of your product? This would've probably helped distinguish between real and bounty users.