OpenAnt from Knostic is an open source LLM-based vulnerability discovery product that helps defenders proactively find verified security flaws while minimizing both false positives and false negatives. Stage 1 detects. Stage 2 attacks. What survives is real.
We're pretty proud of this product and are in the vulnerability disclosure process for its findings, but do keep in mind that this started as a research project, and some of its features are still in beta. We welcome contributions to make it better.
Considering the explosion of AI-discovered vulnerabilities, we hope OpenAnt will be the tool helping open source maintainers stay ahead of attackers, where they can use it themselves or submit their repo for scanning at no cost.
Then, since Knostic's focus is on protecting agents and coding assistants and not vulnerability research or application security, and we like open source, we decided to release OpenAnt under the Apache 2 license. Besides, you may have heard about Aardvark from OpenAI (now Codex Security) and Claude Code Security from Anthropic, and we have zero intention of competing with them.
For technical details, limitations, and token costs, check out this blog post: https://knostic.ai/blog/openant
To submit your repo for scanning: https://knostic.ai/blog/oss-scan
- Go
- Python
- JavaScript/TypeScript (beta)
- C/C++ (beta)
- PHP (beta)
- Ruby (beta)
Research and ideation: Nahum Korda.
Productization: Alex Raihelgaus, Daniel Geyshis.
With thanks to: Michal Kamensky, Imri Goldberg, Gadi Evron, Daniel Cuthbert. Josh Grossman, and Avi Douglen.
If you like our work, check out what we do at Knostic to defend your agents and coding assistants, prevent them from deleting your hard drive and code, and control associated supply chain risks such as MCP servers, extensions, and skills.
Build the CLI binary (requires Go 1.25+):
cd apps/openant-cli && make buildThis compiles the Go source and outputs the binary to apps/openant-cli/bin/openant.
Symlink it onto your PATH so you can run openant from anywhere:
ln -sf "$(pwd)/apps/openant-cli/bin/openant" /usr/local/bin/openantNote: run this from the repo root so $(pwd) resolves to the correct absolute path.
Set your Anthropic API key (required for analyze, verify, and scan):
openant set-api-key <your-key>The key must have access to the Claude Opus 4.6 model. Get a key at console.anthropic.com.
OpenAnt creates two directories:
~/.config/openant/— CLI configuration (config.json). Stores your API key, active project, and preferences. File permissions are restricted to0600.~/.openant/— Project data. Each initialized project gets a workspace under~/.openant/projects/<org>/<repo>/containingproject.jsonand ascans/directory with per-commit outputs.
Point OpenAnt at a repository. The -l flag (language) is required — use go or python.
# Remote — clones the repo
openant init <repo-url> -l go
# Remote — pin to a specific commit
openant init <repo-url> -l go --commit <sha>
# Local — references the directory in-place
openant init <path-to-repo> -l go --name <org/repo>This creates a project workspace and sets it as the active project. All subsequent commands operate on the active project automatically — no path arguments needed.
Each step picks up the output of the previous one from the project's scan directory:
openant parse
openant enhance
openant analyze
openant verify
openant build-output
openant report -f summaryOr run the full pipeline in one command:
openant scan --verifyThe pipeline operates on one project at a time. Running openant init sets the newly initialized project as the active one, so all subsequent commands target it by default.
If you're working with several projects, you have two options:
# Option 1: switch the active project
openant project switch org/repo
openant parse
# Option 2: target a project directly with -p
openant parse -p org/repoopenant project list # shows all projects, marks active
openant project show # details of active project
openant project switch <org/repo> # switch active projectThis project is licensed under Apache 2. See the LICENSE file for details.
This project is intended for defensive and research purposes only. OpenAnt is still in the research phase, use it carefully and at your own risk. Knostic, OpenAnt, and associated developers, researchers, and maintainers assume no responsibility whatsoever for any misuse, damage, or consequences arising from the use of this tool.
Only scan code you own or have explicit permission to test. If you discover a vulnerability in someone else's project through legitimate means, please follow coordinated vulnerability disclosure practices and report it to the maintainers before making it public.
