A manually triggered audit agent for your codebase.

Whitebox source analysis, CVE detection, and reverse verification — LLM-assisted, git-diff aware, and entirely local. Built for teams that want to keep their code, their dependencies, and their audit trail under one roof.

Three pillars

Whitebox source analysis

semgrep and gitleaks for static findings and leaked secrets, plus an LLM-written description of the business-level change. The first run builds a baseline of endpoints and sensitive operations; subsequent runs are git-diff aware and auto-escalate when a diff touches a sensitive area.
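The git-diff-aware scheduling described above, as an added example rather than umibit's own code: the sensitive-path patterns, the Plan type and the rule "a sensitive change escalates the run" are assumptions made for this illustration, and the sample diff is constructed.

```python
"""Added example, not umibit's own code: decide how an incremental whitebox
run should proceed from the files a git diff touched.  Patterns, the Plan
type and the escalation rule are assumptions for this illustration."""
import re
import subprocess
from dataclasses import dataclass, field
from typing import List, Optional

# Hypothetical "sensitive areas": a change under any of these escalates the run.
SENSITIVE_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"(^|/)auth(n|z|entication|orization)?(/|\.|$)",   # auth/, authz.py, ...
    r"(^|/)(login|session|token|jwt|oauth)",
    r"(^|/)(crypto|kms|secrets?)(/|\.|$)",
    r"(^|/)(payment|billing|checkout)",
    r"(^|/)middleware/",
    r"(^|/)(settings|config)\.(py|ya?ml|json)$",
)]


@dataclass
class Plan:
    mode: str                                   # "baseline", "incremental" or "escalated"
    changed: List[str] = field(default_factory=list)
    sensitive: List[str] = field(default_factory=list)


def changed_files(base: str, head: str = "HEAD", repo: str = ".") -> List[str]:
    """Files touched between two commits, via git on PATH (not used by the demo)."""
    out = subprocess.run(
        ["git", "-C", repo, "diff", "--name-only", f"{base}..{head}"],
        check=True, capture_output=True, text=True,
    ).stdout
    return [ln.strip() for ln in out.splitlines() if ln.strip()]


def sensitive_hits(paths: List[str]) -> List[str]:
    """Subset of paths that match any sensitive-area pattern."""
    return [p for p in paths if any(r.search(p) for r in SENSITIVE_PATTERNS)]


def plan_run(last_baseline: Optional[str], changed: List[str]) -> Plan:
    """No recorded baseline commit -> first run, build the baseline.
    Otherwise incremental, escalated when any changed path is sensitive."""
    if last_baseline is None:
        return Plan("baseline", changed)
    hits = sensitive_hits(changed)
    return Plan("escalated" if hits else "incremental", changed, hits)


# Constructed stand-in for `git diff --name-only` output.
SAMPLE_DIFF = [
    "README.md",
    "app/views/profile.py",
    "app/auth/session.py",
    "config/settings.yaml",
]

if __name__ == "__main__":
    for baseline in (None, "0123abc"):
        plan = plan_run(baseline, SAMPLE_DIFF)
        print(f"baseline={baseline!r:10} mode={plan.mode:12} sensitive={plan.sensitive}")
```

The patterns are anchored on path separators so that a file like docs/author.md does not trip the auth rule; tune the list to the repository's actual layout rather than trusting generic names.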

CVE detection

A local SQLite CVE database fed from NVD, OSV, and CISA KEV. SBOM extraction across your project, version-range matching against the affected ranges, and a per-CVE LLM annotation of whether the vulnerable code is reachable from your code paths, so you can triage what actually matters.
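Version-range matching of SBOM components against OSV-style advisory records, as an added example that is not umibit's own code. The SBOM entries, package names and advisory IDs below are constructed placeholders, not real vulnerabilities; the record layout follows the OSV schema's "affected" / "ranges" / "events" shape.

```python
"""Added example, not umibit's own code: match SBOM components against
OSV-style affected-version ranges.  All records below are constructed
placeholders (EXAMPLE-* ids, fake package names), not real advisories."""
import re
from typing import Dict, List, Tuple

Version = Tuple[int, ...]


def parse_version(v: str) -> Version:
    """Numeric dotted versions only (1.2, 2.0.5).  Trailing zeros are dropped so
    that 1.2 == 1.2.0.  Pre-release suffixes are ignored, a simplification;
    production matching should use a PEP 440 / semver library per ecosystem."""
    m = re.match(r"\d+(?:\.\d+)*", v)
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    parts = [int(x) for x in m.group(0).split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def affected_by_events(version: str, events: List[Dict[str, str]]) -> bool:
    """OSV ranges are ascending lists of events (introduced / fixed /
    last_affected).  Walking them in order, the last event at or below the
    component's version decides whether it sits inside an affected interval."""
    v = parse_version(version)
    affected = False
    for ev in events:
        if "introduced" in ev:
            if ev["introduced"] == "0" or parse_version(ev["introduced"]) <= v:
                affected = True
        elif "fixed" in ev:
            if parse_version(ev["fixed"]) <= v:
                affected = False
        elif "last_affected" in ev:
            if parse_version(ev["last_affected"]) < v:
                affected = False
    return affected


def scan_sbom(sbom: List[Dict[str, str]], advisories: List[Dict]) -> List[Dict[str, str]]:
    """One hit per (component, advisory) whose ecosystem and name match and
    whose installed version lies in an affected range."""
    hits = []
    for comp in sbom:
        for adv in advisories:
            for aff in adv.get("affected", []):
                pkg = aff.get("package", {})
                if (pkg.get("ecosystem"), pkg.get("name")) != (comp["ecosystem"], comp["name"]):
                    continue
                for rng in aff.get("ranges", []):
                    if rng.get("type") == "GIT":
                        continue  # commit ranges need a repo, not a version string
                    if affected_by_events(comp["version"], rng.get("events", [])):
                        hits.append({"component": f'{comp["name"]}@{comp["version"]}',
                                     "advisory": adv["id"]})
                        break
    return hits


# Constructed SBOM, as a lockfile parser might emit it.
SBOM = [
    {"ecosystem": "PyPI", "name": "examplelib", "version": "2.0.5"},
    {"ecosystem": "PyPI", "name": "otherlib",   "version": "1.5.0"},
    {"ecosystem": "npm",  "name": "examplelib", "version": "2.0.5"},  # same name, other ecosystem
]

# Constructed advisories in OSV shape; the ids and packages are placeholders.
ADVISORIES = [
    {"id": "EXAMPLE-0001", "affected": [{
        "package": {"ecosystem": "PyPI", "name": "examplelib"},
        "ranges": [{"type": "ECOSYSTEM", "events": [
            {"introduced": "0"}, {"fixed": "1.2.0"},
            {"introduced": "2.0.0"}, {"fixed": "2.1.0"},
        ]}]}]},
    {"id": "EXAMPLE-0002", "affected": [{
        "package": {"ecosystem": "PyPI", "name": "otherlib"},
        "ranges": [{"type": "ECOSYSTEM", "events": [
            {"introduced": "1.0.0"}, {"last_affected": "1.4.9"},
        ]}]}]},
]

if __name__ == "__main__":
    for hit in scan_sbom(SBOM, ADVISORIES):
        print(hit["component"], "->", hit["advisory"])
```

Two of the three components come back clean: otherlib 1.5.0 sits just above the last_affected bound, and the npm examplelib never matches because the ecosystem is part of the key. A match here is only the first step; the reachability annotation the page describes is what separates "present in the SBOM" from "exploitable in this service".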

Reverse verification

Declare intended endpoints, layers, and capabilities in intent.yaml; umibit’s verify pipeline (whitebox → blackbox → vulnmine) flags anything implemented that wasn’t declared, and anything declared that wasn’t implemented.
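The two-way check at the heart of reverse verification (implemented but not declared, declared but not implemented), as an added example that is not umibit's own code. The intent structure stands in for a parsed intent.yaml (in practice loaded with yaml.safe_load), the Flask-style source file is constructed, and the route regex is a deliberately simple illustration rather than umibit's whitebox extractor.

```python
"""Added example, not umibit's own code: diff declared endpoints against
endpoints found in source.  INTENT stands in for a parsed intent.yaml and
SOURCE is a constructed Flask-style module; both are illustrations."""
import re
from typing import Dict, List, Set, Tuple

Endpoint = Tuple[str, str]  # (METHOD, path)

# Constructed stand-in for the parsed contents of intent.yaml.
INTENT = {
    "endpoints": [
        {"method": "GET",  "path": "/users"},
        {"method": "POST", "path": "/users"},
        {"method": "GET",  "path": "/users/{id}"},
        {"method": "POST", "path": "/admin/export"},   # declared, never built
    ]
}

# Constructed Flask-style source.  Only double-quoted paths are handled here.
SOURCE = '''
@app.route("/users", methods=["GET", "POST"])
def users(): ...

@app.route("/users/<int:id>")
def user(id): ...

@app.route("/debug/env", methods=["GET"])   # left in by accident, not in intent
def debug_env(): ...
'''

ROUTE_RE = re.compile(
    r'@app\.route\(\s*"(?P<path>[^"]+)"'
    r'(?:\s*,\s*methods\s*=\s*\[(?P<methods>[^\]]*)\])?\s*\)'
)


def normalize_path(path: str) -> str:
    """Map Flask '<int:id>' / '<id>' converters to the '{id}' form used in intent."""
    return re.sub(r"<(?:\w+:)?(\w+)>", r"{\1}", path)


def implemented_endpoints(src: str) -> Set[Endpoint]:
    """Every (METHOD, path) pair a route decorator registers."""
    found: Set[Endpoint] = set()
    for m in ROUTE_RE.finditer(src):
        methods = m.group("methods")
        names = re.findall(r'"(\w+)"', methods) if methods else ["GET"]  # Flask default
        for meth in names:
            found.add((meth.upper(), normalize_path(m.group("path"))))
    return found


def declared_endpoints(intent: Dict) -> Set[Endpoint]:
    return {(e["method"].upper(), e["path"]) for e in intent.get("endpoints", [])}


def verify(intent: Dict, src: str) -> Dict[str, List[Endpoint]]:
    """Both directions of the check: surface area nobody declared, and
    promised surface area that does not exist."""
    declared = declared_endpoints(intent)
    implemented = implemented_endpoints(src)
    return {
        "undeclared": sorted(implemented - declared),
        "unimplemented": sorted(declared - implemented),
    }


if __name__ == "__main__":
    for kind, eps in verify(INTENT, SOURCE).items():
        for meth, path in eps:
            print(f"{kind:14} {meth:5} {path}")
```

The undeclared direction is the one with security weight: a /debug/env route that nobody wrote down is exactly the kind of surface a reviewer never looks at. The unimplemented direction is still worth surfacing, because a declared-but-missing endpoint usually means the intent file has drifted and the next undeclared finding will be dismissed as noise.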

Install

pip install -e .
export ANTHROPIC_API_KEY=...        # required for LLM steps
export NVD_API_KEY=...              # optional, raises NVD rate limit

External tools required on PATH: semgrep (pip install semgrep) and gitleaks (brew install gitleaks).

Usage

# 1. Init
umibit init my-app --path /path/to/repo

# 2. Whitebox — auto first-run vs incremental
umibit run code my-app
umibit run backdoor my-app
umibit run business my-app
umibit run flow my-app

# 3. CVE
umibit cve update                 # NVD + OSV + KEV
umibit cve scan my-app            # SBOM vs local DB
umibit cve watch --interval 3600  # background refresh

# 4. Verify
umibit verify spec init my-app
umibit verify run my-app

# 5. Report + triage
umibit report my-app
umibit report my-app --diff <run_a> <run_b>
umibit triage <finding_id> --status false_positive --project my-app

Active probes (dast, authz, server) touch a running target and therefore refuse to run without --i-have-authorization. All state lives under ./.umibit/; the CVE cache is shared across projects.

About the name

海 (umi) — Japanese for sea. Add bit and you get “the byte in the depths”: somewhere in the vast surface area of a codebase, a vulnerability is drifting; umibit is what you send down to find it.

umibit is part of the hanabit (+bit, “petal-byte”) brand family. Where hanabit is bright, small, and outward, umibit is wide, deep, and inward — the sea to its flower. Together they map a natural pair: the surface you show and the depth you secure.

License

umibit ships under two licenses. Pick the one that fits.

Open source — AGPL-3.0-or-later

Free. See LICENSE for the full text. Use it for anything, including in your own organization, in CI, in research, in your own open source projects. Standard AGPL terms apply.

Commercial

For anyone who wants to:

A separate paid commercial license is available. See the commercial license terms or email [email protected].

Same dual-license model as GitLab, MongoDB (early), and Sentry. Contributions require the DCO sign-off and an inbound license grant per CONTRIBUTING.md. The name “umibit” and its mark are protected by the project trademark policy; the AGPL covers the source code, not the brand.

For security vulnerabilities, please email [email protected] rather than opening a public issue.