Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 4 additions & 0 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,8 @@
[![SARIF 2.1.0](https://img.shields.io/badge/output-SARIF%202.1.0-orange)](#ci--enterprise-integration)
[![License: MIT](https://img.shields.io/badge/license-MIT-lightgrey)](LICENSE)

A senior pentester's "here's what to test and how" handoff — auto-generated from your repo, for your AI agent to execute.

<!-- docguard:quality negation-load off — "no LLM / no server / no running app / not a SaaS / never touches prod" is this tool's core positioning; defining it by contrast with the scanners-and-SaaS it deliberately is NOT is intentional, not a phrasing defect. -->

> Local-first security recon that **briefs your AI coding agent**. It does the deterministic
Expand All @@ -15,6 +17,8 @@
> Gemini, Cursor) a marching-orders briefing. **Code in, artifacts out. No LLM in the tool, no
> server, no running app required.**

[![websec-validator demo](assets/demo.gif)](assets/demo.gif)

It is *not* an autonomous scanner and *not* a SaaS. It's the missing front-half: the thing that
turns a repo into a precise, fact-grounded security brief an AI agent (with a human in the loop)
can act on — an auto-filled, repo-aware version of a senior pentester's "here's what to test and
Expand Down
Binary file added assets/demo.gif
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
37 changes: 37 additions & 0 deletions assets/demo.tape
Original file line number Diff line number Diff line change
@@ -0,0 +1,37 @@
# demo.tape — regenerates assets/demo.gif with charmbracelet/vhs.
#
# Render:
# 1. Install websec so `websec` is on PATH (e.g. `pipx install websec-validator`).
# 2. Clone the demo target: git clone --depth 1 https://github.com/erev0s/VAmPI /tmp/VAmPI
# 3. From the repo root: vhs assets/demo.tape
#
# Requires: vhs + its ttyd/ffmpeg deps (`brew install vhs`).
# VAmPI is a deliberately-vulnerable API from our proof-harness corpus, so
# scanning it is expected use. `websec run` is read-only recon (no --scan here).

Output assets/demo.gif

Set Shell "bash"
Set FontSize 20
Set Width 1200
Set Height 640
Set Theme "Catppuccin Mocha"
Set TypingSpeed 40ms
Set Framerate 24
Set Padding 20

# Clean, minimal prompt — hidden from the recording.
Hide
Type "export PS1='$ '" Enter
Type "clear" Enter
Show

# 1) Point it at a repo — deterministic recon maps the whole attack surface in ~1s.
Type "websec run /tmp/VAmPI"
Enter
Sleep 4s

# 2) The product: the marching-orders briefing your AI agent executes.
Type "head -48 websec-out/latest/AGENT-BRIEFING.md"
Enter
Sleep 6s