-### 🤖 Agent 审计入口
+### Agent Audit Entry
-.png)
+
-*首页快速进入 Multi-Agent 深度审计*
+*Quick access to Multi-Agent deep audit from homepage*
+
-*首页快速进入 Multi-Agent 深度审计*
+*Quick access to Multi-Agent deep audit from homepage*
|
-📋 审计流日志 -  -实时查看 Agent 思考与执行过程 +Audit Flow Logs + +Real-time view of Agent thinking and execution process |
-🎛️ 智能仪表盘 -  -一眼掌握项目安全态势 +Smart Dashboard + +Grasp project security posture at a glance |
|
-⚡ 即时分析 -  -粘贴代码 / 上传文件,秒出结果 +Instant Analysis + +Paste code / upload files, get results in seconds |
-🗂️ 项目管理 -  -GitHub/GitLab 导入,多项目协同管理 +Project Management + +GitHub/GitLab import, multi-project collaboration |
-### 📊 专业报告
+### Professional Reports
-
+
-*一键导出 PDF / Markdown / JSON*(图中为快速模式,非Agent模式报告)
+*One-click export to PDF / Markdown / JSON* (Quick mode shown, not Agent mode report)
-👉 [查看Agent审计完整报告示例](https://lintsinghua.github.io/)
+[View Full Agent Audit Report Example](https://lintsinghua.github.io/)
---
-## ⚡ 项目概述
+## Overview
-**DeepAudit** 是一个基于 **Multi-Agent 协作架构**的下一代代码安全审计平台。它不仅仅是一个静态扫描工具,而是模拟安全专家的思维模式,通过多个智能体(**Orchestrator**, **Recon**, **Analysis**, **Verification**)的自主协作,实现对代码的深度理解、漏洞挖掘和 **自动化沙箱 PoC 验证**。
+**DeepAudit** is a next-generation code security audit platform based on **Multi-Agent collaborative architecture**. It's not just a static scanning tool, but simulates the thinking patterns of security experts through autonomous collaboration of multiple agents (**Orchestrator**, **Recon**, **Analysis**, **Verification**), achieving deep code understanding, vulnerability discovery, and **automated sandbox PoC verification**.
-我们致力于解决传统 SAST 工具的三大痛点:
-- **误报率高** — 缺乏语义理解,大量误报消耗人力
-- **业务逻辑盲点** — 无法理解跨文件调用和复杂逻辑
-- **缺乏验证手段** — 不知道漏洞是否真实可利用
+We are committed to solving three major pain points of traditional SAST tools:
+- **High false positive rate** — Lack of semantic understanding, massive false positives consume manpower
+- **Business logic blind spots** — Cannot understand cross-file calls and complex logic
+- **Lack of verification methods** — Don't know if vulnerabilities are actually exploitable
-用户只需导入项目,DeepAudit 便全自动开始工作:识别技术栈 → 分析潜在风险 → 生成脚本 → 沙箱验证 → 生成报告,最终输出一份专业审计报告。
+Users only need to import a project, and DeepAudit automatically starts working: identify tech stack → analyze potential risks → generate scripts → sandbox verification → generate report, ultimately outputting a professional audit report.
-> **核心理念**: 让 AI 像黑客一样攻击,像专家一样防御。
+> **Core Philosophy**: Let AI attack like a hacker, defend like an expert.
-## 💡 为什么选择 DeepAudit?
+## Why Choose DeepAudit?
+
-*一键导出 PDF / Markdown / JSON*(图中为快速模式,非Agent模式报告)
+*One-click export to PDF / Markdown / JSON* (Quick mode shown, not Agent mode report)
-👉 [查看Agent审计完整报告示例](https://lintsinghua.github.io/)
+[View Full Agent Audit Report Example](https://lintsinghua.github.io/)
-| 😫 传统审计的痛点 | 💡 DeepAudit 解决方案 |
+| Traditional Audit Pain Points | DeepAudit Solutions |
| :--- | :--- |
-| **人工审计效率低**
跨不上 CI/CD 代码迭代速度,拖慢发布流程 | **🤖 Multi-Agent 自主审计**
AI 自动编排审计策略,全天候自动化执行 | -| **传统工具误报多**
缺乏语义理解,每天花费大量时间清洗噪音 | **🧠 RAG 知识库增强**
结合代码语义与上下文,大幅降低误报率 | -| **数据隐私担忧**
担心核心源码泄露给云端 AI,无法满足合规要求 | **🔒 支持 Ollama 本地部署**
数据不出内网,支持 Llama3/DeepSeek 等本地模型 | -| **无法确认真实性**
外包项目漏洞多,不知道哪些漏洞真实可被利用 | **💥 沙箱 PoC 验证**
自动生成并执行攻击脚本,确认漏洞真实危害 | +| **Low manual audit efficiency**
Can't keep up with CI/CD iteration speed, slowing release process | **Multi-Agent Autonomous Audit**
AI automatically orchestrates audit strategies, 24/7 automated execution | +| **Too many false positives**
Lack of semantic understanding, spending lots of time cleaning noise daily | **RAG Knowledge Enhancement**
Combining code semantics with context, significantly reducing false positives | +| **Data privacy concerns**
Worried about core source code leaking to cloud AI, can't meet compliance requirements | **Ollama Local Deployment Support**
Data stays on-premises, supports Llama3/DeepSeek and other local models | +| **Can't confirm authenticity**
Outsourced projects have many vulnerabilities, don't know which are truly exploitable | **Sandbox PoC Verification**
Automatically generate and execute attack scripts, confirm real vulnerability impact |
---
-## 🏗️ 系统架构
+## System Architecture
-### 整体架构图
+### Architecture Diagram
-DeepAudit 采用微服务架构,核心由 Multi-Agent 引擎驱动。
+DeepAudit adopts microservices architecture, driven by the Multi-Agent engine at its core.
跨不上 CI/CD 代码迭代速度,拖慢发布流程 | **🤖 Multi-Agent 自主审计**
AI 自动编排审计策略,全天候自动化执行 | -| **传统工具误报多**
缺乏语义理解,每天花费大量时间清洗噪音 | **🧠 RAG 知识库增强**
结合代码语义与上下文,大幅降低误报率 | -| **数据隐私担忧**
担心核心源码泄露给云端 AI,无法满足合规要求 | **🔒 支持 Ollama 本地部署**
数据不出内网,支持 Llama3/DeepSeek 等本地模型 | -| **无法确认真实性**
外包项目漏洞多,不知道哪些漏洞真实可被利用 | **💥 沙箱 PoC 验证**
自动生成并执行攻击脚本,确认漏洞真实危害 | +| **Low manual audit efficiency**
Can't keep up with CI/CD iteration speed, slowing release process | **Multi-Agent Autonomous Audit**
AI automatically orchestrates audit strategies, 24/7 automated execution | +| **Too many false positives**
Lack of semantic understanding, spending lots of time cleaning noise daily | **RAG Knowledge Enhancement**
Combining code semantics with context, significantly reducing false positives | +| **Data privacy concerns**
Worried about core source code leaking to cloud AI, can't meet compliance requirements | **Ollama Local Deployment Support**
Data stays on-premises, supports Llama3/DeepSeek and other local models | +| **Can't confirm authenticity**
Outsourced projects have many vulnerabilities, don't know which are truly exploitable | **Sandbox PoC Verification**
Automatically generate and execute attack scripts, confirm real vulnerability impact |
-
+
-### 🔄 审计工作流
+### Audit Workflow
-| 步骤 | 阶段 | 负责 Agent | 主要动作 |
+| Step | Phase | Responsible Agent | Main Actions |
|:---:|:---:|:---:|:---|
-| 1 | **策略规划** | **Orchestrator** | 接收审计任务,分析项目类型,制定审计计划,下发任务给子 Agent |
-| 2 | **信息收集** | **Recon Agent** | 扫描项目结构,识别框架/库/API,提取攻击面(Entry Points) |
-| 3 | **漏洞挖掘** | **Analysis Agent** | 结合 RAG 知识库与 AST 分析,深度审查代码,发现潜在漏洞 |
-| 4 | **PoC 验证** | **Verification Agent** | **(关键)** 编写 PoC 脚本,在 Docker 沙箱中执行。如失败则自我修正重试 |
-| 5 | **报告生成** | **Orchestrator** | 汇总所有发现,剔除被验证为误报的漏洞,生成最终报告 |
+| 1 | **Strategy Planning** | **Orchestrator** | Receive audit task, analyze project type, formulate audit plan, dispatch tasks to sub-agents |
+| 2 | **Information Gathering** | **Recon Agent** | Scan project structure, identify frameworks/libraries/APIs, extract attack surface (Entry Points) |
+| 3 | **Vulnerability Discovery** | **Analysis Agent** | Combine RAG knowledge base with AST analysis, deep code review, discover potential vulnerabilities |
+| 4 | **PoC Verification** | **Verification Agent** | **(Critical)** Write PoC scripts, execute in Docker sandbox. Self-correct and retry if failed |
+| 5 | **Report Generation** | **Orchestrator** | Aggregate all findings, filter out verified false positives, generate final report |
-### 📂 项目代码结构
+### Project Structure
```text
DeepAudit/
-├── backend/ # Python FastAPI 后端
+├── backend/ # Python FastAPI Backend
│ ├── app/
-│ │ ├── agents/ # Multi-Agent 核心逻辑
-│ │ │ ├── orchestrator.py # 总指挥:任务编排
-│ │ │ ├── recon.py # 侦察兵:资产识别
-│ │ │ ├── analysis.py # 分析师:漏洞挖掘
-│ │ │ └── verification.py # 验证者:沙箱 PoC
-│ │ ├── core/ # 核心配置与沙箱接口
-│ │ ├── models/ # 数据库模型
-│ │ └── services/ # RAG, LLM 服务封装
-│ └── tests/ # 单元测试
-├── frontend/ # React + TypeScript 前端
+│ │ ├── agents/ # Multi-Agent Core Logic
+│ │ │ ├── orchestrator.py # Commander: Task Orchestration
+│ │ │ ├── recon.py # Scout: Asset Identification
+│ │ │ ├── analysis.py # Analyst: Vulnerability Discovery
+│ │ │ └── verification.py # Verifier: Sandbox PoC
+│ │ ├── core/ # Core Config & Sandbox Interface
+│ │ ├── models/ # Database Models
+│ │ └── services/ # RAG, LLM Service Wrappers
+│ └── tests/ # Unit Tests
+├── frontend/ # React + TypeScript Frontend
│ ├── src/
-│ │ ├── components/ # UI 组件库
-│ │ ├── pages/ # 页面路由
-│ │ └── stores/ # Zustand 状态管理
-├── docker/ # Docker 部署配置
-│ ├── sandbox/ # 安全沙箱镜像构建
-│ └── postgres/ # 数据库初始化
-└── docs/ # 详细文档
+│ │ ├── components/ # UI Component Library
+│ │ ├── pages/ # Page Routes
+│ │ └── stores/ # Zustand State Management
+├── docker/ # Docker Deployment Config
+│ ├── sandbox/ # Security Sandbox Image Build
+│ └── postgres/ # Database Initialization
+└── docs/ # Detailed Documentation
```
---
-## 🚀 快速开始
+## Quick Start
-### 方式一:一行命令部署(推荐)
+### Option 1: One-Line Deployment (Recommended)
-使用预构建的 Docker 镜像,无需克隆代码,一行命令即可启动:
+Using pre-built Docker images, no need to clone code, start with one command:
```bash
curl -fsSL https://raw.githubusercontent.com/lintsinghua/DeepAudit/v3.0.0/docker-compose.prod.yml | docker compose -f - up -d
```
-## 🇨🇳 国内加速部署(作者亲测非常无敌之快)
-
-使用南京大学镜像站加速拉取 Docker 镜像(将 `ghcr.io` 替换为 `ghcr.nju.edu.cn`):
-
-```bash
-# 国内加速版 - 使用南京大学 GHCR 镜像站
-curl -fsSL https://raw.githubusercontent.com/lintsinghua/DeepAudit/v3.0.0/docker-compose.prod.cn.yml | docker compose -f - up -d
-```
-
+
-
-
-> 💡 镜像源由 [南京大学开源镜像站](https://mirrors.nju.edu.cn/) 提供支持
-
-> 🎉 **启动成功!** 访问 http://localhost:3000 开始体验。
+> **Success!** Visit http://localhost:3000 to start exploring.
---
-### 方式二:克隆代码部署
+### Option 2: Clone and Deploy
-适合需要自定义配置或二次开发的用户:
+Suitable for users who need custom configuration or secondary development:
```bash
-# 1. 克隆项目
+# 1. Clone project
git clone https://github.com/lintsinghua/DeepAudit.git && cd DeepAudit
-# 2. 配置环境变量
+# 2. Configure environment variables
cp backend/env.example backend/.env
-# 编辑 backend/.env 填入你的 LLM API Key
+# Edit backend/.env and fill in your LLM API Key
-# 3. 一键启动
+# 3. One-click start
docker compose up -d
```
-> 首次启动会自动构建沙箱镜像,可能需要几分钟。
+> First startup will automatically build the sandbox image, which may take a few minutes.
---
-## 🔧 源码开发指南
+## Development Guide
-适合开发者进行二次开发调试。
+For developers doing secondary development and debugging.
-### 环境要求
+### Requirements
- Python 3.11+
- Node.js 20+
- PostgreSQL 15+
-- Docker (用于沙箱)
+- Docker (for sandbox)
-### 1. 后端启动
+### 1. Backend Setup
```bash
cd backend
-# 使用 uv 管理环境(推荐)
+# Use uv for environment management (recommended)
uv sync
source .venv/bin/activate
-# 启动 API 服务
+# Start API service
uvicorn app.main:app --reload
```
-### 2. 前端启动
+### 2. Frontend Setup
```bash
cd frontend
@@ -252,63 +229,59 @@ pnpm install
pnpm dev
```
-### 3. 沙箱环境
+### 3. Sandbox Environment
-开发模式下需要本地 Docker 拉取沙箱镜像:
+Development mode requires pulling the sandbox image locally:
```bash
-# 标准拉取
docker pull ghcr.io/lintsinghua/deepaudit-sandbox:latest
-
-# 国内加速(南京大学镜像站)
-docker pull ghcr.nju.edu.cn/lintsinghua/deepaudit-sandbox:latest
```
---
-## 🤖 Multi-Agent 智能审计
+## Multi-Agent Intelligent Audit
-### 支持的漏洞类型
+### Supported Vulnerability Types
手动拉取镜像(如需单独拉取)(点击展开)
- -```bash -# 前端镜像 -docker pull ghcr.nju.edu.cn/lintsinghua/deepaudit-frontend:latest - -# 后端镜像 -docker pull ghcr.nju.edu.cn/lintsinghua/deepaudit-backend:latest - -# 沙箱镜像 -docker pull ghcr.nju.edu.cn/lintsinghua/deepaudit-sandbox:latest -``` -| -| 漏洞类型 | 描述 | +| Vulnerability Type | Description | |---------|------| -| `sql_injection` | SQL 注入 | -| `xss` | 跨站脚本攻击 | -| `command_injection` | 命令注入 | -| `path_traversal` | 路径遍历 | -| `ssrf` | 服务端请求伪造 | -| `xxe` | XML 外部实体注入 | +| `sql_injection` | SQL Injection | +| `xss` | Cross-Site Scripting | +| `command_injection` | Command Injection | +| `path_traversal` | Path Traversal | +| `ssrf` | Server-Side Request Forgery | +| `xxe` | XML External Entity Injection | | -| 漏洞类型 | 描述 | +| Vulnerability Type | Description | |---------|------| -| `insecure_deserialization` | 不安全反序列化 | -| `hardcoded_secret` | 硬编码密钥 | -| `weak_crypto` | 弱加密算法 | -| `authentication_bypass` | 认证绕过 | -| `authorization_bypass` | 授权绕过 | -| `idor` | 不安全直接对象引用 | +| `insecure_deserialization` | Insecure Deserialization | +| `hardcoded_secret` | Hardcoded Secrets | +| `weak_crypto` | Weak Cryptography | +| `authentication_bypass` | Authentication Bypass | +| `authorization_bypass` | Authorization Bypass | +| `idor` | Insecure Direct Object Reference | |
-🌍 国际平台+International Platforms
OpenAI GPT-4o / GPT-4 |
-🇨🇳 国内平台+Chinese Platforms
-通义千问 Qwen |
-🏠 本地部署+Local Deployment
Ollama |
-**欢迎大家来和我交流探讨!无论是技术问题、功能建议还是合作意向,都期待与你沟通~**
+**Feel free to reach out for technical discussions, feature suggestions, or collaboration opportunities!**
-| 联系方式 | |
+| Contact | |
|:---:|:---:|
-| 📧 **邮箱** | **lintsinghua@qq.com** |
-| 🐙 **GitHub** | [@lintsinghua](https://github.com/lintsinghua) |
+| **Email** | **lintsinghua@qq.com** |
+| **GitHub** | [@lintsinghua](https://github.com/lintsinghua) |
-## 📄 许可证
+## License
-本项目采用 [AGPL-3.0 License](LICENSE) 开源。
+This project is open-sourced under the [AGPL-3.0 License](LICENSE).
-## 📈 项目热度
+## Star History
--- -## 致谢 +## Acknowledgements -感谢以下开源项目的支持: +Thanks to the following open-source projects for their support: [FastAPI](https://fastapi.tiangolo.com/) · [LangChain](https://langchain.com/) · [LangGraph](https://langchain-ai.github.io/langgraph/) · [ChromaDB](https://www.trychroma.com/) · [LiteLLM](https://litellm.ai/) · [Tree-sitter](https://tree-sitter.github.io/) · [Kunlun-M](https://github.com/LoRexxar/Kunlun-M) · [Strix](https://github.com/usestrix/strix) · [React](https://react.dev/) · [Vite](https://vitejs.dev/) · [Radix UI](https://www.radix-ui.com/) · [TailwindCSS](https://tailwindcss.com/) · [shadcn/ui](https://ui.shadcn.com/) --- -## ⚠️ 重要安全声明 +## Important Security Notice -### 法律合规声明 -1. 禁止**任何未经授权的漏洞测试、渗透测试或安全评估** -2. 本项目仅供网络空间安全学术研究、教学和学习使用 -3. 严禁将本项目用于任何非法目的或未经授权的安全测试 +### Legal Compliance Statement +1. **Any unauthorized vulnerability testing, penetration testing, or security assessment is prohibited** +2. This project is only for cybersecurity academic research, teaching, and learning purposes +3. It is strictly prohibited to use this project for any illegal purposes or unauthorized security testing -### 漏洞上报责任 -1. 发现任何安全漏洞时,请及时通过合法渠道上报 -2. 严禁利用发现的漏洞进行非法活动 -3. 遵守国家网络安全法律法规,维护网络空间安全 +### Vulnerability Reporting Responsibility +1. When discovering any security vulnerabilities, please report them through legitimate channels promptly +2. It is strictly prohibited to use discovered vulnerabilities for illegal activities +3. Comply with national cybersecurity laws and regulations, maintain cyberspace security -### 使用限制 -- 仅限在授权环境下用于教育和研究目的 -- 禁止用于对未授权系统进行安全测试 -- 使用者需对自身行为承担全部法律责任 +### Usage Restrictions +- Only for educational and research purposes in authorized environments +- Prohibited for security testing on unauthorized systems +- Users are fully responsible for their own actions -### 免责声明 -作者不对任何因使用本项目而导致的直接或间接损失负责,使用者需对自身行为承担全部法律责任。 +### Disclaimer +The author is not responsible for any direct or indirect losses caused by the use of this project. Users bear full legal responsibility for their own actions. --- -## 📖 详细安全政策 +## Detailed Security Policy -有关安装政策、免责声明、代码隐私、API使用安全和漏洞报告的详细信息,请参阅 [DISCLAIMER.md](DISCLAIMER.md) 和 [SECURITY.md](SECURITY.md) 文件。 +For detailed information about installation policy, disclaimer, code privacy, API usage security, and vulnerability reporting, please refer to [DISCLAIMER.md](DISCLAIMER.md) and [SECURITY.md](SECURITY.md) files. -### 快速参考 -- 🔒 **代码隐私警告**: 您的代码将被发送到所选择的LLM服务商服务器 -- 🛡️ **敏感代码处理**: 使用本地模型处理敏感代码 -- ⚠️ **合规要求**: 遵守数据保护和隐私法律法规 -- 📧 **漏洞报告**: 发现安全问题请通过合法渠道上报 +### Quick Reference +- **Code Privacy Warning**: Your code will be sent to the selected LLM provider's servers +- **Sensitive Code Handling**: Use local models for sensitive code +- **Compliance Requirements**: Comply with data protection and privacy laws +- **Vulnerability Reporting**: Report security issues through legitimate channels diff --git a/README_CN.md b/README_CN.md new file mode 100644 index 0000000..3b31b3a --- /dev/null +++ b/README_CN.md @@ -0,0 +1,454 @@ +# DeepAudit - 人人拥有的 AI 审计战队,让漏洞挖掘触手可及 🦸♂️ + +
+ 简体中文 | English +
+ +
+ 
+
+
+
+
+
+[](https://github.com/lintsinghua/DeepAudit/releases)
+[](https://www.gnu.org/licenses/agpl-3.0)
+[](https://reactjs.org/)
+[](https://www.typescriptlang.org/)
+[](https://fastapi.tiangolo.com/)
+[](https://www.python.org/)
+[](https://deepwiki.com/lintsinghua/DeepAudit)
+
+[](https://github.com/lintsinghua/DeepAudit/stargazers)
+[](https://github.com/lintsinghua/DeepAudit/network/members)
+
+
+
+
+
+
+
+ 
+
+
+---
+
+
+
+## 📸 界面预览
+
+
+
+
+### 🤖 Agent 审计入口
+
+
+
+*首页快速进入 Multi-Agent 深度审计*
+
+
+
+
+
+*首页快速进入 Multi-Agent 深度审计*
+
+|
+📋 审计流日志 + +实时查看 Agent 思考与执行过程 + |
+
+🎛️ 智能仪表盘 + +一眼掌握项目安全态势 + |
+
|
+⚡ 即时分析 + +粘贴代码 / 上传文件,秒出结果 + |
+
+🗂️ 项目管理 + +GitHub/GitLab 导入,多项目协同管理 + |
+
+
+### 📊 专业报告
+
+
+
+*一键导出 PDF / Markdown / JSON*(图中为快速模式,非Agent模式报告)
+
+👉 [查看Agent审计完整报告示例](https://lintsinghua.github.io/)
+
+
+
+---
+
+## ⚡ 项目概述
+
+**DeepAudit** 是一个基于 **Multi-Agent 协作架构**的下一代代码安全审计平台。它不仅仅是一个静态扫描工具,而是模拟安全专家的思维模式,通过多个智能体(**Orchestrator**, **Recon**, **Analysis**, **Verification**)的自主协作,实现对代码的深度理解、漏洞挖掘和 **自动化沙箱 PoC 验证**。
+
+我们致力于解决传统 SAST 工具的三大痛点:
+- **误报率高** — 缺乏语义理解,大量误报消耗人力
+- **业务逻辑盲点** — 无法理解跨文件调用和复杂逻辑
+- **缺乏验证手段** — 不知道漏洞是否真实可利用
+
+用户只需导入项目,DeepAudit 便全自动开始工作:识别技术栈 → 分析潜在风险 → 生成脚本 → 沙箱验证 → 生成报告,最终输出一份专业审计报告。
+
+> **核心理念**: 让 AI 像黑客一样攻击,像专家一样防御。
+
+## 💡 为什么选择 DeepAudit?
+
+
+
+*一键导出 PDF / Markdown / JSON*(图中为快速模式,非Agent模式报告)
+
+👉 [查看Agent审计完整报告示例](https://lintsinghua.github.io/)
+
+
+
+| 😫 传统审计的痛点 | 💡 DeepAudit 解决方案 |
+| :--- | :--- |
+| **人工审计效率低**
跨不上 CI/CD 代码迭代速度,拖慢发布流程 | **🤖 Multi-Agent 自主审计**
AI 自动编排审计策略,全天候自动化执行 | +| **传统工具误报多**
缺乏语义理解,每天花费大量时间清洗噪音 | **🧠 RAG 知识库增强**
结合代码语义与上下文,大幅降低误报率 | +| **数据隐私担忧**
担心核心源码泄露给云端 AI,无法满足合规要求 | **🔒 支持 Ollama 本地部署**
数据不出内网,支持 Llama3/DeepSeek 等本地模型 | +| **无法确认真实性**
外包项目漏洞多,不知道哪些漏洞真实可被利用 | **💥 沙箱 PoC 验证**
自动生成并执行攻击脚本,确认漏洞真实危害 | + +
+
+---
+
+## 🏗️ 系统架构
+
+### 整体架构图
+
+DeepAudit 采用微服务架构,核心由 Multi-Agent 引擎驱动。
+
+跨不上 CI/CD 代码迭代速度,拖慢发布流程 | **🤖 Multi-Agent 自主审计**
AI 自动编排审计策略,全天候自动化执行 | +| **传统工具误报多**
缺乏语义理解,每天花费大量时间清洗噪音 | **🧠 RAG 知识库增强**
结合代码语义与上下文,大幅降低误报率 | +| **数据隐私担忧**
担心核心源码泄露给云端 AI,无法满足合规要求 | **🔒 支持 Ollama 本地部署**
数据不出内网,支持 Llama3/DeepSeek 等本地模型 | +| **无法确认真实性**
外包项目漏洞多,不知道哪些漏洞真实可被利用 | **💥 沙箱 PoC 验证**
自动生成并执行攻击脚本,确认漏洞真实危害 | + +
+
+
+
+### 🔄 审计工作流
+
+| 步骤 | 阶段 | 负责 Agent | 主要动作 |
+|:---:|:---:|:---:|:---|
+| 1 | **策略规划** | **Orchestrator** | 接收审计任务,分析项目类型,制定审计计划,下发任务给子 Agent |
+| 2 | **信息收集** | **Recon Agent** | 扫描项目结构,识别框架/库/API,提取攻击面(Entry Points) |
+| 3 | **漏洞挖掘** | **Analysis Agent** | 结合 RAG 知识库与 AST 分析,深度审查代码,发现潜在漏洞 |
+| 4 | **PoC 验证** | **Verification Agent** | **(关键)** 编写 PoC 脚本,在 Docker 沙箱中执行。如失败则自我修正重试 |
+| 5 | **报告生成** | **Orchestrator** | 汇总所有发现,剔除被验证为误报的漏洞,生成最终报告 |
+
+### 📂 项目代码结构
+
+```text
+DeepAudit/
+├── backend/ # Python FastAPI 后端
+│ ├── app/
+│ │ ├── agents/ # Multi-Agent 核心逻辑
+│ │ │ ├── orchestrator.py # 总指挥:任务编排
+│ │ │ ├── recon.py # 侦察兵:资产识别
+│ │ │ ├── analysis.py # 分析师:漏洞挖掘
+│ │ │ └── verification.py # 验证者:沙箱 PoC
+│ │ ├── core/ # 核心配置与沙箱接口
+│ │ ├── models/ # 数据库模型
+│ │ └── services/ # RAG, LLM 服务封装
+│ └── tests/ # 单元测试
+├── frontend/ # React + TypeScript 前端
+│ ├── src/
+│ │ ├── components/ # UI 组件库
+│ │ ├── pages/ # 页面路由
+│ │ └── stores/ # Zustand 状态管理
+├── docker/ # Docker 部署配置
+│ ├── sandbox/ # 安全沙箱镜像构建
+│ └── postgres/ # 数据库初始化
+└── docs/ # 详细文档
+```
+
+---
+
+## 🚀 快速开始
+
+### 方式一:一行命令部署(推荐)
+
+使用预构建的 Docker 镜像,无需克隆代码,一行命令即可启动:
+
+```bash
+curl -fsSL https://raw.githubusercontent.com/lintsinghua/DeepAudit/v3.0.0/docker-compose.prod.yml | docker compose -f - up -d
+```
+
+## 🇨🇳 国内加速部署(作者亲测非常无敌之快)
+
+使用南京大学镜像站加速拉取 Docker 镜像(将 `ghcr.io` 替换为 `ghcr.nju.edu.cn`):
+
+```bash
+# 国内加速版 - 使用南京大学 GHCR 镜像站
+curl -fsSL https://raw.githubusercontent.com/lintsinghua/DeepAudit/v3.0.0/docker-compose.prod.cn.yml | docker compose -f - up -d
+```
+
+
+
+
+> 💡 镜像源由 [南京大学开源镜像站](https://mirrors.nju.edu.cn/) 提供支持
+
+> 🎉 **启动成功!** 访问 http://localhost:3000 开始体验。
+
+---
+
+### 方式二:克隆代码部署
+
+适合需要自定义配置或二次开发的用户:
+
+```bash
+# 1. 克隆项目
+git clone https://github.com/lintsinghua/DeepAudit.git && cd DeepAudit
+
+# 2. 配置环境变量
+cp backend/env.example backend/.env
+# 编辑 backend/.env 填入你的 LLM API Key
+
+# 3. 一键启动
+docker compose up -d
+```
+
+> 首次启动会自动构建沙箱镜像,可能需要几分钟。
+
+---
+
+## 🔧 源码开发指南
+
+适合开发者进行二次开发调试。
+
+### 环境要求
+- Python 3.11+
+- Node.js 20+
+- PostgreSQL 15+
+- Docker (用于沙箱)
+
+### 1. 后端启动
+
+```bash
+cd backend
+# 使用 uv 管理环境(推荐)
+uv sync
+source .venv/bin/activate
+
+# 启动 API 服务
+uvicorn app.main:app --reload
+```
+
+### 2. 前端启动
+
+```bash
+cd frontend
+pnpm install
+pnpm dev
+```
+
+### 3. 沙箱环境
+
+开发模式下需要本地 Docker 拉取沙箱镜像:
+
+```bash
+# 标准拉取
+docker pull ghcr.io/lintsinghua/deepaudit-sandbox:latest
+
+# 国内加速(南京大学镜像站)
+docker pull ghcr.nju.edu.cn/lintsinghua/deepaudit-sandbox:latest
+```
+
+---
+
+## 🤖 Multi-Agent 智能审计
+
+### 支持的漏洞类型
+
+手动拉取镜像(如需单独拉取)(点击展开)
+ +```bash +# 前端镜像 +docker pull ghcr.nju.edu.cn/lintsinghua/deepaudit-frontend:latest + +# 后端镜像 +docker pull ghcr.nju.edu.cn/lintsinghua/deepaudit-backend:latest + +# 沙箱镜像 +docker pull ghcr.nju.edu.cn/lintsinghua/deepaudit-sandbox:latest +``` +| + +| 漏洞类型 | 描述 | +|---------|------| +| `sql_injection` | SQL 注入 | +| `xss` | 跨站脚本攻击 | +| `command_injection` | 命令注入 | +| `path_traversal` | 路径遍历 | +| `ssrf` | 服务端请求伪造 | +| `xxe` | XML 外部实体注入 | + + | ++ +| 漏洞类型 | 描述 | +|---------|------| +| `insecure_deserialization` | 不安全反序列化 | +| `hardcoded_secret` | 硬编码密钥 | +| `weak_crypto` | 弱加密算法 | +| `authentication_bypass` | 认证绕过 | +| `authorization_bypass` | 授权绕过 | +| `idor` | 不安全直接对象引用 | + + | +
+🌍 国际平台+
+OpenAI GPT-4o / GPT-4 |
+
+🇨🇳 国内平台+
+通义千问 Qwen |
+
+🏠 本地部署+
+Ollama |
+
+
+**欢迎大家来和我交流探讨!无论是技术问题、功能建议还是合作意向,都期待与你沟通~**
+
+| 联系方式 | |
+|:---:|:---:|
+| 📧 **邮箱** | **lintsinghua@qq.com** |
+| 🐙 **GitHub** | [@lintsinghua](https://github.com/lintsinghua) |
+
+
+
+## 📄 许可证
+
+本项目采用 [AGPL-3.0 License](LICENSE) 开源。
+
+## 📈 项目热度
+
+
+
+ Made with ❤️ by lintsinghua
+
+
+---
+
+## 致谢
+
+感谢以下开源项目的支持:
+
+[FastAPI](https://fastapi.tiangolo.com/) · [LangChain](https://langchain.com/) · [LangGraph](https://langchain-ai.github.io/langgraph/) · [ChromaDB](https://www.trychroma.com/) · [LiteLLM](https://litellm.ai/) · [Tree-sitter](https://tree-sitter.github.io/) · [Kunlun-M](https://github.com/LoRexxar/Kunlun-M) · [Strix](https://github.com/usestrix/strix) · [React](https://react.dev/) · [Vite](https://vitejs.dev/) · [Radix UI](https://www.radix-ui.com/) · [TailwindCSS](https://tailwindcss.com/) · [shadcn/ui](https://ui.shadcn.com/)
+
+---
+
+## ⚠️ 重要安全声明
+
+### 法律合规声明
+1. 禁止**任何未经授权的漏洞测试、渗透测试或安全评估**
+2. 本项目仅供网络空间安全学术研究、教学和学习使用
+3. 严禁将本项目用于任何非法目的或未经授权的安全测试
+
+### 漏洞上报责任
+1. 发现任何安全漏洞时,请及时通过合法渠道上报
+2. 严禁利用发现的漏洞进行非法活动
+3. 遵守国家网络安全法律法规,维护网络空间安全
+
+### 使用限制
+- 仅限在授权环境下用于教育和研究目的
+- 禁止用于对未授权系统进行安全测试
+- 使用者需对自身行为承担全部法律责任
+
+### 免责声明
+作者不对任何因使用本项目而导致的直接或间接损失负责,使用者需对自身行为承担全部法律责任。
+
+---
+
+## 📖 详细安全政策
+
+有关安装政策、免责声明、代码隐私、API使用安全和漏洞报告的详细信息,请参阅 [DISCLAIMER.md](DISCLAIMER.md) 和 [SECURITY.md](SECURITY.md) 文件。
+
+### 快速参考
+- 🔒 **代码隐私警告**: 您的代码将被发送到所选择的LLM服务商服务器
+- 🛡️ **敏感代码处理**: 使用本地模型处理敏感代码
+- ⚠️ **合规要求**: 遵守数据保护和隐私法律法规
+- 📧 **漏洞报告**: 发现安全问题请通过合法渠道上报
diff --git a/README_EN.md b/README_EN.md
deleted file mode 100644
index 0a1587b..0000000
--- a/README_EN.md
+++ /dev/null
@@ -1,427 +0,0 @@
-# DeepAudit - Your AI Security Audit Team, Making Vulnerability Discovery Accessible
-
-> Making code vulnerability discovery as easy as breathing, even beginners can find bugs
-
-- 简体中文 | English -
- -
-
-
-
-
-
-
-[](https://github.com/lintsinghua/DeepAudit/releases)
-[](https://www.gnu.org/licenses/agpl-3.0)
-[](https://reactjs.org/)
-[](https://www.typescriptlang.org/)
-[](https://fastapi.tiangolo.com/)
-[](https://www.python.org/)
-[](https://deepwiki.com/lintsinghua/DeepAudit)
-
-[](https://github.com/lintsinghua/DeepAudit/stargazers)
-[](https://github.com/lintsinghua/DeepAudit/network/members)
-
-
-
-
-
-
-
-
-
-
----
-
-
-
-## Screenshots
-
-
-
-
-### Agent Audit Entry
-
-
-
-*Quick access to Multi-Agent deep audit from homepage*
-
-
-
-
-
-*Quick access to Multi-Agent deep audit from homepage*
-
-|
-Audit Flow Logs - -Real-time view of Agent thinking and execution process - |
-
-Smart Dashboard - -Grasp project security posture at a glance - |
-
|
-Instant Analysis - -Paste code / upload files, get results in seconds - |
-
-Project Management - -GitHub/GitLab import, multi-project collaboration - |
-
-
-### Professional Reports
-
-
-
-*One-click export to PDF / Markdown / JSON* (Quick mode shown, not Agent mode report)
-
-[View Full Agent Audit Report Example](https://lintsinghua.github.io/)
-
-
-
----
-
-## Overview
-
-**DeepAudit** is a next-generation code security audit platform based on **Multi-Agent collaborative architecture**. It's not just a static scanning tool, but simulates the thinking patterns of security experts through autonomous collaboration of multiple agents (**Orchestrator**, **Recon**, **Analysis**, **Verification**), achieving deep code understanding, vulnerability discovery, and **automated sandbox PoC verification**.
-
-We are committed to solving three major pain points of traditional SAST tools:
-- **High false positive rate** — Lack of semantic understanding, massive false positives consume manpower
-- **Business logic blind spots** — Cannot understand cross-file calls and complex logic
-- **Lack of verification methods** — Don't know if vulnerabilities are actually exploitable
-
-Users only need to import a project, and DeepAudit automatically starts working: identify tech stack → analyze potential risks → generate scripts → sandbox verification → generate report, ultimately outputting a professional audit report.
-
-> **Core Philosophy**: Let AI attack like a hacker, defend like an expert.
-
-## Why Choose DeepAudit?
-
-
-
-*One-click export to PDF / Markdown / JSON* (Quick mode shown, not Agent mode report)
-
-[View Full Agent Audit Report Example](https://lintsinghua.github.io/)
-
-
-
-| Traditional Audit Pain Points | DeepAudit Solutions |
-| :--- | :--- |
-| **Low manual audit efficiency**
Can't keep up with CI/CD iteration speed, slowing release process | **Multi-Agent Autonomous Audit**
AI automatically orchestrates audit strategies, 24/7 automated execution | -| **Too many false positives**
Lack of semantic understanding, spending lots of time cleaning noise daily | **RAG Knowledge Enhancement**
Combining code semantics with context, significantly reducing false positives | -| **Data privacy concerns**
Worried about core source code leaking to cloud AI, can't meet compliance requirements | **Ollama Local Deployment Support**
Data stays on-premises, supports Llama3/DeepSeek and other local models | -| **Can't confirm authenticity**
Outsourced projects have many vulnerabilities, don't know which are truly exploitable | **Sandbox PoC Verification**
Automatically generate and execute attack scripts, confirm real vulnerability impact | - -
-
----
-
-## System Architecture
-
-### Architecture Diagram
-
-DeepAudit adopts microservices architecture, driven by the Multi-Agent engine at its core.
-
-Can't keep up with CI/CD iteration speed, slowing release process | **Multi-Agent Autonomous Audit**
AI automatically orchestrates audit strategies, 24/7 automated execution | -| **Too many false positives**
Lack of semantic understanding, spending lots of time cleaning noise daily | **RAG Knowledge Enhancement**
Combining code semantics with context, significantly reducing false positives | -| **Data privacy concerns**
Worried about core source code leaking to cloud AI, can't meet compliance requirements | **Ollama Local Deployment Support**
Data stays on-premises, supports Llama3/DeepSeek and other local models | -| **Can't confirm authenticity**
Outsourced projects have many vulnerabilities, don't know which are truly exploitable | **Sandbox PoC Verification**
Automatically generate and execute attack scripts, confirm real vulnerability impact | - -
-
-
-
-### Audit Workflow
-
-| Step | Phase | Responsible Agent | Main Actions |
-|:---:|:---:|:---:|:---|
-| 1 | **Strategy Planning** | **Orchestrator** | Receive audit task, analyze project type, formulate audit plan, dispatch tasks to sub-agents |
-| 2 | **Information Gathering** | **Recon Agent** | Scan project structure, identify frameworks/libraries/APIs, extract attack surface (Entry Points) |
-| 3 | **Vulnerability Discovery** | **Analysis Agent** | Combine RAG knowledge base with AST analysis, deep code review, discover potential vulnerabilities |
-| 4 | **PoC Verification** | **Verification Agent** | **(Critical)** Write PoC scripts, execute in Docker sandbox. Self-correct and retry if failed |
-| 5 | **Report Generation** | **Orchestrator** | Aggregate all findings, filter out verified false positives, generate final report |
-
-### Project Structure
-
-```text
-DeepAudit/
-├── backend/ # Python FastAPI Backend
-│ ├── app/
-│ │ ├── agents/ # Multi-Agent Core Logic
-│ │ │ ├── orchestrator.py # Commander: Task Orchestration
-│ │ │ ├── recon.py # Scout: Asset Identification
-│ │ │ ├── analysis.py # Analyst: Vulnerability Discovery
-│ │ │ └── verification.py # Verifier: Sandbox PoC
-│ │ ├── core/ # Core Config & Sandbox Interface
-│ │ ├── models/ # Database Models
-│ │ └── services/ # RAG, LLM Service Wrappers
-│ └── tests/ # Unit Tests
-├── frontend/ # React + TypeScript Frontend
-│ ├── src/
-│ │ ├── components/ # UI Component Library
-│ │ ├── pages/ # Page Routes
-│ │ └── stores/ # Zustand State Management
-├── docker/ # Docker Deployment Config
-│ ├── sandbox/ # Security Sandbox Image Build
-│ └── postgres/ # Database Initialization
-└── docs/ # Detailed Documentation
-```
-
----
-
-## Quick Start
-
-### Option 1: One-Line Deployment (Recommended)
-
-Using pre-built Docker images, no need to clone code, start with one command:
-
-```bash
-curl -fsSL https://raw.githubusercontent.com/lintsinghua/DeepAudit/v3.0.0/docker-compose.prod.yml | docker compose -f - up -d
-```
-
-> **Success!** Visit http://localhost:3000 to start exploring.
-
----
-
-### Option 2: Clone and Deploy
-
-Suitable for users who need custom configuration or secondary development:
-
-```bash
-# 1. Clone project
-git clone https://github.com/lintsinghua/DeepAudit.git && cd DeepAudit
-
-# 2. Configure environment variables
-cp backend/env.example backend/.env
-# Edit backend/.env and fill in your LLM API Key
-
-# 3. One-click start
-docker compose up -d
-```
-
-> First startup will automatically build the sandbox image, which may take a few minutes.
-
----
-
-## Development Guide
-
-For developers doing secondary development and debugging.
-
-### Requirements
-- Python 3.11+
-- Node.js 20+
-- PostgreSQL 15+
-- Docker (for sandbox)
-
-### 1. Backend Setup
-
-```bash
-cd backend
-# Use uv for environment management (recommended)
-uv sync
-source .venv/bin/activate
-
-# Start API service
-uvicorn app.main:app --reload
-```
-
-### 2. Frontend Setup
-
-```bash
-cd frontend
-pnpm install
-pnpm dev
-```
-
-### 3. Sandbox Environment
-
-Development mode requires pulling the sandbox image locally:
-
-```bash
-docker pull ghcr.io/lintsinghua/deepaudit-sandbox:latest
-```
-
----
-
-## Multi-Agent Intelligent Audit
-
-### Supported Vulnerability Types
-
-
-| - -| Vulnerability Type | Description | -|---------|------| -| `sql_injection` | SQL Injection | -| `xss` | Cross-Site Scripting | -| `command_injection` | Command Injection | -| `path_traversal` | Path Traversal | -| `ssrf` | Server-Side Request Forgery | -| `xxe` | XML External Entity Injection | - - | -- -| Vulnerability Type | Description | -|---------|------| -| `insecure_deserialization` | Insecure Deserialization | -| `hardcoded_secret` | Hardcoded Secrets | -| `weak_crypto` | Weak Cryptography | -| `authentication_bypass` | Authentication Bypass | -| `authorization_bypass` | Authorization Bypass | -| `idor` | Insecure Direct Object Reference | - - | -
-International Platforms-
-OpenAI GPT-4o / GPT-4 |
-
-Chinese Platforms-
-Qwen (Tongyi Qianwen) |
-
-Local Deployment-
-Ollama |
-
-
-**Feel free to reach out for technical discussions, feature suggestions, or collaboration opportunities!**
-
-| Contact | |
-|:---:|:---:|
-| **Email** | **lintsinghua@qq.com** |
-| **GitHub** | [@lintsinghua](https://github.com/lintsinghua) |
-
-
-
-## License
-
-This project is open-sourced under the [AGPL-3.0 License](LICENSE).
-
-## Star History
-
-
-
- Made with ❤️ by lintsinghua
-
-
----
-
-## Acknowledgements
-
-Thanks to the following open-source projects for their support:
-
-[FastAPI](https://fastapi.tiangolo.com/) · [LangChain](https://langchain.com/) · [LangGraph](https://langchain-ai.github.io/langgraph/) · [ChromaDB](https://www.trychroma.com/) · [LiteLLM](https://litellm.ai/) · [Tree-sitter](https://tree-sitter.github.io/) · [Kunlun-M](https://github.com/LoRexxar/Kunlun-M) · [Strix](https://github.com/usestrix/strix) · [React](https://react.dev/) · [Vite](https://vitejs.dev/) · [Radix UI](https://www.radix-ui.com/) · [TailwindCSS](https://tailwindcss.com/) · [shadcn/ui](https://ui.shadcn.com/)
-
----
-
-## Important Security Notice
-
-### Legal Compliance Statement
-1. **Any unauthorized vulnerability testing, penetration testing, or security assessment is prohibited**
-2. This project is only for cybersecurity academic research, teaching, and learning purposes
-3. It is strictly prohibited to use this project for any illegal purposes or unauthorized security testing
-
-### Vulnerability Reporting Responsibility
-1. When discovering any security vulnerabilities, please report them through legitimate channels promptly
-2. It is strictly prohibited to use discovered vulnerabilities for illegal activities
-3. Comply with national cybersecurity laws and regulations, maintain cyberspace security
-
-### Usage Restrictions
-- Only for educational and research purposes in authorized environments
-- Prohibited for security testing on unauthorized systems
-- Users are fully responsible for their own actions
-
-### Disclaimer
-The author is not responsible for any direct or indirect losses caused by the use of this project. Users bear full legal responsibility for their own actions.
-
----
-
-## Detailed Security Policy
-
-For detailed information about installation policy, disclaimer, code privacy, API usage security, and vulnerability reporting, please refer to [DISCLAIMER.md](DISCLAIMER.md) and [SECURITY.md](SECURITY.md) files.
-
-### Quick Reference
-- **Code Privacy Warning**: Your code will be sent to the selected LLM provider's servers
-- **Sensitive Code Handling**: Use local models for sensitive code
-- **Compliance Requirements**: Comply with data protection and privacy laws
-- **Vulnerability Reporting**: Report security issues through legitimate channels