// what the auditor does

Every capability of your autonomous auditor.

unpwnd doesn’t pattern-match. It reads your repository the way a senior security engineer would — list, grep, open, confirm — and only reports a vulnerability once it can trace the data flow from an untrusted source to a dangerous sink.

// capabilities

Built like an attacker. Reports like an engineer.

the engine

Agentic AI auditor

A reasoning agent explores your repo with read-only tools — list_dir, grep, read_file — confirming every data flow itself. No rules, no signatures.

evidence

Source→sink tracing

Every finding ships an ordered trace — entry point to sink — with file, line, snippet, and a note at each hop.

coverage

OWASP & CWE

Hunts the OWASP Top 10 (2021) and the CWE families behind them — injection, access control, crypto, SSRF, secrets.

remediation

Paste-ready fixes

Each finding carries a self-contained fix prompt — hand it straight to your coding agent or paste it into a PR.

safety

Read-only & ephemeral

Clones are read-only and thrown away after the audit. No write scope, no network, no shell — the auditor can only look.

triage

Severity triage

Findings are ranked critical → high → medium → low by impact × exploitability, so you fix what matters first.

Set your own cadence

Point it at a repo once, then choose a per-project audit cadence — weekly or bi-weekly — with a next-scan indicator on every repo.

See CI / CD
// mapped to the standards

Findings you can file.

Every finding is tagged with a CWE id and its OWASP category — ready for your tracker, your compliance evidence, and your auditors.

CWE-89 / A03 InjectionCWE-78 / OS CommandCWE-22 / Path TraversalCWE-798 / Hardcoded SecretsCWE-918 / SSRFCWE-502 / DeserializationA01 / Broken Access ControlA02 / Cryptographic FailuresA05 / MisconfigurationA07 / Auth Failures
// point it at a repo

See what it finds in your code.

Connect a repository and get a traced, fixable security audit back in minutes.

Features · unpwnd