Ventures

Achilles AI

Static Analysis for AI-Generated Code

A purpose-built security scanner that catches the vulnerabilities AI coding assistants introduce. 210 rules across five categories — vibe code patterns, agent security, LLM application risks, framework vulnerabilities, and cloud misconfigurations — powered by tree-sitter AST analysis, multi-hop taint flow tracking, and optional AI-assisted triage.

210 Security Rules

10 Languages

5 Rule Categories

SARIF Output

The Problem

Why AI-generated code is a security risk

Code Ships Faster Than Reviews

AI assistants generate code faster than humans can review it. Vibe coding — accepting AI suggestions with minimal scrutiny — is the new normal.

Insecure Patterns at Scale

AI optimizes for working code, not secure code. The same hardcoded secret, the same SQL concatenation, the same permissive CORS — repeated across thousands of projects.

Traditional Scanners Are Blind

Semgrep, Snyk, and CodeQL don't understand prompt templates, agent tool definitions, or LLM output handling. New attack surfaces have zero coverage.

Agent Security Is Uncharted

Autonomous agents make real-world decisions with file system access, database writes, and shell commands. No existing tool audits their permission boundaries.

Rules

Rule Categories

210 rules targeting five AI-specific vulnerability domains

Vibe Code (VC001-VC040)

40 rules for patterns commonly generated by AI coding assistants: hardcoded secrets in prompts, SQL injection via concatenation, dangerous code execution, insecure defaults, missing authentication, path traversal, insecure deserialization, and weak cryptography.

Agent Security (AS001-AS030)

30 rules for autonomous agent code: overly permissive tool definitions, unrestricted file system access, shell command execution from user input, missing audit logging, no confirmation before destructive actions, unsafe inter-agent communication, and privilege escalation vectors.

LLM App (LA001-LA040)

40 rules for production LLM applications: raw user input in system prompts, unsanitized HTML rendering, LLM-generated SQL execution, exposed API keys, missing prompt injection detection, insecure OAuth flows, deprecated SDK usage, unvalidated tool outputs, and training data exfiltration risks.

Framework Security (FS001-FS050)

50 rules across 10 frameworks: Express.js, Django, Flask, FastAPI, Spring Boot, Laravel, Rails, Next.js, NestJS, and Gin — covering debug mode exposure, missing auth guards, CORS wildcards, mass assignment, unvalidated DTOs, and actuator endpoint leaks.

Cloud Security (CS001-CS050)

50 rules across 7 platforms: AWS (15), Terraform (10), Kubernetes (6), GitHub Actions (5), GCP (5), Azure (5), Docker (4) — covering IAM over-permission, public buckets, disabled encryption, privileged containers, unpinned Actions, and misconfigured security groups.

AI-Powered Analysis

Integrate Mistral AI or local Ollama models to reduce false positives, re-rank severity based on context, and generate contextual fix suggestions. Enable with a single --ai flag — works with any supported model.

Language Server Protocol

Real-time security feedback in your editor via the Achilles AI LSP server. Inline diagnostics, code actions, and fix suggestions as you type — works with VS Code, Neovim, and any LSP-compatible editor.

Custom YAML Rules

Write custom rules in YAML — no Rust knowledge required. Define AST node types, regex patterns, ancestor context constraints, and fix suggestions. Scaffold new rules with a single command.

SARIF & GitHub Integration

Native SARIF v2.1.0 output for GitHub Security tab integration. Findings appear as inline PR annotations with severity, fix suggestions, and references. Also supports JSON and text output.

GitHub Action & CI/CD

Drop-in GitHub Action for automated scanning on every push and pull request. Also supports GitLab CI, Bitbucket Pipelines, and pre-commit hooks. Single binary — no runtime dependencies.

Capabilities

What Achilles AI delivers

210

Built-in security rules

Languages supported

AI-specific categories

Single binary — no deps

Cross-platform builds

Output formats

Tech Stack

Built With

Core Engine

Rust workspace: achilles-parsers, achilles-core, achilles-ai, achilles-lsp, achilles-cli — tree-sitter, serde, regex, YAML rule engine, taint flow analysis

Language Parsers

tree-sitter-javascript, tree-sitter-typescript, tree-sitter-python, tree-sitter-go, tree-sitter-java, tree-sitter-rust, tree-sitter-ruby, tree-sitter-php, tree-sitter-c-sharp, tree-sitter-swift

AI Integration

Mistral AI SDK, Ollama client, configurable model selection, false-positive filtering, severity re-ranking

CLI, LSP & Output

clap, colored, serde_json, SARIF v2.1.0 output, Language Server Protocol

CI/CD

GitHub Actions (CI + cross-compile release), GitLab CI, Bitbucket Pipelines, pre-commit hooks

Platforms

Linux (amd64/arm64), macOS (amd64/arm64), Windows (amd64), crates.io

Pricing

Get Started with Achilles AI

Contact our team to learn how Achilles AI can secure your AI-generated code at scale.

Request Early Access

Achilles AI is in private beta. Get early access to the scanner, contribute rules from your own engagements, and shape the roadmap.

Related Consulting Services

Need help securing AI-generated code in production? Our consulting services complement Achilles AI.

Our AI Systems Are Vulnerable

Your AI systems face unique threats—prompt injection, data poisoning, model theft. Traditional security doesn't cover these attack vectors. I help you secure your AI before attackers exploit it.

Learn More

We Want AI Agents But Don't Know How

Everyone's talking about agents. Your board wants an 'agentic AI strategy.' I help you cut through the hype, identify real use cases, and build production agents safely.

Learn More

Weekly AI Insights

The 30% Report

70% of AI pilots never reach production. Get the playbook for the 30% that does.

Unsubscribe anytime. No spam, ever.