The Ambient, Zero-Exfiltration Security Engine for Application Code & Supply Chains.
SAST Β Β·Β SCA Β Β·Β Secrets Β Β·Β Dataflow Reachability Β Β·Β Deterministic Auto-Remediation Β Β·Β Supply-Chain Guard
Traditional application security tooling forces engineering teams into lose-lose trade-offs:
- Cloud Scanners demand that you upload proprietary source code to multi-tenant servers, violating zero-trust IP boundaries.
- Linter Plugins only catch superficial regex patterns, completely missing interprocedural taint flows.
- Legacy Platforms block pull requests with thousands of low-priority info alerts, creating extreme alert fatigue.
Sicario solves this. Built entirely on a native Rust foundation with embedded tree-sitter grammars, Sicario scans codebases at blistering edge speeds, computes multi-hop taint reachability locally, applies guaranteed deterministic patches directly to the AST, and enforces an Absolute Zero-Exfiltration Guarantee.
Whether running a continuous audit locally or publishing results to the enterprise dashboard, your source code never leaves your perimeter.
- Sicario computes a unique cryptographic identity (
fileHashvia SHA-256) for scanned targets alongside parsed metadata. - Payloads sent to the dashboard exclusively emit file coordinates, severity flags, and rule fingerprintsβexplicitly stripping raw source code snippets, developer comments, and execution traces.
Sicario embeds highly optimized tree-sitter parsers directly into a single portable binary, delivering production-ready Static Application Security Testing (SAST) across 9 programming languages without external runtime environments (No Node.js, Python, or JVM setups required):
- Core Web/Backend: JavaScript, TypeScript, Python, Go, Rust, Java
- Enterprise Expansion: Ruby, PHP, C#
Most modern AI agents attempt probabilistic code generation that breaks builds or hallucinates logic. Sicario utilizes a Deterministic Template Registry paired with abstract syntax tree rewrites (e.g., rewriting vulnerable string concatenations into safe parameterized SQL queries).
- Features automatic line-level backups and instant single-command rollbacks (
sicario fix --revert <patch_id>). - Includes an opt-in local AI agent for complex structural refactoring that connects to any OpenAI-compatible local LLM β Ollama, llama.cpp, LM Studio, or a custom server β with a zero-exfiltration guarantee (no code or tokens ever leave your machine).
Engineered for ultimate developer adoption, Sicario avoids blocking workflows with noise:
- Smart Viewport Thresholding: When interactive console outputs exceed a set fatigue threshold (e.g., 25 findings), Sicario automatically truncates visibility to the top 10 most critical, actionable items accompanied by a concise brutalist summary footer.
- Pre-Commit Hook Intercept Mode (
--hook-mode): Integrates directly into Git hooks to suppress verbose outputs entirely. If High or Critical vulnerabilities are introduced, it simply pauses the commit with a minimalist prompt:Accepting auto-stages fixed files viaπ Sicario Intercept: 2 Critical Vulnerabilities found (e.g., SQL Injection in /api/auth.ts) Our local engine has generated a secure, verified patch. Apply fix and continue commit? [Y/n]git addand exits cleanly.
- Secrets Detection: Multi-provider regex and entropy checks powered by fast one-way hashing to eliminate credentials in code or Git histories.
- SCA & Supply Chain Guard: Deep offline scanning of dependency lockfiles (
package.json,Cargo.toml,requirements.txt) mapped against local OSV.dev cache databases. The Guard module monitorsnode_modules/for runtime behavioral anomalies (dynamic code evaluation, obfuscated payloads). - License Compliance: Automated copyleft dependency identification categorized into clear organizational risk tiers.
macOS / Linux
curl -fsSL https://usesicario.xyz/install.sh | sh
Windows (PowerShell)
irm https://usesicario.xyz/install.ps1 | iex
# 1. Ambient Local Auditing
sicario scan .
# 2. Targeted Diff Scanning (Ideal for rapid local pre-push checks)
sicario scan --staged
# 3. Connect to the Enterprise Cloud Dashboard (Zero-Exfiltration Guaranteed)
sicario login
sicario scan . --publish
# 4. Standard CI/CD Output Interfacing
sicario scan . --format sarif --output results.sarif
# 5. Apply Safe Deterministic Remediation Patches
sicario fix src/database.js --rule js/sql-injection
# 6. Agentic Remediation: Auto-Fix and Open Pull Request
sicario fix --auto-pr
# 7. Install the Minimalist Intercept Git Hook
sicario hook auto-fix
# 8. Launch the Fully Interactive Terminal User Interface (TUI)
sicario tui
# 9. Local AI Fix β Auto-Detect (Ollama on localhost:11434)
sicario fix src/database.js --agent local
# 10. Local AI Fix β Specific Model (any model served on localhost:11434)
sicario fix src/database.js --agent local-qwen2.5-coder:7b
# 11. Local AI Fix β Bring Your Own Server (any OpenAI-compatible endpoint)
$env:SICARIO_LLM_ENDPOINT = "http://localhost:1234/v1/chat/completions" # LM Studio, etc.
$env:SICARIO_LLM_MODEL = "my-model"
sicario fix src/database.js --agent cloud
Sicario's AI fix agent works with any local LLM running an OpenAI-compatible API. No vendor lock-in β bring your own model, your own server, your own port.
| Approach | Command | What it does |
|---|---|---|
| Auto-detect | --agent local |
Probes 127.0.0.1:11434/api/tags (Ollama), picks best model |
| Explicit model | --agent local-qwen2.5-coder:7b |
Skips probe, uses your model name directly on port 11434 |
| Custom endpoint | --agent cloud + env vars |
Points any OpenAI-compatible server (LM Studio :1234, llama.cpp, etc.) |
All three paths enforce zero exfiltration β no source code, token data, or IP ever leaves 127.0.0.1. Ideal for air-gapped environments, offline workstations, or teams with strict data residency requirements.
# Examples
# Already running Ollama? It's one flag.
sicario fix src/api/auth.ts --agent local
# Using LM Studio on port 1234? Set the endpoint.
export SICARIO_LLM_ENDPOINT="http://127.0.0.1:1234/v1/chat/completions"
export SICARIO_LLM_MODEL="local-model"
sicario fix src/api/auth.ts --agent cloud
# Persistent config via config file
sicario config set llm_endpoint "http://127.0.0.1:8080/v1/chat/completions"
sicario config set llm_model "qwen2.5-1.5b"
sicario fix src/api/auth.ts --agent cloud
Beyond ambient developer guardrails, Sicario provides cutting-edge utility for security teams:
- Proof-of-Concept Exploit Generation (
--prove): Generates actionable, customized verification payloads (e.g., safe local verification probes for path traversal or blind SQL injection) to prove exploitability. - Git History Exorcist (
sicario exorcise): Deeply scrubs sensitive credentials embedded deep inside repository commit histories. - Shadow Pen-Tester (
sicario attack): Parses framework source files (Express, FastAPI, Flask) to extract mapped HTTP route structures and dynamically compiles API endpoint testing suites. - Natural Language Rule Compilation (
sicario rule): Instantly translates human security policy descriptions into robust YAML + AST syntax rule structures.
Sicario Skills are portable, deterministic security workflows designed for AI coding assistants (Cursor, Windsurf, Claude Code). Unlike raw tools, Skills guide AI agents through complex, multi-step security hardening tasks while maintaining local-first data integrity.
- Portable Workflows: Distributed as markdown-based guidance and MCP Prompts that AI agents can discover and execute automatically.
- Deterministic Remediation: Guides AI to use Sicario's local AST templates for fixes rather than guessing probabilistic patches.
- Ambient Hardening: Skills like
supply-chain-sentinelact as a background "security colleague" inside the IDE.
| Skill | Purpose | Key Tools |
|---|---|---|
remediate-vulnerability |
Detect, analyze, and apply deterministic local patches. | analyze_ast_security, request_remediation_patch |
project-security-audit |
Comprehensive project-wide risk assessment and roadmap. | analyze_ast_security, log_telemetry_audit |
supply-chain-sentinel |
Real-time monitoring of malicious dependency behavior. | get_rules, Poison-Pill Interceptor |
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β SICARIO CLI β
β β
β Tree-Sitter Parsers β Engine (SAST + SCA + Taint Tracing) β
β Secrets Scanner β Remediation Registry & Backup Mgr β
β Output Formatters β Key Management & Auth Module β
β β
β Minimalist Hook Intercepts Β· Local Cache Β· Smart Viewport β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β
Metadata & SHA-256 Only
(Zero Raw Snippet Exfiltration)
β
βΌ
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β SICARIO CLOUD β
β β
β Convex Realtime Engine (RBAC, Audit Logs, Webhook Sync) β
β Enterprise Dashboard (Triage Matrix, Integrations, Policies) β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
Sicario rules are readable, declarative YAML files. Simply add a file to your targeted directory (sicario-cli/rules/<lang>/) or load an entire custom directory with --rules-dir:
id: "js/eval-injection"
name: "Direct Code Evaluation Injection"
severity: critical
confidence: high
language: javascript
description: "Untrusted variable directly passed to the eval() interpreter engine."
pattern: |
eval($INPUT)
cwe_id: "CWE-95"
owasp_category: "A03_Injection"
- Contributing: We welcome contributions from developers of all skill levels! See CONTRIBUTING.md to get started on expanding rule libraries, fixing edge cases, or adding custom grammars.
- Security Disclosures: Please view SECURITY.md to securely report sensitive framework vulnerabilities directly to our triage team.
- Commercial Licensing: Governed by the source-available Functional Source License 1.1 (FSL-1.1), converting automatically to Apache 2.0 after two years. Free for local developer usage, open-source auditing, and internal corporate scanning. Providing third-party hosted commercial scanning requires a commercial enterprise arrangement. Visit usesicario.xyz for deployment details.