Security Engine

Tharos uses a hybrid analysis approach to provide both speed and depth. It combines a fast Go-based AST (Abstract Syntax Tree) scanner with high-level AI semantic reasoning.

AST-Based Scanning

The core of Tharos is a high-performance lexer and parser written in Go. This engine traverses your source code in milliseconds to identify dangerous patterns.

Detection Capabilities

• SQL Injection: Detects direct string interpolation into SQL commands, including support for complex template literals.
• Hardcoded Secrets: Uses entropy analysis and pattern matching to catch real secrets (e.g., API keys) while ignoring safe variable names.
• XSS Vulnerabilities: Flags dangerous DOM sinks like innerHTML, document.write, and React's dangerouslySetInnerHTML.
• Multi-Token Detection (v1.3.0): Uses a 10-token sliding window buffer to catch complex configurations like res.header("Access-Control-Allow-Origin", "*") where names and values are separate tokens.
• Insecure Routes: Proactively identifies sensitive administrative or debug endpoints that lack authentication.

Custom Security Rules (Regex-Based)

While Tharos comes with powerful built-in AST rules, you can extend its capabilities using custom regex patterns in your tharos.yaml config. This allows you to enforce project-specific security policies.

security:
  rules:
    - pattern: "eval\\("
      message: "Code injection risk: eval() detected"
      severity: "block"
    - pattern: "(?i)(api[_-]?key|secret).*=.*['\"].*['\"]"
      message: "Potential hardcoded credential detected"
      severity: "block"

These rules run in parallel with the AST engine and support the // tharos-security-ignore directive for easy suppression.

Tharos vs. General Scanners (Semgrep, etc.)

While tools like Semgrep are excellent for general-purpose static analysis and CI/CD linting, Tharos is purpose-built as a Git Hook Security Scanner.

🎯 Key Differentiators

• Workflow Gating: Tharos is designed to run locally during the pre-commit phase, acting as the final gate before code is shared.
• AI-Powered Semantic Understanding: Unlike regex or simple AST pattern matching, Tharos uses LLMs to understand the intent of the code, significantly reducing false positives in complex logic.
• Self-Healing Integration: Single-command setup (tharos init) that automatically manages your local git hooks.

🚫 Intelligent Commit Blocking

Tharos enforces quality gates directly in your local development workflow. It prevents high-risk code from ever being committed if it detects:

• Critical Leaks: Hardcoded secrets, API keys, or private certificates.
• Injection Risks: Direct SQLi or XSS patterns in production-bound files.
• Policy Violations: Failure to meet compliance standards (OWASP, SOC2).

📊 SARIF Export (Enterprise)

Integrate Tharos into GitHub Advanced Security, GitLab, or any SARIF-compatible tool.

# Generate a standard SARIF report
tharos analyze . --format sarif > results.sarif

Smart Risk Scoring

Tharos uses AI to calculate a Risk Score (0-100) for every finding. This allows you to differentiate between a minor code smell and a mission-critical vulnerability.

Configuration

You can control which AI insights are surfaced by setting the min_risk_score in your tharos.yaml:

ai:
  min_risk_score: 60 # Only show insights with risk score >= 60

This ensures that your development workflow remains focused on the most impactful security issues.

Premium CLI Dashboard

Tharos features a high-fidelity terminal UI designed for high-stakes decision making.

• Structured Tables: Clear separation of severity, location, and findings.
• Commit Verdict: A definitive PASS or BLOCK banner based on your project's security policy.
• AI Context: Beautifully rendered markdown recommendations and suggested fixes directly in your terminal.

AI Semantic Analysis

While the AST engine catches obvious patterns, the AI engine understands context. By leveraging models like Gemini 2.5 Flash and Llama 3 (via Groq), Tharos can:

1. Calculate Risk Scores: Goes beyond "True/False" to provide a confidence level and risk probability for every finding.
2. Contextualize Vulnerabilities: Distinguishes between a "test" password in a mock file and a real hardcoded credential in a production config.
3. Generate Fixes: Provides drop-in code replacements that resolve the security issue while maintaining your project's coding style.

Magic Fixes

Tharos doesn't just find issues; it fixes them. Our "Magic Fix" technology can automatically rewrite insecure code patterns into safe alternatives.

🎮 Interactive Mode

The most powerful way to use Magic Fixes is through the dedicated Interactive Fix Mode. This allows you to review each finding and choose to fix it, have the AI explain the risk, or skip it.

# Start an interactive fix session
tharos fix .

⚡ Batch Fixes

You can also apply all available fixes at once using the --fix flag.

# Apply all fixes automatically
tharos analyze . --fix

In the Playground, you can click the MAGIC FIX button to see this technology in action in real-time.

Supported Languages

Tharos provides deep, structural semantic analysis for modern polyglot environments:

🐹 Go Security Engine

Our native Go engine uses deep AST analysis to detect complex security flaws:

• Advanced SQLi Detection: Tracks string concatenations and fmt.Sprintf usage within database/sql queries.
• Command Injection: Flags unsafe os/exec calls where arguments are derived from variables rather than literals.
• Insecure TLS Profiles: Detects dangerous configurations like InsecureSkipVerify: true and weak cipher suites.
• Broken Cryptography: Automatically identifies legacy algorithms like MD5, SHA1, and DES.

🐍 Python Security Engine

Structural analysis for Python moves beyond regex to understand code intent:

• Insecure Deserialization: Detects dangerous pickle.loads() and unsafe yaml.load() calls.
• Surgical Command Injection: Analyzes os.system and subprocess calls for dynamic, unescaped shell arguments.
• Unsafe Evaluation: Flags use of eval() and exec() on potentially untrusted input.
• Network Safety: Detects insecure requests patterns like verify=False that expose you to MITM attacks.

⚛️ TypeScript & JavaScript

Full AST coverage for the entire frontend and backend ecosystem:

• Framework Support: Deep integration with Next.js, React, and Node.js.
• Modern Syntax: Full support for Template Literals, Optional Chaining, and Async/Await.
• XSS & DOM Safety: High-fidelity detection for dangerous sinks in web APIs.