Tharos LogoTharos
DocumentationAPI AnalysisChangelog

Security Engine

Deep dive into the Tharos AST and AI analysis engines.

Security Engine

Tharos uses a hybrid analysis approach to provide both speed and depth. It combines a fast Go-based AST (Abstract Syntax Tree) scanner with high-level AI semantic reasoning.

AST-Based Scanning

The core of Tharos is a high-performance lexer and parser written in Go. This engine traverses your source code in milliseconds to identify dangerous patterns.

Detection Capabilities

  • SQL Injection: Detects direct string interpolation into SQL commands, including support for complex template literals.
  • Hardcoded Secrets: Uses entropy analysis and pattern matching to catch real secrets (e.g., API keys) while ignoring safe variable names.
  • XSS Vulnerabilities: Flags dangerous DOM sinks like innerHTML, document.write, and React's dangerouslySetInnerHTML.
  • Insecure Routes: Proactively identifies sensitive administrative or debug endpoints that lack authentication.

Custom Security Rules (Regex-Based)

While Tharos comes with powerful built-in AST rules, you can extend its capabilities using custom regex patterns in your tharos.yaml config. This allows you to enforce project-specific security policies.

security:
  rules:
    - pattern: "eval\\("
      message: "Code injection risk: eval() detected"
      severity: "block"
    - pattern: "(?i)(api[_-]?key|secret).*=.*['\"].*['\"]"
      message: "Potential hardcoded credential detected"
      severity: "block"

These rules run in parallel with the AST engine and support the // tharos-security-ignore directive for easy suppression.

Tharos vs. General Scanners (Semgrep, etc.)

While tools like Semgrep are excellent for general-purpose static analysis and CI/CD linting, Tharos is purpose-built as a Git Hook Security Scanner.

🎯 Key Differentiators

  • Workflow Gating: Tharos is designed to run locally during the pre-commit phase, acting as the final gate before code is shared.
  • AI-Powered Semantic Understanding: Unlike regex or simple AST pattern matching, Tharos uses LLMs to understand the intent of the code, significantly reducing false positives in complex logic.
  • Self-Healing Integration: Single-command setup (tharos init) that automatically manages your local git hooks.

🚫 Intelligent Commit Blocking

Tharos enforces quality gates directly in your local development workflow. It prevents high-risk code from ever being committed if it detects:

  • Critical Leaks: Hardcoded secrets, API keys, or private certificates.
  • Injection Risks: Direct SQLi or XSS patterns in production-bound files.
  • Policy Violations: Failure to meet compliance standards (OWASP, SOC2).

📊 SARIF Export (Enterprise)

Integrate Tharos into GitHub Advanced Security, GitLab, or any SARIF-compatible tool.

# Generate a standard SARIF report
tharos analyze . --format sarif > results.sarif

Smart Risk Scoring

Tharos uses AI to calculate a Risk Score (0-100) for every finding. This allows you to differentiate between a minor code smell and a mission-critical vulnerability.

Configuration

You can control which AI insights are surfaced by setting the min_risk_score in your tharos.yaml:

ai:
  min_risk_score: 60 # Only show insights with risk score >= 60

This ensures that your development workflow remains focused on the most impactful security issues.

Premium CLI Dashboard

Tharos features a high-fidelity terminal UI designed for high-stakes decision making.

  • Structured Tables: Clear separation of severity, location, and findings.
  • Commit Verdict: A definitive PASS or BLOCK banner based on your project's security policy.
  • AI Context: Beautifully rendered markdown recommendations and suggested fixes directly in your terminal.

AI Semantic Analysis

While the AST engine catches obvious patterns, the AI engine understands context. By leveraging models like Gemini 1.5 Pro and Llama 3 (via Groq), Tharos can:

  1. Calculate Risk Scores: Goes beyond "True/False" to provide a confidence level and risk probability for every finding.
  2. Contextualize Vulnerabilities: Distinguishes between a "test" password in a mock file and a real hardcoded credential in a production config.
  3. Generate Fixes: Provides drop-in code replacements that resolve the security issue while maintaining your project's coding style.

Magic Fixes

Tharos doesn't just find issues; it fixes them. Our "Magic Fix" technology can automatically rewrite insecure code patterns into safe alternatives.

🎮 Interactive Mode

The most powerful way to use Magic Fixes is through Interactive Mode. This allows you to review each finding and choose to fix it, have the AI explain the risk, or skip it.

# Start an interactive fix session
tharos analyze . --interactive

⚡ Batch Fixes

You can also apply all available fixes at once using the --fix flag.

# Apply all fixes automatically
tharos analyze . --fix

In the Playground, you can click the MAGIC FIX button to see this technology in action in real-time.

Supported Languages

Tharos provides comprehensive semantic analysis for:

  • Go: Native AST parsing for SQL injection (fmt.Sprintf) and dangerous concurrency.
  • Python: Deep security scanning for shell injection (os.system, subprocess) and command execution.
  • TypeScript/JavaScript: Full AST coverage for React, Node.js, and general web APIs.
  • Next.js: Framework-aware security gating.

Last updated on

Vulnerability Examples

Real-world examples of vulnerabilities Tharos can detect and fix.

Interactive Magic Fixes

AI-powered automated remediation for security findings.

On this page

Security Engine
AST-Based Scanning
Detection Capabilities
Custom Security Rules (Regex-Based)
Tharos vs. General Scanners (Semgrep, etc.)
🎯 Key Differentiators
🚫 Intelligent Commit Blocking
📊 SARIF Export (Enterprise)
Smart Risk Scoring
Configuration
Premium CLI Dashboard
AI Semantic Analysis
Magic Fixes
🎮 Interactive Mode
⚡ Batch Fixes
Supported Languages