AI Skill Hub strongly recommends: Code Audit Tool (RepoLens) is a solid Agent workflow. AI composite score 8.0, a steady performer among comparable tools. If you are looking for a reliable Agent workflow solution, this one is worth a closer look.
RepoLens is a shell-driven, multi-lens code audit workflow: it runs specialist audit lenses through AI agent CLIs (claude, codex, spark, sparc, opencode) against a git repository, a live server, or an Android APK, and files real findings as issues on GitHub, Gitea, Forgejo or Codeberg, or as local markdown files with --local. It is built for automated code review, agent-driven pentesting, and tool-driven static and dynamic analysis.
```bash
# Clone the repository
git clone https://github.com/TheMorpheus407/RepoLens
cd RepoLens
# Read the install instructions
cat README.md
# Once the dependencies listed in the README are installed, the tool is ready to use
```
```bash
# Show help
./repolens.sh --help
# Basic run (see the usage synopsis and flag table below)
./repolens.sh --project <path|url> --agent <agent> [OPTIONS]
# Full documentation:
# https://github.com/TheMorpheus407/RepoLens
```
```bash
# RepoLens is configured with command-line flags and REPOLENS_* environment
# variables; domain definitions (including the optional keywords field) live in
# config/domains.json, which is read with jq. Several flags have env fallbacks:
export REPOLENS_AGENT_TIMEOUT=1800                # per-invocation agent timeout, seconds
export REPOLENS_MIN_SEVERITY=high                 # fallback for --min-severity
export REPOLENS_BUG_REPORT_PATH="$HOME/bug.txt"   # fallback for --bug-report
export REPOLENS_SCOPE_BY_KEYWORDS=1               # fallback for --scope-by-keywords
```
Multi-lens code audit tool. Runs 336 specialist lenses across 33 domains against any git repository, live server, Android APK, or product specification and creates remote issues for real findings or backlog work. Think automated code review, agent-driven pentesting, tool-driven static/dynamic analysis, infrastructure auditing, Android auditing, and spec-to-backlog planning — all with deep specialization.
> [!IMPORTANT]
> RepoLens runs AI agents with shell access against your repository, and a full audit can cost hundreds of dollars in API charges. It is NOT a sandboxed security tool, comes with NO warranty, and you use it entirely at your own risk. Read Warnings & Limits before your first run, especially the cost and security sections.
./repolens.sh --project ~/my-app --agent codex --mode feature --domain testing
| Tool | Required | Purpose | Install |
|---|---|---|---|
| bash | Yes (4.0+) | Shell runtime: associative arrays, read -ra and other 4.x features are used throughout | Linux distributions ship 4.0+ already. macOS ships 3.2 by default (GPLv3 avoidance); upgrade via brew install bash. RepoLens aborts at startup on older bash with an upgrade hint. |
| git | Yes | Repo validation, cloning | OS package manager (apt install git, brew install git, nix-env -i git) |
| jq | Yes | JSON config parsing | OS package manager (apt install jq, brew install jq, nix-env -i jq) |
| timeout (coreutils) | Yes | Per-invocation agent timeout watchdog with SIGKILL escalation grace (see REPOLENS_AGENT_TIMEOUT* and REPOLENS_AGENT_KILL_GRACE below) | Ships in GNU coreutils. Pre-installed on Linux/NixOS. On macOS: brew install coreutils. |
| gh, tea, or fj | Yes (unless --local) | Remote forge operations for labels and issue queries | See [Supported forges](#supported-forges) for detection, install links, and auth commands |
| Agent CLI | Yes (at least one) | Run analysis agents | See [Supported Agent CLIs](#supported-agent-clis) below for install + auth per CLI |
| docker + docker compose | Only for --hosted | DAST scanning environment | OS package manager |
| Flag | Description |
|---|---|
| --project <path\|url> | Local path, APK file, or remote Git URL (cloned read-only if URL) |
| --agent <agent> | claude \| codex \| spark \| sparc \| opencode \| opencode/<model> |
```bash
# Deploy-mode audit of a local server checkout, lenses in parallel, stop after 5 issues
./repolens.sh --project /srv/myapp --agent claude --mode deploy --parallel --max-issues 5

# Force the server deploy target (skips Android detection and build handling)
./repolens.sh --project /srv/myapp --agent claude --mode deploy --deploy-target server

# Inspect a remote server over SSH with an explicit key and a label shown in the prompts
./repolens.sh --project ~/myapp --agent claude --mode deploy \
  --remote ubuntu@198.51.100.10 \
  --remote-key ~/.ssh/server_deploy \
  --remote-label "Production app server" \
  --max-issues 1

# Remote target on a non-default SSH port
./repolens.sh --project /srv/myapp --agent claude --mode deploy --remote ubuntu@host.example.com:2222 --remote-key ~/.ssh/id_ed25519

# Android deploy target: point at an APK directly ...
./repolens.sh --project ~/my-app/app/build/outputs/apk/debug/app-debug.apk --agent claude --mode deploy

# ... or at an Android source tree and select the Android target explicitly
./repolens.sh --project ~/my-android-app --agent claude --mode deploy --deploy-target android
```
Remote deploy mode lets you run deploy-mode server lenses from your workstation while inspecting a server over SSH. Use it only for server targets; it is rejected with --hosted and Android deploy targets.
Remote SSH runs with BatchMode=yes, so the connection must not require an interactive password prompt. Load the key before starting RepoLens, for example with ssh-add ~/.ssh/server_deploy, or pass an unlocked key with --remote-key <path>. RepoLens writes the remote preflight output for each run under logs/<run-id>/.remote/preflight.log.
Remote deploy uses OpenSSH ControlMaster so the run performs one TCP connection and authentication, then multiplexes agent SSH commands over the control socket. The master connection persists for 600 seconds after the last command, which reduces repeated authentication and connection setup during long deploy runs.
For the first run against a remote host, start with --max-issues 1 and avoid --parallel; if you do enable parallel execution, keep it to --parallel --max-parallel 1 until the transcript confirms commands are wrapped correctly and the target handles the SSH load. --max-issues 1 keeps the first pass short, and --max-parallel 1 prevents several lenses from competing for the same remote target while you validate the setup.
Forge actions still happen on the operator workstation. gh, tea, or fj issue creation, label setup, and issue lookups run locally against the configured forge account; only deploy-target investigation commands are wrapped over SSH.
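The following is an added example, not RepoLens code, showing how a --remote target of the four accepted forms (host, host:port, user@host, user@host:port) can be validated and turned into the kind of non-interactive, multiplexed ssh command line the remote deploy section describes. The ControlPath location, ConnectTimeout, IdentitiesOnly and the preflight helper are this example's own choices; the page does not document RepoLens's exact ssh options.

```bash
#!/usr/bin/env bash
# Added example (not RepoLens code): parse a --remote style target and build an
# ssh command line with BatchMode and ControlMaster multiplexing.

parse_remote_target() {
  # Usage: parse_remote_target <target>
  # Prints "<[user@]host> <port>"; returns 1 on malformed input.
  # IPv6 literals are not handled: a second ':' would be misread as a port.
  local target hostpart port
  target=$1
  case "$target" in
    ''|*[[:space:]]*|*/*) return 1 ;;   # empty, whitespace or path/URL-like input
  esac
  case "$target" in
    *:*)
      hostpart=${target%%:*}
      port=${target##*:}
      case "$port" in ''|*[!0-9]*) return 1 ;; esac   # port must be numeric
      [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
      # reassembly must reproduce the input, so "a:1:2" is rejected
      case "$hostpart:$port" in "$target") ;; *) return 1 ;; esac
      ;;
    *)
      hostpart=$target
      port=22
      ;;
  esac
  [ -n "$hostpart" ] || return 1
  printf '%s %s\n' "$hostpart" "$port"
}

build_ssh_cmd() {
  # Usage: build_ssh_cmd <target> [key-path]
  # Prints the ssh command: BatchMode so a password prompt fails instead of
  # hanging; ControlMaster/ControlPersist so one authenticated connection is
  # reused for 600 s after the last command. ControlPath and ConnectTimeout
  # are assumptions of this example.
  local target key parsed hostpart port cmd
  target=$1
  key=${2:-}
  parsed=$(parse_remote_target "$target") || return 1
  hostpart=${parsed% *}
  port=${parsed##* }
  cmd='ssh -o BatchMode=yes -o ConnectTimeout=10'
  cmd="$cmd -o ControlMaster=auto -o ControlPath=/tmp/repolens-%C -o ControlPersist=600"
  if [ -n "$key" ]; then
    [ -f "$key" ] || return 2     # like --remote-key: must be an existing regular file
    cmd="$cmd -o IdentitiesOnly=yes -i $key"
  fi
  printf '%s -p %s %s\n' "$cmd" "$port" "$hostpart"
}

remote_preflight() {
  # Usage: remote_preflight <target> [key-path]
  # Runs a no-op through the built command; non-zero means the key is not
  # loaded/unlocked or the host is unreachable. Needs a network; key paths
  # must not contain spaces because the command line is word-split here.
  local cmd
  cmd=$(build_ssh_cmd "$@") || return $?
  $cmd true
}

if [ "${1:-}" = "--demo" ]; then
  build_ssh_cmd 'ubuntu@host.example.com:2222'
fi
```

Run `bash remote_target.sh --demo` to print the command line for the port-2222 example above, or call remote_preflight before a long deploy run to find out whether BatchMode will be able to authenticate.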
REPOLENS_AGENT_TIMEOUT_DEPLOY=2400 ./repolens.sh --project /srv/myapp --agent claude --mode deploy
| Flag | Description |
|---|---|
| --mode <mode> | audit (default) \| feature \| bugfix \| bugreport \| discover \| deploy \| custom \| opensource \| content \| greenfield |
| --bug-report <file\|text> | Required for --mode bugreport. Path to a text file or inline symptom text (read verbatim). Env fallback: REPOLENS_BUG_REPORT_PATH. 100 KB max for file mode. |
| --change <statement> | Change impact statement (implies --mode custom) |
| --source <file> | Source material (PDF, text, markdown) for content creation or reference |
| --logs <path> | Runtime log file or directory for the logs domain (path string only; the agent reads it) |
| --focus <lens-id> | Run a single lens (e.g., injection, dead-code) |
| --lens <lens-id> | Alias for --focus |
| --domain <domain-id> | Run all lenses in one domain (e.g., security) |
| --relevant-domains <csv> | Comma-separated allowlist of domain ids: the "missing middle" between --focus (1 lens) and full fan-out. The mode-filtered lens list is intersected with this allowlist; unknown or wrong-mode ids abort startup with the offending token named. Whitespace and empty tokens in the CSV are tolerated. Bypassed when --focus or --domain is set (those win). Composes with --scope-by-keywords (AND semantics) and with the triage-side relevant-domains filter. Example: --relevant-domains concurrency,database. |
| --scope-by-keywords | Deterministic, LLM-free pruning for --mode bugreport: case-insensitive substring-match the bug-report text against each domain's optional keywords field in config/domains.json. Domains without a keywords field are always kept (back-compat). A zero-match result falls through with no pruning so the lens list never goes empty. Only effective in --mode bugreport (no-op in every other mode). Env fallback: REPOLENS_SCOPE_BY_KEYWORDS=1. |
| --parallel | Run lenses in parallel (one agent process per lens) |
| --max-parallel <n> | Max concurrent agents in parallel mode (default: 8) |
| --resume <run-id> | Resume a previous interrupted run |
| --spec <file> | Spec/PRD/roadmap to guide analysis (any text file, max 100 KB). Required for --mode greenfield; greenfield treats it as product-owner intent for backlog planning. |
| --max-issues <n> | Stop after creating _n_ total issues |
| --min-severity <level> | Only file findings at or above critical, high, medium, or low. Filtered findings are counted in summary.json and reported in final stdout when the count is non-zero. No effect in non-severity modes such as discover, feature, custom, and greenfield. Env fallback: REPOLENS_MIN_SEVERITY. |
| --depth <n> | DONE streak depth per lens. Defaults to 3 for audit, feature, and bugfix; defaults to 1 for all other modes. Must be between 1 and 19. |
| --rounds <n> | Validated cross-lens round count for multi-round orchestration. Defaults to 1 except bugreport, which defaults to 3. Only bugreport accepts values above 1; audit, feature, bugfix, custom, deploy, opensource, content, discover, and greenfield are locked to 1. --rounds >= 4 requires --i-know-this-is-expensive. The resolved value is shown by --dry-run and sizes the logs/<run-id>/rounds/round-N/ artifact layout. |
| --strategy <name> | Bugreport round-1 dispatch strategy: fanout (default; every lens runs in round 1, identical to today's --mode bugreport) \| waves (a narrow set of triage-seeded GENERIC investigators dispatch in round 1; subsequent rounds use the existing role-aware dispatch). waves requires --mode bugreport and rejects with a clear error on any other mode. The resolved value is shown by --dry-run under --mode bugreport. Env fallback: REPOLENS_STRATEGY. Wave width is controlled by REPOLENS_WAVE_WIDTH (default 7, clamped to 1..50). |
| --local | Write findings as local markdown files instead of creating remote issues. No forge CLI required. |
| --output <path> | Output directory for local markdown files (requires --local, default: logs/<run-id>/rounds/round-1/lens-outputs/) |
| --forge <provider> | Override forge auto-detection: gh for GitHub, tea for Gitea, fj for Forgejo/Codeberg. Codeberg is auto-detected; use this for self-hosted Gitea/Forgejo remotes whose hostname is not auto-detected. Self-hosted Forgejo needs an HTTPS or SSH origin remote so RepoLens can pass fj -H <host>. |
| --hosted | Spin up Docker Compose for DAST scanning (used with the toolgate domain) |
| --remote <ssh-target> | Remote deploy server target. Accepts host, host:port, user@host, or user@host:port; only valid with --mode deploy server targets; incompatible with --hosted and Android deploy targets. The target is validated, exported to deploy agents, shown in --dry-run, and repeated in deploy authorization and normal run confirmation prompts. |
| --remote-key <path> | SSH private key path for --remote. The path must exist and be a regular file. If omitted, remote SSH uses normal SSH key resolution. |
| --remote-label <text> | Human-readable label for the remote target. When provided, confirmation prompts show the label and a separate Raw target: ... line with the exact SSH target. Multi-word labels can be quoted or passed as adjacent words before the next option. |
| --deploy-target <target> | Deploy target resolver: --deploy-target auto\|server\|android, with auto as the default. Only valid with --mode deploy. auto opportunistically selects Android only for a direct APK, discovered APK, or shallow Android source marker (gradlew, build.gradle, build.gradle.kts, app/build.gradle, or app/build.gradle.kts); otherwise it preserves live-server deploy behavior. server skips Android detection and build handling. Only explicit --deploy-target android receives the no-source/no-APK Android exit when no APK or shallow marker exists. |
| --build-android-apk | In Android deploy mode, allow the optional source build fallback to run ./gradlew assembleDebug when no APK is already resolved. The fallback is gated behind deploy authorization and the normal run confirmation, and is never executed during --dry-run. |
| --max-cost <amount> | Warn if the **minimum cost estimate** exceeds this dollar amount (e.g., --max-cost 10). The estimate is a lower bound; real runs typically cost 2–5× more due to tool-call churn and iteration non-convergence. Budget accordingly. |
| --cross-link <mode> | Synthesizer cross-link strategy: off \| comment \| suggest-reopen. Controls whether the synthesizer links related findings across lenses/domains in the synthesized output. Defaults to comment for bugreport, off for every other mode. Env fallback: REPOLENS_CROSS_LINK. |
| --i-know-this-is-expensive | Cost-acknowledgement gate required for --rounds >= 4. Does not bypass the REPOLENS_MAX_ROUNDS hard ceiling (default 5). Equivalent to passing --max-cost <budget> together with --yes. |
| --dry-run | Validate config and show which lenses would run, then exit (no agents executed) |
| --yes, -y | Skip confirmation prompt (for CI/automation) |
| --version | Show version and sponsor information, then exit |
| --about | Show tool description and sponsor information, then exit |
| -h, --help | Show help |
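As an added example, not RepoLens code, the --scope-by-keywords pruning and the --relevant-domains intersection from the table above, reimplemented over a small constructed stand-in for config/domains.json. The domain ids and keywords are made up for the demo, and the stand-in uses one pipe-separated line per domain rather than the real JSON, so no jq is needed; the three edge cases the table names (keyword-less domains always kept, zero-match fall-through, unknown allowlist tokens aborting) are exercised explicitly.

```bash
#!/usr/bin/env bash
# Added example (not RepoLens code). Constructed stand-in for config/domains.json:
# "domain-id|comma,separated,keywords"; an empty keyword field stands for a
# domain that has no keywords field at all.
DOMAINS='security|injection,auth,token
concurrency|race,deadlock,mutex
database|sql,migration,index
testing|
logs|'

all_domain_ids() {
  printf '%s\n' "$DOMAINS" | cut -d'|' -f1
}

scope_by_keywords() {
  # Usage: scope_by_keywords "<bug report text>"
  # Prints the kept domain ids, one per line:
  #  - case-insensitive substring match of each keyword against the report
  #  - domains without a keywords field are always kept
  #  - if no keyword-carrying domain matches, nothing is pruned
  local report kept matched id kws kw hit old_ifs
  report=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  kept=''
  matched=0
  while IFS='|' read -r id kws; do
    [ -n "$id" ] || continue
    if [ -z "$kws" ]; then
      kept="$kept$id
"
      continue
    fi
    hit=0
    old_ifs=$IFS
    IFS=','
    for kw in $kws; do
      kw=$(printf '%s' "$kw" | tr 'A-Z' 'a-z' | sed 's/^ *//;s/ *$//')
      [ -n "$kw" ] || continue            # an empty keyword would match everything
      case "$report" in *"$kw"*) hit=1 ;; esac
    done
    IFS=$old_ifs
    if [ "$hit" -eq 1 ]; then
      matched=$((matched + 1))
      kept="$kept$id
"
    fi
  done <<EOF
$DOMAINS
EOF
  if [ "$matched" -eq 0 ]; then
    all_domain_ids        # zero-match fall-through: the lens list never goes empty
  else
    printf '%s' "$kept"
  fi
}

intersect_allowlist() {
  # Usage: intersect_allowlist "<newline-separated ids>" "<csv allowlist>"
  # AND semantics: keeps ids present in both. Whitespace and empty tokens are
  # tolerated; a token that is not a known domain aborts, naming the token.
  local ids tok all out old_ifs
  ids=$1
  all=$(all_domain_ids)
  out=''
  old_ifs=$IFS
  IFS=','
  for tok in $2; do
    tok=$(printf '%s' "$tok" | tr -d ' \t')
    [ -n "$tok" ] || continue
    if ! printf '%s\n' "$all" | grep -Fqx -- "$tok"; then
      IFS=$old_ifs
      printf 'unknown domain id: %s\n' "$tok" >&2
      return 1
    fi
    if printf '%s\n' "$ids" | grep -Fqx -- "$tok"; then
      out="$out$tok
"
    fi
  done
  IFS=$old_ifs
  printf '%s' "$out"
}

if [ "${1:-}" = "--demo" ]; then
  scoped=$(scope_by_keywords 'Login returns a stale TOKEN after the DB migration')
  printf 'scoped:\n%s\n' "$scoped"
  printf 'after --relevant-domains concurrency,database:\n'
  intersect_allowlist "$scoped" 'concurrency,database'
fi
```

With the demo report, only security (token) and database (migration) match; testing and logs survive because they carry no keywords, and the allowlist then narrows the result to database alone.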
Agent timeouts are resolved per invocation with this precedence: REPOLENS_AGENT_TIMEOUT_<AGENT> > REPOLENS_AGENT_TIMEOUT > REPOLENS_AGENT_TIMEOUT_<MODE> > the mode default. REPOLENS_LENS_MAX_WALL caps the whole lens loop, and each invocation is limited to the smaller of the resolved agent timeout and the remaining lens budget. Worst-case agent wall time per lens is therefore bounded by min(resolved agent timeout * MAX_ITERATIONS_PER_LENS, REPOLENS_LENS_MAX_WALL), before rate-limit sleeps and non-agent I/O; with a global override that is min(REPOLENS_AGENT_TIMEOUT * MAX_ITERATIONS_PER_LENS, REPOLENS_LENS_MAX_WALL). With the 1800 s default and MAX_ITERATIONS_PER_LENS=20, the raw cap is 30 min * 20 = 10 hours, so in practice the default 3600 s wall budget is what binds. Use an agent-specific variable when one backend needs a different cap, or a mode-specific variable when only one workflow needs a different per-invocation cap, as with REPOLENS_AGENT_TIMEOUT_DEPLOY=2400 in the deploy invocation above.
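An added example, not RepoLens code, that implements the precedence and the per-lens bound just described as shell functions you can exercise with the same REPOLENS_* variables. Upper-casing the agent and mode names and replacing non-alphanumerics with an underscore (so opencode/<model> becomes a legal variable name), and treating a non-numeric value as unset, are this example's assumptions; the page does not say how RepoLens normalises names or handles malformed values.

```bash
#!/usr/bin/env bash
# Added example (not RepoLens code): agent timeout precedence and lens wall bound.

env_key() {
  # Upper-case an agent or mode name for use in an env var name; anything that
  # is not [A-Z0-9] (e.g. the '/' in opencode/<model>) becomes '_'. Assumption.
  printf '%s' "$1" | tr 'a-z' 'A-Z' | sed 's/[^A-Z0-9]/_/g'
}

resolve_agent_timeout() {
  # Usage: resolve_agent_timeout <agent> <mode> <mode-default-seconds>
  # Precedence: REPOLENS_AGENT_TIMEOUT_<AGENT> > REPOLENS_AGENT_TIMEOUT
  #           > REPOLENS_AGENT_TIMEOUT_<MODE> > mode default
  local name val
  for name in "REPOLENS_AGENT_TIMEOUT_$(env_key "$1")" \
              REPOLENS_AGENT_TIMEOUT \
              "REPOLENS_AGENT_TIMEOUT_$(env_key "$2")"; do
    eval "val=\${$name:-}"            # name is [A-Z0-9_] only, so eval is safe here
    case "$val" in
      ''|*[!0-9]*) ;;                 # unset or malformed: fall through (assumption)
      *) printf '%s\n' "$val"; return 0 ;;
    esac
  done
  printf '%s\n' "$3"
}

invocation_timeout() {
  # Usage: invocation_timeout <resolved-agent-timeout> <remaining-lens-budget>
  # Each agent invocation gets the smaller of the two.
  if [ "$1" -lt "$2" ]; then printf '%s\n' "$1"; else printf '%s\n' "$2"; fi
}

worst_case_lens_wall() {
  # Usage: worst_case_lens_wall <resolved-agent-timeout> <max-iterations> <lens-max-wall>
  # min(timeout * MAX_ITERATIONS_PER_LENS, REPOLENS_LENS_MAX_WALL), before
  # rate-limit sleeps and non-agent I/O.
  local raw
  raw=$(( $1 * $2 ))
  if [ "$raw" -lt "$3" ]; then printf '%s\n' "$raw"; else printf '%s\n' "$3"; fi
}

if [ "${1:-}" = "--demo" ]; then
  # Numbers from the text: 1800 s default, 20 iterations, 3600 s lens wall budget
  t=$(resolve_agent_timeout claude deploy 1800)
  printf 'resolved per-invocation timeout: %s s\n' "$t"
  printf 'worst-case agent wall time per lens: %s s\n' "$(worst_case_lens_wall "$t" 20 3600)"
fi
```

Run it as `REPOLENS_AGENT_TIMEOUT_DEPLOY=2400 bash timeouts.sh --demo` to see the mode-specific override win over the default, and then with REPOLENS_AGENT_TIMEOUT=900 set as well to confirm the global variable outranks it while the lens wall budget of 3600 s stays the binding limit.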
```bash
gh auth login                   # GitHub
tea login add                   # Gitea
fj -H codeberg.org auth login   # Codeberg; use your Forgejo host for self-hosted instances
```
```text
Usage: repolens.sh --project <path|url> --agent <agent> [OPTIONS]
       repolens.sh status [run-id] [OPTIONS]
       repolens.sh clean [OPTIONS]
```
```bash
./repolens.sh --project ~/my-app --agent claude --mode bugreport --bug-report ~/bug.txt
```
A high-quality code audit tool, worth using.
AI Skill Hub is a third-party content aggregation platform; the information on this page is compiled from public data and carries no legal endorsement of the tool's functionality or quality.
Validate the tool thoroughly in a sandbox or test environment, and carry out the necessary security assessment, before deploying it to production.
✅ Apache 2.0: a permissive open-source license; commercial use is allowed, the copyright notice and NOTICE file must be retained, and it includes a patent grant clause.
Overall, Code Audit Tool (RepoLens) is a well-made Agent workflow that holds its own among comparable tools. AI Skill Hub will keep tracking its updates; bookmark it and adopt it when your own use case calls for it.
| Field | Value |
|---|---|
| Original name | RepoLens |
| Topics | code audit, AI workflow, security testing |
| GitHub | https://github.com/TheMorpheus407/RepoLens |
| License | Apache-2.0 |
| Language | Shell |
Listed: 2026-06-06 · Updated: 2026-06-06 · License: Apache-2.0 · AI Skill Hub does not legally endorse the accuracy of third-party content.