SadGuard: Dynamic Code Analysis + Supply Chain Detection Attack
An AI-powered, self-hosted GitHub bot designed to detect and mitigate supply chain attacks in pull requests. SadGuard combines intelligent code analysis with executable behavior monitoring to secure your software pipeline.
SadGuard was inspired by the growing threat of supply chain attacks, such as the recent high-profile incident involving xz-utils. These attacks exploit trust in open-source contributions, embedding vulnerabilities that can have widespread consequences.
SadGuard was inspired by the rising threat of supply chain attacks, leveraging advanced AI to secure software pipelines against malicious contributions in pull requests. It uses intelligent code diff analysis, sandboxed executable behaviour monitoring, and entropy scanning of binaries to detect and mitigate malicious patterns before deployment.
Designed as a self-hosted tool, SadGuard provides proactive defense by embedding itself into the CI/CD process. It intelligently identifies vulnerabilities, flags obfuscation, and monitors suspicious runtime behavior. The modular architecture allows for future expansion, including support for additional LLMs and scoring systems for prioritized response.
SadGuard supports integration with GitHub via webhooks and offers seamless local deployment for complete data control. It combines intelligent detection with runtime observation to secure software pipelines while maintaining operational privacy. Built with a focus on detecting and preventing supply chain compromises, it helps harden software repositories against modern threats.
Features
-
Code Diff Analysis with AI
- Leverages state-of-the-art LLMs to analyze pull request code diffs for vulnerabilities and suspicious patterns.
- Automatically adds insightful comments to PR threads, aiding reviewers in identifying potential threats.
-
Sandboxed Executable Analysis
- Isolates executable files for runtime behavior analysis.
- Logs spawned processes to look for suspicious activity.
-
Entropy Analysis
- Scans binary files for high-entropy data, which may indicate obfuscation or embedded secrets.
-
Self-Hosted Solution
- Complete control of your security infrastructure. SadGuard runs locally, keeping sensitive data within your environment.
Why SadGuard?
- Proactive Defense: Detects vulnerabilities and malicious patterns in pull requests before they reach production.
- AI-Powered Insights: Makes code reviews faster and more effective with intelligent comments.
- Self-Hosted Security: Ensures your sensitive data stays within your infrastructure.