# Pluto

Pluto is a powerful CLI tool that uses AI to detect security vulnerabilities in your code.

Features • Installation • Usage • Examples • Contributing
## Features

- Package Security Scanning - Scan packages before installation
- Safe Installation - `pluto pip install` and `pluto npm install`
- AI-Powered Analysis - Detect malicious code in packages
- Risk Assessment - Warnings for dangerous packages
- Security Reports - Detailed vulnerability breakdown

```bash
# Safely install Python packages
pluto pip install requests

# Safely install NPM packages
pluto npm install express
```

- Multiple AI Providers: Claude, OpenAI, Ollama (local)
- Flexible Input: Analyze files, directories, or GitHub repositories
- Multiple Report Formats: Terminal, PDF, JSON, Markdown
- Privacy-First: Local analysis with Ollama support
- Severity Filtering: Focus on CRITICAL, HIGH, MEDIUM, or LOW issues
- Multi-Language Support: Python, JavaScript, Java, C/C++, Go, Rust, PHP, Ruby, and more
- Real-time Progress: Live updates showing what the AI is analyzing
- Beautiful UI: Modern orange theme with animated elements
Pluto detects:

- SQL Injection
- XSS (Cross-Site Scripting)
- Authentication/Authorization flaws
- Hardcoded secrets & credentials
- Insecure cryptography
- Path traversal
- Command injection
- CSRF vulnerabilities
- Insecure dependencies
- And many more...
## Installation

Install from PyPI:

```bash
pip install pluto-ai
```

Upgrade an existing installation:

```bash
pip install --upgrade pluto-ai
```

Install from source:

```bash
git clone https://github.com/0xSaikat/pluto-ai.git
cd pluto-ai
pip install -e .
```

When you run Pluto for the first time, you'll be guided through an interactive setup:

```bash
pluto
```

The setup wizard will help you:

- Choose your AI provider (Claude, OpenAI, or Ollama)
- Select the best model for your needs
- Configure API keys (if using cloud providers)
- Verify your installation
## Usage

```bash
# First run - interactive setup
pluto

# Analyze a single file
pluto scan -code app.py

# Analyze entire directory with progress tracking
pluto scan -dir ./src

# Analyze GitHub repository
pluto scan -git https://github.com/user/repo

# Generate PDF report
pluto scan -code app.py --report pdf --output security_audit

# Use specific provider
pluto scan -code app.py --provider ollama --model phi

# Filter by severity
pluto scan -dir ./src --min-severity HIGH

# Reset configuration
pluto --reset
```

Options:

```text
-code, --code-file PATH                      Analyze a single code file
-dir, --directory PATH                       Analyze entire directory
-git, --git-repo TEXT                        Analyze GitHub repository
--provider [claude|openai|ollama]            AI provider
--model TEXT                                 Model name
--report [terminal|pdf|json|markdown]        Report format
--output TEXT                                Output file name
--min-severity [LOW|MEDIUM|HIGH|CRITICAL]    Minimum severity
--no-progress                                Disable progress bar
--no-banner                                  Skip animated banner
--reset                                      Reset configuration
--help                                       Show help message
```
## Examples

Scan a single file:

```bash
pluto scan -code myapp.py
```

Scan a directory and produce a PDF report:

```bash
pluto scan -dir ./backend --report pdf --output project_audit
```

Scan a GitHub repository and produce a JSON report:

```bash
pluto scan -git https://github.com/user/vulnerable-app --report json
```

Analyze sensitive code locally with Ollama:

```bash
pluto scan -code sensitive_code.py --provider ollama --model phi
```

Non-interactive run suited to CI/CD:

```bash
pluto scan -dir ./src --report json --output results.json --min-severity HIGH --no-banner --no-progress
```

Report only critical issues as Markdown:

```bash
pluto scan -dir ./app --min-severity CRITICAL --report markdown --output critical_issues
```

Report formats:

- Terminal: Colorful real-time output with severity highlighting and progress tracking
- PDF: Professional report with logo, charts, severity breakdown, and detailed findings
- JSON: Machine-readable format perfect for automation and CI/CD pipelines
- Markdown: Documentation-friendly format for GitHub issues and wikis

Supported languages: Python • JavaScript • TypeScript • Java • C/C++ • Go • Rust • PHP • Ruby • Swift • Kotlin
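The JSON report is the format meant for automation, but the README does not show how to turn it into a pass/fail decision in a pipeline. The script below is an added example written for this page, not code from the Pluto project. It assumes a report layout of `{"findings": [{"severity": "...", "title": "...", "file": "...", "line": N}, ...]}`; that layout, the `findings` and `severity` key names, and the embedded sample report are all assumptions and constructed data, so adjust `load_findings()` to the real schema once you have a report in hand. The gate fails the build when any finding is at or above the chosen severity, using the same LOW/MEDIUM/HIGH/CRITICAL ladder the `--min-severity` option uses.

```python
"""CI gate over a Pluto JSON report (added example; not part of Pluto).

Assumed report layout (an assumption, not documented on this page):
    {"findings": [{"severity": "HIGH", "title": "...", "file": "...", "line": 12}, ...]}
Adjust load_findings() if the real schema differs.
"""
import json
import sys
from collections import Counter

# Ordering used for the threshold comparison; matches Pluto's --min-severity values.
SEVERITY_ORDER = ["LOW", "MEDIUM", "HIGH", "CRITICAL"]

# Constructed sample report, used when no file argument is given.
SAMPLE_REPORT = json.dumps({
    "findings": [
        {"severity": "CRITICAL", "title": "Hardcoded credential", "file": "config.py", "line": 3},
        {"severity": "HIGH", "title": "SQL injection", "file": "db.py", "line": 42},
        {"severity": "LOW", "title": "Verbose error message", "file": "app.py", "line": 88},
    ]
})


def load_findings(raw: str) -> list:
    """Parse report text and return the findings list (assumed top-level key: 'findings')."""
    data = json.loads(raw)
    findings = data.get("findings", [])
    if not isinstance(findings, list):
        raise ValueError("report 'findings' is not a list")
    return findings


def count_by_severity(findings: list) -> dict:
    """Count findings per severity; labels are upper-cased and unknown ones are ignored."""
    counts = Counter()
    for finding in findings:
        severity = str(finding.get("severity", "")).upper()
        if severity in SEVERITY_ORDER:
            counts[severity] += 1
    return dict(counts)


def gate(findings: list, threshold: str = "HIGH") -> bool:
    """Return True when the build should fail: at least one finding at or above threshold."""
    floor = SEVERITY_ORDER.index(threshold.upper())
    failing = set(SEVERITY_ORDER[floor:])
    return any(str(f.get("severity", "")).upper() in failing for f in findings)


def main(argv: list) -> int:
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            raw = fh.read()
    else:
        raw = SAMPLE_REPORT
    threshold = argv[2] if len(argv) > 2 else "HIGH"
    findings = load_findings(raw)
    counts = count_by_severity(findings)
    for severity in reversed(SEVERITY_ORDER):
        if severity in counts:
            print(f"{severity:9s} {counts[severity]}")
    if gate(findings, threshold):
        print(f"FAIL: findings at or above {threshold}")
        return 1
    print("PASS")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

In a pipeline this runs right after the non-interactive scan from the examples, for instance `pluto scan -dir ./src --report json --output results.json --no-banner --no-progress && python pluto_gate.py results.json HIGH`, so a HIGH or CRITICAL finding makes the job exit non-zero while LOW and MEDIUM findings are only listed.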
## Provider Setup

Claude (Anthropic):

```bash
# Get API key from: https://console.anthropic.com/
export ANTHROPIC_API_KEY='sk-ant-...'
pluto scan -code app.py --provider claude
```

OpenAI:

```bash
# Get API key from: https://platform.openai.com/api-keys
export OPENAI_API_KEY='sk-...'
pluto scan -code app.py --provider openai
```

Ollama (local):

```bash
# Install from: https://ollama.ai
ollama pull phi
ollama serve
pluto scan -code app.py --provider ollama --model phi
```

See exactly what the AI is analyzing:

```text
⠋ app.py [█████████████░░░░░░░░░░░░░░░░░] 45% (00:03)
└─ Checking for SQL injection...
```
Helpful error messages guide you through fixing issues:

```text
⚠️ ERROR: Authentication Failed

Your API key is invalid or expired.

To fix this:
1. Get a new API key from: https://console.anthropic.com/
2. Run: pluto --reset
3. Or set: export ANTHROPIC_API_KEY='your-new-key'
```
A wizard guides you through configuration:

```text
Step 1: Select AI Provider

[1] Claude (Anthropic) - Best quality
[2] OpenAI (GPT) - High quality
[3] Ollama (Local) - Free & private
```
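The wizard writes the chosen provider, model and API key to `~/.pluto/config.json`, and the page shows that the key is stored in that file as plaintext. A practitioner will want to confirm that file is readable only by its owner and to know whether the key in use comes from the file or from the `ANTHROPIC_API_KEY`/`OPENAI_API_KEY` environment variables the page documents. The script below is an added example for this README, not part of Pluto; it reads only the `provider`, `model` and `api_key` keys the page shows, never prints the key value, and the `0600` target mode and the summary format are choices of this example, not documented Pluto behaviour.

```python
"""Check ~/.pluto/config.json permissions and key source (added example; not part of Pluto)."""
import json
import os
import stat
from pathlib import Path

# Location documented on the page; the key names below are the ones shown in the sample file.
CONFIG_PATH = Path.home() / ".pluto" / "config.json"
ENV_KEYS = {"claude": "ANTHROPIC_API_KEY", "openai": "OPENAI_API_KEY"}


def mode_problems(mode: int) -> list:
    """Return the over-broad permission classes found in a POSIX mode (empty list = OK).

    Only group and other bits are checked; the owner needs read/write.
    """
    problems = []
    if mode & stat.S_IRWXG:
        problems.append("group has access")
    if mode & stat.S_IRWXO:
        problems.append("others have access")
    return problems


def summarize_config(cfg: dict, mode: int, environ: dict) -> dict:
    """Build a summary from parsed config contents, the file mode and an environment mapping.

    The API key value itself is never copied into the summary.
    """
    provider = cfg.get("provider")
    env_var = ENV_KEYS.get(provider)
    return {
        "provider": provider,
        "model": cfg.get("model"),
        "key_in_file": bool(cfg.get("api_key")),
        "env_var": env_var,
        "key_in_env": bool(env_var and environ.get(env_var)),
        "problems": mode_problems(mode),
    }


def check_config(path: Path = CONFIG_PATH) -> dict:
    """Read the real config file and summarize it; a missing file yields exists=False."""
    if not path.exists():
        return {"exists": False}
    mode = stat.S_IMODE(path.stat().st_mode)
    with path.open(encoding="utf-8") as fh:
        cfg = json.load(fh)
    summary = summarize_config(cfg, mode, os.environ)
    summary["exists"] = True
    return summary


def tighten(path: Path = CONFIG_PATH) -> None:
    """Restrict the config file to owner read/write (mode 0600)."""
    path.chmod(stat.S_IRUSR | stat.S_IWUSR)


if __name__ == "__main__":
    result = check_config()
    if not result["exists"]:
        print(f"{CONFIG_PATH}: not found (run `pluto` to create it)")
    else:
        print(f"provider={result['provider']} model={result['model']}")
        print(f"key in file: {result['key_in_file']}  key in {result['env_var']}: {result['key_in_env']}")
        for problem in result["problems"]:
            print(f"WARNING: {CONFIG_PATH}: {problem}")
        if result["problems"]:
            tighten()
            print(f"tightened {CONFIG_PATH} to 0600")
```

Run it once after the wizard finishes; if `problems` is non-empty it rewrites the mode to `0600`. Keeping the key in the environment variable and out of the file is the cleaner option on shared machines, and the summary shows which of the two is currently populated.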
Pluto saves your preferences at `~/.pluto/config.json`:

```json
{
  "provider": "claude",
  "model": "claude-sonnet-4-20250514",
  "api_key": "sk-ant-...",
  "setup_complete": true
}
```

## Contributing

Contributions are welcome! Please feel free to submit a Pull Request.
1. Fork the repository
2. Create your feature branch (`git checkout -b feature/AmazingFeature`)
3. Commit your changes (`git commit -m 'Add some AmazingFeature'`)
4. Push to the branch (`git push origin feature/AmazingFeature`)
5. Open a Pull Request
See CHANGELOG.md for a list of changes.

## Author

**0xSaikat**

- Website: pluto.hackbit.org
- GitHub: @0xSaikat
- Twitter: @0xSaikat

## Acknowledgments

- Powered by Claude (Anthropic), OpenAI, and Ollama
- Built with ❤️ for the security community
- Special thanks to all contributors and users

## Disclaimer

Pluto is a security analysis tool intended for educational and legitimate security testing purposes only. Always ensure you have permission before scanning code or repositories you don't own.

## License

This project is licensed under the MIT License - see the LICENSE file for details.
