Google Git
Sign in
apache/tooling-agents/HEAD
commit
ea3b384c14bb5ddd82437ba7562d82e451f1f696
[log]
author
Andrew Musselman <andrew.musselman@gmail.com>
Wed Apr 22 17:14:57 2026 -0700
committer
GitHub <noreply@github.com>
Wed Apr 22 17:14:57 2026 -0700
tree
854ca5ffa63a860434afb77328a4eab935739b30
parent
acf13aa20989192ad9496cdee703a2f503144727 [diff]
Update README.md to remove obsolete guidance details

Removed outdated information about current guidance files and their organization.
1 file changed
tree: 854ca5ffa63a860434afb77328a4eab935739b30
  1. ASVS/
  2. docs/
  3. gha-review/
  4. util/
  5. .asf.yaml
  6. .gitignore
  7. LICENSE
  8. README.md
README.md

Apache Tooling Agents

Exploring AI-driven approaches to security auditing and code review

We're using this repository to discuss ideas, gather community input, and prototype approaches. Nothing here is production-ready yet.

What This Is

This repository is a space for the Apache community to explore how AI agents might help with automated security auditing and code review. We're interested in questions like:

  • How can agents help ASF projects achieve security and other compliance?
  • What existing tools work well, and where are the gaps?
  • What should we build versus adopt?

We‘re gathering input, prototyping ideas, and working toward tooling that could benefit the broader Apache ecosystem. Your participation is welcome, whether that’s joining the discussion, sharing experiences, or contributing code.

Projects

ASVS Security Audit

Automated OWASP ASVS compliance auditing for any GitHub-hosted codebase. An orchestration pipeline downloads source code, discovers the codebase architecture, runs per-requirement security analysis, and produces a consolidated report with GitHub issues. See the ASVS README for the full pipeline reference.

GitHub Actions Review

Automated scan of GitHub Actions workflows across an organization to identify security vulnerabilities in CI/CD pipelines, find publishing channels, and flag policy violations. See the GitHub Review README for agent details and check definitions.

Repository Structure

├── ASVS/                  # ASVS security audit pipeline
│   ├── agents/            # Pipeline agent code (6 agents)
│   ├── audit_guidance/    # Project-specific false positive guidance
│   └── reports/           # Audit output organized by project and commit
├── gha-review/         # GitHub Actions security review
│   ├── agents/            # Review pipeline agents (7 agents + tests)
│   └── reports/           # Review output
├── docs/                  # Platform documentation
│   ├── gofannon/          # Gofannon setup and agent development guide
│   └── how-to-contribute.md
└── util/                  # Utility scripts

Getting Involved

Community feedback is encouraged! Whether you're an ASF committer, contributor, or just interested in security tooling:

Join the Conversation

  1. Introduce yourself on the mailing list: Say hello at 📧 dev@tooling.apache.org (Subscribe by sending an email with empty subject and body to dev-subscribe@tooling.apache.org and replying to the automated response, per the ASF mailing list how-to)

  2. Share ideas or file issues: Use GitHub Issues to ask questions, suggest approaches, or start a discussion

  3. Try things out: Experiment with the tools we're evaluating and share what you learn

Contribute Code or Docs

  • How to contribute
  • Documentation helps: Add research notes or proposals to docs/
  • Evaluate tools: Try existing tooling on your project and report back

Note: Please introduce yourself on the mailing list before submitting a PR; this helps us deter spam and means your contribution won't be overlooked.

Community

License

This project is licensed under the Apache License 2.0.

Related Work

Part of the Apache Tooling Initiative. For more information about the ASF, visit https://www.apache.org/.