Content
# Fenrir Code Audit Tool
Fenrir is a code audit tool based on the MCP protocol and AST technology, designed to address the issues of low efficiency and poor accuracy of traditional code search and analysis methods when facing large-scale, structurally complex, or even decompiled code in the fields of security research and automated code auditing.
The project takes AST (Abstract Syntax Tree) as its core, combined with the MCP protocol and advanced technologies such as go-tree-sitter, to achieve structured parsing, indexing, and efficient retrieval of source code in languages such as Java. Its main functions include: precise code segment search based on AST for classes, methods, fields, parent classes, subclasses, etc., persistent caching of AST indexes, intelligent tool registration and AI collaboration under the MCP protocol, and good compatibility with decompiled code. The innovation of the project lies in the deep integration of AST structure and AI intelligent dialogue, which greatly improves the practicality and intelligence of large models in code security analysis scenarios. The overall architecture is modular and easy to expand, making it suitable for integration into larger automated security platforms, with high engineering practical value and industry promotion prospects.
## Features
### 1. AST Abstract Syntax Tree
The core principle of this tool to implement code search function is to build an AST abstract syntax tree for the code.
### 2. Code Structure Analysis
Based on the AST syntax tree, it implements precise code segment search functions for classes, methods, attributes, parent classes, and subclasses, enabling large models to accurately search for the code segments they want. As we all know, a major pain point of using the MCP protocol is that the context sent to large models is often too long. This approach can eliminate redundant information, solve the problem of excessive context length, and facilitate more effective judgment by large models.
### 3. MCP Protocol
Empower AI using the popular MCP protocol, by providing powerful MCP tools, enabling large models to have equal dialogue with security researchers in the same code context, fully leveraging the "subjective initiative" of AI.
### 4. Efficient AST Caching Mechanism
Supports persistent caching of AST indexes, avoiding repeated parsing of source code for each analysis, greatly improving the analysis speed of large projects. The caching mechanism is configurable and supports automatic reconstruction and manual cleanup.
## Installation Instructions
### System Requirements
- Build version is Go 1.23.0 (if you encounter version issues, it is recommended to use Go 1.23.0 version to build)
- Other dependencies can be found in the go.mod file
- Incompatible issues have appeared in the new version of go-tree-sitter: undefined: Node, this is because the library code calls import "C", which means that cgo support is enabled. If you want to use cgo (such as calling some local C libraries), you need to install a C compiler that can be recognized by Go in the system, such as MinGW-w64. The problem is solved after installation.
### Installation Steps
1. Clone the repository
```bash
git clone https://github.com/yourusername/Fenrir-CodeAuditTool.git
cd Fenrir-CodeAuditTool
```
2. Install dependencies
```bash
go mod download
```
3. Build the project
```bash
go build -o fenrir
```
## Usage
First, run the exe file, or the application/server/main.go file. You can use the -i parameter in the command line to specify the code repository path, or specify the code repository path in the resources\config.yaml file (be sure to use double slashes) to start the MCP server.
Command line specification example:
.\Fenrir-CodeAuditTool.exe -i "D:\CodeAudit\Apache Sling CMS 1.1.8\apache-sling-cms-1.1.8"
Second, use Cherry Studio or other client tools to configure this MCP server, configure the large model API key, and you can start the dialogue to use. (The API key of the large model needs to be purchased by yourself).
Note: You can view the AST cache file corresponding to the code repository in the cache directory.
## Project Structure
```
Fenrir-CodeAuditTool/
├── application/ # Server startup program, including MCP tool and prompt registration
├── cache/ # AST cache file directory
├── configs/ # Configuration program
├── docs/ # Demonstration pictures
├── internal/ # AST parsing core program
├── prompts/ # Code audit prompts
├── resources/ # Configuration file
├── test/ # Test program
└── tools/ # Cache file management program
```
## Real Machine Demonstration
Select the Apache open source project Sling CMS as the project to be audited, project address: https://github.com/apache/sling-org-apache-sling-app-cms
Import maven dependencies, find the sling dependencies in the local repository, for example, my path here is: C:\Users\miaoj\.m2\repository\org\apache\sling:
<img src="docs/img1.png" alt="img1.png">
These dependencies contain the core code of Sling CMS, which needs to be decompiled and the decompiled code copied to the code repository.
After completing the above steps, specify the code repository as the project root path of Sling CMS, run the server code, start building the AST index for the code repository and save it to the cache file, and open an SSE listener:
<img src="docs/img2.png" alt="img2.png">
Use Cherry Studio as an MCP client to connect to this server. Let's have Deepseek start analyzing from the login logic LoginServlet. LoginServlet is located in the decompiled code of the dependency org.apache.sling.auth.core:
<img src="docs/img3.png" alt="img3.png">
Let's take a look at the performance of the large model:
<img src="docs/img4.png" alt="img4.png">
<img src="docs/img5.png" alt="img5.png">
<img src="docs/img6.png" alt="img6.png">
<img src="docs/img7.png" alt="img7.png">
- First, we can see that AST parsing can be performed correctly for large projects like Apache Sling CMS.
- Second, decompiled code can also be correctly parsed and found.
- Third, deepseek drew a call graph showing the process of its chain call, which reflects the powerful function of this tool to automatically chain search and analyze.
- Finally, deepseek pointed out the code segments with security risks and gave repair suggestions, completing the code audit.
## Tips
- Currently, only building AST indexes for Java code (including decompiled code) is supported
- The actual audit effect depends on the capabilities of the large model
- In actual use, the prompts should be fine-tuned purposefully
## Contribution Guide
1. Fork the project
2. Create a feature branch (`git checkout -b feature/AmazingFeature`)
3. Commit changes (`git commit -m 'Add some AmazingFeature'`)
4. Push to the branch (`git push origin feature/AmazingFeature`)
5. Create a Pull Request
## License
This project uses the Apache 2.0 license - see the [LICENSE](LICENSE) file for details
## Acknowledgements
- [Tree-sitter](https://tree-sitter.github.io/tree-sitter/) - Used for code parsing
- [Go AST](https://golang.org/pkg/go/ast/) - Go language AST support
- [Java Parser](https://github.com/smacker/go-tree-sitter-java) - Java language parsing support
## New Feature Added
<img src="img.png" alt="img.png">
Function design
Supports multiple code sources:
ZIP compressed package URL download
Git repository clone
Local path direct analysis
Automated process:
Automatically download/clone code
Automatic decompression (if it is a compressed package)
Automatically set the configuration file path
Automatically build/load AST
Return audit results
-----------------------------------
Main modifications and new features:
Server status management: Added ServerState structure to manage server status, including ready status, AST index and query engine
Conditional waiting: Use sync.Cond to implement conditional variables, allowing other tools to wait until AST initialization is complete
Dynamic initialization: If code_audit.repository_path is empty, the server waits for the user to provide a remote repository address through MCP calls after startup
Tool dependencies:
remote_code_audit: Always available, used to set up remote repositories and initialize AST
code_search and class_hierarchy: Only available after AST initialization, will wait until ready
Complete error handling: Ensure that errors are handled correctly in all situations
How to use:
Start the server (no local repository):
```bash
./fenrir
```
Provide a remote repository via the MCP client:
```json
{
"tool": "remote_code_audit",
"arguments": {
"repository_url": "zip:https://example.com/project.zip"
}
}
```
Then use other tools for code auditing:
```json
{
"tool": "code_search",
"arguments": {
"className": "LoginServlet",
"methodName": "",
"fieldName": ""
}
}
```
This design makes the server more flexible and can dynamically accept remote code repositories for auditing.
<img src="img_1.png" alt="img_1.png">
