Open Source Security Scanner

Find vulnerabilities before they ship.

3-phase scanning engine: fast static analysis, AI-augmented triage, and compliance enrichment. 25 CWE detectors. Full OWASP Top 10 coverage. Supply chain analysis. All running locally in your IDE — no code leaves your machine.

Security Assessment — OpenClaw Scanner Engine (SAST + SCA)

Scanner Capability Report

Deva IDE — 3-Phase Security Analysis Engine

DOC-SEC-2026-001
25 CWE detectors
OWASP Top 10
Local-first
Open source
AI remediation
SEC. 1

3-Phase Scanning Pipeline

Not just regex. Not just an LLM wrapper. Deva combines deterministic analysis with AI-powered triage to minimize false positives without missing real bugs.

Phase 1

Fast Scan

Hybrid regex + tree-sitter AST + taint tracking. 25 CWE detectors, 32 pattern rules. Under 2 seconds.

Phase 2

LLM-Augmented Analysis

AI post-processor confirms or rejects findings and discovers blind spots. Reduces false positives.

Phase 3

Merge & Enrich

Deduplicate by file, line, and CWE. Map to compliance frameworks. Supply chain enrichment.
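
The merge step above, as an added example that is not Deva or OpenClaw code: Phase 1 findings from two detectors are collapsed by (file, line, CWE), findings the Phase 2 triage rejected are dropped, the surviving record is tagged with the OWASP Top 10 categories this page lists, and the result is emitted as a minimal SARIF 2.1.0 log. The finding fields, confidence values, verdict labels and sample file names are assumptions made for the illustration.

```python
"""Added example, not the Deva/OpenClaw implementation: a toy Phase 3 merge.
Finding shape, confidence scores and LLM verdict labels are invented for
illustration; the CWE -> OWASP 2021 mapping is the one listed on this page."""
import json
from dataclasses import dataclass, asdict

# OWASP Top 10 (2021) mapping as listed on this page (CWE-306 and CWE-502 appear
# under two categories there; both are kept).
CWE_TO_OWASP = {
    "CWE-22": ["A01"], "CWE-306": ["A01", "A07"], "CWE-352": ["A01"], "CWE-601": ["A01"],
    "CWE-295": ["A02"], "CWE-327": ["A02"], "CWE-330": ["A02"], "CWE-338": ["A02"],
    "CWE-20": ["A03"], "CWE-78": ["A03"], "CWE-79": ["A03"], "CWE-89": ["A03"], "CWE-94": ["A03"],
    "CWE-400": ["A04"], "CWE-502": ["A04", "A08"],
    "CWE-611": ["A05"], "CWE-614": ["A05"], "CWE-676": ["A05"],
    "CWE-259": ["A07"], "CWE-798": ["A07"],
    "CWE-434": ["A08"], "CWE-200": ["A09"], "CWE-918": ["A10"],
}


@dataclass
class Finding:
    file: str
    line: int
    cwe: str
    method: str        # "regex" or "ast+taint": which Phase 1 detector produced the hit
    confidence: float  # assumed 0..1 score attached by the detector


# When two detectors hit the same (file, line, CWE), prefer the deeper analysis,
# then the higher confidence.
METHOD_RANK = {"ast+taint": 2, "regex": 1}


def merge_findings(phase1, llm_verdicts):
    """Dedupe by (file, line, cwe), drop LLM-rejected hits, attach OWASP ids.
    llm_verdicts maps (file, line, cwe) -> "confirmed" | "rejected" (assumed labels);
    a finding with no verdict is kept, so the LLM acts as a filter, not a gate."""
    best = {}
    for f in phase1:
        key = (f.file, f.line, f.cwe)
        if llm_verdicts.get(key) == "rejected":
            continue
        cur = best.get(key)
        if cur is None or (METHOD_RANK[f.method], f.confidence) > (METHOD_RANK[cur.method], cur.confidence):
            best[key] = f
    merged = []
    for key in sorted(best):
        f = best[key]
        merged.append({**asdict(f), "owasp": CWE_TO_OWASP.get(f.cwe, []),
                       "llm": llm_verdicts.get(key, "unreviewed")})
    return merged


def to_sarif(findings, tool_name="example-scanner"):
    """Minimal SARIF 2.1.0 log with one result per merged finding."""
    return {
        "version": "2.1.0",
        "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
        "runs": [{
            "tool": {"driver": {"name": tool_name,
                                "rules": [{"id": c} for c in sorted({f["cwe"] for f in findings})]}},
            "results": [{
                "ruleId": f["cwe"],
                "level": "error" if f["confidence"] >= 0.8 else "warning",
                "message": {"text": f"{f['cwe']} ({', '.join(f['owasp']) or 'unmapped'}) via {f['method']}"},
                "locations": [{"physicalLocation": {
                    "artifactLocation": {"uri": f["file"]},
                    "region": {"startLine": f["line"]}}}],
            } for f in findings],
        }],
    }


# Constructed sample: regex and AST detectors both flag app.py:42 for CWE-89, a
# regex CWE-798 hit that the LLM rejected, and a CWE-22 hit with no verdict.
SAMPLE = [
    Finding("app.py", 42, "CWE-89", "regex", 0.6),
    Finding("app.py", 42, "CWE-89", "ast+taint", 0.95),
    Finding("config.py", 7, "CWE-798", "regex", 0.7),
    Finding("files.py", 19, "CWE-22", "regex", 0.5),
]
VERDICTS = {("app.py", 42, "CWE-89"): "confirmed", ("config.py", 7, "CWE-798"): "rejected"}

if __name__ == "__main__":
    print(json.dumps(to_sarif(merge_findings(SAMPLE, VERDICTS)), indent=2))
```

Keying the dedupe on the CWE rather than on the rule name is what lets a regex hit and an AST hit for the same bug collapse into one record; the rank keeps the AST evidence as the surviving finding so the report shows the stronger basis.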

SEC. 2

CWE Detector Coverage

6 hybrid detectors use tree-sitter AST parsing and taint tracking for deep analysis. 19 pattern-based detectors catch common vulnerability signatures.

CWE        Vulnerability                         Method
CWE-20     Improper Input Validation             AST + taint
CWE-22     Path Traversal                        Regex
CWE-78     OS Command Injection                  AST + taint
CWE-79     Cross-Site Scripting (XSS)            AST + taint
CWE-89     SQL Injection                         AST + taint
CWE-94     Code Injection                        Regex
CWE-119    Buffer Overflow                       Regex
CWE-200    Information Exposure                  Regex
CWE-259    Hardcoded Password                    Regex
CWE-295    Improper Certificate Validation       Regex
CWE-306    Missing Authentication                AST + taint
CWE-327    Broken Cryptography                   Regex
CWE-330    Insufficient Randomness               Regex
CWE-338    Weak PRNG                             Regex
CWE-352    Cross-Site Request Forgery            Regex
CWE-400    Uncontrolled Resource Consumption     Regex
CWE-434    Unrestricted File Upload              Regex
CWE-502    Deserialization of Untrusted Data     AST + taint
CWE-601    Open Redirect                         Regex
CWE-611    XML External Entity (XXE)             Regex
CWE-614    Missing Secure Cookie Flag            Regex
CWE-676    Use of Dangerous Function             Regex
CWE-798    Hardcoded Credentials                 Regex
CWE-918    Server-Side Request Forgery           Regex
CWE-1321   Prototype Pollution                   Regex

SEC. 3

OWASP Top 10 Coverage

A01 Broken Access Control: CWE-22, CWE-306, CWE-352, CWE-601

A02 Cryptographic Failures: CWE-295, CWE-327, CWE-330, CWE-338

A03 Injection: CWE-20, CWE-78, CWE-79, CWE-89, CWE-94

A04 Insecure Design: CWE-400, CWE-502

A05 Security Misconfiguration: CWE-611, CWE-614, CWE-676

A06 Vulnerable Components: SCA supply chain scanner

A07 Auth Failures: CWE-259, CWE-798, CWE-306

A08 Data Integrity Failures: CWE-502, CWE-434

A09 Logging & Monitoring Failures: CWE-200, audit logging checks

A10 SSRF: CWE-918

SEC. 4

AI-Assisted Remediation

Every finding comes with an AI-generated fix that understands your code context. One-click apply. Diff preview. The fix respects your code style, imports, and framework patterns. Read the diff before applying it: a generated fix is a proposal to verify, not a verified patch.

Context-aware fixes that understand your codebase
One-click apply with diff preview
Explains why the code is vulnerable and why the fix works
Batch fix mode for addressing multiple findings at once
Fix generation runs locally — no code sent to the cloud

# Before: CWE-89 SQL Injection

db.query(f"SELECT * FROM users WHERE id = {user_id}")

# After: parameterized query (the driver binds user_id; %s is the DB-API "format" paramstyle)

db.query("SELECT * FROM users WHERE id = %s", (user_id,))
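
How an "AST + taint" detector tells the two lines above apart, as an added example that is not the Deva/OpenClaw detector: a small intraprocedural taint tracker over Python source using the standard-library `ast` module in place of tree-sitter. Function parameters and Flask-style `request.<attr>` reads are the assumed sources, `.query()`/`.execute()`-style calls are the assumed sinks, and taint is propagated through simple assignments, so the two-hop case (`request.args` to `term` to `sql`) is caught while the parameterized call and a constant query are not. The sample source is constructed for the example.

```python
"""Added example, not the Deva/OpenClaw detector: a minimal intraprocedural
taint tracker for CWE-89 over Python source, using the stdlib `ast` module in
place of tree-sitter. Source and sink lists are assumptions for illustration."""
import ast

# Assumed taint sources: parameters of the enclosing function, and reads from
# Flask-style `request.<attr>`.
REQUEST_ATTRS = {"args", "form", "json", "values", "cookies", "headers"}
# Assumed SQL sinks: a method call with one of these names; the first positional
# argument is taken to be the SQL text.
SQL_SINKS = {"query", "execute", "executemany", "raw"}


class Cwe89Detector(ast.NodeVisitor):
    def __init__(self):
        self.tainted = set()   # names carrying untrusted data in the current function
        self.findings = []     # (line, cwe, message)

    def visit_FunctionDef(self, node):
        saved = self.tainted
        # Positional parameters are treated as untrusted on entry.
        self.tainted = {a.arg for a in node.args.args}
        self.generic_visit(node)
        self.tainted = saved

    visit_AsyncFunctionDef = visit_FunctionDef

    def _is_tainted(self, expr):
        for n in ast.walk(expr):
            if isinstance(n, ast.Name) and n.id in self.tainted:
                return True
            if (isinstance(n, ast.Attribute) and n.attr in REQUEST_ATTRS
                    and isinstance(n.value, ast.Name) and n.value.id == "request"):
                return True
        return False

    def visit_Assign(self, node):
        # Propagation: `x = <tainted expr>` taints x; `x = <clean expr>` clears it.
        for target in node.targets:
            if isinstance(target, ast.Name):
                if self._is_tainted(node.value):
                    self.tainted.add(target.id)
                else:
                    self.tainted.discard(target.id)
        self.generic_visit(node)

    def visit_Call(self, node):
        func = node.func
        if isinstance(func, ast.Attribute) and func.attr in SQL_SINKS and node.args:
            sql = node.args[0]
            # Untrusted data in the SQL text (f-string, +, %, .format(), or a tainted
            # variable) is the bug. A constant SQL string with the value passed as a
            # separate parameter never reaches this branch.
            if self._is_tainted(sql):
                self.findings.append((node.lineno, "CWE-89",
                                      f"untrusted data reaches SQL text passed to .{func.attr}()"))
        self.generic_visit(node)


def scan(source, filename="<sample>"):
    """Return [(line, cwe, message)] for one Python source string."""
    det = Cwe89Detector()
    det.visit(ast.parse(source, filename))
    return det.findings


# Constructed sample input: the page's before/after pair plus a two-hop
# propagation case and a constant-query control.
SAMPLE = '''
from flask import request

def get_user(db, user_id):
    # the page's "before": flagged
    return db.query(f"SELECT * FROM users WHERE id = {user_id}")

def get_user_fixed(db, user_id):
    # the page's "after": parameterized, not flagged
    return db.query("SELECT * FROM users WHERE id = %s", (user_id,))

def search(db):
    term = request.args.get("q")
    sql = "SELECT * FROM items WHERE name LIKE '%" + term + "%'"
    return db.execute(sql)   # taint flows request.args -> term -> sql: flagged

def count(db):
    sql = "SELECT COUNT(*) FROM items"
    return db.execute(sql)   # constant text: not flagged
'''

if __name__ == "__main__":
    for line, cwe, msg in scan(SAMPLE):
        print(f"{cwe} line {line}: {msg}")
```

The point a regex rule cannot make is the third case: nothing on the sink line looks like string building, so only tracking the value back through `sql` and `term` to `request.args` reveals the injection. The tracker is deliberately intraprocedural and ignores sanitizers, which is where the Phase 2 triage described on this page would earn its keep.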

SEC. 5

Software Composition Analysis

2,800+ packages

Known-vulnerable package metadata catalog

Dependency graph

Visual dependency tree with transitive risk propagation

27,000+ CVEs

CVE records with fix versions and severity scoring

License detection

Identifies copyleft, restrictive, and unknown licenses
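
Transitive risk propagation, as an added example that is not the Deva/OpenClaw SCA engine: a direct dependency inherits the worst severity of anything beneath it in the tree, and the report records the chain that carries that severity so the fix version can be pinned at the right node. The dependency graph, advisory identifiers, severities and fix versions are constructed for the example.

```python
"""Added example, not the Deva/OpenClaw SCA engine: propagate known-vulnerable
package risk up a dependency tree. The graph, advisory ids, severities and fix
versions below are constructed for illustration."""

SEVERITY_RANK = {"none": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed dependency edges: parent -> children, nodes named package@version.
GRAPH = {
    "app": ["web@2.1.0", "cli@1.0.0"],
    "web@2.1.0": ["parser@0.9.0", "log@1.4.2"],
    "cli@1.0.0": ["log@1.4.2"],
    "parser@0.9.0": ["util@3.0.1"],
    "log@1.4.2": [],
    "util@3.0.1": [],
}
# Constructed advisory catalog: package@version -> (advisory id, severity, fixed version).
ADVISORIES = {
    "util@3.0.1": ("EXAMPLE-0001", "high", "3.0.2"),
    "log@1.4.2": ("EXAMPLE-0002", "medium", "1.5.0"),
}


def propagate_risk(graph, advisories, root="app"):
    """Return {node: (effective_severity, chain)} for every node reachable from root.

    A node's effective severity is the max of its own advisory and its children's
    effective severities, computed bottom-up by post-order DFS; `chain` is the path
    from the node down to the package that carries that severity. A back-edge in a
    cyclic graph (e.g. peer dependencies) is treated as contributing no risk."""
    result = {}
    visiting = set()

    def visit(node):
        if node in result:
            return result[node]
        if node in visiting:
            return ("none", [])
        visiting.add(node)
        own = advisories.get(node)
        best = (own[1], [node]) if own else ("none", [])
        for child in graph.get(node, []):
            sev, chain = visit(child)
            if SEVERITY_RANK[sev] > SEVERITY_RANK[best[0]]:
                best = (sev, [node] + chain)
        visiting.discard(node)
        result[node] = best
        return best

    visit(root)
    return result


def direct_dependency_report(graph, advisories, root="app"):
    """For each direct dependency of root: worst transitive severity and the chain to it."""
    risk = propagate_risk(graph, advisories, root)
    return {dep: risk[dep] for dep in graph[root]}


if __name__ == "__main__":
    for dep, (sev, chain) in direct_dependency_report(GRAPH, ADVISORIES).items():
        fix = ADVISORIES.get(chain[-1], (None, None, None))[2] if chain else None
        print(f"{dep}: {sev} via {' -> '.join(chain) or 'clean'}; fix at {chain[-1] if chain else '-'} -> {fix}")
```

In the constructed graph `log@1.4.2` is shared by two direct dependencies, so its medium-severity advisory surfaces under both, while `web@2.1.0` reports high because of `util@3.0.1` two levels down. Memoising in `result` keeps the traversal linear in the number of edges even when a package is reached by many paths.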

SEC. 6

Language Support — 22 Languages

Python, JavaScript, TypeScript, Go, Java, Ruby, Rust, C, C++, C#, PHP, Swift, Kotlin, Scala, Terraform, CloudFormation, Dockerfile, YAML, JSON, Shell, SQL, HTML

SEC. 7

14 Compliance Frameworks

Every finding is automatically mapped to all applicable compliance controls. Export audit-ready evidence in SARIF, OSCAL, JUnit, CSV, JSON, or Agent JSON.

OWASP Top 10 (2021)
HIPAA (Security Rule)
CMMC 2.0 (Level 1-3)
NIST 800-171 (r2 + r3)
NIST 800-53 (Rev 5)
NIST CSF 2.0 (all functions)
FedRAMP (Low/Mod/High)
PCI DSS (v4.0)
SOC 2 (Type II)
SOX ITGC (IT controls)
ISO 27001 (2022)
CWE Top 25 (2024)
GDPR (Art 25 & 32)
CISA BOD (Secure by Design)

SEC. 8

Local-First Architecture

Zero egress

No source code, findings, or telemetry ever leave your machine

Open source engine

OpenClaw scanner — inspect every detection rule yourself

6 export formats

SARIF, OSCAL, JUnit, CSV, JSON, Agent JSON

Ship secure code. Every commit.

Deva finds vulnerabilities while you write code — not after a breach. Free, open-source, and local-first.