amihit

command module
v0.1.0 Latest
Published: Apr 2, 2026 License: MIT Imports: 5 Imported by: 0

README

amihit

Am I Hit? -- CVE Impact Analyzer

Other scanners tell you what's vulnerable. amihit tells you what's exploitable.

An open-source tool that runs the full chain: CVE detection, function reachability, taint analysis, exposure mapping, and exploitability verdict, across codebases, websites, networks, and containers.

The Problem

CVE scanners generate noise. A typical scan returns hundreds of alerts, but the large majority are not exploitable in your environment: the vulnerable function is never called, user input never reaches it, or the endpoint isn't exposed to the network.

Teams waste hours triaging alerts that don't matter while real risks hide in the pile.

How amihit Is Different

amihit runs a verdict engine on every CVE it finds. Instead of stopping at "you have a vulnerable dependency," it answers the question that actually matters: can an attacker exploit this?

CVE Detected
  |
  v
Reachability Analysis ---- Is the vulnerable function called by your code?
  |
  v
Taint Analysis ----------- Does user-controlled input reach it?
  |
  v
Exposure Mapping --------- Is it reachable from the network/internet?
  |
  v
Exploitability Verdict
  |
  +---> EXPLOITABLE -- Fix immediately
  +---> REACHABLE ---- Investigate
  +---> NOISE -------- Ignore safely

Every finding gets a verdict. No more guessing. Treat the verdict as a prioritization signal rather than proof: a NOISE result reflects what static analysis could see, and call paths hidden behind reflection, dynamic dispatch, or plugins loaded at runtime can be missed.
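The decision logic from the diagram above in runnable form, as an added example in Go that is not amihit's own code: a constructed call graph, a breadth-first reachability search from the entry points to the vulnerable symbol, and the three-way verdict. The Finding type, the function names in the graph, and the hand-set taint and exposure flags are assumptions made for the example; in amihit those flags would come from the taint and exposure stages.

```go
package main

import (
	"fmt"
	"strings"
)

// Finding holds the evidence gathered for one CVE. This is a hypothetical type
// for the example, not amihit's own data model.
type Finding struct {
	CVE        string
	VulnSymbol string   // the vulnerable function the CVE describes
	CallPath   []string // entry point -> ... -> VulnSymbol; nil when never called
	Tainted    bool     // user-controlled input reaches VulnSymbol
	Exposed    bool     // the entry point is reachable from the network
}

// CallGraph maps each caller to the functions it calls.
type CallGraph map[string][]string

// SampleGraph is a constructed call graph standing in for what a real
// reachability stage would extract from source code.
func SampleGraph() CallGraph {
	return CallGraph{
		"api.HandleRender": {"auth.Check", "render.Page"}, // HTTP handler, takes user input
		"render.Page":      {"templatelib.Render"},        // calls into the vulnerable dependency
		"cron.Cleanup":     {"db.Purge"},                  // internal job, no user input
		"db.Purge":         {"log.Write"},
	}
}

// Reach runs a breadth-first search from the entry points and returns the
// shortest call path ending at target, or nil when target is never called.
func Reach(g CallGraph, entries []string, target string) []string {
	type node struct {
		name string
		path []string
	}
	seen := map[string]bool{}
	var queue []node
	for _, e := range entries {
		seen[e] = true
		queue = append(queue, node{e, []string{e}})
	}
	for len(queue) > 0 {
		cur := queue[0]
		queue = queue[1:]
		if cur.name == target {
			return cur.path
		}
		for _, callee := range g[cur.name] {
			if seen[callee] {
				continue
			}
			seen[callee] = true
			path := append(append([]string{}, cur.path...), callee) // copy, do not alias
			queue = append(queue, node{callee, path})
		}
	}
	return nil
}

// Verdict is the three-way decision from the diagram: no call path is NOISE,
// a call path without both taint and exposure is REACHABLE, all three together
// are EXPLOITABLE.
func Verdict(f Finding) string {
	switch {
	case len(f.CallPath) == 0:
		return "NOISE"
	case f.Tainted && f.Exposed:
		return "EXPLOITABLE"
	default:
		return "REACHABLE"
	}
}

func main() {
	g := SampleGraph()
	entries := []string{"api.HandleRender", "cron.Cleanup"}

	// CVE-2026-31337 and CVE-2026-1111 are the README's placeholder ids.
	hit := Finding{CVE: "CVE-2026-31337", VulnSymbol: "templatelib.Render"}
	hit.CallPath = Reach(g, entries, hit.VulnSymbol)
	// In a real run the taint and exposure stages set these; for the sample they
	// are set by hand because api.HandleRender is an internet-facing handler.
	hit.Tainted, hit.Exposed = true, true

	unused := Finding{CVE: "CVE-2026-1111", VulnSymbol: "imagelib.Decode"}
	unused.CallPath = Reach(g, entries, unused.VulnSymbol)

	for _, f := range []Finding{hit, unused} {
		fmt.Printf("%s (%s): %s\n", f.CVE, f.VulnSymbol, Verdict(f))
		if f.CallPath != nil {
			fmt.Println("  call path:", strings.Join(f.CallPath, " -> "))
		}
	}
}
```

The BFS returns the shortest path, which is what you want to show a developer as the call site to fix; a dependency that is present but never reached from any entry point yields a nil path and therefore NOISE.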


Quick Start

Install

Go install:

go install github.com/Sentinel-Atlas/amihit@latest

Binary download:

Download the latest release from GitHub Releases. Binaries are available for Linux, macOS, and Windows (amd64 and arm64).

# Linux / macOS
tar xzf amihit_*_linux_amd64.tar.gz
sudo mv amihit /usr/local/bin/

# Windows — extract the zip and add to PATH

Build from source:

git clone https://github.com/Sentinel-Atlas/amihit.git
cd amihit
make build

Basic Usage

amihit scan .
amihit cve CVE-2026-31337

Scan Types

Codebase

Detects dependencies across 7 ecosystems, matches them against CVE databases, then runs reachability, taint, and exposure analysis to produce a verdict.

amihit scan .
amihit scan /path/to/project
amihit scan . --severity critical,high

Website

Fingerprints server technologies, JavaScript libraries, CMS platforms, security headers, and TLS configuration. Matches detected versions against CVE databases.

amihit scan https://example.com

Network

Port scanning, service fingerprinting via banner grabbing, and CVE matching for discovered services. Optionally checks for default credentials on common services. Only scan hosts and ranges you own or are authorized to test: port scans and credential checks against other people's systems are intrusive and may be unlawful without permission.

amihit scan 192.168.1.0/24
amihit scan 10.0.0.5
amihit scan 192.168.1.0/24 --creds

Container

Runs when Dockerfiles are found in the target directory and is included in a full scan. Parses Dockerfiles, identifies base images, detects misconfigurations, and checks for image-level CVEs.

amihit scan . --full

Full Scan

Combines codebase, container, website, and network scanning in a single pass.

amihit scan . --full

Output Formats

Five output formats are available via the --output flag.

Terminal (default) -- color-coded verdicts with call sites, input flows, exposure paths, and fix versions:

amihit scan .

JSON -- structured output for scripting and dashboards:

amihit scan . --output json

SARIF -- standard format for GitHub Code Scanning, VS Code SARIF Viewer, and other security tools:

amihit scan . --output sarif > results.sarif

CycloneDX -- SBOM with embedded vulnerability data:

amihit scan . --output cyclonedx > sbom.cdx.json

SPDX -- software bill of materials:

amihit scan . --output spdx > sbom.spdx.json

CI/CD Integration

Fail on Severity

Use --fail-on to break the build when findings match a severity threshold. Exit code 2 signals a policy violation.

amihit scan . --fail-on critical,high

Exit Codes

Code  Meaning
0     Scan completed, no policy violations
1     Scan error
2     Policy violation (--fail-on triggered)
130   Interrupted (Ctrl+C)

GitHub Actions

# go install needs a Go toolchain on the runner, and the SARIF upload needs
# `security-events: write` in the job's permissions.
- uses: actions/setup-go@v5
  with:
    go-version: stable

- name: Install amihit
  run: go install github.com/Sentinel-Atlas/amihit@latest

- name: CVE Scan
  run: amihit scan . --output sarif --fail-on critical,high > results.sarif

- name: Upload SARIF
  if: always()
  uses: github/codeql-action/upload-sarif@v3
  with:
    sarif_file: results.sarif

GitLab CI

security_scan:
  image: golang:latest
  script:
    - go install github.com/Sentinel-Atlas/amihit@latest
    - amihit scan . --fail-on critical,high --output json > amihit-report.json
  artifacts:
    when: always
    paths:
      - amihit-report.json

The report is kept as a plain artifact. GitLab's artifacts:reports keys (sast, dependency_scanning, container_scanning, and so on) expect GitLab's own security report schema, which is not one of amihit's output formats, and `security` is not a valid report type.

CVE Lookup

Look up specific CVEs, check them against your codebase, or query recent disclosures.

# Look up a CVE
amihit cve CVE-2026-31337

# Check against a specific project
amihit cve CVE-2026-31337 --target /path/to/project

# Verify a fix was applied
amihit cve CVE-2026-31337 --verify --target .

# Check multiple CVEs
amihit cve CVE-2026-1111 CVE-2026-2222

# Recent CVEs since a date
amihit cve --since 2026-03-25

# Filter by severity
amihit cve --since 2026-03-25 --severity critical,high

# JSON output
amihit cve CVE-2026-31337 --output json

CVE Data Sources

amihit aggregates data from five vulnerability databases for maximum coverage.

Source     What It Provides
OSV        Precise affected version ranges for open-source packages across all ecosystems. Primary source for dependency CVE matching via batch API.
NVD        CVSS scores, severity ratings, CPE matching, and authoritative CVE metadata from NIST.
GHSA       Curated security advisories with fix versions. Strong coverage for npm, pip, Go, Maven, and RubyGems.
CISA KEV   Known Exploited Vulnerabilities catalog. CVEs confirmed to be actively exploited in the wild.
ExploitDB  Public exploit database. Indicates whether a proof-of-concept or working exploit exists.
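How matching a package version against an OSV record's affected ranges works, as an added example in Go that is not amihit's own matcher. The record below is constructed for a hypothetical npm package named example-templating (the CVE id is the README's placeholder) but follows the OSV schema's affected/ranges/events layout; the function names are assumptions. It shows the two things a matcher has to get right: events are applied in order, with fixed exclusive and last_affected inclusive, and versions compare component-wise so that 1.2.10 sorts after 1.2.3.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// Only the OSV schema fields that range matching needs.
type osvEvent struct {
	Introduced   string `json:"introduced,omitempty"`
	Fixed        string `json:"fixed,omitempty"`
	LastAffected string `json:"last_affected,omitempty"`
}
type osvRange struct {
	Type   string     `json:"type"` // SEMVER, ECOSYSTEM or GIT
	Events []osvEvent `json:"events"`
}
type osvAffected struct {
	Package struct {
		Ecosystem string `json:"ecosystem"`
		Name      string `json:"name"`
	} `json:"package"`
	Ranges []osvRange `json:"ranges"`
}
type osvEntry struct {
	ID       string        `json:"id"`
	Affected []osvAffected `json:"affected"`
}

// SampleOSV is a constructed record for a hypothetical npm package (the CVE id is
// the README's placeholder): affected before 1.2.3 and from 2.0.0 through 2.0.4.
const SampleOSV = `{"id":"CVE-2026-31337","affected":[{
  "package":{"ecosystem":"npm","name":"example-templating"},
  "ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"1.2.3"},
    {"introduced":"2.0.0"},{"last_affected":"2.0.4"}]}]}]}`

func ParseOSV(data []byte) (osvEntry, error) {
	var e osvEntry
	return e, json.Unmarshal(data, &e)
}

// component returns the i-th dotted component as an int; a missing or
// non-numeric component counts as 0, so 1.2 == 1.2.0.
func component(parts []string, i int) int {
	if i >= len(parts) {
		return 0
	}
	n, _ := strconv.Atoi(parts[i])
	return n
}

// compareVersions orders versions component-wise (1.2.10 > 1.2.3).
func compareVersions(a, b string) int {
	as, bs := strings.Split(a, "."), strings.Split(b, ".")
	for i := 0; i < len(as) || i < len(bs); i++ {
		x, y := component(as, i), component(bs, i)
		if x < y {
			return -1
		}
		if x > y {
			return 1
		}
	}
	return 0
}

// IsAffected walks the events in order as the OSV spec defines them: each
// "introduced" opens a window; the next "fixed" (exclusive) or "last_affected"
// (inclusive) closes it.
func IsAffected(r osvRange, version string) bool {
	affected := false
	for _, ev := range r.Events {
		switch {
		case ev.Introduced != "" && compareVersions(version, ev.Introduced) >= 0:
			affected = true
		case ev.Fixed != "" && compareVersions(version, ev.Fixed) >= 0:
			affected = false
		case ev.LastAffected != "" && compareVersions(version, ev.LastAffected) > 0:
			affected = false
		}
	}
	return affected
}

// MatchPackage checks every SEMVER/ECOSYSTEM range for the named package.
// GIT ranges hold commit hashes and cannot be compared to a release version.
func MatchPackage(e osvEntry, ecosystem, name, version string) bool {
	for _, a := range e.Affected {
		if a.Package.Ecosystem != ecosystem || a.Package.Name != name {
			continue
		}
		for _, r := range a.Ranges {
			if r.Type != "GIT" && IsAffected(r, version) {
				return true
			}
		}
	}
	return false
}

func main() {
	e, _ := ParseOSV([]byte(SampleOSV))
	for _, v := range []string{"1.2.2", "1.2.3", "1.2.10", "2.0.4", "2.0.5"} {
		fmt.Printf("example-templating@%s affected by %s: %v\n", v, e.ID, MatchPackage(e, "npm", "example-templating", v))
	}
}
```

Real semver and PEP 440 ordering also rank pre-release tags (1.2.3-rc1 sorts before 1.2.3) and epoch or post-release segments; this example ignores them, so treat it as the core of a matcher rather than a drop-in.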

Architecture

amihit/
├── cmd/                        CLI layer (cobra)
│   ├── root.go                 Global flags, banner, help template
│   ├── scan.go                 Scan command, target type routing
│   ├── cve.go                  CVE lookup, --verify, --since
│   └── version.go              Version (injected by goreleaser)
│
├── internal/
│   ├── cache/                  Local CVE data cache (disk-backed)
│   ├── config/                 Config loading (.amihit.yaml, env vars)
│   ├── cve/                    CVE aggregator, source clients, data types
│   ├── intel/                  Cross-layer correlation engine
│   ├── matcher/                Version range matching and comparison
│   ├── output/                 Formatters: terminal, JSON, SARIF, CycloneDX, SPDX
│   ├── scanner/
│   │   ├── codebase.go         Dependency extraction orchestrator
│   │   ├── deps/               Lock file parsers (npm, pip, go.sum, pom.xml, etc.)
│   │   ├── reachability/       Call graph analysis, function reachability
│   │   ├── taint/              Taint analysis, user input tracking
│   │   ├── exposure/           Network exposure mapping
│   │   ├── container/          Dockerfile parsing, base image CVE checks
│   │   ├── network/            Port scanning, service fingerprinting
│   │   └── website/            Tech fingerprinting, headers, TLS
│   └── verdict/                Exploitability verdict engine
│
├── main.go                     Entry point, signal handling, exit codes
├── Makefile                    build, test, test-cover, lint, install
└── .goreleaser.yml             Cross-platform release builds

Configuration

Config File

Create .amihit.yaml in your project root or home directory. A config file in the project root is easy to commit by accident, so leave nvd_api_key and github_token empty there and supply the secrets through the environment variables below, or keep them in the home-directory copy.

nvd_api_key: ""
github_token: ""
cache_dir: ~/.amihit
cache_ttl_hrs: 24

Environment Variables

Variable      Description
NVD_API_KEY   NVD API key for higher rate limits (5 -> 50 requests per rolling 30 s window). Free at nvd.nist.gov.
GITHUB_TOKEN  GitHub personal access token for authenticated GHSA access (60 -> 5000 requests per hour).

Flags Reference
Global Flags:
  -o, --output string       Output format: terminal, json, sarif, cyclonedx, spdx (default "terminal")
      --severity strings    Filter by severity: critical, high, medium, low
      --fail-on strings     Exit code 2 if findings match severity (CI gate)
  -q, --quiet               Suppress banner and progress output
      --no-color            Disable colored output
  -v, --verbose             Verbose output for debugging

Scan Flags:
      --full                Run all scan types (codebase + containers + servers)
      --creds               Check for default/no-auth credentials on discovered services

CVE Flags:
      --target string       Target to check against (default ".")
      --verify              Verify that a CVE is patched after applying a fix
      --since string        Check all CVEs published since date (YYYY-MM-DD)

Supported Ecosystems

Ecosystem  Lock Files
npm        package-lock.json, yarn.lock, package.json
PyPI       requirements.txt, Pipfile.lock, poetry.lock
Go         go.mod, go.sum
Maven      pom.xml
Cargo      Cargo.lock
RubyGems   Gemfile.lock
Composer   composer.lock

Scan a directory that contains the lock file where you can. Lock files pin the exact versions that were installed, while package.json and an unpinned requirements.txt only declare ranges, so matches derived from a manifest alone are less precise.
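What extracting exact versions from a lock file looks like, as an added example in Go that is not amihit's deps/ parser. It reads the packages map of a package-lock.json v2/v3 (a constructed sample is embedded), derives each package name from its install path so scoped and nested installs come out right, and rejects the legacy v1 layout. The Dependency type and the function names are assumptions made for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// Dependency is one resolved package from a lock file (hypothetical type for
// this example, not amihit's own).
type Dependency struct {
	Name    string
	Version string
	Dev     bool
}

// lockfile mirrors the part of package-lock.json v2/v3 that matters here: the
// "packages" map keyed by install path. v1 lock files use a different
// "dependencies" tree and are not handled.
type lockfile struct {
	LockfileVersion int `json:"lockfileVersion"`
	Packages        map[string]struct {
		Version string `json:"version"`
		Dev     bool   `json:"dev"`
	} `json:"packages"`
}

// SampleLock is a constructed package-lock.json with a nested duplicate
// (express ships its own debug) and a scoped dev dependency.
const SampleLock = `{
  "name": "demo-app", "lockfileVersion": 3, "requires": true,
  "packages": {
    "": {"name": "demo-app", "version": "1.0.0"},
    "node_modules/@babel/core": {"version": "7.20.0", "dev": true},
    "node_modules/express": {"version": "4.18.2"},
    "node_modules/express/node_modules/debug": {"version": "2.6.9"},
    "node_modules/lodash": {"version": "4.17.20"}
  }
}`

// ParsePackageLock extracts every installed package with its exact version.
// The package name is the path segment after the last "node_modules/", which
// keeps scoped names (@scope/pkg) intact and resolves nested installs.
func ParsePackageLock(data []byte) ([]Dependency, error) {
	var lf lockfile
	if err := json.Unmarshal(data, &lf); err != nil {
		return nil, err
	}
	if lf.LockfileVersion < 2 {
		return nil, fmt.Errorf("lockfileVersion %d not supported (need v2 or v3)", lf.LockfileVersion)
	}
	const marker = "node_modules/"
	var deps []Dependency
	for path, pkg := range lf.Packages {
		if path == "" || pkg.Version == "" {
			continue // the root project entry, or a link without a resolved version
		}
		i := strings.LastIndex(path, marker)
		if i < 0 {
			continue // workspace package, not a third-party install
		}
		deps = append(deps, Dependency{Name: path[i+len(marker):], Version: pkg.Version, Dev: pkg.Dev})
	}
	// Map iteration order is random; sort for stable, diffable output.
	sort.Slice(deps, func(i, j int) bool {
		if deps[i].Name != deps[j].Name {
			return deps[i].Name < deps[j].Name
		}
		return deps[i].Version < deps[j].Version
	})
	return deps, nil
}

func main() {
	deps, err := ParsePackageLock([]byte(SampleLock))
	if err != nil {
		panic(err)
	}
	for _, d := range deps {
		fmt.Printf("%-14s %-8s dev=%v\n", d.Name, d.Version, d.Dev)
	}
}
```

Each (name, version) pair is what gets sent to a source such as OSV for range matching; keeping the dev flag lets a policy treat build-time-only dependencies differently from ones that ship to production.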

Contributing

  1. Fork the repository
  2. Create a feature branch (git checkout -b feature/your-feature)
  3. Make changes and add tests
  4. Run make test and make lint
  5. Submit a pull request

One PR per feature or fix. Keep changes focused.


License

MIT

Documentation

There is no documentation for this package.
