iamMrDuncan.com % open thresher
name Thresher
status DEVELOP
summary Thresher pairs deterministic scanners with AI analyst agents inside a hardened sandbox.
:: What it is
Thresher is a security research project and CLI that pulls an unfamiliar codebase into a hardened sandbox, runs static scanners, asks AI analysts to inspect the code, then has adversarial reviewers challenge the findings.
The output is meant to help decide whether a repo is safe to use, needs caution, or should be avoided.
:: Why it exists
Modern builders import enormous amounts of code on trust. Popularity is not the same thing as safety.
Static tools catch known classes of risk, while agentic review can reason about context and novelty. Thresher exists to put both views in one repeatable pipeline.
:: How it works
A scan clones source without running install scripts, resolves dependencies, runs scanner modules, lets independent analyst personas inspect the repo, and synthesizes a final report.
The sandbox is defense in depth: host isolation, VM/container boundaries, egress controls, and report artifacts that can be inspected without trusting the target project.
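As an added sketch (not Thresher's own code), the last two stages of that pipeline in Python: adversarial reviewers challenge the scanner and analyst findings, and whatever survives collapses into the safe / caution / avoid outcome. The Finding and Challenge records, the reconciliation rules and the sample data are assumptions constructed for this example.

```python
from dataclasses import dataclass

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

@dataclass
class Finding:            # hypothetical record, not Thresher's schema
    finding_id: str
    source: str           # "scanner" (deterministic tool) or "analyst" (AI persona)
    severity: str
    location: str         # path inside the scanned repo
@dataclass
class Challenge:          # one adversarial reviewer's call on one finding
    finding_id: str
    upheld: bool          # True = reviewer confirmed it, False = reviewer refuted it

def reconcile(findings, challenges):
    """Keep findings that survive review (rules assumed for this example): scanner
    hits stand unless every reviewer refutes them, analyst hits need at least one
    reviewer to uphold them, and one location keeps only its most severe survivor."""
    votes = {}
    for c in challenges:
        votes.setdefault(c.finding_id, []).append(c.upheld)
    survivors = {}
    for f in findings:
        v = votes.get(f.finding_id, [])
        keep = (not v or any(v)) if f.source == "scanner" else any(v)
        cur = survivors.get(f.location)
        if keep and (cur is None or SEVERITY_RANK[f.severity] > SEVERITY_RANK[cur.severity]):
            survivors[f.location] = f
    return list(survivors.values())

def verdict(survivors):
    """Collapse surviving findings into the report's safe / caution / avoid outcome."""
    if any(f.severity == "critical" for f in survivors):
        return "avoid"
    if any(SEVERITY_RANK[f.severity] >= SEVERITY_RANK["medium"] for f in survivors):
        return "caution"
    return "safe"

# Constructed sample input for a hypothetical repo, not real scan output.
SAMPLE_FINDINGS = [
    Finding("S1", "scanner", "high", "setup.py"),          # install-time network access
    Finding("A1", "analyst", "critical", "setup.py"),      # remote code run at install time
    Finding("A2", "analyst", "medium", "src/util.py"),     # suspicious encoded string
    Finding("S2", "scanner", "low", "requirements.txt"),   # unpinned dependency
]
SAMPLE_CHALLENGES = [
    Challenge("A1", True),    # upheld by the adversarial reviewer
    Challenge("A2", False),   # refuted: the string turned out to be a test fixture
]
```

On the sample, the refuted analyst finding drops out, the upheld critical one outranks the scanner hit at the same location, and the repo lands on "avoid".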
:: Tools
toolchain Python | uv | static scanners | AI analyst agents | sandboxing | SBOM reporting