Skip to content

LoRexxar/Kunlun-M

⭐ 2,384  ·  Python  ·  GitHub Repo

Kunlun-M is a fully open-source, long-maintained static code analysis (SAST) tool that focuses on high-accuracy vulnerability detection for PHP and JavaScript. It uniquely integrates AI Agent support (OpenClaw, Codex, Claude Code, Hermes) for automated scanning and provides a comprehensive, tool-oriented experience for security researchers.

1-Sentence Summary

Open-source SAST for PHP/JS with unique AI Agent integration for automated vulnerability discovery.

🔥 Key Capabilities & USP

  • Semantic Analysis for PHP & JavaScript: Goes beyond regex pattern matching by performing deep, context-aware scanning of PHP and JavaScript code. This solves the critical pain point of high false-positive rates in traditional SAST tools, allowing security researchers to focus on real vulnerabilities.
  • One-Click AI Agent Integration: Uniquely supports OpenClaw, Codex, Claude Code, and Hermes to automate the entire scanning workflow. This eliminates the manual overhead of running and triaging scans, enabling a "fire-and-forget" security audit that leverages LLM reasoning for deeper analysis.
  • CI/CD Ready with Exit Codes: Includes a dedicated ci_scan.py driver that outputs JSON and uses exit codes to gate builds. This solves the DevSecOps pain point of integrating security scanning into automated pipelines without brittle parsing of CLI output.
  • Specialized Plugin Ecosystem: Provides purpose-built plugins like an automated PHP deserialization chain finder and an EntranceFinder for mapping attack surfaces in large codebases. These solve niche but critical security research pain points that generic SAST tools ignore.
  • Interactive Console & Web Dashboard: Offers both a full-featured console mode for deep interactive analysis and a web dashboard with a REST API for task management. This solves the workflow pain point of switching between a terminal and a GUI, catering to both power users and team collaboration.

USP: The combination of semantic scanning for two of the most vulnerable web languages (PHP/JS) with native AI Agent orchestration makes Kunlun-M a unique bridge between traditional static analysis and modern LLM-powered security automation.

Architecture

Technical Architecture

ComponentTechnology / Detail
Core LanguagePython 3.10+ (recommended 3.13+)
DatabaseSQLite (default, local/console mode); MySQL (configurable, web mode)
Scanning EngineRule-based semantic analysis; rules stored as Python files (rules/{language}/CVI_xxxx.py)
User InterfacesCLI (direct commands), Console (interactive TUI), Web Dashboard (Flask/REST API)
AI Integration LayerPlugin-based skill system for OpenClaw, Codex, Claude Code, Hermes
CI/CD ModuleStandalone Python script (tools/ci_scan.py) with exit code gating
Plugin SystemModular Python plugins for specialized tasks (e.g., deserialization, entrance finding)

Quick Start Guide

bash
# 1. Install dependencies
pip install -r requirements.txt

# 2. Copy and configure settings
cp Kunlun_M/settings.py.bak Kunlun_M/settings.py

# 3. Initialize the database and load rules
python kunlun.py init initialize
python kunlun.py config load

# 4. Run a basic scan on a test target
python3 kunlun.py scan -t ./tests/vulnerabilities/

# 5. Export results in multiple formats
python3 kunlun.py scan -t ./tests/vulnerabilities/ -f json -o /tmp/report.json
python3 kunlun.py scan -t ./tests/vulnerabilities/ -f md -o /tmp/report.md
python3 kunlun.py scan -t ./tests/vulnerabilities/ -f html -o /tmp/report.html

# 6. Run in CI/CD mode (fails on high severity findings)
python tools/ci_scan.py --target . --output artifacts/kunlun-ci.json --fail-on high

# 7. Launch the web dashboard
python3 kunlun.py web -p 9999

# 8. Enter interactive console mode
python3 kunlun.py console

# 9. Use specialized plugins
python3 .\kunlun.py plugin php_unserialize_chain_tools -t {target_path}
python3 .\kunlun.py plugin entrance_finder -t {target_path} -l 3

Pros, Cons & Use Cases

Pros

  • Actively maintained with a long commit history, indicating a stable and evolving project.
  • High-accuracy semantic scanning reduces noise compared to simple pattern-based tools.
  • Unique AI Agent integration automates the entire analysis pipeline, a rare feature in open-source SAST.
  • Rich output ecosystem (JSON, Markdown, HTML) and a dedicated CI/CD driver make it pipeline-friendly.
  • Specialized plugins (deserialization chain finder) provide advanced capabilities for security researchers.

Cons

  • Limited language support: Primarily PHP and JavaScript; only basic support for Chrome extensions and Solidity. Not suitable for polyglot codebases.
  • Manual rule reloading: Requires explicit command (config load) after modifying rules, which can slow down iterative rule development.
  • Acknowledged philosophy: The project states it is "not advanced" compared to modern commercial tools, suggesting it may lack cutting-edge taint analysis or inter-procedural depth.
  • Python dependency: Requires Python 3.10+ and a specific environment setup, which may conflict with existing toolchains.

Who should NOT use this?

  • Teams scanning Java, C#, Go, or Python codebases: Kunlun-M's core strength is PHP and JavaScript; it will provide no value for other languages.
  • Users seeking a "set and forget" enterprise SAST: The project acknowledges it is not as advanced as commercial alternatives; teams needing deep inter-procedural analysis across large monorepos should look elsewhere.
  • Developers allergic to manual configuration: The initial setup (copying settings, initializing DB, loading rules) requires a few manual steps that may frustrate those expecting a one-command install.

Ideal Use Cases

  • PHP/JavaScript security audits: Penetration testers and security researchers performing deep source code reviews of web applications.
  • DevSecOps for PHP/JS projects: Teams wanting to gate CI/CD pipelines with a lightweight, open-source SAST that produces machine-readable output.
  • AI-augmented vulnerability research: Security engineers experimenting with LLM-driven analysis (OpenClaw, Claude Code) to automate finding complex vulnerabilities like deserialization chains.
  • Bug bounty hunting: Hunters looking for a free, powerful tool to quickly scan PHP and JS targets with minimal false positives.

Community & Activity

Kunlun-M is a well-established project with 2,384 stars, signaling strong community interest and validation. The project is actively maintained, with the last update recorded on May 9, 2026, demonstrating a commitment to ongoing development. This is not a dead or abandoned tool; it has a clear trajectory of improvement and a dedicated maintainer. The combination of a solid star count and recent commits makes it a reliable choice for your security toolchain.

Project data from GitHub API, updated in real-time