
$_/| thresher

Know if an open source package is safe — before you install it.

22 scanners. 8 AI analysts. One command. Runs locally in a hardened VM.

$ brew tap thresher-sh/thresher && brew install thresher
See a real scan report →

Open source · View on GitHub



Supply chain attacks grew 180% since 2022. Open source packages get hijacked, abandoned, or backdoored every week. The average time from compromise to exploitation: minutes, not months.

Most security tools scan your code for known CVEs and call it done. Who’s scanning the code your code depends on for the things that are not yet known?

// The problem

Every app you use is built on code written by strangers.

Modern software is assembled from thousands of open source packages — code written by strangers all over the world. Any one of those packages can be hijacked, abandoned, or built with hidden backdoors. When that happens, attackers don’t break in through the front door — they come in through the building materials.

Thresher is a free, open source tool that scans those building materials — every dependency, every layer — and tells you what’s safe and what’s not. One command, full picture.

// What you get

Security research shop in a box.

22 scanners: CVE matching, static analysis, behavioral detection, malware signatures, secrets, IaC, license compliance. All in parallel inside a hardened VM.
8 AI analysts: specialized personas that reason about what scanners can't see. Malice, trust, attack surface, memory safety, dark corners.
0 trust assumptions: isolated VM. Zero sudo. Hardened git clone. Sandboxed deps. Validated output boundary. Nothing escapes.

// Why not just use Snyk?

What other tools don’t do.

Snyk, Semgrep, and Socket are great tools. They scan for known CVEs in your dependency tree. But known CVEs are the easy part.

What about the IDOR that lets any user delete another user’s data? The path traversal hiding behind a startsWith() check? The hardcoded API key in a utility script? The SQL injection that bypasses the keyword blocklist via ATTACH DATABASE? These are real findings from a real Thresher scan — see the full report.

Runs locally in a hardened VM
Your code never leaves your machine. No SaaS dashboard, no account required. Everything runs inside an isolated Lima VM with zero sudo, network lockdown, and validated output boundaries.
AI analysts reason about what scanners can’t see
8 specialized AI personas examine your code for malice, trust issues, attack surface, memory corruption, dark corners, and infrastructure risks. They find the bugs that CVE databases don’t know about yet.
Adversarial verification
Every AI finding gets challenged by an independent adversarial agent before it reaches you. No hallucinated vulnerabilities. No noise. Just real findings that survive scrutiny.
Open source, one command
No vendor lock-in. No pricing tiers. No sales calls. brew install thresher and point it at a repo. You get a full security assessment in minutes.
// How it works

One command. Full assessment.

1. Pick a package: thresher scan https://github.com/org/repo
2. Wait ~10 minutes: 22 scanners + 8 AI analysts run in a sealed VM
3. Get a full report: findings, severity, remediation guidance

Example session:

$ thresher scan https://github.com/example/repo
T H R E S H E R  v0.2.2 | thresher.sh
[OK] Cloning repository (hardened)
[OK] Discovering hidden dependencies
[OK] Resolving dependencies (3 ecosystems)
[OK] Vulnerability scanners (22 tools)
[OK] AI analyst panel
     Analyst 1: The Paranoid ............. done
     Analyst 2: The Behaviorist .......... done
     Analyst 3: The Investigator ......... done
     Analyst 4: Vuln Pentester ........... done
     Analyst 5: App Pentester ............ done
     Analyst 6: Memory Exploiter ......... done
     Analyst 7: Infra Auditor ............ done
     Analyst 8: The Shadowcatcher ........ done
[OK] Adversarial verification
[OK] Report synthesis
FINDINGS   P0  CRIT  HIGH  MED  LOW
            0     2     5   12   23
Report: ./thresher-reports/example-repo-20260401/
// 8 eyes, every angle

AI analysts with teeth.

Analyst 01, The Paranoid: Is this code malicious?
Analyst 02, The Behaviorist: Is there an unreported vulnerability?
Analyst 03, The Investigator: Is this code trustworthy?
Analyst 04, Vuln Pentester: What vulns are we inheriting?
Analyst 05, App Pentester: How do users break in?
Analyst 06, Memory Exploiter: Can this be corrupted at runtime?
Analyst 07, Infra Auditor: Is this safe to deploy?
Analyst 08, The Shadowcatcher: What is this code hiding?
// Coverage

10 watch zones. No stone left unturned.

01 Known Vulnerabilities 5 scanners
02 Code Quality 3 tools + AI
03 Infrastructure 2 tools + AI
04 Malware Signatures 3 tools
05 Dependency Behavior 6 tools + AI
06 Package Metadata 3 sources + AI
07 License Compliance 1 tool + AI
08 Repository Health AI analysts
09 Cross-Signal Analysis AI analysts
10 Dark Corners AI analysts
// Real results

Vulnerabilities found and fixed.

Projects Scanned and Remediated: open source repositories analyzed and remediated with security PRs.
Critical Findings: critical severity vulnerabilities discovered and fixed.
High Findings: high severity vulnerabilities discovered and fixed.
Supply Chain Fixes: vulnerable dependencies upgraded to secure versions.
App Security Fixes: XSS, SQLi, IDOR, path traversal, and other application-level bugs patched.
CVEs Resolved: known CVEs resolved across all scanned projects.

What’s hiding in your dependencies?
