lintsinghua/DeepAudit

An open-source AI red team that actually files CVEs

Multi-agent system for automated vulnerability discovery with sandboxed PoC verification and real-world CVEs to its name.

6.3k stars · Python · Tags: Agents, Domain Apps · Velocity (7d): +24 ★/day · Trend: steady

What it does

DeepAudit is a multi-agent AI system that audits code for security vulnerabilities, verifies findings in an automated sandbox, and generates reports. It can ingest projects from GitHub, GitLab, or Gitea, run a team of specialized agents to hunt for bugs, and export results as PDF, Markdown, or JSON. It also supports local deployment via Ollama for teams that don’t want to ship code to third-party APIs.

The interesting bit

The project claims 49 CVEs and 6 GHSA advisories across 17 open-source projects — including CVSS 9.8 bugs in Dataease and H2O-3. That’s unusual for an open-source security scanner; most tools find theoretical issues, not filed vulnerabilities with official IDs. The multi-agent architecture splits work across specialized roles rather than asking one model to do everything.

Key highlights

  • Multi-agent audit pipeline with visible reasoning logs
  • Automated sandbox PoC verification (not just static pattern matching)
  • Ollama support for fully private, air-gapped deployments
  • One-click deployment targeting “小白” (beginners), though the stack is FastAPI + React + TypeScript
  • Report export in PDF, Markdown, and JSON formats
  • Claims verified CVE/GHSA track record with severity scores published

Caveats

  • README is primarily in Chinese; English documentation exists but may lag
  • The CVE table is heavy on XSS findings in a single project (O2OA), which may reflect tool focus or target selection bias
  • AGPL-3.0 license; commercial use requires compliance planning

Verdict

Worth evaluating for security teams doing open-source due diligence or researchers who want a reproducible AI-assisted audit pipeline. Skip if you need enterprise support guarantees or purely English-language documentation.
