Introducing Auditor — ICP-Backed Automated Security Audits, Patch Guidance & URL Scans for GitHub Repos

Developers
1

image
image1730×909 318 KB

Hey! :waving_hand:

I’m excited to share Auditor — a new source-available project I’ve been building: a production-ready, ICP-native security audit platform for GitHub repositories.

What is Auditor?

Auditor is a hybrid ICP application that delivers professional-grade security audits with:

  • Full repository code analysis (up to 500 files / 2.5 MB)
  • Automatic dependency vulnerability triage against OSV.dev
  • Automatic ICP project detection — when dfx.json or icp.yaml is present, the auditor applies specialized ICP-specific security guidance (anonymous access controls, upgrade persistence, cycle safety, canister best practices, etc.)
  • Powerful multi-provider AI consensus pipeline using xAI Grok 4.3, OpenAI GPT-5.5, and Anthropic Opus 4.7 working together for independent drafts, peer review, and final synthesis
  • Separate Patch Guidance generation with step-by-step remediation instructions
  • URL Security Review with target-specific profiles, WAF/perimeter clustering, ready-to-run curl reproducibility commands, and JSON export

Pricing (via Stripe):

  • Standard Audit: $45
  • Large Audit: $90
  • Patch Guidance: $35 (upsell after audit)
  • URL Security Review: $20

All results, ownership, payment state, and patch entitlements are stored on-chain in a Motoko canister. The heavy lifting (GitHub access, Stripe, AI calls) happens in a secure off-chain Node orchestrator — keeping secrets off-chain while giving users full transparency and ownership of their audit data.

Key Features

  • Internet Identity sign-in + GitHub App verification before checkout
  • On-chain audit history and entitlement tracking
  • Exportable reports: HTML, PDF, and JSON (plus patch guides in HTML/PDF)
  • Owner console for public configuration + encrypted private worker settings
  • Clean separation of trust zones (canister owns state & results; orchestrator owns secrets)
  • Built-in ICP awareness — automatically tailors the audit when it detects an Internet Computer project

image
image1672×941 485 KB

Tech Stack

Layer Technology
On-chain Motoko canister (DFX)
Frontend React + Vite + SCSS + Internet Identity
Orchestrator Node.js (stateless gateway)
Payments Stripe (Checkout + Webhooks)
GitHub GitHub App (contents read access)
AI Pipeline xAI Grok 4.3 + OpenAI GPT-5.5 + Anthropic Mythos 5 (multi-provider consensus)
Deployment ICP asset canister + any Node host (Render, Railway, etc.)

Architecture Highlights

The design deliberately splits responsibilities:

  • Canister → owns audit jobs, findings, ownership, payment state, and patch entitlements
  • Orchestrator → handles Stripe, GitHub App tokens, AI calls, and large file processing
  • Frontend → beautiful React UI with II login and report viewer

This gives you the best of both worlds: ICP durability + ownership + full power of modern AI + payment infrastructure.

Full architecture notes are in the repo: docs/architecture.md

Quick Local Setup (for developers)

1. Clone & install

git clone GitHub - dickhery/Auditor · GitHub

cd Auditor

npm install

cd services/orchestrator && npm install && cd ..

2. Environment (copy examples and fill in your keys)

cp .env.example .env

cp .env.local.example .env.local

cp services/orchestrator/.env.example services/orchestrator/.env

3. Deploy canisters

dfx start --background

dfx deploy

4. Start everything

npm start # frontend

In another terminal:

cd services/orchestrator && npm run dev

Detailed setup, credential guides, and deployment instructions are in the README.

License: Business Source License 1.1 (source-available — full open-source planned later).

Community Demo Request — Help Me Showcase It!

To give everyone a real, transparent demonstration of what Auditor actually produces, I’d like to run a complete public audit on a real open-source repository.

I’m specifically looking for recommendations of:

  • Open-source SNS DAO repositories
  • Other notable ICP / DFINITY ecosystem projects
  • Or any interesting public GitHub repo you think would make a great case study

What I’ll deliver publicly in this thread:

  1. Full Repository Audit (code + dependencies + ICP-specific findings)
  2. Patch Instructions / Remediation Guide
  3. URL Security Scan (with WAF clustering + reproducible curl commands)
  4. All exported reports (HTML/PDF/JSON)

How to participate:
Just reply below with:

  • The GitHub repo URL
  • A short note on why it would be interesting to audit (complexity, ICP relevance, known concerns, etc.)

I’ll pick one (or a couple) and run the full workflow (I’ll cover the cost for the demo). You’ll see the exact output quality, depth of analysis, and practical value — including how the ICP-specific guidance is applied when relevant.

Next Steps & Feedback

  • GitHub Repo: GitHub - dickhery/Auditor · GitHub
  • Star it, open issues, or submit PRs — all feedback is very welcome!
  • Especially interested in ideas for:
    • Additional ICP-specific security agents
    • UI/UX improvements
    • More export formats or integrations

What do you think? Any repos in mind for the demo? I’m looking forward to your suggestions and feedback!

Let’s make security auditing on ICP more accessible, transparent, and ICP-aware together. :rocket:

2

Richard,

Undergoing an audit process is a significant hurdle for developers of modest means. It looks like what you’re working on here will help make the process more accessible. This will give more people the confidence to deploy more ambitious apps.

Thank you for your efforts. I know you have been consistently active in the community and pushing the bounds of what is possible for caffeine apps as well.

3

I like that you’re still using dfx.

I never made the switch.

good luck with this, it looks like something great.