Metis: Open-source, AI-driven tool for deep security code review

Metis is an open source tool that uses AI to help engineers run deep security reviews on code. Arm’s product security team built Metis to spot subtle flaws that are often buried in large or aging codebases where traditional tools struggle.


Metis relies on LLMs that can analyze code with semantic reasoning instead of fixed rules. Arm says this gives the tool an edge over linters and other static analysis systems that depend on signatures or pattern matching. The goal is to help engineers find issues that might otherwise slip through manual review, while also cutting down on review fatigue.

The tool uses retrieval-augmented generation (RAG) to pull in broader context from the codebase. This lets the model consider related logic elsewhere in the code during a review, so its findings are more accurate and its suggestions easier to act on.

Metis is designed to be flexible. It supports C, C++, Python, Rust, and TypeScript through a plugin-based language system that can be extended to cover additional languages. It can also connect to different vector store backends, such as PostgreSQL with pgvector and ChromaDB. Although it currently works with a single language model provider, OpenAI, the architecture is built to support other providers in the future.
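To illustrate the retrieval step behind the RAG approach and the vector store role mentioned above, here is an added example (not Metis's own code): it indexes a constructed three-file C codebase using a toy identifier-frequency embedding in place of a model embedding and an in-memory dict in place of pgvector or ChromaDB, then retrieves the caller whose bounds check decides whether the callee under review is safe.

```python
import math
import re
from collections import Counter

# Constructed toy codebase (not Metis's own data): copy_payload() is only safe
# because its caller in another file bounds len, so isolated review is misleading.
CODEBASE = {
    "packet.c": """int copy_payload(char *dst, const char *src, size_t len) {
    memcpy(dst, src, len);   /* relies on caller to bound len */
    return 0;
}""",
    "handler.c": """int handle_packet(const char *buf, size_t n) {
    char payload[256];
    if (n > sizeof(payload)) return -1;
    return copy_payload(payload, buf, n);
}""",
    "util.c": """int add_numbers(int a, int b) {
    return a + b;
}""",
}
FUNC_NAME = re.compile(r"^\w+\s+(\w+)\s*\(", re.M)
IDENT = re.compile(r"[A-Za-z_]\w*")

def chunks():
    """Map each function name to its source text (one function per file here)."""
    return {FUNC_NAME.search(src).group(1): src for src in CODEBASE.values()}

def embed(text):
    """Toy embedding: identifier-frequency vector, a stand-in for a model embedding."""
    return Counter(IDENT.findall(text))

def cosine(a, b):
    dot = sum(a[t] * b[t] for t in a.keys() & b.keys())
    norm = math.sqrt(sum(v * v for v in a.values())) * math.sqrt(sum(v * v for v in b.values()))
    return dot / norm if norm else 0.0

def retrieve_context(target, k=2):
    """Names of the k chunks most similar to `target`, best first: the retrieval
    step of RAG. A real tool would query a vector store such as pgvector/ChromaDB."""
    index = {name: embed(src) for name, src in chunks().items()}
    ranked = sorted(((n, cosine(index[target], v)) for n, v in index.items() if n != target),
                    key=lambda p: p[1], reverse=True)
    return [n for n, _ in ranked[:k]]

def review_prompt(target, k=1):
    """Snippet under review plus retrieved related code, as the model would see it."""
    src = chunks()
    parts = [f"// under review: {target}\n{src[target]}"]
    parts += [f"// related context: {n}\n{src[n]}" for n in retrieve_context(target, k)]
    return "\n\n".join(parts)
```

Run `review_prompt("copy_payload")` to see the callee paired with the caller's `sizeof(payload)` check, which a pattern-matching linter reviewing `packet.c` alone would never see.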

Metis is available for free on GitHub.
