agentaudit 3.9.11 → 3.9.13
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +23 -1
- package/cli.mjs +2 -1
- package/package.json +1 -1
package/README.md
CHANGED
|
@@ -454,10 +454,32 @@ Or use without installing: `npx agentaudit`
|
|
|
454
454
|
### Do I need an API key?
|
|
455
455
|
|
|
456
456
|
- **Quick scan** (`scan`): No API key needed — runs locally with regex
|
|
457
|
-
- **Deep audit** (`audit`): Needs
|
|
457
|
+
- **Deep audit** (`audit`): Needs an LLM API key (see below)
|
|
458
458
|
- **Registry lookup** (`lookup`): No key needed for reading; key needed for uploading reports
|
|
459
459
|
- **MCP server**: No extra key needed — uses the host editor's LLM
|
|
460
460
|
|
|
461
|
+
### Setting up your LLM key for deep audits
|
|
462
|
+
|
|
463
|
+
The `audit` command supports **Anthropic (Claude)** and **OpenAI (GPT-4o)**. Set one of these environment variables:
|
|
464
|
+
|
|
465
|
+
```bash
|
|
466
|
+
# Linux / macOS
|
|
467
|
+
export ANTHROPIC_API_KEY=sk-ant-... # Recommended
|
|
468
|
+
export OPENAI_API_KEY=sk-... # Alternative
|
|
469
|
+
|
|
470
|
+
# Windows (PowerShell)
|
|
471
|
+
$env:ANTHROPIC_API_KEY = "sk-ant-..."
|
|
472
|
+
$env:OPENAI_API_KEY = "sk-..."
|
|
473
|
+
|
|
474
|
+
# Windows (CMD)
|
|
475
|
+
set ANTHROPIC_API_KEY=sk-ant-...
|
|
476
|
+
set OPENAI_API_KEY=sk-...
|
|
477
|
+
```
|
|
478
|
+
|
|
479
|
+
**Priority:** If both are set, Anthropic is used. The active provider is shown during the audit.
|
|
480
|
+
|
|
481
|
+
**Troubleshooting:** If you see `API error: Incorrect API key`, double-check your key is valid and has credits. Use `--debug` to see the full API response.
|
|
482
|
+
|
|
461
483
|
### What data is sent externally?
|
|
462
484
|
|
|
463
485
|
- **Registry lookups**: Package name/slug is sent to `agentaudit.dev` to check for existing audits
|
package/cli.mjs
CHANGED
|
@@ -1309,6 +1309,7 @@ async function auditRepo(url) {
|
|
|
1309
1309
|
// Check for API keys to determine which LLM to use
|
|
1310
1310
|
const anthropicKey = process.env.ANTHROPIC_API_KEY;
|
|
1311
1311
|
const openaiKey = process.env.OPENAI_API_KEY;
|
|
1312
|
+
const activeProvider = anthropicKey ? 'Anthropic (Claude)' : openaiKey ? 'OpenAI (GPT-4o)' : null;
|
|
1312
1313
|
|
|
1313
1314
|
if (!anthropicKey && !openaiKey) {
|
|
1314
1315
|
// No LLM API key — clear explanation
|
|
@@ -1373,7 +1374,7 @@ async function auditRepo(url) {
|
|
|
1373
1374
|
}
|
|
1374
1375
|
|
|
1375
1376
|
// We have an API key — run LLM audit
|
|
1376
|
-
process.stdout.write(` ${c.dim}[4/4]${c.reset} Running LLM analysis...`);
|
|
1377
|
+
process.stdout.write(` ${c.dim}[4/4]${c.reset} Running LLM analysis ${c.dim}(${activeProvider})${c.reset}...`);
|
|
1377
1378
|
|
|
1378
1379
|
const systemPrompt = auditPrompt || 'You are a security auditor. Analyze the code and report findings as JSON.';
|
|
1379
1380
|
const userMessage = [
|