Zing Forum

SecuritySage: An Intelligent Code Security Audit Platform Based on Xiaomi MiMo

An AI-driven security tool integrating SAST static analysis, secret detection, dependency CVE auditing, and multi-modal threat model evaluation, leveraging Xiaomi MiMo Pro and MiMo VL large models for intelligent security analysis.

Tags: security audit, SAST, MiMo, Xiaomi, code security, CVE, multi-modal, threat modeling, secret detection, AI security
Published 2026-05-22 22:16. Recent activity 2026-05-22 22:29. Estimated read: 10 min.
Section 01

[Introduction] SecuritySage: Core Introduction to the Intelligent Code Security Audit Platform Based on Xiaomi MiMo

SecuritySage is an AI-driven intelligent code security audit platform that integrates SAST static analysis, secret detection, dependency CVE auditing, and multi-modal threat model evaluation. It leverages the Xiaomi MiMo Pro and MiMo VL large models for intelligent security analysis. The platform aims to address the pain points of traditional SAST tools: high false positive rates, weak context understanding, and outputs that give little direct guidance for repair. At the same time, it tackles the blind spots in open-source component CVE management caused by the complex dependencies of modern applications, demonstrating the application potential of domestic large models in the security field.

Section 02

Project Background and Motivation

In the software development lifecycle, security auditing is often an underestimated or delayed process. Although traditional Static Application Security Testing (SAST) tools can detect potential vulnerabilities in code, they suffer from high false positive rates, weak context understanding, and outputs that give little direct guidance for repair. Meanwhile, the dependency relationships of modern applications are becoming increasingly complex, and the management of open-source component vulnerabilities (CVEs) has become a new security blind spot.

The SecuritySage project was born to solve these pain points. It is not a simple rule engine but an intelligent security assistant driven by large language models, capable of understanding code intent, evaluating vulnerability exploitability, and providing actionable repair suggestions. The project chose Xiaomi's newly released MiMo series models as the core reasoning engine, demonstrating the application potential of domestic large models in the security field.

Section 03

Panoramic View of Core Functions

SecuritySage provides a complete security audit workflow covering multiple stages from code submission to production deployment:

1. Overview Dashboard

The dashboard is the command center for security posture, powered by MiMo Pro. It offers security scores, vulnerability trends, quick operations, risk heatmaps, and other functions to help teams quickly grasp the overall security posture and identify high-risk areas.

2. Vulnerability Scanning

It has three notable features: intelligent reordering (sorted by exploitability), context understanding (reducing false positives), and repair suggestions (generating code examples).

3. Secret Detection

Supports multi-mode recognition of various secret formats, assesses leakage risks, and generates step-by-step guides for secret rotation.

4. Dependency Auditing

Automatically compares project dependencies against vulnerability databases, evaluates upgrade priority, and analyzes compatibility.

5. Threat Model Evaluation

Utilizes MiMo VL's multi-modal capabilities to analyze uploaded threat modeling diagrams, identify threat boundaries, discover blind spots, and evaluate mitigation measures.

Section 04

Technical Architecture Analysis

MiMo Model Integration

The platform accesses MiMo services through the OpenRouter platform, adopts a dual-model strategy (MiMo Pro for deep reasoning, MiMo VL for multi-modal input), constrains the response format to JSON, and manages token budgets to stay within free-plan limits.

Graceful Degradation Mechanism

When MiMo services are unavailable, the platform automatically switches to local corpus mode, which provides heuristic sorting, preset CVE data, threat model templates, and other functions, with every result clearly labeled with its source.
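The JSON-constrained model reply and the degradation path described in the two paragraphs above, as an added example that is not SecuritySage's own code: findings are ranked from the model's JSON reply when it parses cleanly, and from a local heuristic (labelled as such) when the reply is missing, malformed or names unknown findings. The Finding shape, the rule names and the score weights are assumptions.

```typescript
type Severity = "critical" | "high" | "medium" | "low";
export interface Finding { id: string; rule: string; severity: Severity; reachable: boolean; inTests: boolean }
export interface Ranked extends Finding { exploitability: number; source: "mimo-pro" | "local-heuristic" }
const BASE: Record<Severity, number> = { critical: 90, high: 70, medium: 40, low: 15 }; // assumed weights
const clamp = (n: number) => Math.max(0, Math.min(100, n));

// Local corpus mode: deterministic exploitability score used when MiMo is unavailable.
export function heuristicScore(f: Finding): number {
  let s = BASE[f.severity];
  if (!f.reachable) s -= 30; // no path from an entry point: rarely exploitable
  if (f.inTests) s -= 25;    // test fixtures do not ship to production
  return clamp(s);
}

// Strict parse of the JSON-constrained model reply ([{id, exploitability}, ...]).
// Any malformed entry or unknown finding id makes the whole reply untrusted (-> fallback).
export function parseModelRanking(raw: string, knownIds: Set<string>): Map<string, number> | null {
  try {
    const parsed: unknown = JSON.parse(raw);
    if (!Array.isArray(parsed)) return null;
    const scores = new Map<string, number>();
    for (const e of parsed) {
      if (typeof e?.id !== "string" || typeof e?.exploitability !== "number" || !knownIds.has(e.id)) return null;
      scores.set(e.id, clamp(e.exploitability));
    }
    return scores;
  } catch { return null; } // not JSON at all: treat like an outage
}

// Rank findings by exploitability; each result records whether its score came from
// the model or from the heuristic fallback, so the UI can label it.
export function rankFindings(findings: Finding[], modelJson: string | null): Ranked[] {
  const model = modelJson === null ? null : parseModelRanking(modelJson, new Set(findings.map((f) => f.id)));
  return findings
    .map((f): Ranked => {
      const s = model?.get(f.id);
      return s === undefined
        ? { ...f, exploitability: heuristicScore(f), source: "local-heuristic" }
        : { ...f, exploitability: s, source: "mimo-pro" };
    })
    .sort((a, b) => b.exploitability - a.exploitability);
}

// Constructed sample findings (not from any real repository).
export const SAMPLE: Finding[] = [
  { id: "F1", rule: "sql-injection", severity: "high", reachable: true, inTests: false },
  { id: "F2", rule: "hardcoded-secret", severity: "critical", reachable: true, inTests: true },
  { id: "F3", rule: "weak-hash", severity: "medium", reachable: false, inTests: false },
];
```

A partial model reply is also handled: findings the model did not score fall back individually, so a single response can mix "mimo-pro" and "local-heuristic" labels.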

Frontend Technology Stack

Uses Next.js 16 App Router, TypeScript, Tailwind CSS v4, Recharts, Lucide, and other technologies.

Deployment and Configuration

Supports out-of-the-box deployment on Vercel, manages configuration items via environment variables, and has a simple deployment process.

Section 05

Innovative Value and Industry Significance

Redefining SAST Tools

Demonstrates a new paradigm of SAST empowered by large models: adaptive learning, semantic understanding, and actionable suggestions, addressing the limitations of traditional SAST tools.

Pioneering Multi-modal Security Auditing

Introduces MiMo VL into the field of threat modeling, pioneering a new direction of AI-assisted threat modeling, which is particularly valuable for small organizations.

Application Demonstration of Domestic Large Models

Chooses Xiaomi MiMo as the core engine, verifies the capabilities of domestic models, reduces dependency risks, and contributes use cases to the MiMo application ecosystem.

Section 06

Limitations and Improvement Directions

Current Limitations

  1. Token Limitation: The token upper limit (180-220) of the free plan restricts analysis depth.
  2. Network Dependency: MiMo calls require a stable network and API quotas.
  3. Sample Repository: The demo repository is manually constructed, and performance on real, complex repositories needs verification.
  4. Multi-language Support: Mainly supports mainstream languages, with limited capabilities for niche languages.

Potential Improvement Directions

  • Local Model Deployment: Support private deployment to eliminate network dependencies.
  • Incremental Analysis: Scan only changed code to improve efficiency.
  • CI/CD Integration: Provide plugins such as GitHub Actions.
  • Security Knowledge Base: Build a customizable rule base.
  • Collaboration Features: Support team security review processes.

Section 07

Conclusion

SecuritySage represents a new trend in AI-driven security tools. It does not replace human security experts but allows security teams to focus on strategic work through automated preliminary analysis, intelligent priority sorting, and generating actionable suggestions. For developers, security becomes a lightweight assistant in daily development processes; for security teams, it frees them from rule maintenance to focus on risk management. As domestic large models like MiMo evolve, such tools are expected to become standard in software development, raising the security level of the industry.