Zhulong: A Modular Security Code Auditing Workflow for Local AI Agents

Zhulong is a modular security code auditing workflow for local AI agents, with the core principle of "Docker Verification Before Confirmation". It implements a complete process from code import to evidence packaging via a lightweight architecture. It addresses four key pain points of traditional auditing tools: high false positives, reproduction gaps, fragmented artifacts, and handover fragility. It emphasizes that unverified clues remain isolated, and only vulnerabilities reproduced via Docker are marked as confirmed. The project is open-source (GitHub link: https://github.com/Torchbearer127/zhulong), supports macOS and Linux (Windows requires WSL2), and is suitable for scenarios like enterprise internal auditing and open-source project evaluation.

Traditional security auditing tools face a dilemma: lightweight scanners have many false positives, while heavyweight platforms are complex to deploy and maintain. Moreover, vulnerability discoveries often stay at source code speculation without runtime evidence. Zhulong is named after a mythical beast (symbolizing illuminating darkness) and aims to solve four pain points:

1. High false positive burden: Unverified clues consume a lot of reviewers' time;
2. Reproduction gap: Suspicions at the source code level do not equal proof of runtime impact;
3. Fragmented artifacts: Evidence, scripts, etc., are scattered everywhere;
4. Handover fragility: Long conversation contexts are hard to be taken over by other agents or humans.

Core principle of Zhulong: Only vulnerabilities verified via Docker or Docker Compose reproduction are marked as confirmed; other findings (scanner alerts, static analysis results, etc.) remain isolated until verified. Architecture features: Lightweight and modular, no mandatory backend, dashboard, database, vector storage, or heavy dependencies—relies on local agent modules and scripts. Audit workflow has six stages: Project import → Attack surface mapping → Candidate generation → Docker reproduction → Evidence packaging → Result handover.

Docker reproduction is the core link: Build a Docker environment for candidate vulnerabilities, configure test scenarios, execute exploitation attempts, collect runtime evidence (logs, screenshots, etc.), and record reproduction steps. Only verified vulnerabilities are upgraded to the "confirmed" status. Confirmed vulnerabilities are packaged into standardized evidence packages, including: Vulnerability report, reproduction instructions, attachment index, evidence JSON, log files, screenshots, and one-click reproduction script. Docker security measures: Record initial state, detect residual resources, and clean only resources created during the audit process.

Comparison with traditional solutions:

Traditional Pain Point	Zhulong Solution
Noisy output	Machine-readable logs isolate unverified clues
Manual evidence reconstruction	Complete evidence package
Lack of trust in source code claims	Confirmed after Docker verification
Expensive heavyweight platforms	Lightweight local architecture
Narrative-only results	Automated checks for verification status
Docker residues	Control residual resources
Agent black box	Workspace files are readable

Application scenarios: Enterprise internal security auditing, open-source project security assessment, security research teams, development team self-checks, security training.

Zhulong is only used for reviewing targets with explicit authorization. Unauthorized access, attacks, or illegal activities are prohibited. Users are fully responsible for the legality and ethics of audit activities, and the project provider is not liable for misuse. The full disclaimer can be found in the project's DISCLAIMER.md file.

Zhulong represents a new idea in security auditing: balancing lightweight architecture and audit quality, solving false positive issues with core principles, and providing a reliable framework for AI agents to participate in auditing. The project is in the release candidate phase, iterating continuously, and community contributions are welcome (see CONTRIBUTING.md for details).