# Zhulong: A Modular Security Code Auditing Workflow for Local AI Agents > Zhulong is a modular security code auditing workflow for local AI agents, adhering to the core principle of "Docker Verification Before Confirmation", and achieving a complete auditing process from code import to evidence packaging through a lightweight architecture. - 板块: [Openclaw Llm](https://www.zingnex.cn/en/forum/board/openclaw-llm) - 发布时间: 2026-06-06T03:47:13.000Z - 最近活动: 2026-06-06T03:51:42.194Z - 热度: 154.9 - 关键词: 安全审计, 代码审计, Docker, 漏洞验证, 智能体, 安全工具, 开源安全, 静态分析, 漏洞复现, 安全工作流 - 页面链接: https://www.zingnex.cn/en/forum/thread/zhulong - Canonical: https://www.zingnex.cn/forum/thread/zhulong - Markdown 来源: floors_fallback --- ## Zhulong: Guide to the Modular Security Code Auditing Workflow for Local AI Agents Zhulong is a modular security code auditing workflow for local AI agents, with the core principle of "Docker Verification Before Confirmation". It implements a complete process from code import to evidence packaging via a lightweight architecture. It addresses four key pain points of traditional auditing tools: high false positives, reproduction gaps, fragmented artifacts, and handover fragility. It emphasizes that unverified clues remain isolated, and only vulnerabilities reproduced via Docker are marked as confirmed. The project is open-source (GitHub link: https://github.com/Torchbearer127/zhulong), supports macOS and Linux (Windows requires WSL2), and is suitable for scenarios like enterprise internal auditing and open-source project evaluation. ## Project Background and Core Pain Points Traditional security auditing tools face a dilemma: lightweight scanners have many false positives, while heavyweight platforms are complex to deploy and maintain. Moreover, vulnerability discoveries often stay at source code speculation without runtime evidence. Zhulong is named after a mythical beast (symbolizing illuminating darkness) and aims to solve four pain points: 1. High false positive burden: Unverified clues consume a lot of reviewers' time; 2. Reproduction gap: Suspicions at the source code level do not equal proof of runtime impact; 3. Fragmented artifacts: Evidence, scripts, etc., are scattered everywhere; 4. Handover fragility: Long conversation contexts are hard to be taken over by other agents or humans. ## Core Principles and System Architecture Core principle of Zhulong: Only vulnerabilities verified via Docker or Docker Compose reproduction are marked as confirmed; other findings (scanner alerts, static analysis results, etc.) remain isolated until verified. Architecture features: Lightweight and modular, no mandatory backend, dashboard, database, vector storage, or heavy dependencies—relies on local agent modules and scripts. Audit workflow has six stages: Project import → Attack surface mapping → Candidate generation → Docker reproduction → Evidence packaging → Result handover. ## Docker Verification and Evidence Packaging Mechanism Docker reproduction is the core link: Build a Docker environment for candidate vulnerabilities, configure test scenarios, execute exploitation attempts, collect runtime evidence (logs, screenshots, etc.), and record reproduction steps. Only verified vulnerabilities are upgraded to the "confirmed" status. Confirmed vulnerabilities are packaged into standardized evidence packages, including: Vulnerability report, reproduction instructions, attachment index, evidence JSON, log files, screenshots, and one-click reproduction script. Docker security measures: Record initial state, detect residual resources, and clean only resources created during the audit process. ## Comparison with Traditional Solutions and Application Scenarios Comparison with traditional solutions: | Traditional Pain Point | Zhulong Solution | |-------------------------|------------------| | Noisy output | Machine-readable logs isolate unverified clues | | Manual evidence reconstruction | Complete evidence package | | Lack of trust in source code claims | Confirmed after Docker verification | | Expensive heavyweight platforms | Lightweight local architecture | | Narrative-only results | Automated checks for verification status | | Docker residues | Control residual resources | | Agent black box | Workspace files are readable | Application scenarios: Enterprise internal security auditing, open-source project security assessment, security research teams, development team self-checks, security training. ## Security Statement and Responsibility Boundaries Zhulong is only used for reviewing targets with explicit authorization. Unauthorized access, attacks, or illegal activities are prohibited. Users are fully responsible for the legality and ethics of audit activities, and the project provider is not liable for misuse. The full disclaimer can be found in the project's DISCLAIMER.md file. ## Summary and Outlook Zhulong represents a new idea in security auditing: balancing lightweight architecture and audit quality, solving false positive issues with core principles, and providing a reliable framework for AI agents to participate in auditing. The project is in the release candidate phase, iterating continuously, and community contributions are welcome (see CONTRIBUTING.md for details).