Triage at Machine Speed: Drupal AI Vulnerability Guardian
Inspired by Dries Buytaert's recent insights on AI-Driven Vulnerability Discovery, I built a tool to address one of the biggest challenges in modern open-source security: Triage at Machine Speed.
As AI makes it easier and cheaper to find potential vulnerabilities, open-source maintainers are facing an unprecedented flood of security reports. The bottleneck is no longer finding bugs, but evaluating and triaging them without burning out the human maintainers.
The Tool: Drupal AI Vulnerability Guardian
The Drupal AI Vulnerability Guardian is a prototype CLI tool designed to assist Drupal maintainers by automatically triaging potential vulnerability reports. It doesn't just find bugs; it provides the context needed to make quick decisions.
Key features include:
- Impact Assessment: Evaluation of the vulnerability's severity (Critical, High, Moderate).
- Confidence Scoring: AI-driven estimate of the report's validity to filter out false positives.
- Automated Fix Generation: Proposing actionable patches alongside the triage report.
How it Works
The tool scans Drupal module code for common patterns like SQL injection in db_query() or XSS risks in Markup::create().
./bin/vulnerability-guardian triage examples/VulnerableModule.php
Example Output:
Vulnerability #1: Critical
--------------------------
Potential SQL Injection in database query. Variable concatenated directly into query string.
Metric Value
Confidence Score 95/100
Impact Severity Critical
Maintainer Burden Moderate - Requires code validation
Proposed Fix
------------
[PATCH] Replace direct concatenation with placeholders:
$connection->query("SELECT ... WHERE uid = :uid", [":uid" => $uid]);
Supporting Maintainers
By providing a "Maintainer Burden" assessment and a high-confidence fix, we can reduce the time spent on manual verification. This aligns with Dries's vision of using AI not just to find problems, but to help the community scale its response to security disclosures.
View Code