Static analysis and bug signature detection across 49 languages, used in 500+ repos.
panic-attack is a Rust CLI tool providing static analysis, taint tracking, cross-language vulnerability detection, and CVE triage. It operates in three deployment modes: standalone binary, panicbot (gitbot-fleet CI integration), and mass-panic (org-scale batch scanning).
Key capabilities today:

- 49-language analyzer with per-file detection and 25 weak-point categories
- miniKanren v2.0.0 logic engine (taint analysis, cross-language reasoning, search strategies)
- Patch Bridge CVE lifecycle engine (OSV API, reachability scan, phantom dependency detection)
- Cryptographic attestation chain (intent/evidence/seal)
- Assemblyline batch scanning with rayon parallelism and BLAKE3 fingerprinting
- Pre-commit hook integration (`panic-attack assail` before every commit)

Component Readiness Grades: D (Alpha) through B (RC) verified
- ✓ miniKanren v2.0.0 core (Term, Substitution, unification, FactDB)
- ✓ Taint analysis: source-to-sink tracking
- ✓ Cross-language analyzer: FFI boundary detection
- ✓ Search strategy: risk-weighted file prioritisation
- ✓ Forward chaining: derive new vulnerability facts from rules
- ✓ Backward queries: find files that could cause a vulnerability type
- ✓ Context-facts for false-positive suppression (10 rules active, ~8% → ~2-3% FP target; heuristics intentionally broad — tune v2.1.1)
- ✓ Hypatia integration: JSON AssailReport consumed by Elixir rules directly (Logtalk export removed 2026-04-12)
- ✓ Isabelle + Coq language support (49 languages total; `.thy` → Isabelle, `.v` → Coq)
- ✓ Filesystem persistence for scan results
- ✓ VeriSimDB HTTP API integration: push octads via REST (ureq v3; `VERISIMDB_URL` env var; `http` feature; filesystem fallback)
- ✓ Per-project VeriSimDB instance: `deploy/panic-attack/fly.toml` for `verisim-panic-api` (6PN internal, lhr)
- ✓ Delta reporting: `diff` subcommand reports changes since last scan (`src/report/diff.rs`)
- ❏ Hexad persistence for Patch Bridge mitigation registry (currently JSON file)
- ❏ Historical trend queries via VCL
- ✓ CLI with 20 subcommands (clap)
- ✓ JSON output for pipeline integration
- ✓ A2ML manifest protocol support
- ✓ i18n support (10 languages, ISO 639-1)
- ✓ Shell completions: bash, zsh, fish, nushell, powershell (`completions/` directory)
- ✓ Interactive TUI mode for reviewing findings (`tui` subcommand)
- ❏ Improved error messages with fix suggestions
- ✓ Cargo.lock parsing and OSV API batch queries
- ✓ Reachability scanning for phantom dependency detection
- ✓ Three-way classification (Mitigable/Unmitigable/Informational)
- ✓ Mitigation registry with lifecycle (Pending/Active/Retiring/Retired/AcceptedRisk)
- ❏ VeriSimDB hexad persistence for mitigation lifecycle
- ❏ Auto-retire mitigations when upstream fix is released
- ❏ Upstream health monitoring (PipeWire, ReScript, UTF-8 tracking)
- ❏ Multi-lockfile support (beyond Cargo.lock: package-lock.json, mix.lock, etc.)
The current weak-point categories cover generic resource-exhaustion patterns (Memory, CPU, Disk, Network, Concurrency) but miss the estate’s distinctive risks. This milestone adds five new detection categories.
The estate uses SHA, Sodium, Ed25519, CBOR proofs, and hash-chain integrity throughout VerisimCore, Hypatia attestations, and the Patch Bridge. Current coverage: none beyond unsafe_blocks (too blunt).
- ✓ Detect weak-hash-for-security patterns (MD5/SHA1 in security contexts) — PA022, Rust/Python/JS/Go/Elixir
- ✓ Detect constant-time comparison violations (using `==` on secret values) — PA022, Rust/Python
- ❏ Detect key-reuse patterns across contexts (not reliably detectable statically — deferred)
- ❏ Detect nonce reuse in symmetric encryption (not reliably detectable statically — deferred)
- ✓ Detect JWT signature verification bypass — `dangerous_insecure_decode` (Rust/jsonwebtoken), `jwt.decode()` without `jwt.verify()` / `decodeJwt()` without `jwtVerify()` (JS/jose), `jwt.ParseUnverified()` (Go), `verify_signature: False` / `algorithms=["none"]` (Python/PyJWT)
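The following is an added example, not panic-attack's own analyzer, showing the shape of a line-oriented PA022 check for the patterns listed above: weak hashes in a security context, `==` on secret-looking values, and the JWT bypass idioms. The `Lang` enum, the `Finding` struct, and the keyword lists used as the "security context" and "secret name" heuristics are assumptions made for this example; the JWT identifiers are the ones named in the list.

```rust
// Added example, not panic-attack's own code: a minimal line-oriented
// detector for the PA022 patterns listed above. The keyword lists and the
// "security context" heuristic are assumptions made for this example.

/// Source language of the file being scanned.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Lang { Rust, Python, JavaScript, Go, Elixir }

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Finding {
    pub code: &'static str, // rule code; PA022 for everything reported here
    pub line: usize,        // 1-based line number in the scanned file
    pub message: String,
}

// Heuristic keyword lists (assumed for this example, not the project's rule set).
const WEAK_HASHES: &[&str] = &["md5", "sha1"];
const SECURITY_CONTEXT: &[&str] = &["password", "token", "signature", "hmac", "verify", "auth"];
const SECRET_NAMES: &[&str] = &["secret", "token", "signature", "mac", "password", "api_key"];

// JWT bypasses that are unsafe on their own, tagged with the language they apply to.
const JWT_DIRECT: &[(&str, Lang)] = &[
    ("dangerous_insecure_decode", Lang::Rust),
    ("jwt.ParseUnverified(", Lang::Go),
    ("algorithms=[\"none\"]", Lang::Python),
];
// JS pairs: a decode call is only acceptable if its verifying counterpart appears in the file.
const JWT_PAIRS: &[(&str, &str)] = &[("jwt.decode(", "jwt.verify("), ("decodeJwt(", "jwtVerify(")];

fn has_any(haystack: &str, needles: &[&str]) -> bool {
    needles.iter().any(|n| haystack.contains(*n))
}

/// Scan one file's text and return every PA022 finding, in line order.
pub fn scan_source(source: &str, lang: Lang) -> Vec<Finding> {
    let mut findings = Vec::new();
    // File-level facts needed by the "decode without verify" rule.
    let verify_present: Vec<bool> = JWT_PAIRS.iter().map(|(_, v)| source.contains(*v)).collect();
    let comment = match lang { Lang::Python | Lang::Elixir => "#", _ => "//" };

    for (idx, raw) in source.lines().enumerate() {
        let line = raw.trim();
        // Comment lines are skipped so prose about "md5" or "password" is not reported.
        if line.is_empty() || line.starts_with(comment) { continue; }
        let lower = line.to_ascii_lowercase();
        let mut report = |message: String| findings.push(Finding { code: "PA022", line: idx + 1, message });

        if has_any(&lower, WEAK_HASHES) && has_any(&lower, SECURITY_CONTEXT) {
            report("weak hash (MD5/SHA1) used in a security context".to_string());
        }
        if matches!(lang, Lang::Rust | Lang::Python) && line.contains("==") && has_any(&lower, SECRET_NAMES) {
            report("`==` on a secret-looking value; use a constant-time comparison".to_string());
        }
        for (pattern, target) in JWT_DIRECT {
            if *target == lang && line.contains(*pattern) {
                report(format!("JWT verification bypass: {pattern}"));
            }
        }
        if lang == Lang::Python && lower.contains("verify_signature") && line.contains("False") {
            report("JWT verification bypass: verify_signature disabled".to_string());
        }
        if lang == Lang::JavaScript {
            for (i, (decode, verify)) in JWT_PAIRS.iter().enumerate() {
                if line.contains(*decode) && !verify_present[i] {
                    report(format!("JWT {decode}) called but {verify}) never appears in this file"));
                }
            }
        }
    }
    findings
}

fn main() {
    // Constructed sample input, not code from any real project.
    let sample = "let claims = dangerous_insecure_decode::<Claims>(token);\nif provided_token == expected_token { grant(); }\n";
    for f in scan_source(sample, Lang::Rust) {
        println!("{}:{} {}", f.code, f.line, f.message);
    }
}
```

The `==` rule is deliberately broad, in the same spirit as the context-fact heuristics noted earlier on this page: it trades some false positives on length checks for not missing a secret comparison, and a suppression layer is the right place to narrow it.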
The estate maintains Isabelle theories, Idris2 ABI definitions, and Lean4/Agda proofs alongside Julia/Rust mirrors. Nothing currently checks that the mirrors stay in sync with their formal counterparts.
- ✓ Detect `sorry`/`Admitted`/`believe_me`/`oops`/`trustMe` in formal files (`.thy`, `.idr`, `.lean`, `.agda`, `.v`) — banned proof escape hatches (PA021)
- ✓ Detect `assert_total`/`%partial` in Idris2, `{-# TERMINATING #-}`/`postulate` in Agda, `axiomatization` in Isabelle, `Axiom`/`Parameter` in Coq — totality/axiom bypasses
- ✓ Detect `@test x isa Y` (no value check) standing in for a formally proven theorem in Julia mirror files
- ✓ Detect `# sorry`/`# TODO: prove`/`# admitted` comments in Julia mirror implementations
- ❏ Flag Rust/Julia functions whose name matches an Isabelle definition but whose signature has drifted
- ✓ Detect `Obj.magic` in Coq-extracted OCaml (upstream axiom bypass in extracted artifacts) — distinguished from hand-written OCaml via the `type __ = Obj.t` extraction marker
Unvalidated deserialization paths exist at CBOR proof blobs, A2ML manifest parsing, VeriSimDB scan ingestion (DispatchBridge), and the JSON emitted by panic-attack itself.

- ✓ Detect unchecked CBOR / MessagePack deserialization (`serde_cbor`/`ciborium`/`rmp_serde` in Rust) — PA024
- ❏ Detect A2ML parsing without a `try/catch` boundary (deferred — requires cross-file taint)
- ✓ Detect `JSON.parse`/`JSON3.read` calls not wrapped in error handling (JS/Julia) — PA024
- ❏ Track taint from external file reads to trust-sensitive sinks (kanren-phase, deferred)
SHA-pinned GitHub Actions are covered, but Julia Manifest.toml hash verification, Nix flake input pinning, and Cargo lock coherence checks are not.

- ✓ Flag `Manifest.toml` present without `[deps]` hash entries (Julia)
- ✓ Flag `flake.nix` inputs without a locked `narHash` (Nix)
- ✓ Flag `Cargo.toml` git dependencies without an explicit `rev =`
- ✓ Flag unpinned `deno.json` import map entries (bare specifiers without version)
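As an added example of the Cargo.toml check above (not panic-attack's own implementation), the function below walks a manifest and reports git dependencies that carry no `rev =` pin. It recognises both the inline-table form (`name = { git = "...", rev = "..." }`) and the `[dependencies.name]` table form; it uses simple line splitting instead of a TOML parser, which is a simplification made for this example, and the sample manifest in `main` is constructed.

```rust
// Added example, not panic-attack's own code: a line-oriented check for
// dependency entries that pull from git without an explicit `rev =`.
// It handles the two common Cargo.toml spellings without a TOML parser
// (a simplification made for this example).

/// State for a `[dependencies.<name>]`-style table while its keys are being read.
struct DepTable { name: String, has_git: bool, has_rev: bool }

fn flush(table: &mut Option<DepTable>, unpinned: &mut Vec<String>) {
    if let Some(t) = table.take() {
        if t.has_git && !t.has_rev { unpinned.push(t.name); }
    }
}

/// Names of git dependencies with no `rev = "..."` pin, in file order.
/// `tag =` / `branch =` do not count as pins: both are mutable references.
pub fn unpinned_git_deps(cargo_toml: &str) -> Vec<String> {
    let mut unpinned = Vec::new();
    let mut table: Option<DepTable> = None;

    for raw in cargo_toml.lines() {
        // Drop trailing comments (simplification: '#' inside strings is not handled).
        let line = raw.split('#').next().unwrap_or("").trim();
        if line.is_empty() { continue; }

        if line.starts_with('[') {
            flush(&mut table, &mut unpinned);
            let header = line.trim_matches(|c: char| c == '[' || c == ']');
            // `[dependencies.name]`, `[dev-dependencies.name]`, `[build-dependencies.name]`, ...
            if let Some((section, name)) = header.rsplit_once('.') {
                if section.ends_with("dependencies") {
                    table = Some(DepTable { name: name.trim_matches('"').to_string(), has_git: false, has_rev: false });
                }
            }
            continue;
        }

        if let Some((key, value)) = line.split_once('=') {
            let (key, value) = (key.trim().trim_matches('"'), value.trim());
            if let Some(t) = table.as_mut() {
                if key == "git" { t.has_git = true; }
                if key == "rev" { t.has_rev = true; }
            }
            // Inline table form: name = { git = "...", rev = "..." }
            if value.starts_with('{') {
                let has_git = value.contains("git =") || value.contains("git=");
                let has_rev = value.contains("rev =") || value.contains("rev=");
                if has_git && !has_rev { unpinned.push(key.to_string()); }
            }
        }
    }
    flush(&mut table, &mut unpinned);
    unpinned
}

fn main() {
    // Constructed manifest; the URLs are placeholders, not real repositories.
    let manifest = "[dependencies]\nfloating = { git = \"https://example.invalid/floating.git\", branch = \"main\" }\n";
    for name in unpinned_git_deps(manifest) {
        println!("git dependency `{name}` has no `rev =` pin");
    }
}
```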
Identified as an estate-wide gap in the 2026-04-05 KRL-stack CRG blitz audit.
- ✓ Detect test suites with zero mutation-test configuration (no `cargo-mutants` in Rust) — PA025
- ✓ Flag `@testset` blocks with no assertion diversity (all `@test x isa Y`, no value checks) — PA025
- ✓ Detect Elixir test suites without `ExUnitProperties` or StreamData for property-based testing — PA025
- ❏ Emit `mutation_gap` weak-point for any module with >80% line coverage but zero mutation score (requires runtime coverage data — deferred)
Based on the 007 repository analysis (2026-04-15), this milestone targets specific false positive patterns that currently inflate weak-point counts.
Panic-attack currently flags comments that mention "unsafe" or document security aspects, leading to false positives in security tests.
- ❏ Parse Rust/JS/Python/Julia comment syntax to exclude from unsafe detection
- ❏ Add `// panic-attack: accepted` comment parser for explicit suppression
- ❏ Create comment-only weak-point category for documentation review
- ❏ Improve Zig comment parsing to reduce build.zig false positives
Test files should not be held to the same safety standards as production code, but panic-attack currently applies uniform rules.
- ❏ Detect test modules (`#[cfg(test)]`, `test "…"`, `ExUnit.Case`) across languages
- ❏ Suppress PanicPath findings in test-only code (unwrap/expect acceptable in tests)
- ❏ Add test/production context to weak-point metadata
- ❏ Create test-specific suppression patterns for HTTP URLs and other test data
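One way the first three items could fit together, as an added example rather than panic-attack's planned implementation: a brace-counting pass over Rust source that records each `.unwrap()` / `.expect(` call with a test-or-production context, so a report can suppress the test-only ones. The `Context` and `PanicPath` types are assumptions for this example; the pass ignores braces inside strings and comments and assumes an attribute immediately precedes the item it decorates.

```rust
// Added example, not panic-attack's own code: records unwrap/expect panic
// paths together with whether they sit inside a `#[cfg(test)]` module or a
// `#[test]` fn. Braces inside strings/comments are not tracked, and the
// attribute is assumed to sit right before its item (simplifications).

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Context { Production, Test }

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct PanicPath { pub line: usize, pub call: &'static str, pub context: Context }

/// Every unwrap/expect call with its context, in line order.
pub fn find_panic_paths(source: &str) -> Vec<PanicPath> {
    let mut out = Vec::new();
    let mut depth: usize = 0;                        // current brace nesting depth
    let mut pending_test_attr = false;               // saw #[cfg(test)] / #[test], item not yet opened
    let mut test_region_depth: Option<usize> = None; // depth at which the test item was opened

    for (idx, raw) in source.lines().enumerate() {
        let line = raw.trim();
        if line.is_empty() || line.starts_with("//") { continue; }
        if line.starts_with("#[cfg(test)]") || line.starts_with("#[test]") {
            pending_test_attr = true;
            continue;
        }
        let opens = line.matches('{').count();
        let closes = line.matches('}').count();

        // The decorated item begins at its first `{`; nested #[test] fns inside an
        // already-open test module do not start a new region.
        if pending_test_attr && opens > 0 {
            if test_region_depth.is_none() { test_region_depth = Some(depth); }
            pending_test_attr = false;
        }

        let context = if test_region_depth.is_some() { Context::Test } else { Context::Production };
        for call in [".unwrap()", ".expect("] {
            if line.contains(call) { out.push(PanicPath { line: idx + 1, call, context }); }
        }

        depth = (depth + opens).saturating_sub(closes);
        // The region ends once nesting returns to the depth at which it was opened.
        if matches!(test_region_depth, Some(d) if depth <= d) { test_region_depth = None; }
    }
    out
}

/// The subset a production-only report would keep.
pub fn production_findings(source: &str) -> Vec<PanicPath> {
    find_panic_paths(source).into_iter().filter(|p| p.context == Context::Production).collect()
}

fn main() {
    // Constructed sample source, not from any real crate.
    let src = "fn load(p: &str) -> String {\n    std::fs::read_to_string(p).unwrap()\n}\n#[cfg(test)]\nmod tests {\n    #[test]\n    fn loads() { let _ = super::load(\"x\").expect(\"fixture\"); }\n}\n";
    for p in find_panic_paths(src) {
        println!("line {} {} [{:?}]", p.line, p.call, p.context);
    }
}
```

Keeping the context on the finding rather than dropping test findings outright matches the third item above: the metadata stays available for a documentation or review pass even when the production report suppresses it.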
Current FFI detection flags build system files and legitimate ABI boundaries.
- ❏ Distinguish `@import("std")` from `@cImport` in Zig analyzer
- ❏ Recognize build.zig as build-system context, not FFI usage
- ❏ Cross-reference with `audits/audit-ffi-unsafe.md` for pre-approved boundaries
- ❏ Add FFI category subtyping (BuildSystem, RuntimeABI, TestMock)
JIT compilation inherently requires unsafe code for function pointer manipulation, but panic-attack flags these as generic UnsafeCode findings.
- ❏ Detect Cranelift/LLVM JIT compilation contexts
- ❏ Add JIT-specific unsafe suppression for transmute patterns
- ❏ Document JIT safety invariants in weak-point metadata
- ❏ Create JIT category for specialized analysis
- ✓ Assemblyline batch scanning with rayon parallelism
- ✓ BLAKE3 fingerprinting for incremental scanning
- ✓ Notification pipeline (markdown summaries, GitHub issues)
- ✓ Chapel metalayer: `mass-panic` orchestrator with fNIRS-inspired SystemImage, temporal snapshots, VeriSimDB hexad persistence (`chapel/src/`)
- ✓ `fingerprint` subcommand: BLAKE3 directory hashing for incremental skip
- ✓ Temporal diff subcommand: `--subcommand=diff` with global health/risk/weak-point deltas
- ✓ Single-locale scan validated against 303-repo estate (2026-04-12)
- ❏ Per-node temporal diff: load full SystemImage JSON for per-repo health breakdown
- ❏ Multi-machine orchestration: gasnet/ofi multi-locale Chapel run across cluster nodes
- ❏ VeriSimDB HTTP push from Chapel metalayer (currently file-only)
- ✓ `--scheduler=queue` — resumable dynamic work-pull scheduler for mass-panic. Atomic fetch-add work index shared across locales; per-run JSONL journal shards (`locale-<id>-<runId>.jsonl`) recording `{claim, done}` state per repo with full RepoResult payload on `done`; `--resume` replays every shard in the journal directory, reconstructs RepoResult records from prior runs, and skips those repos on the new run. ~5–15% slower than static on clean runs; a crash or Ctrl+C loses only the in-flight repo per locale. See `chapel/README.md` §Scheduling modes for the full spec.
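The replay half of that scheduler, as an added example written in Rust rather than the Chapel orchestrator's own code: every shard is read, a repo counts as done if any shard holds a `done` record for it, repos that were claimed but never finished are the ones the crash lost, and the new run's queue is the estate minus the done set. The record shape `{"repo":"...","state":"claim"|"done",...}` and the tiny string-field extractor that stands in for a JSON parser are assumptions made for this example; the shard contents in the test and `main` are constructed.

```rust
// Added example, not the Chapel orchestrator's own code: a Rust sketch of the
// `--resume` replay over JSONL journal shards. The record shape is assumed to
// be {"repo":"<name>","state":"claim"|"done",...}; the field extractor is a
// simplification that stands in for a real JSON parser.
use std::collections::BTreeSet;

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct ReplayState {
    pub done: BTreeSet<String>,      // finished in a prior run: skipped on resume
    pub in_flight: BTreeSet<String>, // claimed but never finished: the work a crash lost
}

/// Extract the value of `"key":"..."` from one journal line (first occurrence).
fn json_string_field<'a>(line: &'a str, key: &str) -> Option<&'a str> {
    let marker = format!("\"{key}\":\"");
    let start = line.find(&marker)? + marker.len();
    let len = line[start..].find('"')?;
    Some(&line[start..start + len])
}

/// Replay every shard; a repo counts as done if any shard holds a `done` record for it.
pub fn replay_journal(shards: &[&str]) -> ReplayState {
    let mut claimed = BTreeSet::new();
    let mut done = BTreeSet::new();
    for shard in shards {
        for line in shard.lines().filter(|l| !l.trim().is_empty()) {
            match (json_string_field(line, "repo"), json_string_field(line, "state")) {
                (Some(repo), Some("claim")) => { claimed.insert(repo.to_string()); }
                (Some(repo), Some("done")) => { done.insert(repo.to_string()); }
                _ => {} // malformed or unknown record: ignored rather than trusted
            }
        }
    }
    let in_flight = claimed.difference(&done).cloned().collect();
    ReplayState { done, in_flight }
}

/// The repos the new run still has to process, in the original estate order.
pub fn remaining_work<'a>(all_repos: &[&'a str], state: &ReplayState) -> Vec<&'a str> {
    all_repos.iter().copied().filter(|r| !state.done.contains(*r)).collect()
}

fn main() {
    // Constructed shard contents standing in for locale-<id>-<runId>.jsonl files.
    let shard0 = "{\"repo\":\"org/a\",\"state\":\"claim\"}\n{\"repo\":\"org/a\",\"state\":\"done\",\"result\":{\"repo\":\"org/a\",\"health\":0.91}}\n{\"repo\":\"org/c\",\"state\":\"claim\"}\n";
    let state = replay_journal(&[shard0]);
    println!("done: {:?}, lost in flight: {:?}", state.done, state.in_flight);
    println!("queue: {:?}", remaining_work(&["org/a", "org/b", "org/c"], &state));
}
```

Because only `done` records exclude a repo, a shard that ends in a bare `claim` re-queues that repo on resume, which is exactly the "loses only the in-flight repo per locale" property described above.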
- ✓ Panicbot integration (gitbot-fleet, PA001-PA025 codes)
- ✓ Hypatia diagnostics self-check
- ✓ PanLL event-chain export (two dedicated panels)
- ✓ Cryptographic attestation chain with optional Ed25519 signing
- ❏ Echidnabot proof verification of scan claims
- ❏ Hypatia learning loop: findings → observed-patterns → rules
- ❏ PanLL panel for Patch Bridge CVE dashboard