I built Reverie: An AI-powered vulnerability scanner and testing toolkit.

I was watching a YouTube video recently, and the YouTuber was talking about building harnesses around AI models for cybersecurity. A thought popped into my head: Hey! I could do that... So, I did. After a bit of research, I fired up my favorite coding agent and grinded through the weekend. And on that fateful Tuesday, Reverie was born.
What is Reverie, you may ask?
Here is the description:
Reverie AI is a multi-agent, graph-augmented code review system designed to identify deep logic bugs, security vulnerabilities, and architectural smells across large codebases.
Any random tool would have just passed individual files to an LLM and said: "Find the vulnerabilities."
But I wanted more!
I already knew of Knowledge graphs and messed around with them. But now I'll tackle them head-on.
What are Knowledge graphs?
According to Google:
A knowledge graph is a structured way of organizing information that connects distinct data points to give them context. Instead of storing information in rigid rows and columns, it maps knowledge like a web of related facts, making it highly understandable for both humans and machines.
At its core, a Knowledge Graph breaks down information into three primary components, often referred to as "triples":
Nodes (Entities): The "nouns" of the dataset. A node could be a person, a concept, a piece of software, or a server.
Edges (Relationships): The "verbs" that connect the nodes. Edges are directional and define exactly how two entities interact (e.g., "DEPENDS_ON," "BUILT_WITH," "REPORTS_TO").
Properties (Attributes): Key-value pairs attached to either nodes or edges to store metadata (e.g., a "Python" node might have the property type: dynamically_typed).
From this explanation, one can see how a vulnerability scanner would use Knowledge graphs. Your codebase is essentially one large Knowledge graph; modules contain classes and functions which contain variables and other function calls.
When a senior engineer or cybersecurity professional reviews a codebase, they usually track inputs across this graph to see how they are modified and/or used, and how the modifiers work. Reverie builds on this.
The core idea
Most AI code tools read a file and tell you what they see. Reverie does something different before any of that happens: it parses your entire repository using tree-sitter and builds a Knowledge Graph. Every function, every class, every import, and every call relationship across your whole codebase is stored in a graph database called LadybugDB.
When the agents run, they walk this graph. The Security Agent, for example, finds your API routes, marks their inputs as tainted, and traces that taint forward through the call graph hop by hop until it either hits sanitization or hits something dangerous like a raw SQL query or a subprocess call. Cross-file. Not limited to whatever file you happened to open.
There are three agents total, running in parallel via LangGraph:
Security searches for vulnerabilities adversarially. How does user input reach a dangerous sink?
Bug Detection looks at whether functions behave the way their callers expect.
Smell looks at structural problems. Is the codebase getting harder to work with over time?
They all share the same Knowledge Graph but reason about it differently.
Tech stack
Backend: Python 3.13, FastAPI, SQLAlchemy, LangGraph
AI: LangChain, LangGraph, LiteLLM
Parsing: Tree-sitter
Storage: LadybugDB (graph), ChromaDB (vector store), SQLite (project registry)
Frontend: Vue 3, Vite, Pinia, vanilla CSS
Reverie works with basically any LLM provider using a provider/model_name format, thanks to LiteLLM.
Getting started
Install with uv:
```bash
uv tool install ./reverie --force --no-cache
```
Config goes in ~/.reverie/.env:
```bash
mkdir -p ~/.reverie
cat <<EOF > ~/.reverie/.env
LLM_MODEL=openai/gpt-4o
LLM_API_KEY=your_openai_key
EMBEDDING_MODEL=openai/text-embedding-3-small
EMBEDDING_API_KEY=your_openai_key
TAVILY_API_KEY=your_tavily_key
EOF
```
Then three commands:
```bash
reverie init ./my-project --tag my-api
reverie load my-api
reverie review my-api
```
init registers the project. load parses the repo and builds the Knowledge Graph. This is the slow step. You do it once, or when the codebase changes enough to warrant a re-index. review runs the agents and drops Markdown and SARIF reports into your output directory.
The CLI
reverie summary gives you an AI-generated architectural overview of the codebase. Useful when coming back to a project after a few months and needing to remember how things fit together.
reverie review has a --mode flag if you only want specific agents:
```bash
reverie review my-api --mode security,bug_detect
```
There is also a pre-commit hook:
```bash
reverie hook install my-api
```
This adds a script to .git/hooks/pre-commit that runs a fast check on staged files. Under five seconds. I have kept it on in my own projects, which is a bar I have failed to clear with most pre-commit tools I have tried.
For looking at past runs:
```bash
reverie history list my-api
reverie history get-report my-api <ID>
reverie history get-sarif my-api <ID>
```
How the Security Agent works
Since this is the interesting part, here is the full loop:
It pulls relevant security rules from the vector store into its context. OWASP patterns, CWE mappings, things relevant to the language and framework it is looking at.
It reads the target file and identifies entry points and dangerous sinks.
It uses get_data_flow and get_callers to trace tainted input through the graph across file boundaries.
It reads the relevant files to verify whether the vulnerability is actually exploitable and check for sanitization it might have missed.
Findings come out with severity, CWE IDs, line numbers, and remediation steps. SARIF format for CI integration.
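A toy version of the taint walk described above, and of the node/edge/property structure from the Knowledge Graph section, added here as an example; it is not Reverie's code. The module and function names are constructed, and a plain dict plus an edge list stand in for LadybugDB and the get_callers/get_data_flow tools.

```python
from collections import deque

# Constructed sample graph (hypothetical names): nodes carry properties, CALLS edges point in the direction the data flows.
NODES = {
    "routes.create_user":   {"kind": "route", "params": ["username"]},
    "services.save_user":   {"kind": "function"},
    "utils.escape_sql":     {"kind": "function", "sanitizes": "sql"},
    "db.execute_raw":       {"kind": "sink", "sink_type": "sql"},
    "routes.run_job":       {"kind": "route", "params": ["cmd"]},
    "services.start":       {"kind": "function"},
    "os.subprocess_run":    {"kind": "sink", "sink_type": "command"},
    "routes.export_report": {"kind": "route", "params": ["path"]},
    "utils.escape_html":    {"kind": "function", "sanitizes": "html"},
}
EDGES = [
    ("routes.create_user", "services.save_user"),
    ("services.save_user", "utils.escape_sql"),
    ("utils.escape_sql", "db.execute_raw"),       # sanitized for the right sink
    ("routes.run_job", "services.start"),
    ("services.start", "os.subprocess_run"),      # no sanitizer at all
    ("routes.export_report", "utils.escape_html"),
    ("utils.escape_html", "os.subprocess_run"),   # HTML escaping does not help a shell
]

def callees(name, edges=EDGES):
    return [dst for src, dst in edges if src == name]  # one forward hop

def trace_taint(graph=NODES, edges=EDGES):
    """Walk taint forward from every route, hop by hop, and report each sink
    reached without a sanitizer for that sink's type somewhere on the path."""
    findings = []
    for route, props in graph.items():
        if props["kind"] != "route":
            continue
        # queue items: (node, path so far, sanitizer types applied on that path)
        queue, seen = deque([(route, [route], frozenset())]), set()
        while queue:
            node, path, clean = queue.popleft()
            for nxt in callees(node, edges):
                nprops = graph[nxt]
                nclean = clean | {nprops["sanitizes"]} if "sanitizes" in nprops else clean
                if nprops["kind"] == "sink":
                    if nprops["sink_type"] not in nclean:
                        findings.append({"route": route, "sink": nxt,
                                         "sink_type": nprops["sink_type"], "path": path + [nxt]})
                    continue  # a sink is terminal for this walk
                if (nxt, nclean) not in seen:  # avoid cycles, keyed on sanitizer state
                    seen.add((nxt, nclean))
                    queue.append((nxt, path + [nxt], nclean))
    return findings
```

The SQL path is reported as clean because escape_sql sits between the route and the SQL sink, while the two command-sink paths are reported: one has no sanitizer and the other only has an HTML escaper, which is the wrong type for that sink.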
The GUI
There is a Vue dashboard too if you prefer that to the CLI:
```bash
reverie server
```
Runs at http://127.0.0.1:8000. Project management, triggered reviews, rendered Markdown reports.
What is next
Things I want to build that are not done:
Test generation using the Knowledge Graph for context.
An agent that tries to confirm findings by actually exploiting them.
A file tree explorer in the browser.
More robust LLM evals.
MIT licensed.
Feedback welcome. If you like the project, feel free to give it a star.