Hadrix is an AI-powered security scanner that audits your codebase for vulnerabilities. Simply run a scan and copy and paste the output into your agent of choice (for example, Codex) for remediation.
NOTE: more detail can be found at https://cli.hadrix.ai.
We do a combination of static scanning and LLM-powered scanning. Please see https://cli.hadrix.ai/#scan-pipeline for more details on how the scan pipeline works.
Install

```sh
npm install -g hadrix
```

Setup (installs the required binaries, i.e. the static scanners):

```sh
hadrix setup
```

Set the required environment variables (API-key providers):

```sh
# OpenAI (API key)
export HADRIX_PROVIDER=openai
export OPENAI_API_KEY=sk-...

# Anthropic (API key)
export HADRIX_PROVIDER=anthropic
export ANTHROPIC_API_KEY=...
```

If you prefer a provider-agnostic key, set HADRIX_API_KEY instead of the provider-specific key above.
Supported providers: openai, anthropic, codex

OpenAI (API-key mode)

```sh
export HADRIX_PROVIDER=openai
export OPENAI_API_KEY=sk-...
hadrix scan
```

Anthropic (API-key mode)

```sh
export HADRIX_PROVIDER=anthropic
export ANTHROPIC_API_KEY=...
hadrix scan
```

Codex provider setup and auth flow (uses the local codex CLI and does not require HADRIX_API_KEY):

```sh
export HADRIX_PROVIDER=codex
hadrix auth login --provider codex
hadrix auth status --provider codex
hadrix auth logout --provider codex
```

For CI environments, prefer API-key providers (OpenAI/Anthropic), since Codex requires local CLI auth state. If you must use Codex in CI, run a non-interactive `codex login --with-api-key` step (key via stdin) before `hadrix scan`, and validate with `hadrix auth status --provider codex`.
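The provider and key rules above are easy to get wrong in a pipeline, where a missing key only surfaces as an auth error after the static scanners have already run. The following CI preflight wrapper is an added example, not part of the Hadrix project: it checks that HADRIX_PROVIDER names a supported provider and that the matching credential (the provider key or HADRIX_API_KEY) is present, refuses the codex provider unless explicitly opted in, and builds the scan command from the flags documented in this README. The variables HADRIX_ALLOW_CODEX_IN_CI, HADRIX_POWER and HADRIX_REPORT are assumptions of this example, not Hadrix settings.

```sh
#!/bin/sh
# Added example (not Hadrix project code): a CI preflight wrapper around
# `hadrix scan`. It fails fast on a misconfigured provider/key environment
# instead of letting the scan run and die at the LLM step.

# Returns 0 when HADRIX_PROVIDER and a usable credential are set for
# non-interactive use, 1 otherwise; the reason goes to stderr.
hadrix_ci_preflight() {
  case "${HADRIX_PROVIDER:-}" in
    openai)
      # Either the provider-specific key or the provider-agnostic key works.
      if [ -n "${HADRIX_API_KEY:-}" ] || [ -n "${OPENAI_API_KEY:-}" ]; then
        return 0
      fi
      echo "preflight: HADRIX_PROVIDER=openai needs OPENAI_API_KEY or HADRIX_API_KEY" >&2
      return 1
      ;;
    anthropic)
      if [ -n "${HADRIX_API_KEY:-}" ] || [ -n "${ANTHROPIC_API_KEY:-}" ]; then
        return 0
      fi
      echo "preflight: HADRIX_PROVIDER=anthropic needs ANTHROPIC_API_KEY or HADRIX_API_KEY" >&2
      return 1
      ;;
    codex)
      # Codex depends on local codex CLI login state, which a fresh CI runner
      # does not have. HADRIX_ALLOW_CODEX_IN_CI (hypothetical) is an explicit
      # opt-in so the provider is never picked up by accident in a pipeline.
      if [ "${HADRIX_ALLOW_CODEX_IN_CI:-0}" = "1" ] && command -v codex >/dev/null 2>&1; then
        return 0
      fi
      echo "preflight: codex provider needs local CLI auth; prefer openai/anthropic in CI" >&2
      return 1
      ;;
    "")
      echo "preflight: HADRIX_PROVIDER is not set (openai|anthropic|codex)" >&2
      return 1
      ;;
    *)
      echo "preflight: unsupported HADRIX_PROVIDER '$HADRIX_PROVIDER'" >&2
      return 1
      ;;
  esac
}

# Builds the scan command line from README-documented flags only
# (`hadrix scan [target] --format <format> [--power]`). It prints the
# command rather than running it, so it can be logged and checked without
# hadrix installed. HADRIX_POWER=1 (hypothetical) adds --power.
hadrix_scan_cmd() {
  target="${1:-.}"
  fmt="${2:-json}"
  cmd="hadrix scan $target --format $fmt"
  if [ "${HADRIX_POWER:-0}" = "1" ]; then
    cmd="$cmd --power"
  fi
  printf '%s\n' "$cmd"
}

# CI entry point: preflight, then run the scan and save the JSON report
# (path from HADRIX_REPORT, hypothetical; defaults to hadrix-report.json).
hadrix_ci_scan() {
  hadrix_ci_preflight || return 1
  out="${HADRIX_REPORT:-hadrix-report.json}"
  cmd=$(hadrix_scan_cmd "${1:-.}" json)
  echo "running: $cmd" >&2
  eval "$cmd" > "$out"
}
```

Call `hadrix_ci_scan path/to/repo` from the pipeline step; the JSON report it writes is what you would hand to your agent for remediation.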
Run scan

```sh
hadrix scan
```

Flags supported by the CLI:

```
hadrix scan [target]       # Target defaults to the current directory when omitted.
  -f, --format <format>    Output format (text|json|core-json)
  --json                   Shortcut for --format json
  --skip-static            Skip running static scanners
  --power                  Power mode: use the more capable models (more thorough, higher cost)
  --debug                  Enable debug logging
```

Power mode switches the model from the default lightweight models (gpt-5.1-codex-mini, claude-haiku-4-5) to more capable models (gpt-5.2-codex, claude-opus-4-5); it gives more thorough results at higher cost.

Optional: provide a path to scan a specific directory, e.g. `hadrix scan path/to/repo`. Defaults to the current directory if no path is provided.
Use the following if you want to run Hadrix directly from the repo instead of the published npm package.

```sh
npm install
npm run dev -- setup
npm run dev -- scan /path/to/repo
```

If you omit the path, scan defaults to the current directory.
PRs are encouraged. We check for new PRs daily. If your PR has been waiting for a while, reach out to Henry on X.
Apache License 2.0. See LICENSE.