ai-triage | Rohit Salecha https://www.rohitsalecha.com/tags/ai-triage/ ai-triage Source Themes Academic (https://sourcethemes.com/academic/)en-usRohit Salecha &#169; `2026` Thu, 14 May 2026 12:00:00 +0530 https://www.rohitsalecha.com/images/icon_hu40c7ea214729181906829226e930351e_19106_512x512_fill_lanczos_center_2.png ai-triage https://www.rohitsalecha.com/tags/ai-triage/ semhound https://www.rohitsalecha.com/project/semhound/ Thu, 14 May 2026 12:00:00 +0530 https://www.rohitsalecha.com/project/semhound/ <h2 id="motivation">Motivation</h2> <p>Security teams often need the same answer across <strong>many</strong> repositories: “Where else does this pattern show up?” That might be a bug-bounty SQLi variant, a zero-day in a dependency, or a custom policy you encode as Semgrep rules. Running Semgrep repo-by-repo means scripting discovery, cloning, execution, and reporting yourself.</p> <p><strong>semhound</strong> automates that loop at GitHub org (or user) scale: you supply the rules, it handles <strong>discovery</strong> (<code>gh repo list</code>), <strong>parallel shallow clones</strong> over SSH, <strong>scanning</strong>, and a <strong>single report</strong> per target with GitHub permalinks. If you want help separating noise from signal, optional <strong>AI triage</strong> adds a confidence score and a true-positive verdict per finding.</p> <p>The mental model is simple: tools like TruffleHog or Gitleaks are built for <strong>secrets</strong>; semhound is for <strong>any Semgrep pattern</strong> you define, swept across every repo you can access—like a hound for Semgrep findings.</p> <h2 id="what-it-does">What it does</h2> <ol> <li><strong>Discover</strong> — Lists repositories for each org or username you pass (inline or via <code>--orgs-file</code>).</li> <li><strong>Clone</strong> — Shallow clone (<code>--depth 1</code>) with a blob size cap aligned to Semgrep’s default so large binaries are skipped.</li> <li><strong>Scan</strong> — Runs your rules from a local <code>--rules-dir</code>, remote <code>--rules-url</code>, or both.</li> <li><strong>Report</strong> — Writes <code>&lt;target&gt;_scan.csv</code> and optional SARIF (<code>--sarif</code>).</li> </ol> <p>semhound is aimed at <strong>targeted, on-demand</strong> investigations (tight rule sets, specific events), not continuous full-org scanning with huge rule packs.</p> <h2 id="install-and-docs">Install and docs</h2> <ul> <li><strong>PyPI</strong>: <a href="https://pypi.org/project/semhound/" target="_blank" rel="noopener">https://pypi.org/project/semhound/</a> — <code>pipx install semhound</code> is the recommended install path.</li> <li><strong>Source and full README</strong>: <a href="https://github.com/salecharohit/semhound" target="_blank" rel="noopener">https://github.com/salecharohit/semhound</a> — prerequisites (<code>gh</code>, <code>git</code>, <code>semgrep</code>, SSH to GitHub), usage examples, AI provider configuration (<code>ai.config.example</code>), output column reference, and FAQ.</li> </ul> <p>If you use private repositories, you need <code>gh auth login</code> plus an SSH key registered with GitHub for cloning.</p> <h2 id="licence">Licence</h2> <p>Open source under the <strong>MIT</strong> licence; see the repository for details.</p>