AI/ML Enhanced Analysis
Adds lightweight AI-powered prioritization on top of every scan: EPSS-style enrichment, reachability awareness, and suppression of low-signal findings so you can focus on exploitable issues first.
What it does
- Assigns priority_score using severity, confidence, EPSS-like data, and reachability.
- Enriches findings with epss_score, reachability flags, and suppressed markers for low-risk items.
- Works offline by default; optionally load EPSS maps from CP_EPSS_PATH.
- Surfaces AI badges in the dashboard (priority, EPSS, reachability, suppressed).
Enable it
Turn on AI prioritization via config or environment:
```yaml
# codephreak.yml
premium:
  enable_ai_prioritization: true
  # optional: supply API key/org for hosted flows
```

```shell
# or set environment variable
export CP_ENABLE_AI_PRIORITIZATION=true
# optional: provide EPSS map (JSON of CVE/rule -> score)
export CP_EPSS_PATH=~/epss.json

# run a scan with AI scoring enabled
CP_ENABLE_AI_PRIORITIZATION=true codephreak scan .
```

Sample snippet from the JSON output:

```json
{
  "rule_id": "CVE-2023-12345",
  "severity": "HIGH",
  "priority_score": 0.82,
  "epss_score": 0.72,
  "reachability": true,
  "suppressed": false
}
```

How scoring works
- Severity + confidence weights drive most of the score (capped at 1.0).
- EPSS contributes up to 25%; missing EPSS defaults to 0.05.
- Reachable items get an extra boost; unreachable + low EPSS (<0.02) are marked suppressed when severity is Low/Medium/Info.
- EPSS lookup prefers CVE IDs in rule_id; otherwise it uses the rule ID itself.
Reachability hints (optional)
If you have reachability signals (e.g., call-graph reach, exposed endpoints), supply a fingerprint map keyed by tool:rule_id:file:line when calling the AI engine.
```json
{
  "semgrep:CVE-2023-12345:src/api/users.py:42": true,
  "gitleaks:hardcoded_cred:config/dev.env:10": false
}
```

Dashboard signals
The dashboard highlights AI outputs: top prioritized findings, average EPSS, reachable count, and suppressed items. Each table row shows priority, EPSS, reachability, and suppression badges so teams can triage quickly.
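Putting the scoring rules and the reachability fingerprint map above together, here is an added illustrative scorer (example code, not codephreak's own implementation). The EPSS share, the 0.05 default, the 0.02 suppression threshold and the CVE-first lookup follow the text; the severity weights, the size of the reachability boost, and the choice to never suppress a finding that has no reachability hint at all are assumptions.

```python
import re

# Added illustrative scorer for the rules on this page; not codephreak's own
# code. Values marked "assumed" are placeholders, the rest are page-stated.
SEVERITY_WEIGHT = {"CRITICAL": 1.0, "HIGH": 0.8, "MEDIUM": 0.5, "LOW": 0.25, "INFO": 0.1}  # assumed
EPSS_DEFAULT = 0.05      # missing EPSS defaults to 0.05
EPSS_SHARE = 0.25        # EPSS contributes up to 25%
REACHABLE_BOOST = 0.10   # assumed size of the reachability boost
SUPPRESS_BELOW = 0.02    # unreachable + EPSS < 0.02 may be suppressed
SUPPRESSIBLE = {"LOW", "MEDIUM", "INFO"}
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

def lookup_epss(rule_id: str, epss_map: dict) -> float:
    """Prefer a CVE ID embedded in rule_id; otherwise key on the rule ID itself."""
    m = CVE_RE.search(rule_id)
    return float(epss_map.get(m.group(0) if m else rule_id, EPSS_DEFAULT))

def score_finding(f: dict, epss_map: dict, reach_map: dict) -> dict:
    sev = f["severity"].upper()
    base = SEVERITY_WEIGHT.get(sev, 0.1) * float(f.get("confidence", 1.0))
    epss = lookup_epss(f["rule_id"], epss_map)
    # reachability map is keyed tool:rule_id:file:line; None means "no hint"
    fp = f"{f['tool']}:{f['rule_id']}:{f['file']}:{f['line']}"
    reachable = reach_map.get(fp)
    score = base * (1 - EPSS_SHARE) + epss * EPSS_SHARE  # severity/confidence carry 75%
    if reachable:
        score += REACHABLE_BOOST
    score = min(round(score, 3), 1.0)  # capped at 1.0
    # Only an affirmative "unreachable" hint suppresses; unknown reachability is
    # left alone so a missing map never hides findings (assumed policy).
    suppressed = reachable is False and epss < SUPPRESS_BELOW and sev in SUPPRESSIBLE
    return {**f, "priority_score": score, "epss_score": epss,
            "reachability": bool(reachable), "suppressed": suppressed}

def prioritize(findings: list, epss_map: dict, reach_map: dict) -> list:
    """Score all findings; unsuppressed, highest-priority items come first."""
    scored = [score_finding(f, epss_map, reach_map) for f in findings]
    return sorted(scored, key=lambda r: (r["suppressed"], -r["priority_score"]))

# Constructed sample input mirroring the page's snippets.
EPSS_MAP = {"CVE-2023-12345": 0.72, "hardcoded_cred": 0.01}
REACH_MAP = {"semgrep:CVE-2023-12345:src/api/users.py:42": True,
             "gitleaks:hardcoded_cred:config/dev.env:10": False}
FINDINGS = [
    {"tool": "gitleaks", "rule_id": "hardcoded_cred", "file": "config/dev.env",
     "line": 10, "severity": "MEDIUM", "confidence": 0.9},
    {"tool": "semgrep", "rule_id": "CVE-2023-12345", "file": "src/api/users.py",
     "line": 42, "severity": "HIGH", "confidence": 0.9},
]
```

With the constructed input, the semgrep CVE finding scores 0.82 and sorts first, while the gitleaks finding (unreachable, EPSS 0.01, Medium) is marked suppressed.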