Source-level test inventory · AI security classification
A reproducible, audit-friendly map of every test in your codebase — classified for security relevance and ready to ship into regulated pipelines.
Capabilities
Discovers test methods via lexical parsing — no compilation, no class loading. Eight languages and their idiomatic test frameworks are recognised out of the box; see the language matrix.
Ten providers — one local (Ollama) and nine cloud (OpenAI, Anthropic,
Azure OpenAI, Mistral, Groq, xAI, GitHub Models, OpenRouter, plus an
auto selector) — label each test by security relevance,
taxonomy tags, and rationale.
Output is available as CSV (default), plain text, SARIF 2.1.0, GitHub Actions annotations, and flat JSON. Pick the schema your downstream tooling already speaks.
The -apply-tags mode inserts AI-suggested display names and tags
directly into Java/Kotlin and C# source files using a formatting-preserving
printer.
Two-phase prepare and consume mode for environments where direct AI API calls are not permitted — the runtime never leaves the secure perimeter.
Immutable per-run CSV audit trail, schema-versioned override YAML, and framework-specific guidance for PCI DSS, ISO 27001, NIST SSDF, EU DORA, and SOC 2.
Quick start
1 — Static inventory (no AI)
# bin/ script from the distribution archive
./methodatlas src/test/java
2 — AI enrichment (local Ollama)
./methodatlas -ai \
  -ai-provider ollama \
  -ai-model qwen2.5-coder:7b \
  src/test/java
3 — SARIF for GitHub Code Scanning
./methodatlas -sarif src/test/java \
  > results.sarif
4 — GitHub Models (free for OSS on GitHub)
export GITHUB_TOKEN=ghp_...
./methodatlas -ai \
  -ai-provider github_models \
  -ai-model gpt-4o-mini \
  -ai-api-key-env GITHUB_TOKEN \
  src/test/java