Source-level test inventory · AI security classification
A reproducible, audit-friendly map of every test in your codebase — classified for security relevance and ready to ship into regulated pipelines.
Capabilities
Discovers test methods via lexical parsing — no compilation, no class loading. Eight languages and their idiomatic test frameworks are recognised out of the box; see the language matrix.
Ten providers — one local (Ollama) and nine cloud (OpenAI, Anthropic, Azure OpenAI, Mistral, Groq, xAI, GitHub Models, OpenRouter, plus an auto selector) — label each test by security relevance, taxonomy tags, and rationale.
An opt-in -detect-secrets pass finds hard-coded credentials with a clean-room Aho-Corasick engine over 170+ vendor formats — no live verification. With AI enabled, each candidate is scored for credibility and attributed to the endpoint it authenticates against.
An interaction score flags “security” tests that only assert methods were called but never verify an outcome — a class of false-confidence bug that coverage and static-analysis tools cannot see.
CSV (default), plain text, SARIF 2.1.0, GitHub Actions annotations, and flat JSON. Pick the schema your downstream tooling already speaks.
The -apply-tags mode inserts AI-suggested display names and tags directly into Java/Kotlin and C# source files using a formatting-preserving printer.
Two-phase prepare and consume mode for environments where direct AI API calls are not permitted — the runtime never leaves the secure perimeter.
Immutable per-run CSV audit trail, schema-versioned override YAML, and framework-specific guidance for PCI DSS, ISO 27001, NIST SSDF, EU DORA, and SOC 2.
-emit-receipt fingerprints every input that shaped a scan — configuration, taxonomy, AI provider and model, and a per-template checksum of every LLM prompt — so an auditor can prove a re-run would yield identical results without repeating it.
-emit-coverage maps your tests against a team-authored control mapping (such as OWASP ASVS) and reports the gaps — the primary deliverable for a risk board or auditor.
Tamper-evident evidence packs, signed with classical (Ed25519, RSA, ECDSA), post-quantum (SPHINCS+, ML-DSA, SLH-DSA), or hybrid classical + post-quantum signatures — so an audit trail stays verifiable as cryptography moves on.
Verifiable with ZeroEcho or, for classical keys, standard tools such as openssl.
Quick start
1 — Static inventory (no AI)
# bin/ script from the distribution archive
./methodatlas src/test/java
2 — AI enrichment (local Ollama)
./methodatlas -ai \
  -ai-provider ollama \
  -ai-model qwen2.5-coder:7b \
  src/test/java
3 — SARIF for GitHub Code Scanning
./methodatlas -sarif src/test/java \
  > results.sarif
4 — GitHub Models (free for OSS on GitHub)
export GITHUB_TOKEN=ghp_...
./methodatlas -ai \
  -ai-provider github_models \
  -ai-model gpt-4o-mini \
  -ai-api-key-env GITHUB_TOKEN \
  src/test/java
5 — Signed evidence pack (PCI / ISO / NIST / ASVS)
./methodatlas -gen-signing-key audit.keyring -key-alias audit
./methodatlas -evidence-pack PCI-6.4.1 \
  -evidence-pack-keyring audit.keyring \
  -evidence-pack-key-alias audit \
  src/test/java
6 — Credential detection (deterministic, values masked)
./methodatlas -detect-secrets -sarif \
  src/test/java \
  > findings.sarif
7 — Reproducibility receipt (audit fingerprint)
./methodatlas -ai -emit-receipt \
  -receipt-file receipt.json \
  src/test/java
8 — Control-coverage matrix (GRC gaps)
./methodatlas -ai -emit-coverage \
  -coverage-mapping controls.json \
  src/test/java
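The interaction score described under Capabilities, illustrated by an added Python heuristic that is not methodatlas code and does not reproduce how the product computes its score: it finds @Test methods lexically (no compilation), then counts Mockito verify-style interaction checks against assert-style outcome assertions, so a test scoring 1.0 only checks that calls happened. The Java sample, the regexes and the scoring formula are assumptions made for this illustration.

```python
import re

# Constructed JUnit/Mockito sample (not from any real project): one test that
# only checks interactions, one that asserts an outcome, one with no checks.
SAMPLE_JAVA = """
class AuthServiceTest {
    @Test
    void rejectsExpiredToken_verifyOnly() {
        service.authenticate(expiredToken);
        verify(tokenValidator).validate(expiredToken);
        verifyNoMoreInteractions(auditLog);
    }

    @Test
    void rejectsExpiredToken() throws Exception {
        Result r = service.authenticate(expiredToken);
        assertFalse(r.isAuthenticated());
        verify(auditLog).record(any());
    }

    @Test
    void smokeTest() { service.authenticate(validToken); }
}
"""

# @Test ... name(params) [throws ...] {   -- purely lexical, no class loading
TEST_METHOD = re.compile(r"@Test\b[\s\S]*?\b(\w+)\s*\([^)]*\)[^{;]*\{")
# Mockito interaction checks: verify(...), verifyNoMoreInteractions(...), ...
INTERACTION = re.compile(r"\bverify(?:NoMoreInteractions|NoInteractions|ZeroInteractions)?\s*\(")
# Outcome assertions: assertTrue/assertFalse/assertEquals/assertThat/assertThrows/...
OUTCOME = re.compile(r"\bassert\w*\s*\(")


def test_bodies(src):
    """Yield (method name, body) per @Test method via brace matching.
    Braces inside string literals are not special-cased (heuristic only)."""
    for m in TEST_METHOD.finditer(src):
        depth, i = 1, m.end()
        while i < len(src) and depth:
            depth += {"{": 1, "}": -1}.get(src[i], 0)
            i += 1
        yield m.group(1), src[m.end():i - 1]


def interaction_score(body):
    """Share of checking statements that are interaction checks.
    1.0 = verify-only (false confidence); None = the test checks nothing."""
    interactions = len(INTERACTION.findall(body))
    outcomes = len(OUTCOME.findall(body))
    total = interactions + outcomes
    return None if total == 0 else interactions / total


def scan(src):
    """Map each @Test method name to its interaction score."""
    return {name: interaction_score(body) for name, body in test_bodies(src)}


def verify_only(src):
    """Names of tests that verify calls but never assert an outcome."""
    return sorted(name for name, score in scan(src).items() if score == 1.0)
```

A score of None is worth reporting separately: a test with no checks at all is not verify-only, but it gives even less assurance.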