Gryph is an open-source security and audit tool for AI coding agent activity. When AI agents autonomously make code changes — adding dependencies, modifying configs, writing new files — Gryph tracks these actions and generates an audit trail. It focuses on supply chain security risks: AI agents may introduce vulnerable packages, malicious dependencies, or insecure code patterns. Gryph helps security teams understand and verify what AI agents have done to their codebase.

Gryph is built by SafeDep, a company focused on open-source software supply chain security. SafeDep also maintains vet, a tool for scanning open-source packages for security issues. Gryph extends SafeDep's supply chain security focus to the AI coding agent context — ensuring that when agents add dependencies or write code, those additions are audited for security risks.

Is Gryph free and open source?

Yes — Gryph is free and open source under the Apache License 2.0. It can be self-hosted and integrated into CI/CD pipelines. There's no subscription fee for the open-source version. SafeDep may offer commercial products built on top of Gryph for enterprise customers, but the core audit trail functionality is open source.

What security risks does Gryph help with?

Gryph focuses on risks introduced by AI coding agents: dependency confusion attacks (agents adding packages with names similar to internal packages), use of known-vulnerable package versions, introduction of packages with suspicious activity patterns (typosquatting, recent ownership changes), and tracking which AI system introduced which code change for compliance purposes. This is especially relevant as organizations adopt agents that can autonomously open PRs and modify code.

Gryph | db.fyi

Why it matters

AI coding agents are increasingly able to make autonomous code changes — Gryph provides the audit trail enterprises need for compliance and security review of AI-generated contributions.
Supply chain security gap: most code security tools audit human-written code, but lack context for tracking which changes were AI-generated and whether those AI-introduced dependencies are safe.
Traceability requirement: regulated industries (financial services, healthcare) need audit trails of all code changes regardless of who (or what) made them.
Early tooling for a new security domain — as AI agents become standard in development workflows, audit trail tooling will become a compliance requirement.

Key capabilities

Audit trail: Record and log all code changes made by AI coding agents.
Dependency tracking: Monitor packages and dependencies introduced by AI agents.
Security scanning: Flag risky dependencies using SafeDep's vulnerability and supply chain data.
Agent attribution: Track which AI system made which code change.
CI/CD integration: Run as part of pull request review pipelines.
Open source: Self-hosted; Apache 2.0 license.
SafeDep integration: Connects with SafeDep's vet tool for package security analysis.

Technical notes

License: Apache License 2.0
GitHub: github.com/safedep/gryph
Stars: 53 (early-stage project)
Made by: SafeDep
Integration: CI/CD pipelines; GitHub Actions
Focus: AI agent audit trail, supply chain security

Ideal for

Security teams at organizations adopting AI coding agents who need auditability and compliance tracking for AI-generated code.
DevSecOps pipelines where code provenance (human vs. AI-generated) needs to be tracked for compliance.
Enterprise teams concerned about AI agents introducing vulnerable dependencies without security review.

Not ideal for

Teams not yet using AI coding agents — Gryph's value is specifically in auditing agent-generated changes.
General code security scanning (not agent-specific) — use Snyk, GitHub Advanced Security, or similar tools.
High-volume observability needs — AgentOps provides broader AI agent monitoring with session replay and LLM call tracking.

Gryph

Why it matters

Key capabilities

Technical notes

Ideal for

Not ideal for

See also

FAQ

Alternatives

Integrations

Built on

Why it matters

Key capabilities

Technical notes

Ideal for

Not ideal for

See also

Gryph

Why it matters

Key capabilities

Technical notes

Ideal for

Not ideal for

See also

FAQ

What is Gryph?

Who makes Gryph?

Is Gryph free and open source?

What security risks does Gryph help with?

Alternatives

Integrations

Built on

Related tools

Why it matters

Key capabilities

Technical notes

Ideal for

Not ideal for

See also