
MEDUSA is an AI-first Static Application Security Testing (SAST) tool boasting 74 specialized scanners and over 180 AI agent security rules.
This open-source CLI scanner targets modern development challenges like false positives and multi-language coverage.
MEDUSA consolidates security scanning across 42+ languages and file types, including Python, JavaScript, Go, Rust, Java, Dockerfiles, Terraform, and Kubernetes manifests.
Developers install it via pip and run scans with a single command, enabling parallel processing for 10-40x speedups over sequential tools. It generates reports in JSON, HTML, Markdown, or SARIF formats for CI/CD integration.
Version 2025.9.0 introduced an intelligent false positive filter that cuts noise by 40-60% through context-aware analysis, such as detecting security wrappers and excluding test files.
Sandbox compatibility ensures it runs in restricted environments like OpenAI Codex by falling back to sequential mode. Smart caching skips unchanged files, boosting rescan speeds dramatically.
CVE Detection Capabilities
Pantheon Security unveiled MEDUSA, which excels at identifying high-impact vulnerabilities and scanning package locks for supply chain risks.
| CVE ID | Description | CVSS Score | Affected Components |
|---|---|---|---|
| CVE-2025-55182 | React2Shell pre-auth RCE via Flight protocol deserialization | 10.0 | React 19.0.0-19.2.0, Next.js 15.0.0-15.0.4 |
| CVE-2025-6514 | mcp-remote OAuth SSRF to OS command injection RCE | 9.6 | mcp-remote authorization endpoint |
Upgrading React to 19.0.1+ and Next.js to 15.0.5+ mitigates React2Shell exposure.
The tool includes 180+ rules tailored for agentic AI, covering OWASP LLM Top 10 2025 risks like prompt injection, tool poisoning, and RAG poisoning.
Specialized scanners detect issues in files like .cursorrules, CLAUDE.md, mcp.json, and rag.json. Commands like "medusa scan . --ai-only" isolate AI configs for quick audits.
Users create a virtual environment, then pip install medusa-security, followed by medusa init and medusa install --all for auto-tool setup via winget, Chocolatey, or npm on Windows.
It supports Claude Code, Cursor, VS Code, Gemini CLI, and GitHub Copilot with slash commands like /medusa-scan. Configuration via .medusa.yml allows exclusions and fail-on thresholds.
MEDUSA scans 145 files in 47 seconds with six workers, maintaining consistent speeds across small to large projects. Dogfooding on its own codebase yields zero critical or high issues. CI/CD workflows integrate seamlessly, failing builds on high-severity findings.
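As an added illustration of the fail-on threshold and build-gating described above (example code, not MEDUSA's own), the function below applies a severity threshold to a SARIF 2.1.0 report and skips excluded paths such as test files. The report, rule ids and file paths are constructed; the `security-severity` rule property follows the GitHub code-scanning convention and is assumed here, with the SARIF `level` used as a fallback when it is absent.

```python
import json
import sys

# Constructed SARIF 2.1.0 report standing in for a scanner's output; rule ids,
# messages and paths are invented for this example, not taken from MEDUSA.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-sast", "rules": [
            {"id": "EX001", "properties": {"security-severity": "9.8"}},
            {"id": "EX002", "properties": {"security-severity": "4.0"}},
            {"id": "EX003"},  # no score: severity derived from result level
        ]}},
        "results": [
            {"ruleId": "EX001", "level": "error",
             "message": {"text": "deserialization of untrusted input"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/server.py"}, "region": {"startLine": 12}}}]},
            {"ruleId": "EX002", "level": "warning",
             "message": {"text": "hardcoded credential"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "tests/fixture.py"}, "region": {"startLine": 3}}}]},
            {"ruleId": "EX003", "level": "warning",
             "message": {"text": "permissive CORS policy"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/api.py"}, "region": {"startLine": 40}}}]},
        ],
    }],
})

RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}
LEVEL_FALLBACK = {"error": "high", "warning": "medium", "note": "low"}

def severity_label(score):
    """Map a CVSS-style 0-10 score to the label used by the fail-on threshold."""
    return "critical" if score >= 9.0 else "high" if score >= 7.0 else "medium" if score >= 4.0 else "low"

def gate(sarif_text, fail_on="high", exclude_prefixes=("tests/",)):
    """Return (blocking_findings, passed): findings at or above fail_on outside excluded paths."""
    doc, blocking = json.loads(sarif_text), []
    for run in doc.get("runs", []):
        rules = {r["id"]: r for r in run.get("tool", {}).get("driver", {}).get("rules", [])}
        for res in run.get("results", []):
            loc = (res.get("locations") or [{}])[0].get("physicalLocation", {})
            uri = loc.get("artifactLocation", {}).get("uri", "")
            if uri.startswith(exclude_prefixes):   # e.g. skip test fixtures, as the filter does
                continue
            props = rules.get(res.get("ruleId"), {}).get("properties", {})
            label = (severity_label(float(props["security-severity"])) if "security-severity" in props
                     else LEVEL_FALLBACK.get(res.get("level"), "low"))
            if RANK[label] >= RANK[fail_on]:
                blocking.append((uri, loc.get("region", {}).get("startLine"), res.get("ruleId"), label))
    return blocking, not blocking

if __name__ == "__main__":
    findings, ok = gate(SAMPLE_SARIF)
    for uri, line, rule, label in findings:
        print(f"{label.upper():8} {rule} {uri}:{line}")
    sys.exit(0 if ok else 1)  # non-zero exit fails the CI job
```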
