Open Source · Java 21 · Project Loom

AI code security
inside your pipeline.

ByteDefense runs an AI model directly inside your JVM build process to scan, detect, and auto-fix vulnerabilities — without sending a single line of code to the cloud.

bytedefense-cli — scan
$ java -jar bytedefense.jar --target=src/main/java
[PHASE 1] Core Initialization
✓ Target AST mapped: TokenParser.java
✓ Jlama SLM loaded (1.14 GB / qwen2.5-coder:1.5b-q4)
✓ Virtual Thread executor ready
[PHASE 2] Semantic Analysis
! CRITICAL: Time-Based Data Exfiltration Backdoor
[PHASE 3] Auto-Remediation
→ Branch created: fix/bytedefense-exfil-99a1b
→ Pull Request opened with compile-verified patch
✓ Pipeline unblocked. 0 vulnerabilities remaining.

What ByteDefense does

A security engine that lives inside your build process. Not a dashboard you check after deployment.

In-Process AI Scanning

Jlama loads a quantized coding model directly into your JVM build. No external API calls, no docker daemons. Pure in-memory inference under 1.5 GB RAM.

Logic Bomb Detection

Goes beyond traditional AST scanners. ByteDefense understands semantic code logic to identify time-based backdoors, data exfiltration conditionals, and privilege escalation paths.

Auto-PR Remediation

When a vulnerability is found, the engine generates a patch, compiles it locally to verify correctness, then creates a Git branch and opens a Pull Request automatically.

Compile-Verified Patches

Every AI-generated fix is validated through the Java Compiler API before committing. If it doesn't compile, it doesn't ship. No broken builds from automated patches.

How it works

From commit to remediation in under 15 seconds on a standard runner.

01

PR opened or commit pushed

ByteDefense triggers automatically from your GitHub Actions workflow. It reads the changed files and maps the AST tree.

02

In-process model inference

Jlama loads the quantized Qwen 2.5 Coder model into the JVM heap. Your code is analyzed semantically for logic bombs, backdoors, and OWASP Top 10 vulnerabilities.

03

Compile-verified fix generated

If a vulnerability is found, the engine generates a remediated version and compiles it in-memory with javax.tools.JavaCompiler to ensure correctness.

04

Auto-PR with clean patch

The engine branches your repo, commits the verified fix, and opens a Pull Request titled [ByteDefense Auto-Fix] with a complete diff and explanation.

Why not just use Snyk or SonarQube?

Existing tools scan for known patterns. ByteDefense reasons about your code like a security engineer would.

No cloud dependency. Ever.

The Jlama engine runs GGUF model weights directly inside your JVM heap. Your source code never leaves your runner, your network, or your jurisdiction.

Works on cheap CI runners

Optimized for shared 2-core, 4 GB RAM GitHub Actions runners. The quantized Q4_K_M model loads in under 1.14 GB. No GPU required.

Catches what SAST tools miss

Traditional static analysis flags SQL injection patterns. ByteDefense understands semantic logic — it catches time-gated backdoors, environment-dependent exfiltration, and chained privilege escalation.

Patches that actually compile

Every AI-generated code fix is validated through javax.tools.JavaCompiler before being committed. Broken patches never reach your main branch.

The technical stack

Built for enterprise compliance teams that can't send code to external clouds.

Java 21 + Project Loom

Virtual Threads allow ByteDefense to scan hundreds of class files concurrently without spawning heavyweight OS threads, maximizing throughput on limited runners.

LangChain4j + Jlama

The Jlama integration executes GGUF model weights natively inside the JVM through Java vector intrinsics. No Python runtime. No ONNX. Pure Java inference.

< 1.5 GB Memory Cap

Quantized Q4_K_M weights keep inference strictly under 1.14 GB RAM. ByteDefense is designed for the cheapest shared CI/CD runners — no GPU required.

Air-Gapped by Design

ByteDefense makes zero outbound HTTP requests during inference. Your proprietary source code and AST trees never leave your build container's network boundary.

Used by security teams

We integrated ByteDefense into our GitHub Actions pipeline in under 30 minutes. It caught a time-gated data exfiltration backdoor in a third-party dependency PR that our existing SAST tools completely missed.

Security Architect
Fortune 500 FinTech

The air-gapped model execution was the deciding factor. Our compliance team cannot allow source code to leave our VPC. ByteDefense runs entirely inside the runner — no exceptions.

Head of DevSecOps
Healthcare SaaS

The auto-PR feature saves us hours. When a vulnerability is flagged, the engine creates a branch, patches the code, verifies it compiles, and opens a clean PR. Our review backlog dropped 40%.

Senior Staff Engineer
Cloud Infrastructure

FAQ

Ship secure code. Automatically.

Add ByteDefense to your GitHub Actions workflow in 5 minutes. Your first scan is free.