SeaGOAT
A code search engine for the AI age. SeaGOAT is a local search tool that leverages vector embeddings to enable you to search your codebase semantically.
In order to install SeaGOAT, you need to have the following dependencies already installed on your computer:
When bat is installed, it is used to display results as long as color is enabled. When SeaGOAT is used as part of a pipeline, a grep-line output format is used. When color is enabled but bat is not installed, SeaGOAT will highlight the output using pygments. Using bat is recommended.
To install SeaGOAT using pipx, use the following command:
pipx install seagoat
Should work on any decent laptop.
SeaGOAT is designed to work on Linux (tested ✅), macOS (partly tested, help 🙏) and Windows (help needed 🙏).
In order to use SeaGOAT in your project, you have to start the SeaGOAT server using the following command:
seagoat-server start /path/to/your/repo
If you have the server running, you can simply use the gt or seagoat command to query your repository. For example:
gt "Where are the numbers rounded"
You can also use regular expressions in your queries, for example:
gt "function calc_.* that deals with taxes"
You can stop the running server using the following command:
seagoat-server stop /path/to/your/repo
SeaGOAT can be tailored to your needs through YAML configuration files, either globally or per project with a .seagoat.yml file.
For instance:
# .seagoat.yml
server:
  port: 31134 # Specify server port
Check out the documentation for more details!
Requirements:
After cloning the repository, install dependencies using the following command:
poetry install
To run the test suite continuously while you edit (pytest-watch):
poetry run ptw
To run only the tests affected by your latest changes (pytest-testmon):
poetry run pytest . --testmon
To run the full test suite once:
poetry run pytest .
You can test any SeaGOAT command manually in your local development environment. For example, to test the development version of the seagoat-server command, you can run:
poetry run seagoat-server start ~/path/an/example/repository
The points in this FAQ are indications of how SeaGOAT works, but are not a legal contract. SeaGOAT is licensed under an open source license and if you are in doubt about the privacy/safety/etc implications of SeaGOAT, you are welcome to examine the source code, raise your concerns, or create a pull request to fix a problem.
SeaGOAT does not rely on 3rd party APIs or any remote APIs and executes all functionality locally using the SeaGOAT server that you are able to run on your own machine.
Instead of relying on APIs or "connecting to ChatGPT", it uses the vector database called ChromaDB, with a local vector embedding engine and telemetry disabled by default.
Apart from that, SeaGOAT also uses ripgrep, a regular-expression based code search engine, in order to provide regular expression/keyword based matches in addition to the "AI-based" matches.
While the current version of SeaGOAT does not send your data to remote servers, it might be possible that in the future there will be optional features that do so, if any further improvement can be gained from that.
SeaGOAT needs a server in order to provide a speedy response. SeaGOAT heavily relies on vector embeddings and vector databases, which at the moment cannot be replaced with an architecture that processes files on the fly.
It's worth noting that you are able to run the SeaGOAT server entirely locally, and it works even if you don't have an internet connection. This use case does not require you to share data with a remote server; you are able to use your own SeaGOAT server locally, although it's also possible to run a SeaGOAT server and allow other computers to connect to it, if you so wish.
If you are concerned about the ethical implications of using AI tools, keep in mind that SeaGOAT is not a code generator but a code search engine; therefore it does not create AI-derived work.
That being said, a language model is being used to generate vector embeddings. At the moment SeaGOAT uses ChromaDB's default model for calculating vector embeddings, and I am not aware of this being an ethical concern.
Currently SeaGOAT is hard coded to only process files in the following formats:
*.txt
*.md
*.py
*.c, *.h
*.cpp, *.cc, *.cxx, *.hpp
*.ts, *.tsx
*.js, *.jsx
*.html
*.go
*.java
*.php
*.rb
Since processing files for large repositories can take a long time, SeaGOAT is designed to allow you to use your computer while processing files. It is an intentional design choice to avoid blocking/slowing down your computer.
This design decision does not affect the performance of queries.
By the way, you are able to use SeaGOAT to query your repository while it's processing your files! When you make a query, and the files are not processed yet, you will receive a warning with an estimation of the accuracy of your results. Also, regular expression/full text search based results will be displayed from the very beginning!
The preferred character encoding is UTF-8. Most other character encodings should also work. Only text files are supported; SeaGOAT ignores binary files.
Where SeaGOAT stores databases and cache depends on your operating system. For your convenience, you can use the seagoat-server server-info command to find out where these files are stored on your system.
Yes, if you would like to use SeaGOAT without having to run the server on the same computer, you can simply self-host the SeaGOAT server on a different computer or in the cloud, and configure the seagoat/gt command to connect to this remote server through the internet.
Keep in mind that SeaGOAT itself does not enforce any security as it is primarily designed to run locally. If you have private code that you do not wish to leak, you will have to make sure that only trusted people have access to the SeaGOAT server. This could be done by making it only available through a VPN that only your teammates can access.
SeaGOAT already ignores all files/directories ignored in your .gitignore. If you wish to ignore additional files but keep them in git, you can use the ignorePatterns attribute from the server configuration.
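An added example of a project-level .seagoat.yml (not taken from the SeaGOAT docs) that combines the server port shown above with ignorePatterns entries keeping files that commonly hold secrets out of the index. Since the server enforces no access control, anything indexed can be returned to any client that can reach it, so excluding such files matters most for a shared server. The list form and glob syntax of ignorePatterns are assumptions; check them against the SeaGOAT documentation.

```yaml
# .seagoat.yml (added example; ignorePatterns glob syntax is assumed)
server:
  port: 31134 # Specify server port
  # Files matched here stay in git but are never processed by SeaGOAT,
  # so their contents cannot be surfaced by a semantic or regex query.
  ignorePatterns:
    - ".env"
    - ".env.*"
    - "**/*.pem"
    - "**/*.key"
    - "**/id_rsa*"
    - "**/secrets/**"
```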
We found that seagoat demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.