Metis: Arm's Open-Source Agentic Security Review Tool
Metis, built by Arm's Product Security Team, is an open-source framework that uses LLM reasoning to find security vulnerabilities across large codebases.
Developed by Arm's Product Security Team, Metis is an open-source agentic AI framework built for deep security code review in large or legacy codebases where traditional static analysis tools often fall short. Instead of relying on hardcoded rules like linters, it leverages LLMs capable of semantic reasoning to catch subtle vulnerabilities and reduce reviewer fatigue.
The tool features a plugin-based architecture supporting 13 languages including C, C++, Java, Python, Rust, Go, TypeScript, Solidity, Verilog, and AArch64 Assembly, combining Tree-sitter-based flow/structural analysis with deterministic evidence gathering. Metis validates both its own findings and results from third-party SAST tools to cut down false positives, and integrates with a wide range of LLM providers including OpenAI, Anthropic, Google Gemini, AWS Bedrock, Ollama, and llama.cpp.
Configuration is managed through metis.yaml and plugins.yaml, letting teams customize prompt templates, code chunking parameters, and engine behavior. It defaults to a zero-setup ChromaDB backend but also supports PostgreSQL with pgvector for scalable, multi-project deployments. Third-party language plugins can be added via Setuptools entry points, making Metis adaptable to organization-specific security policies.