BrassCoders Is Now Open Source on GitHub
The full BrassCoders CLI is open source on GitHub under Apache 2.0. 12 scanners, source-auditable detection, contributions welcome. Repo at CopperSunDev/brasscoders.
BrassCoders, the bug scanner for AI coders, is now open source on GitHub. The full CLI — the same code that pipx install brasscoders pulls from PyPI — is published under Apache 2.0 at github.com/CopperSunDev/brasscoders.
The repo includes the 12 deterministic scanners, the YAML output format, the configuration files, the developer documentation, and a curated subset of the test suite. Builders can audit the detection logic, contribute scanner improvements, fork the codebase, or just file an issue when something does not work the way the docs say it should.
This post walks through what is in the public repo, why open source matters for a bug scanner specifically, the division between the OSS core and the closed-source Paid gateway, and how contributions work.
What’s In The Repo
BrassCoders ships the entire OSS detection layer at the public repo — every scanner, every config file, every line of YAML-output logic. The initial commit contains 424 source files including the src/ tree, a curated subset of the test suite, the developer documentation, and the Apache 2.0 license.
Concretely, the repo contains:
- src/brass/: the full CLI source tree. Twelve scanners, the ranker, the output generator, the privacy redaction layer, and the secret-pattern detectors.
- tests/: unit, integration, and end-to-end tests. A subset of test files with secret-format placeholders are excluded from the public repo because they trigger GitHub’s push-protection scanner (see the FAQ below); the PyPI wheel ships the full suite.
- docs/: developer documentation: setup guide, CI integration recipes, data handling policy, privacy policy, the cache lifecycle, and the CLI user guide.
- pyproject.toml: project metadata, pinned dependencies, the canonical configuration for building the wheel.
- LICENSE: Apache 2.0.
- NOTICE: attribution required by Apache 2.0.
- SECURITY.md: disclosure policy.
- CONTRIBUTING.md: contribution conventions.
Repo: github.com/CopperSunDev/brasscoders. PyPI: pypi.org/project/brasscoders.
Why Open Source Matters For A Bug Scanner
BrassCoders is open source because the detection layer needs to be auditable. Builders shipping AI-generated code want to know exactly what patterns the scanner catches, what it misses, and where the source-of-truth model files live. Closed-source SAST tools cannot answer those questions.
The audit posture is the load-bearing reason. When a SOC 2 auditor or an AppSec lead asks “how do you know the scanner catches the SQL injection pattern in db.execute?”, the answer should be a line number in src/brass/scanners/. Closed-source scanners require trust; open-source scanners require evidence. Evidence is reproducible; trust is not.
The contribution posture is secondary but real. The static-analysis community has accumulated decades of pattern knowledge across Bandit, Pylint, Pyre/Pysa, Semgrep, detect-secrets, and the surrounding upstream tools. BrassCoders builds on top of that knowledge. The right way to give back is by being open enough that improvements flow in both directions.
The reproducibility posture closes the loop. BrassCoders’s reproducible benchmarks page already pins scan results to specific commits of nine open-source codebases. Making the scanner itself source-available means anyone can re-run the benchmarks against any version of the codebase and confirm the numbers. The benchmarks are not vendor claims; they are public artifacts.
The 12 Scanners Bundled
BrassCoders bundles 12 deterministic scanners in the open-source core: Bandit, Pylint, Pyre/Pysa, Semgrep, ast-grep, detect-secrets, plus six custom detectors for secrets, privacy/PII, AI patterns, performance, content moderation, and JavaScript/TypeScript. Each one is independently verifiable in the source tree.
The six upstream tools all have their own public repositories and documentation: Bandit (PyCQA), Pylint (PyCQA), Pyre and Pysa (Meta), Semgrep (r2c), ast-grep, and detect-secrets (Yelp). BrassCoders integrates them, normalizes their output, and adds noise filtering on top.
The six custom detectors are documented in src/brass/scanners/:
- Secret patterns: 7 format-specific regexes layered on top of detect-secrets’s entropy engine
- Privacy / PII: 10+ Luhn-validated patterns (credit card, SSN, IBAN, NHS, NINO, Aadhaar, PAN, NRIC, Medicare, TFN)
- AI patterns: heuristics for common AI-coding-assistant failure modes (hardcoded credentials past comment boundaries, hallucinated imports, unsafe auth patterns)
- Performance: bottleneck detection for AI-generated Python code
- Content moderation: policy compliance and content safety
- JavaScript / TypeScript: Semgrep-driven, with curated rule sets
The full coverage map of what these detectors catch (and what they honestly miss) is in the AI Coding Assistant Blind Spots pillar.
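To make the "Luhn-validated" part of the privacy/PII detector concrete, here is an added example of the technique (written for this post, not BrassCoders's own code from src/brass/scanners/). It runs a loose card-number candidate regex over a constructed source snippet, keeps only candidates that pass the Luhn mod-10 checksum, and reports them masked so the finding itself does not leak the value. The regex, the sample text and the finding shape are all assumptions for the illustration.

```python
import re

# Candidate: 13 to 19 digits, optionally separated by spaces or dashes.
# Deliberately loose; the Luhn check below is what removes false positives.
# (Constructed pattern for this example, not the scanner's own regex.)
CARD_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample input: one valid test card number and one 16-digit
# order id that should NOT be reported.
SAMPLE = (
    "# config.py\n"
    "card = '4111 1111 1111 1111'  # constructed test value\n"
    "order_id = 1234567890123456\n"
)


def luhn_valid(digits: str) -> bool:
    """Return True when the digit string passes the Luhn mod-10 checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep only the last four digits so the finding does not repeat the secret."""
    return "*" * (len(digits) - 4) + digits[-4:]


def find_card_numbers(text: str) -> list[dict]:
    """Return Luhn-validated card-number findings with line numbers and masked values."""
    findings = []
    for m in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            line = text.count("\n", 0, m.start()) + 1
            findings.append({"line": line, "masked": mask(digits)})
    return findings


if __name__ == "__main__":
    for f in find_card_numbers(SAMPLE):
        print(f"line {f['line']}: possible card number {f['masked']}")
```

The order id on line 3 matches the candidate regex but fails the checksum, so only the line-2 value is reported; this is the same false-positive reduction the detector list above describes, applied to one pattern.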
What Stays Closed-Source
BrassCoders keeps one component closed-source: the Paid-plan enrichment gateway that runs AI-powered semantic deduplication and reranking. The detection layer (the 12 scanners) is open; only the hosted ranking layer is proprietary, and the wire-format contract between them is documented.
The division of labor is precise. The OSS CLI produces a raw YAML file with all findings the 12 scanners emit — typically 800-2,000 entries on a real-world codebase. The Paid gateway accepts the redacted findings plus a project signature derived from the codebase’s README and manifest, then returns the same findings deduplicated and ranked by relevance — typically reduced to around 30 actionable entries. Customers who do not subscribe still get the full raw findings file; they just do their own ranking.
The closed-source piece is the embedding-based reranking model and the gateway code that orchestrates it. The wire-format Zod schema in the gateway is mirrored by clamps in the CLI’s src/brass/enrichment/ directory; both are documented and stable across releases. Building a compatible alternative gateway against the documented contract is permitted under Apache 2.0; what is not permitted is using BrassCoders’s hosted gateway without a Paid-plan license, which is a service contract concern rather than a code-license one.
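Because the OSS CLI hands non-subscribers the full raw findings and leaves ranking to them, here is an added example of a purely local deduplication and ranking pass over such a findings list (this is illustration code written for this post, not the gateway's model or the CLI's src/brass/enrichment/ code). The finding keys, the severity scale and the scoring weights are assumptions; the real YAML schema lives in the repo's docs and is not reproduced here. Findings that two scanners raise on the same path, line and category are merged into one entry that records both sources, and the merged list is scored so corroborated high-severity issues in shipped code sort ahead of style nits and test fixtures.

```python
from collections import defaultdict

# Constructed raw findings in an assumed shape (scanner, rule, category,
# path, line, severity, message). Not the real BrassCoders YAML schema.
RAW_FINDINGS = [
    {"scanner": "bandit", "rule": "B608", "category": "sqli", "path": "app/db.py",
     "line": 42, "severity": "HIGH", "message": "Possible SQL injection via string formatting"},
    {"scanner": "semgrep", "rule": "python.lang.security.sqli", "category": "sqli",
     "path": "app/db.py", "line": 42, "severity": "ERROR", "message": "Formatted SQL query"},
    {"scanner": "pylint", "rule": "W0611", "category": "unused-import", "path": "app/db.py",
     "line": 3, "severity": "LOW", "message": "Unused import os"},
    {"scanner": "detect-secrets", "rule": "AWSKeyDetector", "category": "secret",
     "path": "tests/fixtures/keys.py", "line": 7, "severity": "HIGH", "message": "AWS access key"},
    {"scanner": "custom-secrets", "rule": "aws-access-key", "category": "secret",
     "path": "tests/fixtures/keys.py", "line": 7, "severity": "HIGH", "message": "AWS access key id"},
    {"scanner": "pylint", "rule": "C0301", "category": "style", "path": "app/views.py",
     "line": 10, "severity": "LOW", "message": "Line too long"},
]

# Assumed mapping of the different scanners' severity vocabularies onto one scale.
SEVERITY_WEIGHT = {"CRITICAL": 4, "HIGH": 3, "ERROR": 3, "MEDIUM": 2,
                   "WARNING": 2, "LOW": 1, "INFO": 0}


def deduplicate(findings: list[dict]) -> list[dict]:
    """Merge findings that share (path, line, category); keep the highest severity."""
    groups = defaultdict(list)
    for f in findings:
        groups[(f["path"], f["line"], f["category"])].append(f)
    merged = []
    for (path, line, category), items in groups.items():
        best = max(items, key=lambda f: SEVERITY_WEIGHT.get(f["severity"].upper(), 0))
        merged.append({
            "path": path, "line": line, "category": category,
            "severity": best["severity"], "message": best["message"],
            "sources": sorted(f["scanner"] for f in items),
        })
    return merged


def score(finding: dict) -> int:
    """Assumed heuristic: severity first, agreement between scanners second."""
    s = SEVERITY_WEIGHT.get(finding["severity"].upper(), 0) * 10
    s += 5 * (len(finding["sources"]) - 1)          # corroboration bonus
    if finding["path"].startswith(("tests/", "test/")):
        s -= 15                                       # fixtures are rarely shipped
    if finding["category"] == "style":
        s -= 5
    return s


def rank(findings: list[dict], limit: int = 30) -> list[dict]:
    """Deduplicate, then return the top `limit` findings by score (stable by path/line)."""
    merged = deduplicate(findings)
    return sorted(merged, key=lambda f: (-score(f), f["path"], f["line"]))[:limit]


if __name__ == "__main__":
    for f in rank(RAW_FINDINGS):
        print(f"{score(f):>3}  {f['severity']:<5} {f['path']}:{f['line']}  "
              f"{f['category']}  [{', '.join(f['sources'])}]")
```

The six raw entries collapse to four, with the corroborated SQL-injection finding on top and the secret in a test fixture ranked below it; swapping in different weights or a path allowlist is the kind of local policy a team can apply without the hosted gateway.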
How To Contribute
BrassCoders accepts contributions through the standard GitHub workflow at the public repo. Builders who spot a missed scanner pattern, want to add a language, or have benchmark data for a new codebase should file an issue or open a pull request. The CONTRIBUTING.md in the repo lays out the conventions.
The contribution areas that are most valuable in the near term:
- New scanner patterns: particularly for languages BrassCoders currently has shallow coverage on (Go, Rust, Java)
- New benchmark codebases: adding a vulnerable-by-design repo to the benchmarks page with reproducible scan instructions
- AI-pattern detector rules: heuristics for failure modes the team has not yet documented
- Documentation improvements: particularly the CI integration recipes for setups beyond GitHub Actions / GitLab CI / CircleCI
- Issue reports with reproducible cases: a PR-ready bug report that includes a minimal repro is the single most useful contribution
Issues, pull requests, and discussions all happen at github.com/CopperSunDev/brasscoders/issues. Email fallback for sensitive security disclosures: brass@coppersuncreative.com (per the repo’s SECURITY.md).
Closing
The OSS release is not a strategic shift; it is what BrassCoders always was. The CLI was Apache 2.0 from day one — the only thing that changed today is that the source is now visible on GitHub instead of just downloadable via pipx. The Paid plan stays $12/dev/month, the OSS core stays free forever, and the same brasscoders scan command runs against both modes.
Install:
pipx install brasscoders
brasscoders scan /path/to/project
Star the repo on GitHub if it’s useful. File issues against patterns you want covered. The community around AI-augmented code quality is still forming; BrassCoders intends to be its OSS reference implementation.
Frequently Asked Questions
Where is the BrassCoders source code?
The full OSS CLI lives at github.com/CopperSunDev/brasscoders under Apache 2.0. This is the same code that pipx install brasscoders pulls from PyPI; the GitHub repo is the canonical source for issue tracking, pull requests, and source review.
Is the Paid plan also open source?
No. The Paid-plan enrichment gateway (hosted semantic deduplication and reranking) is closed source. The OSS CLI is the detection layer; the gateway is the optional AI-powered ranking layer that customers subscribe to for $12/dev/month. The wire-format contract between them is documented in the public repo.
Why Apache 2.0 instead of MIT or AGPL?
Apache 2.0 includes an explicit patent grant that MIT lacks, which matters for an enterprise-grade scanner. It is also permissive enough that downstream OSS distros, commercial vendors, and individual developers can adopt BrassCoders without legal friction. AGPL would have forced network-deployment users to release derivative server code; the OSS core is local-first CLI usage, not a server, so AGPL adds friction without protecting BrassCoders's actual business model.
Can I run BrassCoders fully offline with the OSS core?
Yes. The OSS core makes zero outbound network calls during scans. Pass --offline to assert that contract explicitly; the only optional outbound path is --check-package-hallucination, which queries PyPI/npm/pkg.go.dev to verify imported package names exist.
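As an added example of what a hallucinated-import check does (illustration written for this post; the CLI's own --check-package-hallucination code is not reproduced here), the block below extracts the top-level module names a Python file imports with the standard-library ast module and flags any name that is neither a standard-library module, a module of the project itself, nor a known package. The real check queries PyPI/npm/pkg.go.dev; this example substitutes a constructed local index so it runs offline. The sample source, the index contents and the made-up package name are all constructed for the illustration.

```python
import ast
import sys

# Constructed stand-in for a package-registry lookup. In the CLI's real
# --check-package-hallucination path this is a query to PyPI/npm/pkg.go.dev.
KNOWN_PACKAGES = frozenset({"requests", "flask", "sqlalchemy", "yaml", "cryptography"})

# Python 3.10+ exposes the stdlib module list; the fallback set is a small
# constructed subset for older interpreters.
STDLIB = frozenset(getattr(sys, "stdlib_module_names", None)
                   or {"os", "sys", "re", "json", "ast", "pathlib", "typing"})

# Constructed sample source with one import that no registry would know.
SAMPLE_SOURCE = """
import os
import requests
from flask import Flask
from flask_magic_authz import verify_token   # constructed: not a real package
from . import helpers
import myproject.settings
"""


def imported_top_level_modules(source: str) -> set[str]:
    """Return top-level module names from absolute imports (relative imports are skipped)."""
    names = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            for alias in node.names:
                names.add(alias.name.split(".")[0])
        elif isinstance(node, ast.ImportFrom):
            if node.level == 0 and node.module:
                names.add(node.module.split(".")[0])
    return names


def find_unknown_imports(source: str, known: frozenset = KNOWN_PACKAGES,
                         local_modules: frozenset = frozenset()) -> list[str]:
    """List imported modules that are not stdlib, not local, and not in the index."""
    unknown = []
    for name in sorted(imported_top_level_modules(source)):
        if name in STDLIB or name in local_modules or name in known:
            continue
        unknown.append(name)
    return unknown


if __name__ == "__main__":
    for name in find_unknown_imports(SAMPLE_SOURCE, local_modules=frozenset({"myproject"})):
        print(f"possibly hallucinated import: {name}")
```

Passing the project's own top-level packages as local_modules keeps first-party code from being reported; everything else the file imports must be accounted for by the standard library or the index.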
Why does the public repo have fewer test files than the PyPI release?
A subset of internal test files contain real-format secret PLACEHOLDERS (sk_test_, AKIA, ghp_) used to exercise BrassCoders's own redaction logic. GitHub's secret-scanning push protection rejects them, and the org-level policy prevents repo-level bypass. The PyPI wheel ships the full test suite; the public repo excludes the placeholder-heavy fixture files. The detection logic itself is unchanged.
Can I fork BrassCoders and ship my own version?
Yes, under Apache 2.0. The license requires attribution and preserves the NOTICE file. You cannot use the BrassCoders trademark in a way that implies endorsement of your fork, but the code is yours to modify and redistribute. Forks are welcome and a healthy signal for any OSS project.