Arm Releases Metis: Open-Source AI-Powered Security Code Review Framework
Key Takeaways
- ▸Metis leverages LLMs for semantic reasoning in security code review, moving beyond hardcoded rules of traditional static analysis tools
- ▸Multi-provider LLM support and local model compatibility give organizations flexibility in inference choice and deployment strategy
- ▸Plugin-based architecture enables easy extension to additional languages and security analysis capabilities
Summary
Arm's Product Security Team has released Metis, an open-source agentic AI security framework designed for deep security code review that leverages large language models (LLMs) with semantic understanding and reasoning capabilities. Unlike traditional linters or static analysis tools that rely on hardcoded rules, Metis can detect subtle vulnerabilities that conventional tooling often misses, particularly valuable for engineers working with large, complex, or legacy codebases.
Metis is distinguished by its deterministic local evidence review approach, which emphasizes source-local analysis and language-specific plugins over broad retrieval methods. The framework includes built-in issue validation that produces its own findings while also validating results from third-party SAST tools, reducing false positives and improving the reliability of security reviews. It supports multiple programming languages through a plugin-based system, making it straightforward to extend to additional languages as needed.
A key strength of Metis is its provider flexibility—it works with major LLM services including OpenAI, Anthropic, Gemini, and AWS Bedrock, as well as local models like Ollama and llama.cpp. This allows organizations to choose their preferred inference provider and run Metis entirely on-premise. The framework also supports multiple vector store backends, including ChromaDB for local usage and PostgreSQL with pgvector for scalable, multi-project deployments. Installation is straightforward via virtual environments or Docker, with configuration through a simple YAML file.
- Built-in validation of findings and integration with third-party SAST tools reduce false positives and improve assessment reliability
Editorial Opinion
Arm's release of Metis represents a meaningful open-source contribution to the application security landscape. By combining LLM reasoning with deterministic local evidence collection, Metis addresses a real pain point in security engineering: reducing review toil while improving accuracy. The multi-provider LLM support and extensible architecture should make this tool valuable not just for Arm's own needs, but as a foundation the broader security community can build upon and adapt.



