🛡️ AI Code Guardian

🌐 Interactive Demo & Documentation

---

Security scanner for AI-generated code. Catches vulnerabilities before you commit.

The Problem

AI coding tools introduce security risks:

• Hardcoded API keys and secrets
• SQL injection vulnerabilities
• Insecure HTTP requests
• Exposed credentials

This tool scans your code and catches these issues instantly.

What Makes Us Different

• Dependency vulnerability checking - Scan requirements.txt, package.json, Cargo.toml for known CVEs
• .guardianignore file - Exclude files/patterns from scanning
• Git integration - Scan only changed or staged files for faster CI/CD
• Custom rules engine - Define your own security patterns with .guardian.rules.json
• Severity scoring - Numerical risk scores (0-100) for every vulnerability
• Watch mode - Auto-scan on file changes during development
• Interactive TUI mode - Navigate issues with arrow keys, mark false positives
• Auto-fix suggestions - Don't just find issues, get actionable solutions
• Lightning fast - Written in Rust, 10x faster than Node.js alternatives
• Single binary - No npm, no node_modules, just one executable
• Beautiful output - Color-coded, easy to read results
• 100% local - No data leaves your machine

Installation

cargo install ai-code-guardian

Usage

# Scan current directory
ai-guardian scan

# Scan specific directory
ai-guardian scan ./src

# Interactive TUI mode
ai-guardian scan --interactive

# Watch mode - auto-scan on file changes
ai-guardian watch

# Scan only git changed files
ai-guardian scan --git

# Scan only git staged files
ai-guardian scan --staged

# Check dependencies for vulnerabilities
ai-guardian check-deps requirements.txt
ai-guardian check-deps package.json
ai-guardian check-deps Cargo.toml

What It Detects

• Hardcoded Secrets: API keys, passwords, tokens
• SQL Injection: Unsafe query construction
• Insecure HTTP: Unencrypted connections
• Exposed Credentials: .env files, config files

Example Output

🛡️  AI Code Guardian - Security Scan

Scanning: ./src

❌ HIGH (Risk: 85): Hardcoded API Key
   File: src/api.rs:12
   Found: const API_KEY = "sk-1234567890abcdef"
   Risk: Exposed credentials in source code
   Fix: Use process.env.API_KEY or import from .env file

❌ HIGH (Risk: 85): SQL Injection Risk
   File: src/db.rs:45
   Found: query = "SELECT * FROM users WHERE id = " + user_id
   Risk: Unsanitized user input in SQL query
   Fix: Use parameterized queries: db.query('SELECT * FROM users WHERE id = ?', [userId])

✅ Scan complete: 2 issues found

CI/CD Integration

GitHub Actions

Scan PRs automatically. Create .github/workflows/security.yml:

name: Security Scan

on:
  pull_request:

jobs:
  security:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v4
      with:
        fetch-depth: 0
    
    - name: Install AI Code Guardian
      run: cargo install ai-code-guardian
    
    - name: Scan changed files
      run: ai-guardian scan --git

See examples/ directory for more GitHub Action configurations.

Pre-commit Hook

Add to .git/hooks/pre-commit:

#!/bin/bash
ai-guardian scan
if [ $? -ne 0 ]; then
    echo "Security issues found. Commit blocked."
    exit 1
fi

Custom Rules

Create .guardian.rules.json in your project root:

[
  {
    "title": "Hardcoded Credit Card",
    "description": "Credit card number found in source code",
    "severity": "high",
    "pattern": "\\b\\d{4}[\\s-]?\\d{4}[\\s-]?\\d{4}[\\s-]?\\d{4}\\b",
    "fix_suggestion": "Never store credit card numbers in code"
  }
]

Ignore Files

Create .guardianignore to exclude files:

# Ignore test files
*test*
*spec*

# Ignore vendor code
vendor/
third_party/

How It Works

1. Walks through your codebase
2. Scans files for security patterns
3. Reports high-risk issues
4. Suggests fixes

No data leaves your machine. Everything runs locally.

Roadmap

• Git integration to scan only changed files
• GitHub Actions examples
• Auto-fix command to apply fixes automatically
• XSS detection patterns
• Path traversal detection
• Official GitHub Action (no cargo install needed)
• VS Code extension

Contributing

Found a false positive? Have a pattern to add? PRs welcome!

License

MIT

Changelog

v0.10.0

• Added dependency vulnerability checking with check-deps command
• Integrates with OSV.dev API to detect known CVEs in dependencies
• Supports Python (requirements.txt, pyproject.toml), Node (package.json), Rust (Cargo.toml)
• Released in response to LiteLLM supply chain attack (March 2026)

v0.9.0

• Improved SQL injection detection to reduce false positives from logging statements
• Pattern now requires SQL keywords (SELECT/INSERT/UPDATE/DELETE) to be followed by FROM/INTO/SET
• Eliminates false positives from code like LOG_WARNING("Health was to be updated to: " + value)