ai-code-guardian 0.11.2

# 🛡️ AI Code Guardian

<div align="center">

[![Crates.io](https://img.shields.io/crates/v/ai-code-guardian?style=for-the-badge)](https://crates.io/crates/ai-code-guardian)
[![Downloads](https://img.shields.io/crates/d/ai-code-guardian?style=for-the-badge)](https://crates.io/crates/ai-code-guardian)
[![License](https://img.shields.io/crates/l/ai-code-guardian?style=for-the-badge)](LICENSE)

**[🌐 Interactive Demo & Documentation](https://dinakars777.github.io/ai-code-guardian/)**

</div>

---

Security scanner for AI-generated code. Catches vulnerabilities before you commit.

## The Problem

AI coding tools are great, but they introduce security risks:
- Hardcoded API keys and secrets
- SQL injection vulnerabilities
- Insecure HTTP requests
- Exposed credentials

This tool scans your code and catches these issues instantly.

## What Makes Us Different

- **Dependency vulnerability checking** - Scan requirements.txt, package.json, Cargo.toml for known CVEs
- **.guardianignore file** - Exclude files/patterns from scanning
- **Git integration** - Scan only changed or staged files for faster CI/CD
- **Custom rules engine** - Define your own security patterns with `.guardian.rules.json`
- **Severity scoring** - Numerical risk scores (0-100) for every vulnerability
- **Watch mode** - Auto-scan on file changes during development
- **Interactive TUI mode** - Navigate issues with arrow keys, mark false positives
- **Auto-fix suggestions** - Don't just find issues, get actionable solutions
- **Lightning fast** - Written in Rust, 10x faster than Node.js alternatives
- **Single binary** - No npm, no node_modules, just one executable
- **Beautiful output** - Color-coded, easy to read results
- **100% local** - No data leaves your machine

## Installation

```bash
cargo install ai-code-guardian
```

## Usage

```bash
# Scan current directory
ai-guardian scan

# Scan specific directory
ai-guardian scan ./src

# Interactive TUI mode
ai-guardian scan --interactive

# Watch mode - auto-scan on file changes
ai-guardian watch

# Scan only git changed files
ai-guardian scan --git

# Scan only git staged files
ai-guardian scan --staged

# Check dependencies for vulnerabilities
ai-guardian check-deps requirements.txt
ai-guardian check-deps package.json
ai-guardian check-deps Cargo.toml
```

## What It Detects

- **Hardcoded Secrets**: API keys, passwords, tokens
- **SQL Injection**: Unsafe query construction
- **Insecure HTTP**: Unencrypted connections
- **Exposed Credentials**: .env files, config files

## Example Output

```
🛡️  AI Code Guardian - Security Scan

Scanning: ./src

❌ HIGH (Risk: 85): Hardcoded API Key
   File: src/api.rs:12
   Found: const API_KEY = "sk-1234567890abcdef"
   Risk: Exposed credentials in source code
   Fix: Use process.env.API_KEY or import from .env file

❌ HIGH (Risk: 85): SQL Injection Risk
   File: src/db.rs:45
   Found: query = "SELECT * FROM users WHERE id = " + user_id
   Risk: Unsanitized user input in SQL query
   Fix: Use parameterized queries: db.query('SELECT * FROM users WHERE id = ?', [userId])

✅ Scan complete: 2 issues found
```

## CI/CD Integration

### GitHub Actions

Scan PRs automatically. Create `.github/workflows/security.yml`:

```yaml
name: Security Scan

on:
  pull_request:

jobs:
  security:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v4
      with:
        fetch-depth: 0
    
    - name: Install AI Code Guardian
      run: cargo install ai-code-guardian
    
    - name: Scan changed files
      run: ai-guardian scan --git
```

See `examples/` directory for more GitHub Action configurations.

### Pre-commit Hook

Add to `.git/hooks/pre-commit`:

```bash
#!/bin/bash
ai-guardian scan
if [ $? -ne 0 ]; then
    echo "Security issues found. Commit blocked."
    exit 1
fi
```

## Custom Rules

Create `.guardian.rules.json` in your project root:

```json
[
  {
    "title": "Hardcoded Credit Card",
    "description": "Credit card number found in source code",
    "severity": "high",
    "pattern": "\\b\\d{4}[\\s-]?\\d{4}[\\s-]?\\d{4}[\\s-]?\\d{4}\\b",
    "fix_suggestion": "Never store credit card numbers in code"
  }
]
```

## Ignore Files

Create `.guardianignore` to exclude files:

```
# Ignore test files
*test*
*spec*

# Ignore vendor code
vendor/
third_party/
```

## How It Works

1. Walks through your codebase
2. Scans files for security patterns
3. Reports high-risk issues
4. Suggests fixes

No data leaves your machine. Everything runs locally.

## Roadmap

- [x] Git integration to scan only changed files
- [x] GitHub Actions examples
- [ ] Auto-fix command to apply fixes automatically
- [ ] XSS detection patterns
- [ ] Path traversal detection
- [ ] Official GitHub Action (no cargo install needed)
- [ ] VS Code extension

## Contributing

Found a false positive? Have a pattern to add? PRs welcome!

## License

MIT

## Changelog

### v0.10.0
- Added dependency vulnerability checking with `check-deps` command
- Integrates with OSV.dev API to detect known CVEs in dependencies
- Supports Python (requirements.txt, pyproject.toml), Node (package.json), Rust (Cargo.toml)
- Released in response to LiteLLM supply chain attack (March 2026)

### v0.9.0
- Improved SQL injection detection to reduce false positives from logging statements
- Pattern now requires SQL keywords (SELECT/INSERT/UPDATE/DELETE) to be followed by FROM/INTO/SET
- Eliminates false positives from code like `LOG_WARNING("Health was to be updated to: " + value)`