ai-code-guardian 0.7.0

Security scanner for AI-generated code - detects vulnerabilities before you commit
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140

# 🛡️ AI Code Guardian

Security scanner for AI-generated code. Catches vulnerabilities before you commit.

## The Problem

AI coding tools are great, but they introduce security risks:
- Hardcoded API keys and secrets
- SQL injection vulnerabilities
- Insecure HTTP requests
- Exposed credentials

This tool scans your code and catches these issues instantly.

## What Makes Us Different

- **Git integration** - Scan only changed or staged files for faster CI/CD
- **Custom rules engine** - Define your own security patterns with `.guardian.rules.json`
- **Severity scoring** - Numerical risk scores (0-100) for every vulnerability
- **Watch mode** - Auto-scan on file changes during development
- **Interactive TUI mode** - Navigate issues with arrow keys, mark false positives
- **Auto-fix suggestions** - Don't just find issues, get actionable solutions
- **Lightning fast** - Written in Rust, 10x faster than Node.js alternatives
- **Single binary** - No npm, no node_modules, just one executable
- **Beautiful output** - Color-coded, easy to read results
- **100% local** - No data leaves your machine

## Installation

```bash
cargo install ai-code-guardian
```

## Usage

```bash
# Scan current directory
ai-guardian scan

# Scan specific directory
ai-guardian scan ./src

# Interactive TUI mode
ai-guardian scan --interactive

# Watch mode - auto-scan on file changes
ai-guardian watch

# Scan only git changed files
ai-guardian scan --git

# Scan only git staged files
ai-guardian scan --staged

# Scan with JSON output
ai-guardian scan --json
```

## What It Detects

- **Hardcoded Secrets**: API keys, passwords, tokens
- **SQL Injection**: Unsafe query construction
- **Insecure HTTP**: Unencrypted connections
- **Exposed Credentials**: .env files, config files

## Example Output

```
🛡️  AI Code Guardian - Security Scan

Scanning: ./src

❌ HIGH (Risk: 85): Hardcoded API Key
   File: src/api.rs:12
   Found: const API_KEY = "sk-1234567890abcdef"
   Risk: Exposed credentials in source code
   Fix: Use process.env.API_KEY or import from .env file

❌ HIGH (Risk: 85): SQL Injection Risk
   File: src/db.rs:45
   Found: query = "SELECT * FROM users WHERE id = " + user_id
   Risk: Unsanitized user input in SQL query
   Fix: Use parameterized queries: db.query('SELECT * FROM users WHERE id = ?', [userId])

✅ Scan complete: 2 issues found
```

## Pre-commit Hook

Add to `.git/hooks/pre-commit`:

```bash
#!/bin/bash
ai-guardian scan
if [ $? -ne 0 ]; then
    echo "Security issues found. Commit blocked."
    exit 1
fi
```

## Custom Rules

Create `.guardian.rules.json` in your project root:

```json
[
  {
    "title": "Hardcoded Credit Card",
    "description": "Credit card number found in source code",
    "severity": "high",
    "pattern": "\\b\\d{4}[\\s-]?\\d{4}[\\s-]?\\d{4}[\\s-]?\\d{4}\\b",
    "fix_suggestion": "Never store credit card numbers in code"
  }
]
```

## How It Works

1. Walks through your codebase
2. Scans files for security patterns
3. Reports high-risk issues
4. Suggests fixes

No data leaves your machine. Everything runs locally.

## Roadmap

- [ ] XSS detection
- [ ] Path traversal detection
- [ ] Custom rule engine
- [ ] CI/CD integration
- [ ] VS Code extension

## Contributing

Found a false positive? Have a pattern to add? PRs welcome!

## License

MIT