ai-code-guardian 0.9.0

Security scanner for AI-generated code - detects vulnerabilities before you commit

🛡️ AI Code Guardian

Security scanner for AI-generated code. Catches vulnerabilities before you commit.

The Problem

AI coding tools are great, but they introduce security risks:

  • Hardcoded API keys and secrets
  • SQL injection vulnerabilities
  • Insecure HTTP requests
  • Exposed credentials

This tool scans your code and catches these issues instantly.

What Makes Us Different

  • .guardianignore file - Exclude files/patterns from scanning
  • Git integration - Scan only changed or staged files for faster CI/CD
  • Custom rules engine - Define your own security patterns with .guardian.rules.json
  • Severity scoring - Numerical risk scores (0-100) for every vulnerability
  • Watch mode - Auto-scan on file changes during development
  • Interactive TUI mode - Navigate issues with arrow keys, mark false positives
  • Auto-fix suggestions - Don't just find issues, get actionable solutions
  • Lightning fast - Written in Rust, 10x faster than Node.js alternatives
  • Single binary - No npm, no node_modules, just one executable
  • Beautiful output - Color-coded, easy to read results
  • 100% local - No data leaves your machine

Installation

cargo install ai-code-guardian

Usage

# Scan current directory
ai-guardian scan

# Scan specific directory
ai-guardian scan ./src

# Interactive TUI mode
ai-guardian scan --interactive

# Watch mode - auto-scan on file changes
ai-guardian watch

# Scan only git changed files
ai-guardian scan --git

# Scan only git staged files
ai-guardian scan --staged

# Scan with JSON output
ai-guardian scan --json

What It Detects

  • Hardcoded Secrets: API keys, passwords, tokens
  • SQL Injection: Unsafe query construction
  • Insecure HTTP: Unencrypted connections
  • Exposed Credentials: .env files, config files

Example Output

🛡️  AI Code Guardian - Security Scan

Scanning: ./src

❌ HIGH (Risk: 85): Hardcoded API Key
   File: src/api.rs:12
   Found: const API_KEY = "sk-1234567890abcdef"
   Risk: Exposed credentials in source code
   Fix: Use process.env.API_KEY or import from .env file

❌ HIGH (Risk: 85): SQL Injection Risk
   File: src/db.rs:45
   Found: query = "SELECT * FROM users WHERE id = " + user_id
   Risk: Unsanitized user input in SQL query
   Fix: Use parameterized queries: db.query('SELECT * FROM users WHERE id = ?', [userId])

✅ Scan complete: 2 issues found

Pre-commit Hook

Add to .git/hooks/pre-commit:

#!/bin/bash
# Block the commit when the scanner exits with a non-zero status.
if ! ai-guardian scan; then
    echo "Security issues found. Commit blocked."
    exit 1
fi

Custom Rules

Create .guardian.rules.json in your project root:

[
  {
    "title": "Hardcoded Credit Card",
    "description": "Credit card number found in source code",
    "severity": "high",
    "pattern": "\\b\\d{4}[\\s-]?\\d{4}[\\s-]?\\d{4}[\\s-]?\\d{4}\\b",
    "fix_suggestion": "Never store credit card numbers in code"
  }
]

Ignore Files

Create .guardianignore to exclude files:

# Ignore test files
*test*
*spec*

# Ignore vendor code
vendor/
third_party/

How It Works

  1. Walks through your codebase
  2. Scans files for security patterns
  3. Reports high-risk issues
  4. Suggests fixes

No data leaves your machine. Everything runs locally.

Roadmap

  • Auto-fix command to apply fixes automatically
  • XSS detection patterns
  • Path traversal detection
  • CI/CD GitHub Action
  • VS Code extension

Contributing

Found a false positive? Have a pattern to add? PRs welcome!

License

MIT

Changelog

v0.9.0

  • Improved SQL injection detection to reduce false positives from logging statements
  • Pattern now requires SQL keywords (SELECT/INSERT/UPDATE/DELETE) to be followed by FROM/INTO/SET
  • Eliminates false positives from code like LOG_WARNING("Health was to be updated to: " + value)
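
The v0.9.0 change above, sketched as an added Python example (not the project's own pattern or code). The NAIVE and REFINED regexes are assumptions reconstructed from the changelog wording, and the sample lines are constructed except for the two quoted from this page.

```python
import re

# Assumed "before" heuristic: a SQL verb anywhere on a line that also
# concatenates a string literal with +. Substring match, so "updated" counts.
NAIVE = re.compile(r"""(?i)(select|insert|update|delete).*["']\s*\+""")

# Assumed "after" heuristic, following the changelog: the verb must be a whole
# word and be followed by its companion keyword before the concatenation.
REFINED = re.compile(
    r"""(?i)\b(?:select\b.*?\bfrom|delete\s+from|insert\s+into|update\b.*?\bset)\b"""
    r""".*?["']\s*\+"""
)

# Constructed sample lines; lines 1 and 2 are quoted from the page.
SAMPLES = [
    'query = "SELECT * FROM users WHERE id = " + user_id',
    'LOG_WARNING("Health was to be updated to: " + value)',
    'sql = "UPDATE accounts SET balance = " + amount',
    'db.query("SELECT * FROM users WHERE id = ?", [user_id])',
    'log.info("Please select an item: " + name)',
    'cmd = "INSERT INTO audit VALUES (" + row + ")"',
]


def flagged(pattern, lines):
    """Return the 1-based line numbers that the pattern reports."""
    return [n for n, line in enumerate(lines, 1) if pattern.search(line)]


def false_positives_removed(lines):
    """Lines the naive pattern reports but the refined one does not."""
    return sorted(set(flagged(NAIVE, lines)) - set(flagged(REFINED, lines)))


if __name__ == "__main__":
    print("naive:  ", flagged(NAIVE, SAMPLES))
    print("refined:", flagged(REFINED, SAMPLES))
    print("dropped:", false_positives_removed(SAMPLES))
    # Still a heuristic: prose containing both words ("update ... set ..." + x)
    # matches, and interpolated queries (f-strings, format!) are not covered.
```

The parameterized query on sample line 4 is reported by neither pattern, because both key on string concatenation.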