Skip to main content

A CLI tool that scans your codebases for security vulnerabilities powered by powerful AI models.

Project description

Release and Publish GitHub release (latest by date) GitHub issues GitHub pull requests GitHub

CodeScanAI

CodeScanAI utilizes a variety of AI models to scan your codebase for security vulnerabilities. It leverages powerful LLM models to identify risks and provide actionable remediation suggestions. The currently supported AI providers include:

  • OpenAI,
  • Google Gemini, and
  • custom self-hosted AI servers (Ollama, etc.).

It has been designed to integrate seamlessly into CI/CD pipelines like GitHub Actions, or can be used via a simple CLI command locally.

Check out the detailed demo and setup and try it out today!

What's new in v0.1.2

  • Pydantic-AI agent scanner: Files are now scanned one at a time by a structured AI agent, returning typed FileScanResult output instead of a raw markdown string.
  • Inline PR review comments: When running a PR scan, findings are posted as inline review comments directly on the relevant line in the diff. Falls back to a regular issue comment for architectural findings with no specific line.
  • Diff-aware analysis: When scanning a PR or local git diff, changed lines are highlighted with a [CHANGED] marker in the prompt. The agent prioritises those lines while retaining full file context for accurate data flow analysis.

Features

  • Flexible Scanning Options:

    • Full Directory Scans: Comprehensive security analysis across all files in a directory.
    • Changes Only Scan: Scan only files changed since the last commit (--changes_only).
    • PR-Specific Scans: Scan only files modified in a specific pull request, with findings posted as inline review comments.
  • Diff-Aware PR Analysis:

    When scanning a pull request, CodeScanAI fetches the exact lines changed in the diff and annotates them for the agent. This focuses the analysis on new and modified code while preserving full file context to avoid false negatives.

  • Support for Multiple AI Models:

    Supports OpenAI, Google Gemini, and any self-hosted OpenAI-compatible server. Support for additional providers can be added on demand.

  • CI/CD Integration:

    Integrate into GitHub Actions for automated security scanning on every pull request. Supports targeted scans on specific branches or changes within a repository.

Getting Started

Prerequisites

  • Python 3.10 or higher
  • API key for your chosen provider:
    • OpenAI API key, OR
    • Gemini API key, OR
    • Access to a custom AI server (host, port, and optional token)
export OPENAI_API_KEY='your_openai_api_key'

export GEMINI_API_KEY='your_gemini_api_key'

Installation

Option 1: Install via pip

pip install codescanai

This will make the codescanai command available directly in your terminal.

Option 2: Clone the Repository

git clone https://github.com/codescan-ai/codescan.git
cd codescan
pip install -r requirements.txt

Usage

Scan all files in your current directory

codescanai --provider openai

Or if you cloned the repository:

python3 -m core.runner_v2 --provider openai

Scan only changed files (local git diff)

codescanai --provider openai --changes_only

Scan a GitHub pull request

codescanai --provider openai \
  --repo owner/repo \
  --pr_number 42 \
  --github_token your_github_token

Findings will be posted as inline review comments on the PR.

Scan with a Custom AI Server

codescanai --provider custom --host http://localhost --port 5000 --token your_token --directory path/to/code

Using locally running Ollama:

codescanai --provider custom --model llama3 --host http://localhost --port 11434 --endpoint /v1 --directory path/to/code

Supported arguments

name description required default
provider AI provider (openai, gemini, custom) true ""
model AI model to use false ""
directory Directory to scan false .
changes_only Scan only files changed in the local git repo false false
repo GitHub repository (owner/repo) false ""
pr_number Pull request number false ""
github_token GitHub API token (required for PR scans) false ""
host Custom AI server host false ""
port Custom AI server port false ""
token Token for authenticating with the custom AI server false ""
endpoint API endpoint for the custom server false /api/v1/scan

Limitations

  • Rate limits: Depending on your AI provider's capacity, scanning a large number of files in a single run may hit rate limits. The V2 scanner processes files one at a time, which helps, but you may still need to break up very large directories manually.

Future Work

  • Caching: Store results of previously scanned files to reduce API calls and speed up repeat scans.

  • Expanded Git Provider Support: Currently integrated with GitHub. Future plans include GitLab, Bitbucket, and Azure Repos.

  • Expanded Development Tools: Plans to make CodeScanAI accessible as a VSCode extension and in other development environments.

Contributing

Contributions are welcome! Please fork the repository and submit a pull request with your improvements.

License

This project is licensed under the MIT License. See the LICENSE file for details.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

codescanai-0.1.3.tar.gz (15.3 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

codescanai-0.1.3-py3-none-any.whl (20.5 kB view details)

Uploaded Python 3

File details

Details for the file codescanai-0.1.3.tar.gz.

File metadata

  • Download URL: codescanai-0.1.3.tar.gz
  • Upload date:
  • Size: 15.3 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.10.20

File hashes

Hashes for codescanai-0.1.3.tar.gz
Algorithm Hash digest
SHA256 c79354ff447fa2e5aa2490ab979c260a4c7f266db26930c0fa48ea6de9df72ae
MD5 d7c416e57eb9a9075cce6ada31a1c89d
BLAKE2b-256 e24bde94dbeb42bc663226b68aae37effb7cc7150e3444164a1201d4503e5799

See more details on using hashes here.

File details

Details for the file codescanai-0.1.3-py3-none-any.whl.

File metadata

  • Download URL: codescanai-0.1.3-py3-none-any.whl
  • Upload date:
  • Size: 20.5 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.10.20

File hashes

Hashes for codescanai-0.1.3-py3-none-any.whl
Algorithm Hash digest
SHA256 571bbae0eefdd09696c5c1f88c2a421ff6761864724cf2d454c1a2207829847d
MD5 b5128f88d528d0022276b0e208b4c426
BLAKE2b-256 c20f8f465c0096618d4e41dc9cecc66efbbb98ac678a67ef906d8613365f7c22

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page