A CLI tool that scans your codebases for security vulnerabilities powered by powerful AI models.
Project description
CodeScanAI
CodeScanAI utilizes a variety of AI models, including OpenAI, Gemini, and custom self-hosted AI servers, to scan your codebase for bad development practices. It is currently configure to catch potential security vulnerabilities, but will be extended to other use cases in the future.
It has been designed to enable seamless integration into CI/CD pipelines like GitHub Actions, or can be used via a simple command. CodeScanAI enables developers to automatically detect potential security issues in their code throughout the development process. Try it out today!
Features
-
Support for Multiple AI Models:
- OpenAI Integration: Utilize OpenAI's advanced models, such as GPT-4, to scan your code and identify potential security vulnerabilities, OR
- Gemini Integration: Tap into Gemini's expertise to analyze your code for security risks, OR
- Custom AI Server Integration: Connect with self-hosted or private AI servers for security scans, offering fully customizable and self-managed AI solutions.
-
CI/CD Integration:
- Seamlessly integrate the CLI tool into GitHub Actions for automated security vulnerability scanning on every pull request.
- Supports targeted scans on specific branches or changes within a repository.
-
Flexible Scanning Options:
- Full Directory Scans: Perform a comprehensive security analysis by scanning all files within a directory.
- Changes Only Scan: Only scan those files that have chnaged since the last scan.
- PR-Specific Scans: Target files modified in a specific pull request to optimize the scanning process and reduce overhead.
Getting Started
Prerequisites
- Python 3.10 or higher
- API keys for the supported AI models:
- OpenAI API key
- Gemini API key
- Access to a custom AI server (host, port, and optional token)
- Set an environment variable for your API key(s).
export OPENAI_API_KEY = 'your_openai_api_key'
OR
export GEMINI_API_KEY = 'your_gemini_api_key'
Installation
Option 1: Install via pip
You can install the tool directly from the repository using pip:
pip install codescanai
This will allow you to use the codescanai command directly in your terminal.
Option 2: Clone the Repository
If you prefer to clone the repository and install the dependencies manually:
git clone https://github.com/codescan-ai/codescan.git
cd codescan
pip install -r requirements.txt
Usage
Scanning files in your current directory
codescanai --provider openai
OR if you're cloning the repository,
python3 -m core.runner --provider openai
Scanning with a Custom AI Server
To scan code using a custom AI server:
codescanai --provider custom --host http://localhost --port 5000 --token your_token --directory path/to/your/code
Supported arguments
| name | description | required | default |
|---|---|---|---|
provider |
AI provider |
true |
"" |
model |
AI model to use |
false |
"" |
directory |
Directory to scan |
false |
. |
changes_only |
Scan only changed files |
false |
false |
repo |
GitHub repository |
false |
"" |
pr_number |
Pull request number |
false |
"" |
github_token |
GitHub API token |
false |
"" |
host |
Custom AI server host |
false |
"" |
port |
Custom AI server port |
false |
"" |
token |
Token for authenticating with the custom AI server |
false |
"" |
endpoint |
API endpoint for the custom server |
false |
/api/v1/scan |
Supported AI Providers
- OpenAI: Utilizes GPT models for in-depth security analysis.
- Gemini: Delivers strong security insights through Gemini's advanced capabilities.
- Custom: Connects with self-hosted or private AI servers for fully customizable solutions.
Limitations
- Large number of files: We currently do not support scalable way to scan a large number of files on a single run. Depending on the capacity of your AI Provider, you might run into a
rate_limit_exceedederror. To do this, you can create a custom solution that breaks down the number of files for each run.
Future Work
-
Batch Processing: For the limitation above, a future version will be to implement batch processing for a large number of files.
-
Caching Implementation: A caching mechanism to store results of previously scanned files, reducing the number of API calls and optimizing performance.
-
Expanded Git Provider Support: The tool is currently integrated with GitHub for PR-based scanning, future plans include extending support to other Git providers like GitLab, Bitbucket, and Azure Repos.
-
Expanded Development tools: This will be a plan to expand this tool to be accessible in other development environments. For example, as a VSCode extension.
Contributing
Contributions are welcome! Please fork the repository and submit a pull request with your improvements.
License
This project is licensed under the MIT License. See the LICENSE file for details.
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
File details
Details for the file codescanai-0.1.1.tar.gz.
File metadata
- Download URL: codescanai-0.1.1.tar.gz
- Upload date:
- Size: 10.4 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/5.1.1 CPython/3.10.14
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | 1aebce215cfb897da472b586c19020eb7025d3ed55949d6f5dbeca2e16efdae9 |
|
| MD5 | d6111b667a57370d2f8739debe637d5c |
|
| BLAKE2b-256 | ac90f4c146e0c28455f668dd962a27894661f3376dedc039f1e2a05a1f1b6b46 |
File details
Details for the file codescanai-0.1.1-py3-none-any.whl.
File metadata
- Download URL: codescanai-0.1.1-py3-none-any.whl
- Upload date:
- Size: 13.8 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/5.1.1 CPython/3.10.14
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | 7ce8b9fb6936b04c2e6bd03896085639c255e3eb467d60be98e6c25f00209795 |
|
| MD5 | 1b99b0cb440bb6c00c63e04895297706 |
|
| BLAKE2b-256 | d4fd1b7008bf06645bf1d98facd35e984782bf7b559d41222375d4ce19108d41 |
