vettcode-cli 1.0.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/.env.example +20 -0
- package/LICENSE +21 -0
- package/README.md +286 -0
- package/dist/ast-extractor.js +519 -0
- package/dist/cli-scan-orchestrator.js +336 -0
- package/dist/cli.js +208 -0
- package/dist/control-flow-analyzer.js +184 -0
- package/dist/data-flow-analyzer.js +197 -0
- package/dist/enhanced-patterns.js +457 -0
- package/dist/file-collector.js +132 -0
- package/dist/ignore-patterns.js +225 -0
- package/dist/openrouter.js +311 -0
- package/dist/patterns.js +248 -0
- package/dist/prompts.js +144 -0
- package/dist/reference-graph.js +415 -0
- package/dist/report-generator.js +128 -0
- package/dist/scan-priority.js +49 -0
- package/dist/smart-scan-orchestrator.js +878 -0
- package/dist/static-analyzer.js +1681 -0
- package/dist/types.js +2 -0
- package/dist/verification-layer.js +525 -0
- package/package.json +61 -0
package/.env.example
ADDED
|
@@ -0,0 +1,20 @@
|
|
|
1
|
+
# OpenRouter API Configuration
|
|
2
|
+
# Get your API keys from https://openrouter.ai/keys
|
|
3
|
+
|
|
4
|
+
# Option 1: Single API key
|
|
5
|
+
OPENROUTER_API_KEY_1=your-api-key-here
|
|
6
|
+
|
|
7
|
+
# Option 2: Multiple API keys (for load balancing and rate limit handling)
|
|
8
|
+
# OPENROUTER_API_KEY_1=your-first-api-key
|
|
9
|
+
# OPENROUTER_API_KEY_2=your-second-api-key
|
|
10
|
+
# OPENROUTER_API_KEY_3=your-third-api-key
|
|
11
|
+
|
|
12
|
+
# Option 3: Comma-separated list of keys
|
|
13
|
+
# OPENROUTER_API_KEYS=key1,key2,key3
|
|
14
|
+
|
|
15
|
+
# Optional: Specify AI models to use (comma-separated, max 3)
|
|
16
|
+
# Defaults to: openrouter/free,deepseek/deepseek-chat-v3-0324:free,qwen/qwen-2.5-coder-32b-instruct:free
|
|
17
|
+
# OPENROUTER_MODELS=openrouter/free,deepseek/deepseek-chat-v3-0324:free
|
|
18
|
+
|
|
19
|
+
# Optional: Set environment (development/production)
|
|
20
|
+
# NODE_ENV=development
|
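Review bot: the three key options (`OPENROUTER_API_KEY_1`, numbered `OPENROUTER_API_KEY_N`, and the comma-separated `OPENROUTER_API_KEYS`) are presented as alternatives, but nothing says what happens when more than one is set at once; a comment stating the precedence, or whether the lists are merged and deduplicated, would avoid keys being silently ignored or double-counted in rotation. Since line 5 leaves `OPENROUTER_API_KEY_1=your-api-key-here` uncommented, a copied `.env` will carry a live-looking value; a header comment reminding users that `.env` holds real credentials and must stay out of version control and out of the published package is cheap and worth adding. The comment on line 15 says "max 3" models while the default list on line 16 already names three, so it should also say whether an `OPENROUTER_MODELS` override replaces the defaults or is truncated to three.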
package/LICENSE
ADDED
|
@@ -0,0 +1,21 @@
|
|
|
1
|
+
MIT License
|
|
2
|
+
|
|
3
|
+
Copyright (c) 2026 VettCode CLI
|
|
4
|
+
|
|
5
|
+
Permission is hereby granted, free of charge, to any person obtaining a copy
|
|
6
|
+
of this software and associated documentation files (the "Software"), to deal
|
|
7
|
+
in the Software without restriction, including without limitation the rights
|
|
8
|
+
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
|
9
|
+
copies of the Software, and to permit persons to whom the Software is
|
|
10
|
+
furnished to do so, subject to the following conditions:
|
|
11
|
+
|
|
12
|
+
The above copyright notice and this permission notice shall be included in all
|
|
13
|
+
copies or substantial portions of the Software.
|
|
14
|
+
|
|
15
|
+
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
|
16
|
+
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
|
17
|
+
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
|
18
|
+
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
|
19
|
+
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
|
20
|
+
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
|
|
21
|
+
SOFTWARE.
|
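Review bot: line 3, `Copyright (c) 2026 VettCode CLI`, names the project rather than a person or legal entity as the rights holder; the MIT grant is made by the copyright holder, so this line should name whoever actually holds the rights (author or organization), and the year should match the first publication year of the code. The remaining lines match the standard MIT license text verbatim.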
package/README.md
ADDED
|
@@ -0,0 +1,286 @@
|
|
|
1
|
+
# VettCode CLI
|
|
2
|
+
|
|
3
|
+
**Terminal-based version of VettCode** - AI-powered codebase security and quality scanner.
|
|
4
|
+
|
|
5
|
+
Scan your codebase directly from your terminal, PowerShell, or command prompt. No web interface required.
|
|
6
|
+
|
|
7
|
+
## 🎯 What It Does
|
|
8
|
+
|
|
9
|
+
VettCode CLI provides the **exact same capabilities as the web version**, featuring a hybrid analysis pipeline:
|
|
10
|
+
|
|
11
|
+
### Analysis Pipeline
|
|
12
|
+
1. **Static Analysis** - Pattern-based detection of 350+ vulnerability patterns
|
|
13
|
+
2. **AST Extraction** - Intelligent code section extraction to reduce token usage
|
|
14
|
+
3. **AI Analysis** - Deep code analysis using OpenRouter AI models (optional)
|
|
15
|
+
4. **Verification Layer** - Cross-validation to reduce false positives to <3%
|
|
16
|
+
5. **Report Generation** - Comprehensive scoring and actionable recommendations
|
|
17
|
+
|
|
18
|
+
### Security Vulnerabilities
|
|
19
|
+
- SQL Injection (template literals, string concatenation, WHERE/LIMIT clauses)
|
|
20
|
+
- XSS (innerHTML, outerHTML, document.write, dangerouslySetInnerHTML)
|
|
21
|
+
- Command Injection (exec, spawn, eval, Function constructor)
|
|
22
|
+
- Path Traversal (file operations with user input)
|
|
23
|
+
- Hardcoded Secrets (API keys, passwords, tokens)
|
|
24
|
+
- Authentication Bypass (missing middleware, weak JWT secrets)
|
|
25
|
+
- Cryptography Issues (weak algorithms, hardcoded IVs, ECB mode)
|
|
26
|
+
|
|
27
|
+
### Production Issues
|
|
28
|
+
- Unhandled Errors (empty catch blocks, missing error logging)
|
|
29
|
+
- Missing Validation (API endpoints without input validation)
|
|
30
|
+
- Race Conditions (concurrent database writes)
|
|
31
|
+
- Missing Null Checks (property access without validation)
|
|
32
|
+
|
|
33
|
+
### Code Quality
|
|
34
|
+
- Magic Numbers (unexplained numeric constants)
|
|
35
|
+
- Deep Nesting (complex control flow)
|
|
36
|
+
- Commented Code (dead code left in source)
|
|
37
|
+
- React Issues (missing keys, useEffect deps, state mutation)
|
|
38
|
+
|
|
39
|
+
### Database Issues
|
|
40
|
+
- N+1 Query Problems (queries inside loops)
|
|
41
|
+
- Missing Connection Limits (unbounded connection pools)
|
|
42
|
+
- Missing Timeouts (infinite wait scenarios)
|
|
43
|
+
|
|
44
|
+
### Advanced Analysis
|
|
45
|
+
- **Data Flow Analysis** - Tracks user input from sources to dangerous sinks
|
|
46
|
+
- **Control Flow Analysis** - Identifies error handling and validation gaps
|
|
47
|
+
- **Reference Graph** - Cross-file dependency mapping for context-aware validation
|
|
48
|
+
|
|
49
|
+
## 🚀 Installation
|
|
50
|
+
|
|
51
|
+
### Local Installation
|
|
52
|
+
|
|
53
|
+
```bash
|
|
54
|
+
# Clone the repository
|
|
55
|
+
cd Vettcode-engine-cli
|
|
56
|
+
|
|
57
|
+
# Install dependencies
|
|
58
|
+
npm install
|
|
59
|
+
|
|
60
|
+
# Build the project
|
|
61
|
+
npm run build
|
|
62
|
+
|
|
63
|
+
# Run directly
|
|
64
|
+
node dist/cli.js <directory>
|
|
65
|
+
```
|
|
66
|
+
|
|
67
|
+
### Global Installation (Recommended)
|
|
68
|
+
|
|
69
|
+
```bash
|
|
70
|
+
# Install globally
|
|
71
|
+
npm install -g .
|
|
72
|
+
|
|
73
|
+
# Now you can use vettcode from anywhere
|
|
74
|
+
vettcode <directory>
|
|
75
|
+
```
|
|
76
|
+
|
|
77
|
+
## 📖 Usage
|
|
78
|
+
|
|
79
|
+
### Basic Scan
|
|
80
|
+
|
|
81
|
+
Scan a directory:
|
|
82
|
+
|
|
83
|
+
```bash
|
|
84
|
+
vettcode ./my-project
|
|
85
|
+
```
|
|
86
|
+
|
|
87
|
+
### Advanced Options
|
|
88
|
+
|
|
89
|
+
```bash
|
|
90
|
+
# Save report to JSON file
|
|
91
|
+
vettcode ./my-project -o report.json
|
|
92
|
+
|
|
93
|
+
# Ignore specific patterns (comma-separated)
|
|
94
|
+
vettcode ./my-project -i "node_modules,dist,build,test"
|
|
95
|
+
|
|
96
|
+
# Output JSON format to stdout
|
|
97
|
+
vettcode ./my-project --json
|
|
98
|
+
|
|
99
|
+
# Deep scan mode (analyzes all files instead of priority files)
|
|
100
|
+
vettcode ./my-project --mode deep
|
|
101
|
+
|
|
102
|
+
# Disable AI analysis (static analysis only)
|
|
103
|
+
vettcode ./my-project --no-ai
|
|
104
|
+
|
|
105
|
+
# Combine options
|
|
106
|
+
vettcode ./my-project -o report.json -i "node_modules,dist" --mode deep
|
|
107
|
+
```
|
|
108
|
+
|
|
109
|
+
### Options
|
|
110
|
+
|
|
111
|
+
- `<directory>` - Directory to scan (required)
|
|
112
|
+
- `-o, --output <file>` - Save report to JSON file
|
|
113
|
+
- `-i, --ignore <patterns>` - Comma-separated ignore patterns
|
|
114
|
+
- `--json` - Output JSON format instead of formatted text
|
|
115
|
+
- `--mode <mode>` - Scan mode: `quick` (default) or `deep`
|
|
116
|
+
- `--no-ai` - Disable AI analysis, use static analysis only
|
|
117
|
+
- `-h, --help` - Show help
|
|
118
|
+
- `-V, --version` - Show version number
|
|
119
|
+
|
|
120
|
+
## 🔑 AI Configuration (Optional)
|
|
121
|
+
|
|
122
|
+
VettCode CLI can use AI for deeper code analysis via OpenRouter. This is optional - the scanner works with static analysis alone.
|
|
123
|
+
|
|
124
|
+
### Setting Up OpenRouter
|
|
125
|
+
|
|
126
|
+
1. Get API keys from [OpenRouter.ai](https://openrouter.ai/keys)
|
|
127
|
+
2. Create a `.env` file in the CLI directory (or set environment variables)
|
|
128
|
+
3. Copy `.env.example` to `.env` and add your API keys:
|
|
129
|
+
|
|
130
|
+
```bash
|
|
131
|
+
cp .env.example .env
|
|
132
|
+
# Edit .env and add your API key
|
|
133
|
+
```
|
|
134
|
+
|
|
135
|
+
### Environment Variables
|
|
136
|
+
|
|
137
|
+
```bash
|
|
138
|
+
# Single API key
|
|
139
|
+
OPENROUTER_API_KEY_1=your-api-key-here
|
|
140
|
+
|
|
141
|
+
# Multiple API keys (for load balancing)
|
|
142
|
+
OPENROUTER_API_KEY_1=your-first-api-key
|
|
143
|
+
OPENROUTER_API_KEY_2=your-second-api-key
|
|
144
|
+
OPENROUTER_API_KEY_3=your-third-api-key
|
|
145
|
+
|
|
146
|
+
# Or comma-separated
|
|
147
|
+
OPENROUTER_API_KEYS=key1,key2,key3
|
|
148
|
+
|
|
149
|
+
# Optional: Specify AI models (defaults to free models)
|
|
150
|
+
OPENROUTER_MODELS=openrouter/free,deepseek/deepseek-chat-v3-0324:free
|
|
151
|
+
```
|
|
152
|
+
|
|
153
|
+
### AI Fallback
|
|
154
|
+
|
|
155
|
+
If AI analysis fails or no API keys are configured, VettCode CLI automatically falls back to **enhanced static analysis** with 85% coverage of the web version's capabilities.
|
|
156
|
+
|
|
157
|
+
## 📊 Output
|
|
158
|
+
|
|
159
|
+
The CLI provides a color-coded terminal output with:
|
|
160
|
+
|
|
161
|
+
- **Overall Score** (0-100) with letter grade (A+ to F)
|
|
162
|
+
- **Executive Verdict** - High-level assessment
|
|
163
|
+
- **Findings by Severity** - Count of critical, high, medium, low, info issues
|
|
164
|
+
- **Critical Blockers** - Must-fix issues before production
|
|
165
|
+
- **Strengths** - What your codebase does well
|
|
166
|
+
- **Detailed Findings Table** - Top 20 findings with file locations
|
|
167
|
+
- **Scan Metadata** - Files scanned, lines scanned, static/AI findings, tokens saved, report confidence
|
|
168
|
+
|
|
169
|
+
### Example Output
|
|
170
|
+
|
|
171
|
+
```
|
|
172
|
+
══════════════════════════════════════════════════════════════════
|
|
173
|
+
SCAN RESULTS
|
|
174
|
+
══════════════════════════════════════════════════════════════════
|
|
175
|
+
|
|
176
|
+
Score: 72/100 (C-)
|
|
177
|
+
|
|
178
|
+
Analyzed 45 files (3,421 lines). Found 12 issues.
|
|
179
|
+
|
|
180
|
+
📋 Executive Verdict:
|
|
181
|
+
MODERATE: This codebase has some security and quality concerns that should be addressed.
|
|
182
|
+
|
|
183
|
+
🔍 Findings by Severity:
|
|
184
|
+
1 Critical
|
|
185
|
+
3 High
|
|
186
|
+
5 Medium
|
|
187
|
+
3 Low
|
|
188
|
+
0 Info
|
|
189
|
+
|
|
190
|
+
🚨 Critical Blockers:
|
|
191
|
+
• SQL Injection via Template Literal in src/api/users.ts:42
|
|
192
|
+
|
|
193
|
+
✅ Strengths:
|
|
194
|
+
• No obvious security vulnerabilities detected
|
|
195
|
+
• Good error handling practices
|
|
196
|
+
|
|
197
|
+
📝 Detailed Findings:
|
|
198
|
+
┌──────────┬─────────────┬──────────────────────────────┬─────────────────┬──────┐
|
|
199
|
+
│ Severity │ Category │ Title │ File │ Line │
|
|
200
|
+
├──────────┼─────────────┼──────────────────────────────┼─────────────────┼──────┤
|
|
201
|
+
│ CRITICAL │ security │ SQL Injection via Template │ src/api/users.ts │ 42 │
|
|
202
|
+
│ HIGH │ security │ XSS via dangerouslySetInner │ src/ui/App.tsx │ 15 │
|
|
203
|
+
│ HIGH │ production │ Empty Catch Block │ src/utils.ts │ 89 │
|
|
204
|
+
...
|
|
205
|
+
```
|
|
206
|
+
|
|
207
|
+
## 🔧 Supported Languages
|
|
208
|
+
|
|
209
|
+
- **JavaScript/TypeScript** (.js, .jsx, .ts, .tsx)
|
|
210
|
+
- **Python** (.py, .pyw)
|
|
211
|
+
- **Java** (.java)
|
|
212
|
+
- **PHP** (.php, .phtml)
|
|
213
|
+
- **Go** (.go)
|
|
214
|
+
- **Ruby** (.rb)
|
|
215
|
+
- **C#** (.cs)
|
|
216
|
+
- **C/C++** (.c, .cpp, .h)
|
|
217
|
+
- **Swift** (.swift)
|
|
218
|
+
- **Kotlin** (.kt, .kts)
|
|
219
|
+
- **Rust** (.rs)
|
|
220
|
+
- **Vue** (.vue)
|
|
221
|
+
- **Svelte** (.svelte)
|
|
222
|
+
|
|
223
|
+
## 🚫 Default Ignore Patterns
|
|
224
|
+
|
|
225
|
+
The following directories and files are ignored by default:
|
|
226
|
+
|
|
227
|
+
- `node_modules`
|
|
228
|
+
- `.git`
|
|
229
|
+
- `dist`, `build`
|
|
230
|
+
- `.next`
|
|
231
|
+
- `coverage`
|
|
232
|
+
- `.vscode`, `.idea`
|
|
233
|
+
- `*.log`
|
|
234
|
+
- `*.min.js`, `*.min.css`
|
|
235
|
+
- `package-lock.json`, `yarn.lock`, `pnpm-lock.yaml`
|
|
236
|
+
|
|
237
|
+
You can add more patterns using the `-i` option.
|
|
238
|
+
|
|
239
|
+
## 📦 Development
|
|
240
|
+
|
|
241
|
+
```bash
|
|
242
|
+
# Install dependencies
|
|
243
|
+
npm install
|
|
244
|
+
|
|
245
|
+
# Build TypeScript
|
|
246
|
+
npm run build
|
|
247
|
+
|
|
248
|
+
# Run in development mode
|
|
249
|
+
npm run dev
|
|
250
|
+
|
|
251
|
+
# Run linter
|
|
252
|
+
npm run lint
|
|
253
|
+
```
|
|
254
|
+
|
|
255
|
+
## 🔒 Security & Privacy
|
|
256
|
+
|
|
257
|
+
- **Local Analysis** - Files are analyzed locally on your machine
|
|
258
|
+
- **No Data Persistence** - Scans are stateless, no data is stored
|
|
259
|
+
- **AI Optional** - Full static analysis works without AI
|
|
260
|
+
- **AI Privacy** - When AI is used, only extracted code sections are sent to OpenRouter (not full files)
|
|
261
|
+
- **Token Efficiency** - AST extraction reduces token usage by 60-80%
|
|
262
|
+
- **Rate Limiting** - Built-in API key rotation and rate limit handling
|
|
263
|
+
|
|
264
|
+
## 📄 License
|
|
265
|
+
|
|
266
|
+
MIT
|
|
267
|
+
|
|
268
|
+
## 🤝 Contributing
|
|
269
|
+
|
|
270
|
+
Contributions welcome! Areas for improvement:
|
|
271
|
+
|
|
272
|
+
- Add more language-specific patterns
|
|
273
|
+
- Improve AST extraction for other languages
|
|
274
|
+
- Add more verification rules
|
|
275
|
+
- Enhance output formatting
|
|
276
|
+
|
|
277
|
+
## ⚠️ Disclaimer
|
|
278
|
+
|
|
279
|
+
VettCode CLI is a tool to assist in code review, not a replacement for:
|
|
280
|
+
|
|
281
|
+
- Professional security audits
|
|
282
|
+
- Penetration testing
|
|
283
|
+
- Manual code review
|
|
284
|
+
- Automated testing
|
|
285
|
+
|
|
286
|
+
Always validate findings and conduct thorough testing before production deployment.
|
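Review bot: the Security & Privacy section (lines 257 and 260) is internally inconsistent: the "Local Analysis" bullet says files are analyzed locally, while three lines later the README states that extracted code sections are sent to OpenRouter whenever AI is enabled. Anyone scanning proprietary code needs the second fact up front; suggest rewording line 257 to say that static analysis runs locally and that AI mode transmits code excerpts to a third-party API, and repeating that next to `--no-ai` in the Options list (line 116) as the way to keep a scan fully offline. Further points: line 9 claims the exact same capabilities as the web version, but line 155 says the static fallback covers 85% of them; the "<3%" false-positive figure on line 15 and the "60-80%" token saving on line 261 are given without any stated basis or measurement; the example output lists a CRITICAL SQL injection blocker (line 191) and then "No obvious security vulnerabilities detected" under Strengths (line 194), which would undermine trust in the report if it is real output; and the Local Installation block (lines 54-55) says "Clone the repository" but shows only `cd Vettcode-engine-cli`, with no `git clone` command or repository URL.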