vettcode-cli 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/.env.example ADDED
@@ -0,0 +1,20 @@
1
+ # OpenRouter API Configuration
2
+ # Get your API keys from https://openrouter.ai/keys
3
+
4
+ # Option 1: Single API key
5
+ OPENROUTER_API_KEY_1=your-api-key-here
6
+
7
+ # Option 2: Multiple API keys (for load balancing and rate limit handling)
8
+ # OPENROUTER_API_KEY_1=your-first-api-key
9
+ # OPENROUTER_API_KEY_2=your-second-api-key
10
+ # OPENROUTER_API_KEY_3=your-third-api-key
11
+
12
+ # Option 3: Comma-separated list of keys
13
+ # OPENROUTER_API_KEYS=key1,key2,key3
14
+
15
+ # Optional: Specify AI models to use (comma-separated, max 3)
16
+ # Defaults to: openrouter/free,deepseek/deepseek-chat-v3-0324:free,qwen/qwen-2.5-coder-32b-instruct:free
17
+ # OPENROUTER_MODELS=openrouter/free,deepseek/deepseek-chat-v3-0324:free
18
+
19
+ # Optional: Set environment (development/production)
20
+ # NODE_ENV=development
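Review bot: the three key formats (`OPENROUTER_API_KEY_1` alone, the numbered `OPENROUTER_API_KEY_1..3`, and the comma list `OPENROUTER_API_KEYS`) are offered without saying what happens when more than one is set, whether they are merged or one form wins, or whether numbered keys may have gaps; a one-line comment stating the loader's precedence would stop a silently ignored key. The Option 1 line ships the placeholder `OPENROUTER_API_KEY_1=your-api-key-here` uncommented, so a `.env` copied from this file and left unedited sends the literal placeholder as a bearer token on every scan; comment it out like the other options, or have the loader reject that value and fall back to static-only mode. The `OPENROUTER_MODELS` comment says "max 3" without saying whether extra entries are truncated or rejected. This diff also shows no `.gitignore` or `.npmignore` entry for `.env`; confirm one exists, since the README tells users to create `.env` inside the CLI directory and a filled-in copy there would otherwise ship with the next published version.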
package/LICENSE ADDED
@@ -0,0 +1,21 @@
1
+ MIT License
2
+
3
+ Copyright (c) 2026 VettCode CLI
4
+
5
+ Permission is hereby granted, free of charge, to any person obtaining a copy
6
+ of this software and associated documentation files (the "Software"), to deal
7
+ in the Software without restriction, including without limitation the rights
8
+ to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
9
+ copies of the Software, and to permit persons to whom the Software is
10
+ furnished to do so, subject to the following conditions:
11
+
12
+ The above copyright notice and this permission notice shall be included in all
13
+ copies or substantial portions of the Software.
14
+
15
+ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16
+ IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17
+ FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18
+ AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19
+ LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20
+ OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21
+ SOFTWARE.
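Review bot: the copyright line names the product (`VettCode CLI`) rather than a person or legal entity, and an MIT grant is made by the holder, so the author's or organisation's name belongs there; the year should match first publication. The rest is the unmodified MIT text and agrees with the `MIT` entry in the README's License section.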
package/README.md ADDED
@@ -0,0 +1,286 @@
1
+ # VettCode CLI
2
+
3
+ **Terminal-based version of VettCode** - AI-powered codebase security and quality scanner.
4
+
5
+ Scan your codebase directly from your terminal, PowerShell, or command prompt. No web interface required.
6
+
7
+ ## 🎯 What It Does
8
+
9
+ VettCode CLI provides the **exact same capabilities as the web version**, featuring a hybrid analysis pipeline:
10
+
11
+ ### Analysis Pipeline
12
+ 1. **Static Analysis** - Pattern-based detection of 350+ vulnerability patterns
13
+ 2. **AST Extraction** - Intelligent code section extraction to reduce token usage
14
+ 3. **AI Analysis** - Deep code analysis using OpenRouter AI models (optional)
15
+ 4. **Verification Layer** - Cross-validation to reduce false positives to <3%
16
+ 5. **Report Generation** - Comprehensive scoring and actionable recommendations
17
+
18
+ ### Security Vulnerabilities
19
+ - SQL Injection (template literals, string concatenation, WHERE/LIMIT clauses)
20
+ - XSS (innerHTML, outerHTML, document.write, dangerouslySetInnerHTML)
21
+ - Command Injection (exec, spawn, eval, Function constructor)
22
+ - Path Traversal (file operations with user input)
23
+ - Hardcoded Secrets (API keys, passwords, tokens)
24
+ - Authentication Bypass (missing middleware, weak JWT secrets)
25
+ - Cryptography Issues (weak algorithms, hardcoded IVs, ECB mode)
26
+
27
+ ### Production Issues
28
+ - Unhandled Errors (empty catch blocks, missing error logging)
29
+ - Missing Validation (API endpoints without input validation)
30
+ - Race Conditions (concurrent database writes)
31
+ - Missing Null Checks (property access without validation)
32
+
33
+ ### Code Quality
34
+ - Magic Numbers (unexplained numeric constants)
35
+ - Deep Nesting (complex control flow)
36
+ - Commented Code (dead code left in source)
37
+ - React Issues (missing keys, useEffect deps, state mutation)
38
+
39
+ ### Database Issues
40
+ - N+1 Query Problems (queries inside loops)
41
+ - Missing Connection Limits (unbounded connection pools)
42
+ - Missing Timeouts (infinite wait scenarios)
43
+
44
+ ### Advanced Analysis
45
+ - **Data Flow Analysis** - Tracks user input from sources to dangerous sinks
46
+ - **Control Flow Analysis** - Identifies error handling and validation gaps
47
+ - **Reference Graph** - Cross-file dependency mapping for context-aware validation
48
+
49
+ ## 🚀 Installation
50
+
51
+ ### Local Installation
52
+
53
+ ```bash
54
+ # Clone the repository
55
+ cd Vettcode-engine-cli
56
+
57
+ # Install dependencies
58
+ npm install
59
+
60
+ # Build the project
61
+ npm run build
62
+
63
+ # Run directly
64
+ node dist/cli.js <directory>
65
+ ```
66
+
67
+ ### Global Installation (Recommended)
68
+
69
+ ```bash
70
+ # Install globally
71
+ npm install -g .
72
+
73
+ # Now you can use vettcode from anywhere
74
+ vettcode <directory>
75
+ ```
76
+
77
+ ## 📖 Usage
78
+
79
+ ### Basic Scan
80
+
81
+ Scan a directory:
82
+
83
+ ```bash
84
+ vettcode ./my-project
85
+ ```
86
+
87
+ ### Advanced Options
88
+
89
+ ```bash
90
+ # Save report to JSON file
91
+ vettcode ./my-project -o report.json
92
+
93
+ # Ignore specific patterns (comma-separated)
94
+ vettcode ./my-project -i "node_modules,dist,build,test"
95
+
96
+ # Output JSON format to stdout
97
+ vettcode ./my-project --json
98
+
99
+ # Deep scan mode (analyzes all files instead of priority files)
100
+ vettcode ./my-project --mode deep
101
+
102
+ # Disable AI analysis (static analysis only)
103
+ vettcode ./my-project --no-ai
104
+
105
+ # Combine options
106
+ vettcode ./my-project -o report.json -i "node_modules,dist" --mode deep
107
+ ```
108
+
109
+ ### Options
110
+
111
+ - `<directory>` - Directory to scan (required)
112
+ - `-o, --output <file>` - Save report to JSON file
113
+ - `-i, --ignore <patterns>` - Comma-separated ignore patterns
114
+ - `--json` - Output JSON format instead of formatted text
115
+ - `--mode <mode>` - Scan mode: `quick` (default) or `deep`
116
+ - `--no-ai` - Disable AI analysis, use static analysis only
117
+ - `-h, --help` - Show help
118
+ - `-V, --version` - Show version number
119
+
120
+ ## 🔑 AI Configuration (Optional)
121
+
122
+ VettCode CLI can use AI for deeper code analysis via OpenRouter. This is optional - the scanner works with static analysis alone.
123
+
124
+ ### Setting Up OpenRouter
125
+
126
+ 1. Get API keys from [OpenRouter.ai](https://openrouter.ai/keys)
127
+ 2. Create a `.env` file in the CLI directory (or set environment variables)
128
+ 3. Copy `.env.example` to `.env` and add your API keys:
129
+
130
+ ```bash
131
+ cp .env.example .env
132
+ # Edit .env and add your API key
133
+ ```
134
+
135
+ ### Environment Variables
136
+
137
+ ```bash
138
+ # Single API key
139
+ OPENROUTER_API_KEY_1=your-api-key-here
140
+
141
+ # Multiple API keys (for load balancing)
142
+ OPENROUTER_API_KEY_1=your-first-api-key
143
+ OPENROUTER_API_KEY_2=your-second-api-key
144
+ OPENROUTER_API_KEY_3=your-third-api-key
145
+
146
+ # Or comma-separated
147
+ OPENROUTER_API_KEYS=key1,key2,key3
148
+
149
+ # Optional: Specify AI models (defaults to free models)
150
+ OPENROUTER_MODELS=openrouter/free,deepseek/deepseek-chat-v3-0324:free
151
+ ```
152
+
153
+ ### AI Fallback
154
+
155
+ If AI analysis fails or no API keys are configured, VettCode CLI automatically falls back to **enhanced static analysis** with 85% coverage of the web version's capabilities.
156
+
157
+ ## 📊 Output
158
+
159
+ The CLI provides a color-coded terminal output with:
160
+
161
+ - **Overall Score** (0-100) with letter grade (A+ to F)
162
+ - **Executive Verdict** - High-level assessment
163
+ - **Findings by Severity** - Count of critical, high, medium, low, info issues
164
+ - **Critical Blockers** - Must-fix issues before production
165
+ - **Strengths** - What your codebase does well
166
+ - **Detailed Findings Table** - Top 20 findings with file locations
167
+ - **Scan Metadata** - Files scanned, lines scanned, static/AI findings, tokens saved, report confidence
168
+
169
+ ### Example Output
170
+
171
+ ```
172
+ ══════════════════════════════════════════════════════════════════
173
+ SCAN RESULTS
174
+ ══════════════════════════════════════════════════════════════════
175
+
176
+ Score: 72/100 (C-)
177
+
178
+ Analyzed 45 files (3,421 lines). Found 12 issues.
179
+
180
+ 📋 Executive Verdict:
181
+ MODERATE: This codebase has some security and quality concerns that should be addressed.
182
+
183
+ 🔍 Findings by Severity:
184
+ 1 Critical
185
+ 3 High
186
+ 5 Medium
187
+ 3 Low
188
+ 0 Info
189
+
190
+ 🚨 Critical Blockers:
191
+ • SQL Injection via Template Literal in src/api/users.ts:42
192
+
193
+ ✅ Strengths:
194
+ • No obvious security vulnerabilities detected
195
+ • Good error handling practices
196
+
197
+ 📝 Detailed Findings:
198
+ ┌──────────┬─────────────┬──────────────────────────────┬─────────────────┬──────┐
199
+ │ Severity │ Category │ Title │ File │ Line │
200
+ ├──────────┼─────────────┼──────────────────────────────┼─────────────────┼──────┤
201
+ │ CRITICAL │ security │ SQL Injection via Template │ src/api/users.ts │ 42 │
202
+ │ HIGH │ security │ XSS via dangerouslySetInner │ src/ui/App.tsx │ 15 │
203
+ │ HIGH │ production │ Empty Catch Block │ src/utils.ts │ 89 │
204
+ ...
205
+ ```
206
+
207
+ ## 🔧 Supported Languages
208
+
209
+ - **JavaScript/TypeScript** (.js, .jsx, .ts, .tsx)
210
+ - **Python** (.py, .pyw)
211
+ - **Java** (.java)
212
+ - **PHP** (.php, .phtml)
213
+ - **Go** (.go)
214
+ - **Ruby** (.rb)
215
+ - **C#** (.cs)
216
+ - **C/C++** (.c, .cpp, .h)
217
+ - **Swift** (.swift)
218
+ - **Kotlin** (.kt, .kts)
219
+ - **Rust** (.rs)
220
+ - **Vue** (.vue)
221
+ - **Svelte** (.svelte)
222
+
223
+ ## 🚫 Default Ignore Patterns
224
+
225
+ The following directories and files are ignored by default:
226
+
227
+ - `node_modules`
228
+ - `.git`
229
+ - `dist`, `build`
230
+ - `.next`
231
+ - `coverage`
232
+ - `.vscode`, `.idea`
233
+ - `*.log`
234
+ - `*.min.js`, `*.min.css`
235
+ - `package-lock.json`, `yarn.lock`, `pnpm-lock.yaml`
236
+
237
+ You can add more patterns using the `-i` option.
238
+
239
+ ## 📦 Development
240
+
241
+ ```bash
242
+ # Install dependencies
243
+ npm install
244
+
245
+ # Build TypeScript
246
+ npm run build
247
+
248
+ # Run in development mode
249
+ npm run dev
250
+
251
+ # Run linter
252
+ npm run lint
253
+ ```
254
+
255
+ ## 🔒 Security & Privacy
256
+
257
+ - **Local Analysis** - Files are analyzed locally on your machine
258
+ - **No Data Persistence** - Scans are stateless, no data is stored
259
+ - **AI Optional** - Full static analysis works without AI
260
+ - **AI Privacy** - When AI is used, only extracted code sections are sent to OpenRouter (not full files)
261
+ - **Token Efficiency** - AST extraction reduces token usage by 60-80%
262
+ - **Rate Limiting** - Built-in API key rotation and rate limit handling
263
+
264
+ ## 📄 License
265
+
266
+ MIT
267
+
268
+ ## 🤝 Contributing
269
+
270
+ Contributions welcome! Areas for improvement:
271
+
272
+ - Add more language-specific patterns
273
+ - Improve AST extraction for other languages
274
+ - Add more verification rules
275
+ - Enhance output formatting
276
+
277
+ ## ⚠️ Disclaimer
278
+
279
+ VettCode CLI is a tool to assist in code review, not a replacement for:
280
+
281
+ - Professional security audits
282
+ - Penetration testing
283
+ - Manual code review
284
+ - Automated testing
285
+
286
+ Always validate findings and conduct thorough testing before production deployment.
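Review bot: the Security & Privacy section promises more than the rest of the README supports. "No Data Persistence" is contradicted by `-o, --output <file>`, which writes findings with file paths and line numbers to disk; say instead that nothing is stored unless `-o` is given. "AI Privacy" says only extracted code sections are sent to OpenRouter, but the scanner also hunts for hardcoded secrets (API keys, passwords, tokens), so an extracted section containing one carries the secret verbatim to a third party unless it is redacted before the request; document whether that redaction happens, and point users to OpenRouter's data-retention terms for the default `:free` models. "Create a `.env` file in the CLI directory" is ambiguous after `npm install -g .`: that directory is then the global node_modules tree, where keys are lost on reinstall, and the README never says whether `.env` is also read from the scanned project's working directory, which matters because a third-party checkout could then supply the keys and models used for the scan. The example output is inconsistent with itself: Critical Blockers lists "SQL Injection via Template Literal in src/api/users.ts:42" while Strengths reports "No obvious security vulnerabilities detected". Under Installation, "# Clone the repository" is followed by `cd Vettcode-engine-cli` with no clone command or repository URL, and for a published package the global install should be `npm install -g vettcode-cli` rather than `npm install -g .`, which requires a checkout. Finally, "350+ vulnerability patterns", "reduce false positives to <3%", "85% coverage of the web version's capabilities" and "reduces token usage by 60-80%" are given without a benchmark or methodology; either link the measurement or soften the wording.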