vibe-secure 1.0.0 → 1.1.0

package/README.md

@@ -60,6 +60,29 @@ What it Checks
 | Auth | Flags API routes like app.delete('/user/:id') that appear to have no middleware. |
 | SQL Injection | Flags SELECT statements using string concatenation or template literals. |
 | XSS | Flags dangerouslySetInnerHTML, javascript: links, and eval(). |
+| **AI Analysis** | (Optional) Uses **Google Gemini 2.0 Flash** to find logic flaws and subtle bugs. |
+
+AI-Powered Analysis (Experimental)
+----------------------------------
+
+Vibe Secure now supports **AI-powered security audits** using Google Gemini. This goes beyond regex to find logic bugs, such as missing permission checks or authentication bypasses.
+
+**Requirements:**
+1.  Get a [Google Gemini API Key](https://aistudio.google.com/).
+2.  Set the environment variable:
+    ```bash
+    export GEMINI_API_KEY=your_key_here
+    ```
+
+**Usage:**
+Run with the `--ai` flag:
+
+```bash
+vibe-secure . --ai
+```
+
+> **Note:** This feature sends your code snippet (up to 10k chars) to Google's AI for analysis. Use with caution on private codebases.
+
 
 Development
 -----------

package/index.js

@@ -3,12 +3,15 @@
 const { Command } = require('commander');
 const chalk = require('chalk');
 const figlet = require('figlet');
-const { scanFolder } = require('./src/scanner');
+const { scanFolder } = require('./src/core/scanner');
 const { checkForSecrets } = require('./src/checks/secrets');
+
 const { checkForDatabaseUrls } = require('./src/checks/dbCheck');
 const { checkForUnsafeEndpoints } = require('./src/checks/endpointCheck');
 const { checkForSqlInjection } = require('./src/checks/sqlInjection.js');
 const { checkForDangerousReact } = require('./src/checks/unsafeReact.js');
+const { checkForEval } = require('./src/checks/ast/eval.js');
+const { aiSecurityReview } = require('./src/checks/ai/analysis.js');
 const fs = require('fs').promises;
 const path = require('path');
 
@@ -17,15 +20,23 @@ const program = new Command();
 console.log(chalk.cyan(figlet.textSync('Vibe Secure', { horizontalLayout: 'full' })));
 
 program
-  .version('1.0.0')
+  .version('1.0.1')
   .description('Security scanner for vibe-coded AI applications')
   .argument('[directory]', 'Directory to scan', '.')
-  .action(async (directory) => {
-    const targetDir = path.resolve(directory);
-    console.log(chalk.blue(`\n🔍 Scanning directory: ${targetDir}\n`));
+  .option('--ai', 'Enable AI-powered analysis (requires GEMINI_API_KEY)')
+  .action(async (directory, options) => {
+    const targetPath = path.resolve(directory);
+    console.log(chalk.blue(`\n🔍 Scanning: ${targetPath}\n`));
 
     try {
-      const files = await scanFolder(targetDir);
+      let files = [];
+      const stat = await fs.stat(targetPath);
+      
+      if (stat.isFile()) {
+        files = [targetPath];
+      } else {
+        files = await scanFolder(targetPath);
+      }
       
       if (files.length === 0) {
         console.log(chalk.yellow('⚠️  No relevant implementation files found (.js, .jsx, .ts, .tsx).'));
@@ -48,10 +59,21 @@ program
           ...checkForDatabaseUrls(content, relativePath),
           ...checkForUnsafeEndpoints(content, relativePath),
           ...checkForSqlInjection(content, relativePath),
-          ...checkForDangerousReact(content, relativePath)
+          ...checkForDangerousReact(content, relativePath),
+          ...checkForEval(content, relativePath)
         ];
         
         allIssues = [...allIssues, ...issues];
+
+        // AI Analysis (Optional)
+        if (options.ai) {
+          if (!process.env.GEMINI_API_KEY) {
+             console.warn(chalk.yellow(`\n⚠️  Skipping specific file AI analysis: GEMINI_API_KEY not found.`));
+          } else {
+             const aiIssues = await aiSecurityReview(content, relativePath);
+             allIssues.push(...aiIssues);
+          }
+        }
       }
 
       console.log(chalk.gray('────────────────────────────────────────'));

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "vibe-secure",
-  "version": "1.0.0",
+  "version": "1.1.0",
   "description": "The security scanner for AI-generated applications code",
   "bin": {
     "vibe-secure": "index.js"
@@ -20,8 +20,13 @@
   "license": "MIT",
   "type": "commonjs",
   "dependencies": {
+    "@google/generative-ai": "^0.24.1",
     "chalk": "^4.1.2",
     "commander": "^14.0.2",
-    "figlet": "^1.10.0"
+    "dotenv": "^17.2.3",
+    "figlet": "^1.10.0",
+    "tree-sitter": "^0.21.1",
+    "tree-sitter-javascript": "^0.21.4",
+    "tree-sitter-typescript": "^0.21.2"
   }
 }

package/src/checks/ai/analysis.js

@@ -0,0 +1,70 @@
+const { GoogleGenerativeAI } = require("@google/generative-ai");
+
+/**
+ * Analyzes code using Google Gemini for security vulnerabilities
+ * @param {string} code - The code content
+ * @param {string} filePath - The path to the file
+ * @returns {Promise<Array>} - Array of found issues
+ */
+async function aiSecurityReview(code, filePath) {
+  const apiKey = process.env.GEMINI_API_KEY;
+  if (!apiKey) {
+    return [];
+  }
+
+  const genAI = new GoogleGenerativeAI(apiKey);
+  // Using gemini-2.0-flash for speed and availability
+  const model = genAI.getGenerativeModel({ model: "gemini-2.0-flash" });
+
+  const prompt = `You are an expert security auditor. Analyze the following code for security vulnerabilities.
+  Focus on:
+  1. Injection attacks (SQL, XSS, Command Injection)
+  2. Authentication/Authorization bypasses
+  3. Hardcoded secrets not caught by regex
+  4. Exposed sensitive data
+  5. Logic flaws
+
+  Return ONLY a JSON object with this valid schema:
+  {
+    "issues": [
+      {
+        "severity": "Critical" | "High" | "Medium" | "Low",
+        "line": <number>,
+        "message": "<concise description>",
+        "fix": "<brief fix suggestion>"
+      }
+    ]
+  }
+
+  If no issues are found, return { "issues": [] }.
+
+  Code to analyze (${filePath}):
+  ${code.substring(0, 10000)} 
+  `; // Truncate to avoid context limit
+
+  try {
+    const result = await model.generateContent(prompt);
+    const response = await result.response;
+    const responseText = response.text();
+    
+    // Extract JSON from response (handle potential markdown blocks)
+    const jsonMatch = responseText.match(/\{.*\}/s);
+    if (!jsonMatch) return [];
+
+    const parsed = JSON.parse(jsonMatch[0]);
+    
+    return parsed.issues.map(issue => ({
+      file: filePath,
+      line: issue.line || 1, // Fallback
+      type: `[AI] ${issue.severity}`,
+      message: issue.message,
+      code: issue.fix || "Check logic"
+    }));
+
+  } catch (error) {
+    console.error("AI Analysis failed:", error.message);
+    return [];
+  }
+}
+
+module.exports = { aiSecurityReview };

package/src/checks/ast/eval.js

@@ -0,0 +1,53 @@
+const parser = require('../../core/parser');
+
+/**
+ * Checks for usage of eval() using Tree-sitter
+ * @param {string} content 
+ * @param {string} filePath 
+ * @returns {Array} issues
+ */
+function checkForEval(content, filePath) {
+  const issues = [];
+  
+  try {
+    const tree = parser.parse(content, filePath);
+    const ext = filePath.split('.').pop();
+    const lang = ext === 'tsx' ? 'tsx' : (ext === 'ts' ? 'ts' : 'js');
+
+    // Query for function calls to 'eval'
+    // (call_expression function: (identifier) @name (#eq? @name "eval"))
+    const query = `
+      (call_expression
+        function: (identifier) @func
+        (#eq? @func "eval")
+      ) @call
+    `;
+
+    const matches = parser.query(tree, query, lang);
+
+    for (const match of matches) {
+      // match.captures[0].node is the captured node
+      const node = match.captures[0].node;
+      
+      // Extract the code line
+      const lineContent = content.split('\n')[node.startPosition.row] || '';
+
+      issues.push({
+        file: filePath,
+        line: node.startPosition.row + 1,
+        column: node.startPosition.column,
+        message: 'Dangerous use of eval() detected (AST Verified)',
+        type: 'Critical',
+        code: lineContent.trim()
+      });
+    }
+
+  } catch (error) {
+    // Fallback or ignore parse errors
+    // console.error(error);
+  }
+
+  return issues;
+}
+
+module.exports = { checkForEval };

package/src/core/parser.js

@@ -0,0 +1,51 @@
+const Parser = require('tree-sitter');
+const JavaScript = require('tree-sitter-javascript');
+const TypeScript = require('tree-sitter-typescript').typescript;
+const TSX = require('tree-sitter-typescript').tsx;
+
+class CodeParser {
+  constructor() {
+    this.jsParser = new Parser();
+    this.jsParser.setLanguage(JavaScript);
+
+    this.tsParser = new Parser();
+    this.tsParser.setLanguage(TypeScript);
+
+    this.tsxParser = new Parser();
+    this.tsxParser.setLanguage(TSX);
+  }
+
+  /**
+   * Parse code into an AST
+   * @param {string} code 
+   * @param {string} filePath 
+   * @returns {Parser.Tree}
+   */
+  parse(code, filePath) {
+    if (filePath.endsWith('.tsx')) {
+      return this.tsxParser.parse(code);
+    } else if (filePath.endsWith('.ts')) {
+      return this.tsParser.parse(code);
+    } else {
+      return this.jsParser.parse(code);
+    }
+  }
+
+  /**
+   * Run a query on the code
+   * @param {Parser.Tree} tree 
+   * @param {string} queryStr 
+   * @param {string} language - 'js', 'ts', 'tsx'
+   * @returns {Parser.QueryCapture[]}
+   */
+  query(tree, queryStr, language = 'js') {
+    let langObj = JavaScript;
+    if (language === 'tsx') langObj = TSX;
+    if (language === 'ts') langObj = TypeScript;
+
+    const query = new Parser.Query(langObj, queryStr);
+    return query.matches(tree.rootNode);
+  }
+}
+
+module.exports = new CodeParser();

package/src/{scanner.js → core/scanner.js}

@@ -8,8 +8,9 @@ async function scanFolder(dir, fileList = []) {
     const filePath = path.join(dir, file);
     const stat = await fs.stat(filePath);
 
+    const ignoredDirs = ['node_modules', '.git', '.next', 'dist', 'build', 'out', 'coverage', '.vercel'];
     if (stat.isDirectory()) {
-      if (file !== 'node_modules' && file !== '.git') {
+      if (!ignoredDirs.includes(file)) {
         await scanFolder(filePath, fileList);
       }
     } else {