How to catch LiteLLM like security issues proactively/reactively?

github.com · dinakars777 · 10 days ago · view on HN · research
quality 7/10 · good
0 net
Tags
security-issues lite proactive-reactive
# 🛡️ AI Code Guardian
[![Crates.io](https://img.shields.io/crates/v/ai-code-guardian?style=for-the-badge)](https://crates.io/crates/ai-code-guardian) [![Downloads](https://img.shields.io/crates/d/ai-code-guardian?style=for-the-badge)](https://crates.io/crates/ai-code-guardian) [![License](https://img.shields.io/crates/l/ai-code-guardian?style=for-the-badge)](LICENSE) **[🌐 Interactive Demo & Documentation](https://dinakars777.github.io/ai-code-guardian/)**
--- Security scanner for AI-generated code. Catches vulnerabilities before you commit. ## The Problem AI coding tools are great, but they introduce security risks: - Hardcoded API keys and secrets - SQL injection vulnerabilities - Insecure HTTP requests - Exposed credentials This tool scans your code and catches these issues instantly. ## What Makes Us Different - **Dependency vulnerability checking** - Scan requirements.txt, package.json, Cargo.toml for known CVEs - **.guardianignore file** - Exclude files/patterns from scanning - **Git integration** - Scan only changed or staged files for faster CI/CD - **Custom rules engine** - Define your own security patterns with `.guardian.rules.json` - **Severity scoring** - Numerical risk scores (0-100) for every vulnerability - **Watch mode** - Auto-scan on file changes during development - **Interactive TUI mode** - Navigate issues with arrow keys, mark false positives - **Auto-fix suggestions** - Don't just find issues, get actionable solutions - **Lightning fast** - Written in Rust, 10x faster than Node.js alternatives - **Single binary** - No npm, no node_modules, just one executable - **Beautiful output** - Color-coded, easy to read results - **100% local** - No data leaves your machine ## Installation ```bash cargo install ai-code-guardian ``` ## Usage ```bash # Scan current directory ai-guardian scan # Scan specific directory ai-guardian scan ./src # Interactive TUI mode ai-guardian scan --interactive # Watch mode - auto-scan on file changes ai-guardian watch # Scan only git changed files ai-guardian scan --git # Scan only git staged files ai-guardian scan --staged # Check dependencies for vulnerabilities ai-guardian check-deps requirements.txt ai-guardian check-deps package.json ai-guardian check-deps Cargo.toml ``` ## What It Detects - **Hardcoded Secrets**: API keys, passwords, tokens - **SQL Injection**: Unsafe query construction - **Insecure HTTP**: Unencrypted connections - **Exposed Credentials**: .env files, config files ## Example Output ``` 🛡️ AI Code Guardian - Security Scan Scanning: ./src ❌ HIGH (Risk: 85): Hardcoded API Key File: src/api.rs:12 Found: const API_KEY = "sk-1234567890abcdef" Risk: Exposed credentials in source code Fix: Use process.env.API_KEY or import from .env file ❌ HIGH (Risk: 85): SQL Injection Risk File: src/db.rs:45 Found: query = "SELECT * FROM users WHERE id = " + user_id Risk: Unsanitized user input in SQL query Fix: Use parameterized queries: db.query('SELECT * FROM users WHERE id = ?', [userId]) ✅ Scan complete: 2 issues found ``` ## CI/CD Integration ### GitHub Actions Scan PRs automatically. Create `.github/workflows/security.yml`: ```yaml name: Security Scan on: pull_request: jobs: security: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 with: fetch-depth: 0 - name: Install AI Code Guardian run: cargo install ai-code-guardian - name: Scan changed files run: ai-guardian scan --git ``` See `examples/` directory for more GitHub Action configurations. ### Pre-commit Hook Add to `.git/hooks/pre-commit`: ```bash #!/bin/bash ai-guardian scan if [ $? -ne 0 ]; then echo "Security issues found. Commit blocked." exit 1 fi ``` ## Custom Rules Create `.guardian.rules.json` in your project root: ```json [ { "title": "Hardcoded Credit Card", "description": "Credit card number found in source code", "severity": "high", "pattern": "\\b\\d{4}[\\s-]?\\d{4}[\\s-]?\\d{4}[\\s-]?\\d{4}\\b", "fix_suggestion": "Never store credit card numbers in code" } ] ``` ## Ignore Files Create `.guardianignore` to exclude files: ``` # Ignore test files *test* *spec* # Ignore vendor code vendor/ third_party/ ``` ## How It Works 1. Walks through your codebase 2. Scans files for security patterns 3. Reports high-risk issues 4. Suggests fixes No data leaves your machine. Everything runs locally. ## Roadmap - [x] Git integration to scan only changed files - [x] GitHub Actions examples - [ ] Auto-fix command to apply fixes automatically - [ ] XSS detection patterns - [ ] Path traversal detection - [ ] Official GitHub Action (no cargo install needed) - [ ] VS Code extension ## Contributing Found a false positive? Have a pattern to add? PRs welcome! ## License MIT ## Changelog ### v0.10.0 - Added dependency vulnerability checking with `check-deps` command - Integrates with OSV.dev API to detect known CVEs in dependencies - Supports Python (requirements.txt, pyproject.toml), Node (package.json), Rust (Cargo.toml) - Released in response to LiteLLM supply chain attack (March 2026) ### v0.9.0 - Improved SQL injection detection to reduce false positives from logging statements - Pattern now requires SQL keywords (SELECT/INSERT/UPDATE/DELETE) to be followed by FROM/INTO/SET - Eliminates false positives from code like `LOG_WARNING("Health was to be updated to: " + value)`
← Back to stories