An intelligent security analysis tool that uses a multi-agent AI system to scan codebases for security vulnerabilities, missing controls, and best practice violations.
- Multi-Agent Analysis - Three specialized AI agents work together to provide comprehensive security analysis
- Visual Reports - Interactive dashboard with security scores, charts, and detailed findings
- Multiple Upload Methods - Support for ZIP uploads and GitHub repository URLs
- Framework Detection - Automatic detection of project frameworks with specialized analysis
- Real-time Logs - Live streaming logs during analysis
- OWASP Mapped - Findings mapped to OWASP Top 10 and API Security standards
- Getting Started
- Upload Methods
- Preprocessing
- Analysis Agents
- Output & Reports
- Configuration
- Maintainer
- Node.js 18+
- pnpm (recommended) or npm
- OpenAI API key or Anthropic API key
```bash
# Clone the repository
git clone https://github.com/kavienanj/code-scanner-ai.git
cd code-scanner-ai

# Install dependencies
pnpm install

# Copy environment variables
cp .env.example .env
```

Edit `.env` with your API keys. Keep `.env` out of version control; it holds live provider credentials.

```bash
# AI Model Configuration
DEFAULT_MODEL=claude-opus-4-5-20251101

# API Keys (at least one required)
OPENAI_API_KEY=sk-your-openai-key
ANTHROPIC_API_KEY=sk-ant-your-anthropic-key
```

```bash
# Development mode
pnpm dev

# Production build
pnpm build
pnpm start
```

Visit http://localhost:3000 to access the application.
Code Scanner AI supports two methods for uploading code:
Upload a ZIP archive containing your project source code directly through the web interface.
- Supported: Any ZIP file up to 50MB
- Best for: Local projects, offline analysis
- Process: File is extracted in-memory and processed immediately
Provide a GitHub repository URL to fetch and analyze the codebase.
- Supported: Public repositories (private repositories with a GitHub personal access token)
- Format: `https://github.com/owner/repo` or `https://github.com/owner/repo/tree/branch`
- Best for: Open source projects, quick scans
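Because the repository URL is fetched server-side, it should be validated before any request is made. The following is an added example, not the project's own `fetch-repo` code: it parses the two URL forms listed above into an owner/repo/branch reference, accepts only the `github.com` host, and rejects `.` and `..` segments so a pasted URL cannot turn into an unexpected path when the reference is used to build an API call. The GitHub identifier charset and the stripping of a trailing `.git` are assumptions of this example.

```typescript
// Added example (not part of Code Scanner AI): strict parsing of the two accepted
// GitHub URL shapes. Host pinning, charset restriction and the ".git" strip are
// defensive choices of this example, not documented project behaviour.

interface RepoRef {
  owner: string;
  repo: string;
  branch: string | null; // null when the URL has no /tree/<branch> part
}

// owner/repo: letters, digits, '-', '_' and '.' (GitHub's identifier charset).
// The branch group is lazy so a trailing slash is not captured as part of it.
const GITHUB_URL =
  /^https:\/\/github\.com\/([A-Za-z0-9_.-]+)\/([A-Za-z0-9_.-]+)(?:\/tree\/([^?#]+?))?\/?$/;

function parseGitHubUrl(input: string): RepoRef | null {
  const m = GITHUB_URL.exec(input.trim());
  if (!m) return null;
  const owner = m[1]!;
  const rawRepo = m[2]!;
  const branch: string | undefined = m[3];
  // Assumption: a clone URL pasted with ".git" refers to the same repository.
  const repo = rawRepo.endsWith(".git") ? rawRepo.slice(0, -4) : rawRepo;
  // "." and ".." pass the charset test but are never real identifiers; refuse them
  // so they cannot become path segments in a later API request.
  if ([owner, repo].some((seg) => seg === "." || seg === "..")) return null;
  if (branch !== undefined) {
    // Branch names may contain slashes (feature/x); each segment must be non-empty and not dot-only.
    const bad = branch.split("/").some((p) => p === "" || p === "." || p === "..");
    if (bad) return null;
  }
  return { owner, repo, branch: branch ?? null };
}
```

A null result is the signal to reject the upload request before the server contacts GitHub at all; anything that is not exactly one of the two documented shapes, including other hosts such as `github.com.evil.example`, falls through the regex.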
Before analysis begins, the uploaded code goes through a preprocessing pipeline:
The system automatically detects the project framework based on:
- Package manager files (`package.json`, `requirements.txt`, `pom.xml`, etc.)
- Configuration files (framework-specific configs)
- File structure patterns
- Import statements and dependencies
Supported Frameworks:
- JavaScript/TypeScript: Next.js, Express, NestJS, Fastify
- Python: Django, Flask, FastAPI
- Java: Spring Boot
- And more...
Files are filtered and cleaned based on the detected framework:

- Directory Filtering - Removes irrelevant directories:
  - `node_modules/`, `.git/`, `dist/`, `build/`
  - Virtual environments, cache directories
  - Test fixtures and mock data
- File Filtering - Includes only relevant source files:
  - Source code files (`.ts`, `.js`, `.py`, `.java`, etc.)
  - Configuration files (framework-specific)
  - Excludes minified files, lock files, binary files
- Size Limits - Files over 1MB are excluded to optimize analysis
The security analysis is performed by three specialized AI agents working in sequence:
Task: Endpoint Discovery & Code Tracing
The Sentinel Agent is responsible for discovering API endpoints and tracing their complete code flow.
What it does:
- Scans the codebase for API entry points (routes, controllers, handlers)
- Traces each endpoint through the code following imports and function calls
- Documents middleware chains, validators, and database interactions
- Generates detailed markdown documentation for each endpoint flow
- Groups related CRUD operations for the same entity
Output: EndpointProfile[] - Detailed profiles of each discovered endpoint including:
- Flow name and purpose
- Entry point location
- Input/output types
- Sensitivity level assessment
- Complete code documentation in markdown
Task: Security Checklist Generation
The Guardian Agent analyzes each discovered endpoint and generates a tailored security checklist.
What it does:
- Reviews endpoint profiles from Sentinel
- Consults OWASP Top 10, API Security guidelines, and framework best practices
- Generates required and recommended security controls
- Assigns importance levels (critical, high, medium, low)
- Maps controls to OWASP categories
Output: SecurityChecklist[] - Security checklists for each flow including:
- Required controls (must-have for security)
- Recommended controls (best practices)
- Security references and documentation links
- OWASP mappings for each control
Task: Code Inspection & Vulnerability Detection
The Inspector Agent performs deep code inspection against the security checklists.
What it does:
- Matches code implementations against security checklists
- Identifies implemented, missing, and framework-handled controls
- Actively scans for vulnerabilities:
- SQL Injection
- Cross-Site Scripting (XSS)
- Command Injection
- Path Traversal
- Hardcoded Secrets
- SSRF, Weak Cryptography, and more
- Provides specific code locations and fix recommendations
Output: SecurityReport[] - Detailed security reports including:
- Implemented controls with evidence
- Missing controls with recommendations
- Auto-handled controls (framework protections)
- Detected vulnerabilities with severity ratings
- Overall security severity assessment
A calculated score from 0-100 based on:
| Factor | Impact |
|---|---|
| Vulnerabilities | -15 (critical), -10 (high), -5 (medium), -2 (low) |
| Missing Controls | -8 (critical), -5 (high), -3 (medium), -1 (low) |
| Implementation Bonus | +10 (>80%), +5 (>60%), +2 (>40% implemented) |
Grades:
- A (90-100): Excellent security posture
- B (80-89): Good, minor improvements needed
- C (70-79): Fair, address medium-priority issues
- D (60-69): Poor, significant gaps exist
- F (0-59): Critical, immediate action required
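The weights and grade bands above are enough to reproduce the score for a report by hand, which is handy when checking why two scans of the same service differ. The code below is an added example and not the project's `SecurityScore` implementation: it applies the penalties and bonus exactly as tabulated, and the parts the README does not state, a starting value of 100, clamping to the 0-100 range, and counting auto-handled controls as implemented when computing the implementation percentage, are assumptions of this example.

```typescript
// Added example (not part of Code Scanner AI): security score and grade from the
// README's weight table. Start value, clamping and the ratio definition are assumptions.

type Severity = "critical" | "high" | "medium" | "low";

interface Finding {
  title: string;
  severity: Severity;
}

interface ChecklistSummary {
  implemented: number;  // controls found in the code
  autoHandled: number;  // controls the framework provides
  missing: Array<{ control: string; importance: Severity }>;
}

// Penalties per detected vulnerability and per missing control, from the table.
const VULN_PENALTY: Record<Severity, number> = { critical: 15, high: 10, medium: 5, low: 2 };
const MISSING_PENALTY: Record<Severity, number> = { critical: 8, high: 5, medium: 3, low: 1 };

// Assumption: auto-handled controls count as implemented for the percentage.
function implementationRatio(s: ChecklistSummary): number {
  const total = s.implemented + s.autoHandled + s.missing.length;
  return total === 0 ? 0 : (s.implemented + s.autoHandled) / total;
}

// Thresholds are strict (">"), so exactly 80% earns the +5 tier, not +10.
function implementationBonus(ratio: number): number {
  if (ratio > 0.8) return 10;
  if (ratio > 0.6) return 5;
  if (ratio > 0.4) return 2;
  return 0;
}

function securityScore(vulns: Finding[], checklist: ChecklistSummary): number {
  let score = 100; // assumption: a clean codebase starts at 100
  for (const v of vulns) score -= VULN_PENALTY[v.severity];
  for (const m of checklist.missing) score -= MISSING_PENALTY[m.importance];
  score += implementationBonus(implementationRatio(checklist));
  return Math.max(0, Math.min(100, score)); // assumption: clamp to the 0-100 range
}

function grade(score: number): "A" | "B" | "C" | "D" | "F" {
  if (score >= 90) return "A";
  if (score >= 80) return "B";
  if (score >= 70) return "C";
  if (score >= 60) return "D";
  return "F";
}

// Constructed sample report: one critical and one medium vulnerability, two missing
// controls (high, low), and 8 of 10 controls implemented or framework-handled.
const sampleVulns: Finding[] = [
  { title: "SQL injection in user search", severity: "critical" },
  { title: "Reflected XSS in error page", severity: "medium" },
];
const sampleChecklist: ChecklistSummary = {
  implemented: 6,
  autoHandled: 2,
  missing: [
    { control: "Rate limiting on login", importance: "high" },
    { control: "Security response headers", importance: "low" },
  ],
};
// 100 - 15 - 5 - 5 - 1 + 5 (80% implemented is not > 80%) = 79, grade C
```

The sample sits right on a boundary: a single extra implemented control would lift the bonus to +10 and the grade to B, while a single extra low-severity finding would drop it to D, which is why the grade alone is a poor way to compare two scans and the per-endpoint reports matter more.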
Visual pie chart showing:
- Implemented controls (green)
- Missing controls (orange)
- Auto-handled by framework (blue)
- Vulnerabilities found (red)
Each endpoint receives a detailed security report with:
- Endpoint details and sensitivity level
- Checklist verification results
- Vulnerability findings with code snippets
- Actionable recommendations
Raw analysis outputs are saved to `/output/` for debugging:
- `sentinel-agent/` - Endpoint discovery logs
- `guardian-agent/` - Checklist generation logs
- `inspector-agent/` - Inspection results

These files contain excerpts of the scanned source together with its findings, so treat the directory as sensitive and keep it out of version control.
| Variable | Description | Required |
|---|---|---|
| `DEFAULT_MODEL` | AI model to use | Yes |
| `OPENAI_API_KEY` | OpenAI API key | If using GPT models |
| `ANTHROPIC_API_KEY` | Anthropic API key | If using Claude models |

Supported Models:
- Anthropic: `claude-opus-4-5-20251101`, `claude-sonnet-4-20250514`
- OpenAI: `gpt-5.1-2025-11-13`, `gpt-5-pro-2025-10-06`
- Frontend: Next.js 16, React 19, Tailwind CSS, shadcn/ui
- Charts: Recharts
- AI SDK: Vercel AI SDK with OpenAI & Anthropic providers
- Language: TypeScript
```
src/
├── app/                    # Next.js app router
│   ├── api/                # API routes
│   │   ├── analyze/        # Analysis endpoints
│   │   ├── fetch-repo/     # GitHub fetching
│   │   └── upload-zip/     # ZIP upload handling
│   └── task/[id]/          # Task status page
├── components/
│   ├── task/               # Task page components
│   │   ├── SecurityScore   # Score visualization
│   │   ├── FindingsChart   # Pie chart
│   │   └── ...             # Other components
│   ├── upload/             # Upload page components
│   └── ui/                 # shadcn/ui components
└── lib/
    ├── agents/             # AI agents
    │   ├── sentinel-agent  # Endpoint discovery
    │   ├── guardian-agent  # Checklist generation
    │   └── inspector-agent # Code inspection
    ├── code-cleaner/       # Preprocessing
    ├── generate-text.ts    # AI text generation
    ├── analysis-runner.ts  # Orchestration
    └── job-store.ts        # Job state management
```
Kavienan J (@kavienanj)
This project is open source and available under the MIT License.
Contributions are welcome! Please open an issue or submit a pull request on GitHub.
- Fork the repository
- Create your feature branch (`git checkout -b feature/amazing-feature`)
- Commit your changes (`git commit -m 'Add some amazing feature'`)
- Push to the branch (`git push origin feature/amazing-feature`)
- Open a Pull Request
If you find this project useful, please consider giving it a star on GitHub!
