🛡️ PreSec AI - LangGraph Multi-Agent Security Extension
An AI-powered VS Code extension that analyzes your code for security vulnerabilities in real-time using a 5-agent LangGraph pipeline connected to the CVE/NVD database.
🤖 Agent Architecture (LangGraph)
START → [Agent 1: Context] → [Agent 2: Code] → [Agent 3: CVE] → [Agent 4: Advisory] → [Agent 5: Supervisor] → END
| Agent | Role |
|---|---|
| 1. Context Agent | Reads your sprint/todo description, extracts task type, priority, and risk level using Gemini LLM |
| 2. Code Agent | Scans the active file using both static pattern matching AND AI (Gemini) to detect vulnerabilities |
| 3. CVE Agent | Matches found vulnerabilities to real CVE entries from local DB + live NVD API |
| 4. Advisory Agent | Generates actionable, code-specific fix recommendations with Gemini |
| 5. Supervisor Agent | Assembles all results, calculates risk score, and sends final output to the UI panel |
📋 Prerequisites
🚀 Installation Steps
Step 1: Get the Extension Files
Extract the presec-ai-extension folder to a location you remember, e.g.:
C:\Users\YourName\presec-ai-extension\ (Windows)
~/presec-ai-extension/ (Mac/Linux)
Step 2: Install Dependencies
Open a terminal in the presec-ai-extension folder and run:
npm install
This installs LangGraph, LangChain Google Gemini, and Axios.
Step 3: Get Your Gemini API Key
- Go to https://aistudio.google.com/apikey
- Click "Create API Key"
- Copy the key (starts with AIza...)
Step 4: Load the Extension in VS Code
Option A — Developer Mode (Recommended for testing):
- Open VS Code
- Press F5 (or go to Run → Start Debugging) while the presec-ai-extension folder is open
- A new VS Code window opens with the extension loaded
Option B — Install as VSIX:
- Install vsce: npm install -g @vscode/vsce
- In the extension folder run: vsce package
- In VS Code: Ctrl+Shift+P → "Extensions: Install from VSIX" → select the generated .vsix file
Step 5: Set Your API Key in VS Code
After the extension loads:
- Open the PreSec AI panel (click the shield icon 🛡️ in the Activity Bar on the left)
- You'll see a yellow warning banner "Gemini API Key not set"
- Click "Set API Key" and paste your Gemini key
- OR go to Settings (Ctrl+,) → search "PreSec AI" → paste in Gemini Api Key
🎯 How to Use
Analyze a File
- Open any code file (.js, .py, .ts, .java, .php, .rb, .go, .cs)
- Open the PreSec AI panel (shield icon in sidebar)
- (Optional) Paste your sprint notes/JIRA ticket in the Sprint/Task Context box → click Save Context
- Click 🔍 Analyze Current File
- Watch all 5 agents run in the pipeline visualization!
Scan a Project
- Click 📁 Scan Project to analyze all source files in your workspace
- Results show combined vulnerabilities across all files (max 30 files per scan)
Export Report
- After analysis, click the 📤 button in the header
- A JSON report is saved to your workspace folder
⚙️ Settings
Open Settings (Ctrl+,) and search "presecAI":
| Setting | Description | Default |
|---|---|---|
| presecAI.geminiApiKey | Your Google Gemini API Key | (empty) |
| presecAI.model | Gemini model to use | gemini-2.0-flash |
| presecAI.autoScan | Auto-scan on every file save | false |
🔍 What It Detects
| Vulnerability | CVE Examples |
|---|---|
| SQL Injection | CVE-2023-4512, CVE-2022-21503 |
| XSS (Cross-Site Scripting) | CVE-2023-1234, CVE-2021-39182 |
| Command Injection | CVE-2021-34523 |
| Path Traversal | CVE-2021-41773 |
| Hardcoded Secrets | CVE-2022-12345 |
| Insecure Deserialization | CVE-2020-28476 |
| JWT Vulnerabilities | CVE-2022-21449 |
| Weak Cryptography | CVE-2022-21449 |
| Prototype Pollution | CVE-2019-10744 |
| Dangerous eval() | CVE-2023-29017 |
| SSL Verification Disabled | Various |
🌐 CVE Sources
- Local Database — Always available offline, instant results
- NIST NVD API — Live CVE data when internet is available
- Predicted CVEs — Based on your task context (e.g., if building "authentication", predicts JWT/crypto CVEs)
🧪 Test the Extension
Open any of these code snippets in VS Code and click Analyze Current File:
JavaScript (XSS + Hardcoded Secret):
const apiKey = "sk-abc123supersecret";
document.getElementById("output").innerHTML = userInput;
const result = eval(userCode);
Python (SQL Injection):
query = "SELECT * FROM users WHERE id = " + user_id
cursor.execute(query)
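The static pattern-matching half of the Code Agent's role can be pictured with the sketch below, run over the two test snippets above. It is an added example, not the extension's own code: the rule ids, regexes, and the `scan`/`ruleIds` helpers are assumptions made for illustration.

```javascript
// Added example: hypothetical rule ids and regexes, not PreSec AI's rule set.
const RULES = [
  { id: "hardcoded-secret",
    re: /\b(?:api[_-]?key|secret|token|password)\w*\s*=\s*["'][^"']{8,}["']/i },
  // innerHTML assigned from anything that does not start with a quote
  { id: "xss-innerhtml", re: /\.innerHTML\s*=(?!=)(?!\s*["'`])/ },
  { id: "dangerous-eval", re: /\beval\s*\(/ },
  // a quoted SQL statement immediately concatenated with "+"
  { id: "sql-string-concat",
    re: /["'`]\s*(?:SELECT|INSERT|UPDATE|DELETE)\b[^"'`]*["'`]\s*\+/i },
];

// Returns one finding per (rule, line) match; comment-only lines are skipped.
function scan(source) {
  const findings = [];
  source.split(/\r?\n/).forEach((text, i) => {
    const trimmed = text.trim();
    if (trimmed.startsWith("//") || trimmed.startsWith("#")) return;
    for (const rule of RULES) {
      if (rule.re.test(text)) {
        findings.push({ rule: rule.id, line: i + 1, text: trimmed });
      }
    }
  });
  return findings;
}

// Compact "rule:line" view of the findings.
function ruleIds(source) {
  return scan(source).map((f) => `${f.rule}:${f.line}`);
}

// The two test snippets from this README, embedded as sample input.
const JS_SNIPPET = [
  'const apiKey = "sk-abc123supersecret";',
  'document.getElementById("output").innerHTML = userInput;',
  'const result = eval(userCode);',
].join("\n");
const PY_SNIPPET = [
  'query = "SELECT * FROM users WHERE id = " + user_id',
  'cursor.execute(query)',
].join("\n");

// Constructed negative case: literal markup and a parameterized query.
const SAFE_SNIPPET = [
  'el.innerHTML = "<b>static</b>";',
  'db.query("SELECT * FROM users WHERE id = ?", [userId]);',
].join("\n");

console.log(ruleIds(JS_SNIPPET), ruleIds(PY_SNIPPET), ruleIds(SAFE_SNIPPET));
```

Line-level regexes like these do not follow data flow: a template literal with interpolation assigned to innerHTML, or a query built across several lines, passes unflagged.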
🛠️ Troubleshooting
"API Key not set" even after setting it:
→ Restart VS Code after setting the key
Analysis runs but no AI results:
→ Check your Gemini API key is valid at https://aistudio.google.com
→ The extension falls back to static analysis if AI fails
npm install fails:
→ Make sure you have Node.js 18+ installed: node --version
Extension doesn't appear:
→ Make sure you pressed F5 to start debugging, or properly installed the VSIX
NVD API results empty:
→ The NVD API has rate limits; local database results always work offline
📁 File Structure
presec-ai-extension/
├── extension.js          ← VS Code extension entry point
├── index.html            ← Webview UI panel
├── package.json          ← Extension manifest + dependencies
├── agents/
│   └── securityGraph.js  ← LangGraph 5-agent pipeline (THE CORE)
└── media/
    ├── styles.css        ← UI stylesheet
    └── icon.svg          ← Activity bar icon