🛡️ Security Checker Agent

AI-powered security analysis extension for VS Code that detects vulnerabilities using OWASP Top 10 guidelines

Security Checker Agent is a comprehensive VS Code extension that automatically analyzes your code for security vulnerabilities based on the OWASP Top 10 security risks. It provides real-time security analysis, actionable suggestions, and integrates seamlessly with GitHub Copilot.

✨ Key Features

🔍 Comprehensive Security Analysis

Multi-language support: JavaScript, TypeScript, Python, Java, C#, PHP, Ruby, Go, C/C++, Vue.js, Rust, Kotlin
OWASP Top 10 coverage: All 10 categories with 70+ security rules
Modern frameworks: React, Vue.js, Angular specific vulnerability detection
API security: GraphQL, REST API, CORS vulnerability scanning
Cloud security: AWS, Docker, container security patterns
AST-based analysis: Deep code understanding beyond simple pattern matching
Real-time detection: Instant feedback as you code

🤖 GitHub Copilot Integration

Chat with the security agent using natural language:

@security-checker-agent audit         # Analyze entire workspace
@security-checker-agent check         # Analyze current file
@security-checker-agent learn XSS     # Learn about security topics
@security-checker-agent fix SQL       # Get specific fix suggestions
@security-checker-agent help          # Get help and commands

📊 Interactive Security Reports

Security scoring: 0-100 rating based on vulnerability severity
Visual dashboards: HTML reports with vulnerability breakdowns
Tree view navigation: Organized by OWASP categories
Inline diagnostics: VS Code Problems panel integration
Knowledge base: Interactive learning with examples and fixes

🎓 Learning Dashboard

Interactive security education: Dedicated learning center with guided tutorials
Knowledge base access: Quick access to 7+ security topics with examples
Learning statistics: Track your security education progress
One-click learning: Start interactive sessions directly from dashboard
GitHub Copilot integration: Seamless transition to chat-based learning
Visual learning resources: Color-coded interface with progress tracking

⚡ Smart Analysis Engine

Pattern matching: Regex-based vulnerability detection
Data flow analysis: Track tainted variables through code
Context awareness: Reduces false positives with AST analysis
Framework-specific rules: Tailored detection for React, Vue, Angular
Configurable rules: Enable/disable specific security checks
Performance optimized: Non-blocking background analysis

🏆 OWASP Top 10 Security Coverage

Category	Description	Examples Detected
A01: Broken Access Control	Authorization flaws	Hardcoded roles, missing auth checks
A02: Cryptographic Failures	Weak crypto implementation	MD5/SHA1 usage, hardcoded secrets
A03: Injection	Code injection vulnerabilities	SQL injection, command injection, XSS
A04: Insecure Design	Security design flaws	Missing input validation, weak architecture
A05: Security Misconfiguration	Insecure configurations	Debug mode enabled, default passwords
A06: Vulnerable Components	Outdated dependencies	Known vulnerable packages
A07: Authentication Failures	Auth implementation issues	Weak passwords, session management
A08: Data Integrity Failures	Data validation issues	Unsafe deserialization, tampering
A09: Logging/Monitoring Failures	Insufficient logging	Missing security event logs
A10: Server-Side Request Forgery	SSRF vulnerabilities	Unvalidated URL requests

🎯 Modern Framework Security

React Security Patterns

dangerouslySetInnerHTML XSS: Detects unsafe HTML injection in React components
href XSS vulnerabilities: Identifies dynamic href attributes that can lead to XSS
State mutation issues: Catches direct state modifications that bypass React's update cycle

Vue.js Security Patterns

v-html XSS risks: Detects unsafe use of v-html directive with user input
Template injection: Identifies dynamic template compilation vulnerabilities

Angular Security Patterns

innerHTML XSS: Catches unsafe innerHTML binding with user data
Trust bypass issues: Detects misuse of Angular's security bypass methods

API Security Patterns

GraphQL vulnerabilities: Query complexity attacks, injection risks
CORS misconfigurations: Overly permissive cross-origin policies
Rate limiting gaps: Missing rate limiting on API endpoints
JWT security issues: Weak secrets, missing verification

Cloud Security Patterns

AWS S3 misconfigurations: Public bucket access, insecure policies
Docker security: Root user containers, exposed secrets
Lambda security: Environment variable exposure, privilege escalation

� Getting Started

Installation

Install from the VS Code Marketplace
Open any workspace with code files
The extension activates automatically

Quick Usage

1. Analyze Your Workspace

Command Palette: Security Checker: Audit Workspace
Chat Command: @security-checker-agent audit

2. Check Current File

Command Palette: Security Checker: Audit Current File
Chat Command: @security-checker-agent check

3. View Security Report

Command Palette: Security Checker: Show Security Report
Click on vulnerabilities in the Problems panel

4. Navigate Vulnerabilities

Use the Security Analysis tree view in the Explorer
Click on any vulnerability to jump to the code location

5. Access Learning Dashboard

Command Palette: Security Checker: Show Dashboard
Click "Start Learning" in the Learning Center card
Access Knowledge Base for topic-specific education
Track your learning progress with built-in statistics

6. Interactive Learning

Chat Commands:
- @security learn sql-injection - Learn about SQL injection
- @security learn xss - XSS prevention techniques
- @security learn authentication - Authentication security
Dashboard Features:
- One-click learning mode activation
- Quick access to 7+ security topics
- Visual progress tracking

⚙️ Configuration

Customize the extension behavior in VS Code settings:

{
  "securityChecker.enableRealTimeAnalysis": true,
  "securityChecker.riskThreshold": "medium",
  "securityChecker.enabledRules": [
    "injection",
    "broken-auth",
    "sensitive-data",
    "xxe",
    "broken-access",
    "security-config",
    "xss",
    "insecure-deserialization",
    "vulnerable-components",
    "logging-monitoring"
  ]
}

Configuration Options

Setting	Type	Default	Description
`enableRealTimeAnalysis`	boolean	`true`	Enable automatic analysis on file changes
`riskThreshold`	string	`"medium"`	Minimum risk level to display (`low`, `medium`, `high`)
`enabledRules`	array	All rules	Specific OWASP categories to check

📋 Example Detections

❌ Vulnerable Code

// A02: Hardcoded Secret
const API_KEY = 'sk-1234567890abcdef';

// A03: SQL Injection
const query = `SELECT * FROM users WHERE id = ${userId}`;

// A01: Hardcoded Role
const user = { role: 'admin' };

// A03: Command Injection
exec('ls -la ' + userInput);

// React XSS
<div dangerouslySetInnerHTML={{__html: userInput}} />

// Vue.js XSS
<div v-html="userContent"></div>

// GraphQL Injection
const query = `{ user(id: "${req.params.id}") { name } }`;

// JWT Security Issues
const token = jwt.decode(userToken); // No verification
const secret = 'weak-secret'; // Weak secret

✅ Secure Code (Recommended)

// A02: Environment Variable
const API_KEY = process.env.API_KEY;

// A03: Parameterized Query
const query = 'SELECT * FROM users WHERE id = ?';
db.query(query, [userId]);

// A01: Dynamic Role Check
const userRole = await getUserRole(userId);

// A03: Safe Command Execution
execFile('ls', ['-la', sanitizedInput]);

// React Security
<div>{userInput}</div> // Auto-escaped
<div dangerouslySetInnerHTML={{__html: DOMPurify.sanitize(userInput)}} />

// Vue.js Security
<div>{{ userContent }}</div> // Auto-escaped

// GraphQL Security
const query = 'query($id: ID!) { user(id: $id) { name } }';
graphql(schema, query, null, null, { id: userId });

// JWT Security
const decoded = jwt.verify(token, strongSecret); // Proper verification
const secret = crypto.randomBytes(64).toString('hex'); // Strong secret

🔧 Commands

Command	Description	Keybinding
`Security Checker: Audit Workspace`	Analyze all files in workspace
`Security Checker: Audit Current File`	Analyze currently open file
`Security Checker: Show Security Report`	Display detailed HTML report
`Security Checker: Clear Diagnostics`	Clear all security diagnostics

📊 Security Scoring

The extension calculates a security score from 0-100 based on detected vulnerabilities:

Critical: -20 points each 🚨
High: -10 points each ⚠️
Medium: -5 points each 💛
Low: -2 points each ℹ️

Score Levels

90-100: 🟢 Excellent - Highly secure code
70-89: 🔵 Good - Minor security improvements needed
50-69: 🟡 Fair - Several security issues to address
30-49: 🟠 Poor - Significant security vulnerabilities
0-29: 🔴 Critical - Immediate security attention required

🎯 Supported Languages

Language	File Extensions	Analysis Type
JavaScript	`.js`, `.jsx`	AST + Pattern
TypeScript	`.ts`, `.tsx`	AST + Pattern
Vue.js	`.vue`	Pattern
Python	`.py`	Pattern
Java	`.java`	Pattern
C#	`.cs`	Pattern
PHP	`.php`	Pattern
Ruby	`.rb`	Pattern
Go	`.go`	Pattern
C/C++	`.c`, `.cpp`	Pattern
Rust	`.rs`	Pattern
Kotlin	`.kt`	Pattern
Docker	`Dockerfile`	Pattern
YAML/JSON	`.yaml`, `.json`	Pattern

🤝 Contributing

We welcome and encourage contributions from the community! Whether you're fixing bugs, adding new features, improving documentation, or suggesting security rules, your help makes this extension better for everyone.

Ways to Contribute

🐛 Report Bugs: Found an issue? Create a bug report
✨ Request Features: Have an idea? Submit a feature request
🛡️ Suggest Security Rules: Propose new OWASP rules or improvements
📝 Improve Documentation: Help make our docs clearer and more comprehensive
💻 Code Contributions: Submit pull requests for bug fixes or new features

Getting Started for Contributors

Fork the repository on GitHub

Clone your fork locally:

git clone https://github.com/YOUR_USERNAME/security-checker-agent.git
cd security-checker-agent

Install dependencies:
```
npm install
```

Create a feature branch:

git checkout -b feature/your-feature-name

Make your changes and test thoroughly

Commit with clear, descriptive messages:

git commit -m "Add: New OWASP rule for detecting XSS vulnerabilities"

Push to your fork and create a pull request

Development Setup

# Install dependencies
npm install

# Build the extension
npm run build

# Watch for changes during development
npm run watch

# Run tests
npm test

# Package the extension
npm run package

# Lint code
npm run lint

Coding Guidelines

Follow TypeScript best practices
Add tests for new security rules
Update documentation for new features
Ensure all tests pass before submitting PR
Follow the existing code style and patterns

Pull Request Process

Ensure your PR description clearly describes the problem and solution
Include the relevant issue number if applicable
Make sure all tests pass and no linting errors exist
Update the README.md if you change functionality
Your PR will be reviewed by maintainers before merging

🐛 Reporting Bugs

If you encounter any bugs or issues, please help us improve by reporting them:

Before Reporting

Check if the issue already exists in GitHub Issues
Make sure you're using the latest version of the extension
Try reproducing the issue in a clean environment

How to Report

Use our Bug Report Template: Create Bug Report

Please include:

Clear description of the bug
Steps to reproduce the issue
Expected vs actual behavior
Screenshots or error messages
Your environment details (VS Code version, OS, etc.)
Sample code that triggers the issue

✨ Feature Requests

Have an idea to make Security Checker Agent even better? We'd love to hear it!

Request a Feature

Use our Feature Request Template: Request Feature