yong-huang/CodeSentinel

CodeSentinel

A web-based security vulnerability scanner with plugin support, AI-powered analysis, and CVSS scoring. Scan your source code for security issues using static analysis with regex + AST hybrid detection.

Features

  • Multi-Language Scanning — Supports Python, JavaScript, Java, and more via tree-sitter AST parsing
  • CVSS v3.1 Scoring — Automatic severity assessment with base score, severity level, and vector string
  • AI-Powered Analysis — AI-generated vulnerability summaries and fix suggestions (Ollama / OpenAI-compatible)
  • Real-Time Progress — WebSocket-based live updates during scanning
  • Code Highlighting — Vulnerable code snippets with syntax highlighting (Prism.js)
  • Custom Rules — User-defined detection rules via YAML configuration
  • Plugin System — Extend detection capabilities with builtin and custom plugins
  • OWASP Top 10 Coverage — Built-in rules covering injection, XSS, SSRF, and more
  • Dashboard Analytics — Interactive charts and statistics (Chart.js)
  • Scan Management — Pause, resume, and cancel scans; export reports as PDF

Quick Start

Docker (Recommended)

git clone https://github.com/your-username/CodeSentinel.git
cd CodeSentinel
docker compose up -d

Open http://localhost:5500 in your browser.

Local Setup

# Install dependencies
pip install -e ".[dev]"

# Start the server
python start.py

Open http://localhost:5500 in your browser.

Screenshots

Dashboard & Scanning

[Screenshots: Dashboard Overview, New Scan, Scan Results]

AI-Powered Analysis

Connect to any OpenAI-compatible LLM (Ollama, vLLM, LocalAI, etc.) to get intelligent vulnerability insights.

[Screenshots: AI Settings, AI Vulnerability Analysis, AI Fix Suggestion, AI Scan Summary]

AI Features:

  • Vulnerability Analysis — Deep analysis of each finding with risk assessment, exploitation scenarios, and remediation priority
  • Fix Suggestions — AI-generated code fixes with before/after examples and additional hardening tips
  • Scan Summary — Executive-level AI summary of overall scan results
  • Multi-Provider — Works with Ollama, vLLM, LocalAI, and any OpenAI-compatible API

Architecture

Browser (Vanilla JS SPA)
    ↕ HTTP / WebSocket
FastAPI Server (server/main.py)
    ↕
┌───────────┬──────────────┐
│  Scanner   │  AI Client   │
│  Engine    │  (Ollama)    │
│           │              │
│ RuleEngine│  LLM API     │
│  + 9 Det. │  Client      │
└─────┬─────┴──────────────┘
      ↕
  SQLite (via SQLAlchemy + aiosqlite)

Tech stack: Python, FastAPI, SQLAlchemy, SQLite, WebSocket, tree-sitter, Prism.js, Chart.js

Key Components

| Component | Description |
|---|---|
| server/core/scanner.py | Scan engine — lifecycle management, concurrent file scanning, WebSocket broadcast |
| server/core/rule_engine.py | Rule engine — loads builtin + plugin rules, dispatches to detectors |
| server/core/vulnerabilities/ | 9 detector modules (SQL injection, XSS, path traversal, SSRF, etc.) |
| server/core/parsers/ | Language-specific tree-sitter AST parsers |
| server/plugins/ | Plugin manager with YAML config and dynamic loading |
| server/ai/client.py | OpenAI-compatible LLM client for AI analysis and fix suggestions |
| web/ | Single-page application with hash-based routing |

API Documentation

Scans

| Method | Endpoint | Description |
|---|---|---|
| GET | /api/browse | Browse server directory |
| POST | /api/scans | Create a new scan |
| GET | /api/scans | List all scans |
| GET | /api/scans/{id} | Get scan details |
| DELETE | /api/scans/{id} | Delete a scan |
| POST | /api/scans/{id}/pause | Pause a running scan |
| POST | /api/scans/{id}/resume | Resume a paused scan |
| POST | /api/scans/{id}/cancel | Cancel a scan |
| GET | /api/scans/{id}/stats | Scan statistics |
| GET | /api/scans/{id}/export/json | Export findings as JSON |
| GET | /api/scans/{id}/summary | Get AI-generated summary |
| POST | /api/scans/{id}/summary | Generate AI summary |
| WS | /api/scans/{id}/ws | Real-time scan progress |

Findings

| Method | Endpoint | Description |
|---|---|---|
| GET | /api/scans/{id}/findings | List findings for a scan |
| GET | /api/scans/{id}/findings/{fid} | Get finding details |
| PATCH | /api/scans/{id}/findings/{fid} | Update finding status |
| DELETE | /api/scans/{id}/findings/{fid} | Delete a finding |
| POST | /api/scans/{id}/findings/{fid}/analyze | AI vulnerability analysis |
| POST | /api/scans/{id}/findings/{fid}/fix | AI-generated fix suggestion |

Dashboard

| Method | Endpoint | Description |
|---|---|---|
| GET | /api/dashboard/stats | Overall statistics |
| GET | /api/dashboard/recent | Recent scans |
| GET | /api/dashboard/trends | Trend data |

Plugins

| Method | Endpoint | Description |
|---|---|---|
| GET | /api/plugins | List all plugins |
| GET | /api/plugins/{id} | Get plugin details |
| POST | /api/plugins/{id}/enable | Enable a plugin |
| POST | /api/plugins/{id}/disable | Disable a plugin |
| POST | /api/plugins/upload | Upload a plugin archive |
| DELETE | /api/plugins/{id} | Delete a plugin |

Settings

| Method | Endpoint | Description |
|---|---|---|
| GET | /api/settings | Get all settings |
| POST | /api/settings/ai | Add AI configuration |
| PUT | /api/settings/ai/{id} | Update AI configuration |
| DELETE | /api/settings/ai/{id} | Delete AI configuration |
| POST | /api/settings/ai/models | Fetch available models |
| POST | /api/settings/ai/test | Test AI connection |

Custom Rules

| Method | Endpoint | Description |
|---|---|---|
| GET | /api/settings/rules | List custom rules |
| POST | /api/settings/rules | Add a custom rule |
| PUT | /api/settings/rules/{id} | Update a custom rule |
| DELETE | /api/settings/rules/{id} | Delete a custom rule |
| POST | /api/settings/rules/test | Test a custom rule |

Plugin System

CodeSentinel supports extensible plugins. Each plugin:

  1. Has a plugin.yaml defining metadata and entry point
  2. Implements PluginInterface (get_info(), get_rules(), analyze())
  3. Returns FindingResult objects for detected vulnerabilities

Builtin plugins: OWASP Top 10, Secret Detection, Dependency Check

To create a custom plugin, place it in plugins/user/ and it will be auto-discovered.
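The three plugin methods listed above, together with the "regex + AST hybrid detection" described at the top of this README, are easiest to understand from a concrete detector. The block below is an added example, not a plugin shipped with CodeSentinel: the names PluginInterface, get_info(), get_rules(), analyze() and FindingResult are taken from this README, but their signatures and the fields of FindingResult are assumptions for the example. To stay runnable offline it uses Python's standard-library ast module in place of tree-sitter. The regex pass cheaply selects candidate lines (any call to execute), and the AST pass keeps only calls whose SQL argument is assembled at runtime (f-string, concatenation with a non-constant, % or .format), which is what separates a parameterised query from an injectable one.

```python
"""Illustrative regex + AST hybrid SQL-injection plugin (added example)."""
from __future__ import annotations

import ast
import re
from dataclasses import dataclass


@dataclass
class FindingResult:
    """Assumed shape of a finding; CodeSentinel's real class may differ."""
    rule_id: str
    line: int
    message: str
    severity: str
    snippet: str


class PluginInterface:
    """Assumed base class with the three methods named in the README."""
    def get_info(self) -> dict:
        raise NotImplementedError

    def get_rules(self) -> list:
        raise NotImplementedError

    def analyze(self, path: str, source: str) -> list:
        raise NotImplementedError


# Stage 1 (regex): any call to .execute( is a candidate worth a closer look.
EXEC_CALL = re.compile(r"\.execute\s*\(")


def _is_dynamic_string(node: ast.AST) -> bool:
    """Stage 2 (AST): is the query argument built at runtime from non-constants?"""
    if isinstance(node, ast.JoinedStr):                      # f"... {name} ..."
        return any(isinstance(v, ast.FormattedValue) for v in node.values)
    if isinstance(node, ast.BinOp):
        if isinstance(node.op, ast.Add):                     # "..." + name
            return not (isinstance(node.left, ast.Constant)
                        and isinstance(node.right, ast.Constant))
        if isinstance(node.op, ast.Mod):                     # "... %s" % name
            return True
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
        return node.func.attr == "format"                    # "... {}".format(name)
    return False


class SqlInjectionPlugin(PluginInterface):
    def get_info(self) -> dict:
        return {"id": "example-sqli", "name": "Example SQLi (regex + AST)", "version": "0.1"}

    def get_rules(self) -> list:
        return [{"id": "SQLI-001", "pattern": EXEC_CALL.pattern, "severity": "high"}]

    def analyze(self, path: str, source: str) -> list:
        lines = source.splitlines()
        candidates = {i + 1 for i, text in enumerate(lines) if EXEC_CALL.search(text)}
        if not candidates:
            return []
        try:
            tree = ast.parse(source, filename=path)
        except SyntaxError:
            # Unparseable file: fall back to regex-only, at reduced confidence.
            return [FindingResult("SQLI-001", n, "execute() call (unverified, regex only)",
                                  "medium", lines[n - 1].strip()) for n in sorted(candidates)]
        findings = []
        for node in ast.walk(tree):
            if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                    and node.func.attr == "execute" and node.lineno in candidates
                    and node.args and _is_dynamic_string(node.args[0])):
                findings.append(FindingResult(
                    "SQLI-001", node.lineno,
                    "SQL query built from runtime values; use a parameterised query",
                    "high", lines[node.lineno - 1].strip()))
        return sorted(findings, key=lambda f: f.line)


# Constructed sample input: one safe call, two injectable ones, one constant join.
SAMPLE_SOURCE = '''\
import sqlite3
def lookup(conn, user_id, name):
    cur = conn.cursor()
    cur.execute("SELECT * FROM users WHERE id = ?", (user_id,))
    cur.execute(f"SELECT * FROM users WHERE name = '{name}'")
    cur.execute("SELECT * FROM users WHERE name = '" + name + "'")
    cur.execute("SELECT * FROM " + "users")
    return cur.fetchall()
'''


def run_sample() -> list:
    """Run the plugin over SAMPLE_SOURCE; expected hits are lines 5 and 6."""
    return SqlInjectionPlugin().analyze("sample.py", SAMPLE_SOURCE)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.rule_id} line {f.line} [{f.severity}]: {f.snippet}")
```

The regex stage alone would flag all four execute calls in the sample, including the correctly parameterised one on line 4; the AST stage is what keeps the false positives out of the findings list. The syntax-error fallback shows the other side of the trade-off: when the parser cannot confirm, the finding is still reported but at a lower severity so reviewers know it was not verified.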

Development

# Install dev dependencies
pip install -e ".[dev]"

# Run unit tests
python -m pytest tests/ -v

# Run a specific test
python -m pytest tests/test_vulnerabilities.py::TestSQLInjection -v

# Start with hot reload
python start.py

License

This project is licensed under the MIT License — see the LICENSE file for details.
