SecureCode Guardian is an intelligent and extensible code review agent for JetBrains IDEs (IntelliJ IDEA, PyCharm, WebStorm, etc.). It provides real-time and on-demand static analysis for security vulnerabilities, compliance violations, and code quality issues with a unique focus on stateful remediation tracking and a dynamic, user-expandable rule engine.
developed as part of a learning project by integrating existing security check rulebase with Claude Code
- OWASP Top 10 Detection: SQL injection, XSS, command injection, and more
- CWE Coverage: Common Weakness Enumeration patterns
- Cryptographic Failures: Detect weak algorithms (MD5, SHA1, DES)
- Secrets Detection: Find hardcoded passwords, API keys, tokens
- API Security: Missing authentication, insecure HTTP, SSRF
Built-in rules mapped to industry standards:
- PCI DSS: Payment Card Industry Data Security Standard
- SOC2: Service Organization Control 2
- OWASP: Open Web Application Security Project
- NIST: National Institute of Standards and Technology
- GDPR: General Data Protection Regulation
- NEW: Vulnerabilities found in current scan only
- PERSISTENT: Vulnerabilities found in both current and previous scans
- CLOSED: Vulnerabilities resolved since last scan
- Track remediation progress over time
- Unique fingerprinting prevents duplicate tracking
- Built-in Rules: 10+ comprehensive security rules
- Custom Rules: Add project-specific rules without recompiling
- YAML-Based: Simple, readable rule format
- Hot Reload: Custom rules loaded automatically from
.securecode/rules/ - Pattern Matching: Regex-based detection (AST and taint analysis planned)
- Tool Window: Dedicated panel for viewing results
- Quick Actions: Run scans via menu, toolbar, or keyboard shortcut (
Ctrl+Shift+S) - Quick Fixes: Automated suggestions for common issues
- JSON Reports: Comprehensive, machine-readable output
- Real-time Feedback: See results immediately after scan
- Open your JetBrains IDE (IntelliJ IDEA, PyCharm, etc.)
- Go to
File > Settings > Plugins - Search for "SecureCode Guardian"
- Click
Install - Restart the IDE
-
Clone this repository:
git clone https://github.com/yourusername/securecode-guardian.git cd securecode-guardian -
Build the plugin:
./gradlew buildPlugin
-
Install from disk:
- Go to
File > Settings > Plugins - Click the gear icon ⚙️ >
Install Plugin from Disk - Select
build/distributions/securecode-guardian-1.0.0.zip - Restart the IDE
- Go to
- Open your project in a JetBrains IDE
- Run a scan using one of these methods:
- Menu:
Tools > SecureCode Guardian > Run SecureCode Scan - Right-click project:
SecureCode Guardian > Run SecureCode Scan - Keyboard:
Ctrl+Shift+S(Windows/Linux) orCmd+Shift+S(Mac)
- Menu:
- View results in the SecureCode Guardian tool window (bottom panel)
The tool window displays:
- Summary Panel: Total vulnerabilities, new/persistent/closed counts, severity breakdown
- Vulnerability Table: Detailed list of findings with file locations and descriptions
- Status Indicators: Each vulnerability marked as NEW, PERSISTENT, or CLOSED
JSON reports are saved to:
- Latest:
.securecode/reports/latest-report.json - Historical:
.securecode/reports/report-{timestamp}.json
- Custom Rule Creation Guide: Learn how to write your own security rules
- Report Format Documentation: Understand the JSON report structure
The plugin includes 10 comprehensive built-in rules:
| Rule ID | Name | Severity | Category | Description |
|---|---|---|---|---|
| SEC-001 | Hardcoded Secrets Detection | Critical | Secrets | Detects passwords, API keys, tokens |
| SEC-002 | SQL Injection | Critical | Injection | String concatenation in SQL queries |
| SEC-003 | Weak Cryptography | High | Cryptography | MD5, SHA1, DES usage |
| SEC-004 | Empty Catch Blocks | Medium | Quality | Exception swallowing |
| SEC-005 | Insecure HTTP | High | API Security | HTTP instead of HTTPS |
| SEC-006 | Command Injection | Critical | Injection | OS command injection |
| SEC-007 | Path Traversal | High | Security | File path manipulation |
| SEC-008 | SSRF | High | Security | Server-side request forgery |
| SEC-009 | Insecure Deserialization | Critical | Security | Unsafe object deserialization |
| SEC-010 | Missing Authentication | High | Authentication | API endpoints without auth |
Create .securecode/rules/my-rule.yaml in your project:
id: CUSTOM-001
name: Detect Unsafe API Usage
description: Detects use of deprecated unsafe API methods
severity: high
category: security
patterns:
- type: regex
pattern: 'UnsafeAPI\.(dangerousMethod|riskyCall)'
fileTypes: ["java", "kt"]
message: "Use of unsafe API method detected"
quickFix:
type: suggest
description: "Replace with SafeAPI equivalent methods"
enabled: true
custom: trueid: CUSTOM-002
name: PII in Logs
description: Detects logging of personally identifiable information
severity: high
category: data_security
compliance:
- framework: gdpr
control: "Art. 32"
requirement: "Security of processing"
- framework: pci_dss
control: "3.4"
requirement: "Protect stored cardholder data"
patterns:
- type: regex
pattern: 'log\.(info|debug)\([^)]*ssn[^)]*\)'
fileTypes: ["java", "kt", "py", "js", "ts"]
message: "Social Security Number being logged"
- type: regex
pattern: 'log\.(info|debug)\([^)]*creditCard[^)]*\)'
fileTypes: ["java", "kt", "py", "js", "ts"]
message: "Credit card information being logged"
quickFix:
type: suggest
description: "Remove PII from logs or implement data redaction"
enabled: trueSee the Custom Rule Creation Guide for complete documentation.
{
"summary": {
"total": 25,
"new": 5,
"persistent": 18,
"closed": 2,
"bySeverity": {
"critical": 3,
"high": 8,
"medium": 10,
"low": 4
}
}
}{
"id": "VULN-1234567890-1234",
"ruleId": "SEC-001",
"severity": "critical",
"status": "new",
"filePath": "/path/to/file.java",
"lineNumber": 42,
"description": "Hardcoded password detected",
"fingerprint": "a1b2c3d4e5f6g7h8"
}See Report Format Documentation for complete schema.
name: Security Scan
on: [push, pull_request]
jobs:
security:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Set up JDK
uses: actions/setup-java@v3
with:
java-version: '17'
- name: Run SecureCode Scan
run: ./gradlew runSecurityScan
- name: Check Critical Issues
run: |
CRITICAL=$(jq '.summary.bySeverity.critical // 0' .securecode/reports/latest-report.json)
if [ "$CRITICAL" -gt 0 ]; then
echo "❌ Found $CRITICAL critical vulnerabilities"
exit 1
fi
- name: Upload Report
uses: actions/upload-artifact@v3
with:
name: security-report
path: .securecode/reports/latest-report.jsonsecurity_scan:
stage: test
script:
- ./gradlew runSecurityScan
- |
CRITICAL=$(jq '.summary.bySeverity.critical // 0' .securecode/reports/latest-report.json)
if [ "$CRITICAL" -gt 0 ]; then
echo "Found $CRITICAL critical vulnerabilities"
exit 1
fi
artifacts:
paths:
- .securecode/reports/
reports:
junit: .securecode/reports/latest-report.jsonRun scans before committing code to catch issues early:
# Add to .git/hooks/pre-commit
./gradlew runSecurityScan || exit 1Automatically scan PRs for security issues:
- Comment on PRs with findings
- Block merges if critical issues found
- Track remediation progress
Generate compliance reports for auditors:
jq '.complianceStatus' .securecode/reports/latest-report.json > compliance-report.jsonTrack security metrics over time:
- Vulnerability trends
- Time to remediation
- Compliance percentage
- Category breakdown
- Java
- Kotlin
- Python
- JavaScript
- TypeScript
- Go
- Ruby
- PHP
- C#
- C/C++
Additional languages can be supported via custom rules.
Create .securecode/config.yaml in your project:
# File patterns to include
includePatterns:
- "**/*.java"
- "**/*.kt"
- "**/*.py"
- "**/*.js"
- "**/*.ts"
# File patterns to exclude
excludePatterns:
- "**/test/**"
- "**/build/**"
- "**/node_modules/**"
- "**/.git/**"
# Minimum severity to report
minSeverity: info # critical, high, medium, low, info
# Enable/disable specific rules
enabledRules: [] # Empty = all rules
disabledRules:
- SEC-004 # Disable empty catch block rule
# Custom rules directory
customRulesPath: .securecode/rulesWe welcome contributions! Here's how you can help:
- Search existing issues first
- Provide detailed reproduction steps
- Include plugin version and IDE version
- Create a new rule following the Custom Rule Guide
- Test thoroughly on sample code
- Submit a pull request with:
- Rule YAML file
- Test cases
- Documentation
- Fork the repository
- Create a feature branch
- Make your changes
- Add tests
- Submit a pull request
See CONTRIBUTING.md for detailed guidelines.
This project is licensed under the Apache License 2.0 - see the LICENSE file for details.
- OWASP: For security vulnerability classifications
- CWE: For common weakness enumeration
- JetBrains: For the excellent IDE platform
- Community: For feedback and contributions
- Documentation: docs/
- Issues: GitHub Issues
- Discussions: GitHub Discussions
- Real-time code analysis (as you type)
- AST-based pattern matching
- Taint analysis for data flow tracking
- Visual Studio Code extension
- More built-in rules
- Machine learning-based detection
- Auto-fix capabilities
- Team collaboration features
- Cloud-based rule sharing
- Integration with SAST tools
Lines of Code: ~5,000 Built-in Rules: 10+ Supported Frameworks: 7 Supported Languages: 10+ Test Coverage: TBD
Made with ❤️ for the security community
SecureCode Guardian - Secure your code, one scan at a time.