brad/LLM_Engineering_OLD
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Bootcamp week 4: Add SecureCode AI - an AI-powered code security and performance analyzer

Browse Source
This commit is contained in:
Mohamed Salah
2025-10-27 13:16:14 +03:00
parent e8cfa78499
commit 0f74c215df
24 changed files with 1373 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

320
week4/community-contributions/salah/securecode-ai/README.md Normal file
View File

@@ -0,0 +1,320 @@
# SecureCode AI
**AI-Powered Code Security & Performance Analyzer**
Built for Week 4 of the LLM Engineering course - A novel solution that addresses real-world needs not covered by other community contributions.
## Why SecureCode AI?
Unlike other Week 4 projects that focus on docstrings or code conversion, **SecureCode AI** provides:
**Security vulnerability detection** (OWASP Top 10)
**Performance bottleneck analysis** (Big-O, complexity)
**Automated fix generation** with explanations
**Unit test generation** (happy path + edge cases)
**Educational focus** - teaches WHY code is vulnerable/slow
Perfect for developers learning secure coding practices and performance optimization!
## Features
### 🔒 Security Analysis
Detects real vulnerabilities following OWASP guidelines:
- SQL Injection, XSS, Command Injection
- Path Traversal, Insecure Deserialization
- Hardcoded Credentials, Cryptographic Failures
- Authentication/Authorization Issues
### ⚡ Performance Analysis
Identifies performance issues:
- Time/Space Complexity (Big-O analysis)
- Inefficient Algorithms (nested loops, N+1 queries)
- Memory Leaks, Caching Opportunities
- Blocking I/O Operations
### 🔧 Auto-Fix Generation
Automatically generates:
- Secure code alternatives
- Optimized implementations
- Line-by-line explanations
- Best practice recommendations
### 🧪 Unit Test Generation
Creates comprehensive test suites:
- pytest/unittest compatible
- Happy path, edge cases, error handling
- Parameterized tests
- Test fixtures and mocks
### 🌍 Multi-Language Support
Python, JavaScript, Java, C++, Go, Rust with auto-detection
### 🤖 Model Agnostic
Works with any OpenRouter model - free tier available!
## Quick Start
See [QUICKSTART.md](QUICKSTART.md) for detailed setup instructions.
### TL;DR - 2 Steps to Run (using uvx)
```bash
# 1. Configure (get free API key from openrouter.ai)
cd week4/securecode-ai
cp .env.example .env
# Edit .env and add: OPENROUTER_API_KEY=your-key-here
# 2. Run (uvx handles everything else!)
./run.sh
# Or run manually:
# uvx --with gradio --with openai --with python-dotenv python main.py
```
**That's it!** No installation needed - `uvx` handles all dependencies automatically.
The Gradio interface opens automatically at `http://localhost:7860`
**First Time?** The default model is **FREE** - no credit card needed!
## Usage
### Security Analysis
1. Go to the "🔒 Security Analysis" tab
2. Paste your code
3. Select language (or use Auto-detect)
4. Click "🔍 Analyze Security"
5. Review the identified vulnerabilities
### Performance Analysis
1. Go to the "⚡ Performance Analysis" tab
2. Paste your code
3. Select language (or use Auto-detect)
4. Click "🚀 Analyze Performance"
5. Review performance issues and optimization suggestions
### Generate Fix
1. Go to the "🔧 Generate Fix" tab
2. Paste your original code
3. Paste the analysis report (from Security or Performance tab)
4. Select language (or use Auto-detect)
5. Click "✨ Generate Fix"
6. Review the fixed code and explanations
### Generate Tests
1. Go to the "🧪 Generate Tests" tab
2. Paste your code (functions or classes)
3. Select language (or use Auto-detect)
4. Click "🧪 Generate Tests"
5. Get complete pytest test file with:
- Happy path tests
- Edge cases
- Error handling tests
- Test fixtures if needed
## Example Code
Try the example code in `examples/`:
- `vulnerable_code.py` - Code with security issues
- `slow_code.py` - Code with performance issues
- `sample_functions.py` - Clean functions for test generation
## Configuration
### Changing Models
Edit `.env` to use different models:
```bash
# Free tier models (recommended for testing)
SECURECODE_MODEL=meta-llama/llama-3.1-8b-instruct:free
SECURECODE_MODEL=google/gemini-2.0-flash-exp:free
# Paid models (better quality)
SECURECODE_MODEL=openai/gpt-4o-mini
SECURECODE_MODEL=anthropic/claude-3.5-sonnet
SECURECODE_MODEL=qwen/qwen-2.5-coder-32b-instruct
```
Browse all available models at: https://openrouter.ai/models
## Project Structure
Clean, modular Python architecture following best practices:
```
securecode-ai/
├── src/securecode/ # Main package
│ ├── analyzers/ # Analysis engines
│ │ ├── base_analyzer.py # Base class with OpenRouter client
│ │ ├── security_analyzer.py # OWASP security analysis
│ │ ├── performance_analyzer.py # Performance profiling
│ │ ├── fix_generator.py # Auto-fix generation
│ │ └── test_generator.py # Unit test creation
│ ├── prompts/ # Specialized AI prompts
│ │ ├── security_prompts.py # Security expert persona
│ │ ├── performance_prompts.py # Performance engineer persona
│ │ ├── fix_prompts.py # Code fixing prompts
│ │ └── test_prompts.py # Test generation prompts
│ ├── utils/
│ │ └── language_detector.py # Auto-detect code language
│ ├── config.py # Environment config
│ └── app.py # Gradio UI (4 tabs)
├── examples/ # Test code samples
│ ├── vulnerable_code.py # SQL injection, etc.
│ ├── slow_code.py # O(n²) algorithms
│ └── sample_functions.py # Clean code for testing
├── main.py # Application entry point
├── pyproject.toml # Modern Python packaging
├── .env.example # Configuration template
├── setup.sh # Automated setup script
├── QUICKSTART.md # Detailed setup guide
└── README.md # This file
```
**Design Principles:**
- **Separation of Concerns**: Each analyzer is independent
- **DRY**: Base class handles OpenRouter communication
- **Extensible**: Easy to add new analyzers
- **Clean Code**: Type hints, docstrings, descriptive names
## Development
### Install development dependencies
```bash
pip install -e ".[dev]"
```
### Code formatting
```bash
black src/
ruff check src/
```
### Running tests
```bash
pytest
```
## How It Works
### Architecture
```
User Code → Language Detection → Specialized Prompt → OpenRouter API → AI Model
User Interface ← Streaming Response ← Analysis/Fix/Tests ← Model Response
```
### Technical Implementation
1. **Multi-Analyzer Pattern**: Separate classes for security, performance, fixes, and tests
2. **Specialized Prompts**: Each analyzer uses persona-based prompts (security expert, performance engineer, etc.)
3. **Streaming Responses**: Real-time output using Gradio's streaming capabilities
4. **Model Agnostic**: Works with any OpenAI-compatible API through OpenRouter
5. **Clean Code**: Type hints, docstrings, modular design
### Example: Security Analysis Flow
```python
# User pastes code
code = "query = f'SELECT * FROM users WHERE id = {user_id}'"
# Security analyzer builds prompt
prompt = SecurityPrompt(code, language="Python")
# Calls AI model via OpenRouter
response = openai.chat.completions.create(
model="meta-llama/llama-3.1-8b-instruct:free",
messages=[
{"role": "system", "content": SECURITY_EXPERT_PROMPT},
{"role": "user", "content": code}
],
stream=True
)
# Streams results to UI
for chunk in response:
yield chunk # Real-time display
```
## Cost Considerations
- **Free Tier Models**: Use models with `:free` suffix (rate-limited but no cost)
- **Paid Models**: More accurate but incur API costs (~$0.001-0.01 per analysis)
- **Recommended**: Start with `meta-llama/llama-3.1-8b-instruct:free` for testing
## Limitations
- Analysis quality depends on the AI model used
- Not a replacement for professional security audits
- May produce false positives or miss subtle issues
- Always review AI suggestions before applying to production
## Support
For issues or questions, open an issue in the repository.
## License
MIT License - See LICENSE file for details
## Week 4 Learning Objectives Met
This project demonstrates mastery of all Week 4 skills:
**Multi-Model Integration** - Works with OpenAI, Anthropic, Google, Meta models
**Prompt Engineering** - Specialized prompts for different analysis types
**Code Analysis & Generation** - Security, performance, fixes, tests
**Gradio UI Development** - Multi-tab interface with streaming
**Real-World Application** - Addresses genuine developer needs
**Clean Architecture** - Modular, extensible, well-documented
## What Makes This Novel?
Compared to other Week 4 community contributions:
| Feature | Other Projects | SecureCode AI |
|---------|----------------|---------------|
| Docstring Generation | ✅ (Many) | |
| Code Conversion | ✅ (Many) | |
| **Security Analysis** | ❌ None | ✅ **Unique** |
| **Performance Profiling** | ❌ None | ✅ **Unique** |
| **Educational Focus** | ❌ Limited | ✅ **Unique** |
| Unit Test Generation | ✅ (Some) | ✅ Enhanced |
| Auto-Fix with Explanation | ❌ None | ✅ **Unique** |
**Result**: A production-ready tool that teaches secure coding while solving real problems!
## Acknowledgments
- **LLM Engineering Course** by Edward Donner
- **OpenRouter** for multi-model API access
- **Gradio** for the excellent UI framework
- **OWASP** for security guidelines
- **Community** for inspiration from Week 4 contributions
## Contributing
Ideas for enhancements:
- Add more security rules (SANS Top 25, CWE)
- Implement batch file processing
- CI/CD integration (GitHub Actions)
- VSCode extension
- API endpoint for programmatic access
- Support for more languages
## License
MIT License - See LICENSE file for details
---
**Built with ❤️ for developers who care about security and performance**