// offending code · 3 files flagged · patterns: 15
--- package/package.json (excerpt) ---
{
"name": "ciphernest",
"displayName": "CipherNest",
"description": "AI-aware security scanner for VS Code — code vulnerabilities, LLM risks, secrets, dependencies, MCP & agent security",
"version": "0.8.4",
"publisher": "CipherNestSecure",
"icon": "media/logo.png",
"repository": {
"type": "git",
"url": "git+https://github.com/vmmuthu31/CipherNest.git"
},
"engines": {
"vscode": "^1.85.0"
},
"categories": [
"Linters",
"Other"
],
"keywords": [
"security",
"llm",
"ai",
"secrets",
"vulnerabilities",
"mcp",
"agent"
],
"activationEvents": [
"onStartupFinished"
],
"main": "./out/extension.js",
"contributes": {
"commands": [
{
"command": "ciphernest.scanFile",
"title": "CipherNest: Scan Current File",
"icon": "$(shield)"
},
{
"command": "ciphernest.scanWorkspace",
"title": "CipherNest: Scan Workspace",
"icon": "$(search)"
},
{
"command": "ciphernest.scanDependencies",
"title": "CipherNest: Scan Dependencies",
"icon": "$(package)"
},
{
"command": "ciphernest.simulatePromptAttack",
"title": "CipherNest: Simulate Prompt Attack",
"icon": "$(bug)"
},
{
"command": "ciphernest.showDashboard",
"title": "CipherNest: Show Security Dashboard",
"icon": "$(graph)"
},
{
"command": "ciphernest.showAttackGraph",
--- package/test-fixtures/vulnerable-sample.ts (excerpt) ---
// CipherNest test fixture — intentionally vulnerable code
// DO NOT use in production
import OpenAI from 'openai';
import { AgentExecutor } from 'langchain/agents';
// Fixture line for the secret-detection rules named in the trailing comment: the client is built
// with an API key written as a string literal in source.
// NOTE(review): the value reads like a made-up placeholder — confirm it was never a live
// credential, because this file sits under package/test-fixtures/ and so travels with the package.
// Outside a fixture the key would come from the environment or a secret store, not the repository.
const openai = new OpenAI({ apiKey: 'sk-proj-abc123XYZ789aaabbbcccdddeee' }); // SEC001 + CODE008
// LLM001: user input passed directly to LLM
/**
 * Scanner fixture that chains three unsafe steps in one handler.
 *
 * `userInput` is sent unchanged as the only user message of a chat-completion request.
 * The text of the first returned choice is then passed to `eval()`, assigned to the
 * `innerHTML` of the element with id `output`, and finally returned.
 *
 * Why each step is flagged: whoever controls the prompt can steer the model's reply, so the
 * reply is untrusted data. Executing it gives that party code execution in this context, and
 * writing it as markup gives them script injection in the page.
 *
 * @param userInput Text forwarded as the user message with no filtering or templating.
 * @returns The raw content string of the first completion choice.
 */
async function handleChat(userInput: string) {
const response = await openai.chat.completions.create({
model: 'gpt-4',
messages: [{ role: 'user', content: userInput }], // LLM001
});
// LLM003: executing LLM output
// The `!` only silences the compiler's null check; nothing validates or constrains the reply.
const code = response.choices[0].message.content!;
// Evaluates the model's reply as JavaScript in the current scope.
eval(code); // CODE001 + LLM003
// CODE004: XSS
// Same unescaped reply is parsed as HTML; assigning to textContent would render it as inert text.
document.getElementById('output')!.innerHTML = code; // CODE004
return code;
}
// CODE009: TLS disabled
// NOTE(review): within this excerpt neither binding is used afterwards — `opts` is never handed
// to a request and `tlsAgent` is never modified — so certificate verification is not actually
// switched off here. The lines appear to exist only so the `rejectUnauthorized: false` literal
// is present for the rule to match. In live code that option accepts any server certificate,
// which removes protection against an on-path attacker.
const tlsAgent = require('https').globalAgent;
const opts = { rejectUnauthorized: false }; // CODE009
// CODE010: weak crypto
import { createHash } from 'crypto';
// Hex-encoded MD5 digest of the literal string 'password'. MD5 is collision-broken, and any
// fast unsalted digest is unsuitable for storing passwords; a salted password-hashing function
// (for example `scrypt` from the same module) is the appropriate primitive for that purpose.
const hash = createHash('md5').update('password').digest('hex'); // CODE010
// LLM006: agent with shell tool
// Builds an AgentExecutor whose tool list contains a shell tool and a SQL database tool, with
// `maxIterations` explicitly set to undefined. The risk being modelled is an agent that can run
// commands and queries chosen by model output, with no explicit bound on how many steps it takes.
// NOTE(review): `ShellTool` and `SQLDatabase` are not imported in this excerpt and no agent is
// supplied, so this is presumably pattern-matching input rather than runnable code — confirm.
// NOTE(review): whether an undefined `maxIterations` means "unbounded" or "library default"
// depends on the library version; verify before relying on AGENT003's wording.
const executor = new AgentExecutor({
tools: [new ShellTool(), new SQLDatabase()], // LLM006, LLM008
maxIterations: undefined, // AGENT003
});
// LLM011: agent without restrictions
// Calls `initialize_agent` with only a tool list and a model, i.e. no allow-list, iteration cap
// or other limiting option is passed at the call site.
// NOTE(review): `initialize_agent`, `tools` and `llm` are not defined or imported anywhere in
// this excerpt, so the line cannot run as shown; it looks like a textual trigger for the rule.
const agent = initialize_agent(tools, llm); // LLM011
// CODE015: CORS wildcard
// Sets the Access-Control-Allow-Origin response header to '*', which lets a page from any origin
// read the response to a non-credentialed cross-origin request. An explicit allow-list of
// origins is the narrower alternative when the endpoint returns anything sensitive.
// NOTE(review): `res` is not declared in this excerpt; the statement has no enclosing handler.
res.setHeader('Access-Control-Allow-Origin', '*'); // CODE015
--- package/src/extension.ts (excerpt) ---
import * as vscode from 'vscode';
import { SecurityEngine } from './scanner/index';
import { SecurityEngine as CoreEngine } from '@ciphernest/core';
import { scanDependencies } from './scanner/dependencyScanner';
import { scanInstalledExtensions } from './scanner/extensionScanner';
import { DiagnosticsManager } from './ui/diagnostics';
import { FindingsTreeProvider } from './ui/findingsTreeProvider';
import { SecurityCodeLensProvider } from './ui/securityCodeLens';
import { SecurityFileDecorationProvider } from './ui/fileDecorations';
import { DashboardPanel } from './ui/dashboardPanel';
import { PromptAttackPanel } from './ui/promptAttackPanel';
import { NpmShieldPanel } from './ui/panels/npmShieldPanel';
import { AgentPermissionMapPanel } from './ui/panels/agentPermissionMapPanel';
import { SecretJourneyPanel } from './ui/panels/secretJourneyPanel';
import { ShipCheckPanel } from './ui/panels/shipCheckPanel';
import { BackgroundScanner } from './daemon/backgroundScanner';
import { FindingTriageStore } from './triage/suppressionStore';
import { AuditLogger } from './audit/auditLog';
import { PolicyEngine } from './policy/policyEngine';
import { SecurityMemoryStore } from './memory/securityMemory';
import { AutoFixProvider } from './autofix/autoFixEngine';
import { AttackSurfaceMapPanel } from './ui/panels/attackSurfaceMapPanel';
import { ScoreViewProvider } from './ui/scoreViewProvider';
import { writeSbomFile, generateSbom } from './sbom/sbomGenerator';
import { Finding } f