VitorLourenco/codeslick-cli

@codeslick/cli

CodeSlick CLI - Pre-commit security scanner for JavaScript, TypeScript, Python, Java, Go, and Terraform.

Catch security vulnerabilities before they enter your codebase with automated pre-commit scanning.

Features

  • Local Security Scanning - No API calls required, fully offline
  • Pre-commit Hook Integration - Automatically scans staged files before each commit
  • Fast Analysis - <3s for 10 files using CodeSlick's analyzer engine
  • Multi-language Support - JavaScript, TypeScript, Python, Java, Go, Terraform
  • IaC Security - Detects AWS misconfigurations in Terraform (S3, IAM, and more)
  • Configurable Thresholds - Block commits on CRITICAL, HIGH, MEDIUM, or LOW severity
  • Beautiful Terminal Output - Color-coded results with CVSS scores and fix suggestions
  • CI/CD Ready - JSON output mode for automation
  • OWASP Top 10:2025 Compliant - 304 comprehensive security checks

Prerequisites

Git is required - CodeSlick CLI works with any git repository (local or remote):

# Initialize git in your project (if not already done)
git init

Note: You do NOT need GitHub, GitLab, or any remote hosting. CodeSlick works with local git repositories, GitHub repositories, GitLab, Bitbucket, or any git-based workflow.

System Requirements:

  • Node.js 18.0.0 or higher
  • Git (any version)
  • macOS, Linux, or Windows

Installation

Option 1: Use npx (Recommended - No Installation Required)

Run CodeSlick directly without installation:

npx codeslick-cli --help
npx codeslick-cli init
npx codeslick-cli scan

Benefits:

  • ✅ No permission issues
  • ✅ Always runs latest version
  • ✅ Works on all systems
  • ✅ No global pollution

Option 2: Global Installation

npm install -g codeslick-cli

After installation, you can use either codeslick or the shorter alias cs:

codeslick --version
# or
cs --version

Both commands work identically. Use cs for faster typing!

Note: On macOS/Linux, you may encounter permission errors. See Troubleshooting for solutions.

Option 3: Local Installation (Per Project)

npm install --save-dev codeslick-cli
npx codeslick-cli init

Quick Start

1. Make Sure You Have Git Initialized

cd your-project/

# If not already a git repository, initialize it first:
git init

2. Initialize CodeSlick in Your Repository

npx codeslick-cli init
# or if you installed globally:
codeslick init  # or: cs init

This will:

  • Create .codeslick.json configuration file
  • Install pre-commit hook in .git/hooks/
  • Configure automatic scanning

3. Configure Severity Threshold (Optional)

npx codeslick-cli config set severity critical  # Block only CRITICAL issues
npx codeslick-cli config set severity high      # Block HIGH+ issues (recommended)
npx codeslick-cli config set severity medium    # Block MEDIUM+ issues (default)

4. Commit as Usual

git add .
git commit -m "Add new feature"

CodeSlick will automatically scan staged files. If vulnerabilities are found that meet your severity threshold, the commit will be blocked.

Commands

codeslick init

Initialize CodeSlick in your repository.

Usage:

codeslick init [options]

Options:

  • --force, -f - Force re-initialization (overwrite existing config)
  • --severity, -s <level> - Set default severity threshold (critical|high|medium|low)

Examples:

codeslick init                    # Initialize with defaults
codeslick init --force            # Overwrite existing configuration
codeslick init --severity high    # Initialize with HIGH severity threshold

codeslick scan

Scan files for security vulnerabilities.

Usage:

codeslick scan [files...] [options]

Options:

  • --all, -a - Scan all files in repository (overrides default staged-only behavior)
  • --quick, -q - Quick scan - skip deep TypeScript type checking for speed
  • --verbose, -v - Show all issues including MEDIUM and LOW (default: HIGH+ only)
  • --severity, -s <level> - Override severity threshold (critical|high|medium|low)
  • --fix - Auto-apply fixes where possible (experimental)
  • --json - Output results as JSON (for CI/CD)
  • --verify - NEW: Run security scan + tests (combined pass/fail) ⭐
  • --test-command <cmd> - Custom test command (e.g., "npm test", "pytest")

Default Behavior: Scans only staged files for fast pre-commit feedback.

Examples:

codeslick scan                    # Scan staged files (default)
codeslick scan --all              # Scan entire repository
codeslick scan --quick            # Fast scan (skip TypeScript type checking)
codeslick scan --verbose          # Show all issues (including MEDIUM/LOW)
codeslick scan src/**/*.js        # Scan specific files/patterns
codeslick scan --json             # JSON output (for CI/CD)
codeslick scan --severity high    # Temporarily override threshold

# NEW: Test Execution Integration (v1.3)
codeslick scan --verify           # Run security scan + tests (both must pass)
codeslick scan --verify --test-command "pytest --cov"  # Custom test command

codeslick config

Manage CodeSlick configuration.

Usage:

codeslick config <action> [key] [value]

Actions:

  • list - Display all configuration values
  • get <key> - Get a specific configuration value
  • set <key> <value> - Set a configuration value

Configuration Keys:

  • severity - Severity threshold (critical|high|medium|low)
  • autofix - Enable/disable auto-fix (true|false)
  • languages - Comma-separated list of languages
  • exclude - Comma-separated list of exclude patterns

Examples:

codeslick config list                        # Show all config
codeslick config get severity                # Get current severity
codeslick config set severity critical       # Set severity to CRITICAL only
codeslick config set autofix true            # Enable auto-fix
codeslick config set languages js,ts,py      # Enable only JS, TS, Python

Command Aliases

If installed globally, you can use the shorter cs alias:

Long Command          Short Alias     Description
codeslick init        cs init         Initialize CodeSlick
codeslick scan        cs scan         Scan files
codeslick config      cs config       Manage config
codeslick auth        cs auth         Authenticate
codeslick --help      cs --help       Show help
codeslick --version   cs --version    Show version

Examples (global installation only):

# These only work after global installation:
codeslick scan --staged
cs scan --staged

# If using npx, use:
npx codeslick-cli scan --staged

Note: The codeslick and cs commands only work after global installation. If using npx, always use npx codeslick-cli <command>.

Configuration

The .codeslick.json file controls how CodeSlick scans your code.

Default Configuration

The v1.3 pass/fail threshold keys and the v1.3 test-execution keys are listed last. JSON does not allow comments, so keep annotations out of the file itself.

{
  "version": "1.0",
  "severity": "critical",
  "autofix": false,
  "exclude": [
    "node_modules/**",
    "dist/**",
    "build/**",
    "coverage/**",
    "**/*.test.{js,ts}",
    "**/*.spec.{js,ts}",
    "**/test/**",
    "**/tests/**"
  ],
  "languages": ["javascript", "typescript", "python", "java", "go", "terraform"],
  "thresholdEnabled": true,
  "thresholdBlockCritical": true,
  "thresholdBlockHigh": false,
  "thresholdMaxVulnerabilities": 50,
  "thresholdMaxEpss": 70,
  "thresholdExemptPaths": ["**/__tests__/**", "vendor/**"],
  "testCommand": "npm test",
  "testTimeout": 300000
}

Configuration Reference

Key                          Type      Default      Description
version                      string    "1.0"        Configuration version (do not modify)
severity                     string    "critical"   Severity threshold: critical, high, medium, low
autofix                      boolean   false        Enable auto-fix (experimental)
exclude                      string[]  See above    Glob patterns to exclude from scanning
languages                    string[]  All          Languages to scan: javascript, typescript, python, java, go, terraform
telemetry                    boolean   true         Enable anonymous usage analytics

Thresholds (v1.3)
thresholdEnabled             boolean   true         Enable pass/fail threshold enforcement
thresholdBlockCritical       boolean   true         Block on CRITICAL vulnerabilities
thresholdBlockHigh           boolean   false        Block on HIGH severity vulnerabilities
thresholdMaxVulnerabilities  number    50           Max total vulnerabilities allowed
thresholdMaxEpss             number    70           Max EPSS score (0-100, exploitability %)
thresholdExemptPaths         string[]  []           Glob patterns exempt from thresholds

Test Execution (v1.3)
testCommand                  string    Auto-detect  Test command to run with --verify flag
testTimeout                  number    300000       Test execution timeout (milliseconds)

Severity Thresholds

Threshold   Blocks On                  Use Case
critical    CRITICAL only              Minimum protection (fastest)
high        CRITICAL + HIGH            Recommended for most projects
medium      CRITICAL + HIGH + MEDIUM   Strict security requirements
low         All issues                 Maximum security (slowest)
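The severity ladder and the v1.3 threshold keys act on the same set of findings, and it is easy to lose track of which rule blocked a commit. The block below is an added example, not CodeSlick's own code: it applies both mechanisms to a constructed list of findings using the configuration keys documented above, honouring thresholdExemptPaths with a small glob matcher. The finding shape ({ path, severity, epss }) is an assumption, as is the rule that any triggered check blocks; the README does not document the scanner's JSON output format or how the two mechanisms are combined. The same gate is what a CI step would run over a saved results file.

```javascript
// Added example (not CodeSlick's own code). Applies the .codeslick.json
// threshold keys documented in the README to a list of findings.
// ASSUMPTION: a finding is { path, severity, epss } with severity in
// CRITICAL/HIGH/MEDIUM/LOW and epss as a 0-100 percentage.

const SEVERITY_RANK = { CRITICAL: 4, HIGH: 3, MEDIUM: 2, LOW: 1 };

// Default values as listed in the README's configuration reference.
const DEFAULT_CONFIG = {
  severity: "critical",
  thresholdEnabled: true,
  thresholdBlockCritical: true,
  thresholdBlockHigh: false,
  thresholdMaxVulnerabilities: 50,
  thresholdMaxEpss: 70,
  thresholdExemptPaths: ["**/__tests__/**", "vendor/**"],
};

// Minimal glob matcher for exempt paths: "**/" spans zero or more directory
// segments, a trailing "**" matches the rest, "*" and "?" stay within a segment.
function globToRegExp(glob) {
  let re = "";
  for (let i = 0; i < glob.length; i++) {
    const c = glob[i];
    if (c === "*" && glob[i + 1] === "*") {
      if (glob[i + 2] === "/") { re += "(?:.*/)?"; i += 2; }
      else { re += ".*"; i += 1; }
    } else if (c === "*") {
      re += "[^/]*";
    } else if (c === "?") {
      re += "[^/]";
    } else {
      re += c.replace(/[.+^${}()|[\]\\]/g, "\\$&");
    }
  }
  return new RegExp("^" + re + "$");
}

function isExempt(path, exemptPaths) {
  return exemptPaths.some((g) => globToRegExp(g).test(path));
}

// The "severity" ladder from the Severity Thresholds table: a finding blocks
// when it is at least as severe as the configured threshold.
function blockedBySeverity(finding, threshold) {
  return SEVERITY_RANK[finding.severity] >= SEVERITY_RANK[threshold.toUpperCase()];
}

// Returns { pass, counted, exempted, reasons }. ASSUMPTION: any triggered
// rule blocks; the README does not say how CodeSlick combines the rules.
function evaluate(findings, config) {
  const exempt = config.thresholdExemptPaths || [];
  const counted = findings.filter((f) => !isExempt(f.path, exempt));
  const reasons = [];

  const over = counted.filter((f) => blockedBySeverity(f, config.severity));
  if (over.length > 0) {
    reasons.push(`${over.length} finding(s) at or above ${config.severity.toUpperCase()}`);
  }

  if (config.thresholdEnabled) {
    const critical = counted.filter((f) => f.severity === "CRITICAL").length;
    const high = counted.filter((f) => f.severity === "HIGH").length;
    const maxEpss = Math.max(0, ...counted.map((f) => f.epss ?? 0));
    if (config.thresholdBlockCritical && critical > 0) reasons.push(`${critical} CRITICAL finding(s)`);
    if (config.thresholdBlockHigh && high > 0) reasons.push(`${high} HIGH finding(s)`);
    if (counted.length > config.thresholdMaxVulnerabilities) {
      reasons.push(`${counted.length} findings exceed thresholdMaxVulnerabilities=${config.thresholdMaxVulnerabilities}`);
    }
    if (maxEpss > config.thresholdMaxEpss) {
      reasons.push(`EPSS ${maxEpss}% exceeds thresholdMaxEpss=${config.thresholdMaxEpss}`);
    }
  }

  return { pass: reasons.length === 0, counted: counted.length, exempted: findings.length - counted.length, reasons };
}

// Constructed sample findings (not real scanner output).
const SAMPLE_FINDINGS = [
  { path: "src/db.js", severity: "HIGH", epss: 12 },
  { path: "src/render.js", severity: "MEDIUM", epss: 3 },
  { path: "src/__tests__/db.test.js", severity: "CRITICAL", epss: 90 }, // exempt by default
  { path: "vendor/lib.js", severity: "CRITICAL", epss: 80 },           // exempt by default
];

// Mirror the CLI contract: exit 0 only when the gate passes.
function gateExitCode(findings, config) {
  return evaluate(findings, config).pass ? 0 : 1;
}

console.log(JSON.stringify(evaluate(SAMPLE_FINDINGS, DEFAULT_CONFIG), null, 2));
```

With the defaults the two CRITICAL findings are exempted by path and the gate passes; switching severity to "high" blocks on the HIGH finding in src/db.js, and emptying thresholdExemptPaths makes the CRITICAL and EPSS rules fire as well. Path exemptions are deliberately applied before any counting, which is the behaviour the thresholdExemptPaths description implies.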

Security Checks

CodeSlick CLI uses the same analysis engine as the GitHub App and WebTool.

Coverage by Language

Language     Security Checks   Key Detections
JavaScript   28 checks         SQL injection, XSS, eval(), dangerous APIs
TypeScript   56 checks         Type errors, property validation, AI code
Python       47 checks         Django/Flask security, pickle, exec(), secrets
Java         32 checks         Log4j, Spring Security, SQL injection, deserialization
Go           26 checks         SQL injection, command injection, TLS misconfig, race conditions
Terraform    10 checks         S3 public ACL, IAM wildcards, encryption, versioning, logging

Total: 304 comprehensive security checks

OWASP Top 10:2025 Compliance

CodeSlick CLI is 95% compliant with OWASP Top 10:2025:

  • A01:2025 - Broken Access Control
  • A02:2025 - Cryptographic Failures
  • A03:2025 - Injection
  • A04:2025 - Insecure Design
  • A05:2025 - Security Misconfiguration
  • A06:2025 - Vulnerable and Outdated Components
  • A07:2025 - Identification and Authentication Failures
  • A08:2025 - Software and Data Integrity Failures
  • A09:2025 - Security Logging and Monitoring Failures
  • A10:2025 - Server-Side Request Forgery (SSRF)

CI/CD Integration

Use CodeSlick CLI in your CI/CD pipeline with JSON output mode.

GitHub Actions

name: Security Scan
on: [push, pull_request]

jobs:
  codeslick:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-node@v3
        with:
          node-version: 18

      # Option 1: Security scan only
      - run: npx codeslick-cli scan --json > results.json

      # Option 2: Security scan + tests (v1.3) ⭐
      - run: npx codeslick-cli scan --verify

      - uses: actions/upload-artifact@v3
        if: always()
        with:
          name: codeslick-results
          path: results.json

GitLab CI

codeslick:
  image: node:18
  script:
    - npx codeslick-cli scan --json > results.json
  artifacts:
    when: always
    paths:
      - results.json

Jenkins

pipeline {
  agent any
  stages {
    stage('Security Scan') {
      steps {
        sh 'npx codeslick-cli scan --json > results.json'
      }
    }
  }
  post {
    always {
      archiveArtifacts artifacts: 'results.json'
    }
  }
}

Skipping the Pre-commit Hook

If you need to commit without scanning (not recommended):

git commit --no-verify -m "Emergency hotfix"

Or temporarily disable:

rm .git/hooks/pre-commit
# Make your commits
codeslick init --force  # Re-install hook

Troubleshooting

"Not a git repository" error

Problem: Running codeslick init in a non-git directory.

Why this happens: CodeSlick CLI requires git to:

  • Install pre-commit hooks in .git/hooks/ directory
  • Track staged files for scanning
  • Work with your existing git workflow

Solution: Initialize git first:

# Initialize git in your project
git init

# Now run CodeSlick init
npx codeslick-cli init

Note: You do NOT need GitHub or any remote repository. CodeSlick works with local git repositories.

"No staged files to scan" message

Problem: Running codeslick scan with no staged files.

Why this happens: By default, CodeSlick scans only staged files for fast pre-commit feedback.

Solutions:

# Option 1: Stage files first
git add <files>
codeslick scan

# Option 2: Scan entire repository
codeslick scan --all

# Option 3: Scan specific path
codeslick scan src/

Pre-commit hook not running

Problem: Hook installed but not executing.

Solution: Ensure hook is executable (Unix):

chmod +x .git/hooks/pre-commit

Solution: Re-install hook:

codeslick init --force

"EACCES: permission denied" error on macOS/Linux

Problem: Permission denied when installing globally:

npm error code EACCES
npm error syscall mkdir
npm error path /usr/local/lib/node_modules/codeslick-cli

✅ Solution 1 - Use npx (Recommended - No installation needed):

npx codeslick-cli --help
npx codeslick-cli init
npx codeslick-cli scan

Solution 2 - Fix npm permissions (Best long-term):

mkdir ~/.npm-global
npm config set prefix '~/.npm-global'
echo 'export PATH=~/.npm-global/bin:$PATH' >> ~/.zshrc
source ~/.zshrc
npm install -g codeslick-cli

Solution 3 - Use sudo (Not recommended):

sudo npm install -g codeslick-cli

"Command not found: codeslick" error

Problem: CLI not installed globally or not in PATH.

Solution: Install globally:

npm install -g codeslick-cli

Solution: Use npx (no install required):

npx codeslick-cli init
npx codeslick-cli scan

Slow scanning performance

Problem: Scanning takes >5s for small projects.

Solution: Exclude unnecessary directories:

codeslick config set exclude "node_modules/**,dist/**,coverage/**"

Too many false positives

Problem: Legitimate code flagged as vulnerable.

Solution: Adjust severity threshold:

codeslick config set severity high  # Only block HIGH+ issues

Solution: Exclude specific files:

codeslick config set exclude "test/**,migrations/**"

Performance

Typical scan times on a 2020 MacBook Pro:

Files   Languages   Time
10      Mixed       <3s
50      Mixed       <10s
100     Mixed       <20s
500     Mixed       <60s

Contributing

We welcome contributions! Please see CONTRIBUTING.md for guidelines.

License

MIT License - see LICENSE for details.

Support

What's New in v1.4 🚀

Terraform IaC Security Scanning (February 2026)

  • Terraform Language Support - Full Infrastructure as Code security analysis
  • 10 AWS Security Checks - S3 buckets (public ACL, encryption, versioning, logging) + IAM policies (wildcard actions/resources, privilege escalation)
  • Multiline HCL Parsing - Correctly handles multiline jsonencode() and nested objects
  • OWASP A01:2021 Compliance - Detects Broken Access Control in cloud infrastructure
  • Pre-commit IaC Validation - Block insecure Terraform before deployment
  • 304 Total Security Checks - Now supporting 6 languages

Example:

cs scan infrastructure/*.tf
# ✖ CRITICAL: S3 bucket has public ACL: "public-read"
# ✖ CRITICAL: IAM policy allows wildcard actions (Action: "*")
# ⚠ HIGH: S3 bucket does not have encryption enabled
# Exit code: 1 (blocked - 3 critical issues)

Detected Terraform Vulnerabilities

Check                      Severity   OWASP      Description
S3 Public ACL              CRITICAL   A01:2021   Detects acl = "public-read"
S3 Encryption              HIGH       A02:2021   Missing server-side encryption
S3 Versioning              MEDIUM     A09:2021   No versioning enabled
S3 Logging                 MEDIUM     A09:2021   No access logs
IAM Wildcard Actions       CRITICAL   A01:2021   Action = "*" detected
IAM Wildcard Resources     HIGH       A01:2021   Resource = "*" detected
IAM Admin Policy           CRITICAL   A01:2021   AdministratorAccess equivalent
IAM Privilege Escalation   CRITICAL   A01:2021   Can grant self permissions
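To make the table concrete, here is an added example, not CodeSlick's own checker, implementing four of these detections (S3 public ACL, missing S3 encryption, IAM wildcard Action, IAM wildcard Resource) over constructed HCL. It splits a .tf file into resource blocks by brace matching rather than parsing HCL properly, so it assumes balanced braces and ignores braces inside strings; resource and attribute names are the standard AWS provider ones, and the sample infrastructure is invented for the demo. It also handles the caveat a practitioner hits first: with newer AWS provider versions the encryption settings may live in a separate aws_s3_bucket_server_side_encryption_configuration resource, so the check looks for one before flagging the bucket.

```javascript
// Added example (not CodeSlick's own checker): four of the Terraform checks
// from the table above, implemented as regex tests over resource bodies.
// ASSUMPTIONS: braces are balanced and braces inside strings are ignored;
// resource/attribute names follow the AWS provider; SAMPLE_TF is constructed.

const TF_CHECKS = [
  {
    id: "S3_PUBLIC_ACL", severity: "CRITICAL", owasp: "A01:2021",
    applies: (type) => type === "aws_s3_bucket" || type === "aws_s3_bucket_acl",
    test: (r) => /\bacl\s*=\s*"public-read(?:-write)?"/.test(r.body),
    message: "S3 bucket has public ACL",
  },
  {
    id: "S3_NO_ENCRYPTION", severity: "HIGH", owasp: "A02:2021",
    applies: (type) => type === "aws_s3_bucket",
    // Inline block (older provider) or a separate SSE resource pointing at this bucket.
    test: (r, all) =>
      !/server_side_encryption_configuration\s*\{/.test(r.body) &&
      !all.some((o) => o.type === "aws_s3_bucket_server_side_encryption_configuration" &&
                       o.body.includes(`aws_s3_bucket.${r.name}.`)),
    message: "S3 bucket does not have encryption enabled",
  },
  {
    id: "IAM_WILDCARD_ACTION", severity: "CRITICAL", owasp: "A01:2021",
    applies: (type) => type.startsWith("aws_iam_"),
    // Matches HCL attributes (Action = "*"), jsonencode objects and heredoc JSON ("Action": "*").
    test: (r) => /"?Action"?\s*[=:]\s*\[?\s*"\*"/.test(r.body),
    message: 'IAM policy allows wildcard actions (Action: "*")',
  },
  {
    id: "IAM_WILDCARD_RESOURCE", severity: "HIGH", owasp: "A01:2021",
    applies: (type) => type.startsWith("aws_iam_"),
    test: (r) => /"?Resource"?\s*[=:]\s*\[?\s*"\*"/.test(r.body),
    message: 'IAM policy allows wildcard resources (Resource: "*")',
  },
];

// Split a .tf file into { type, name, body } resource blocks by brace matching.
function parseResources(hcl) {
  const resources = [];
  const header = /resource\s+"([^"]+)"\s+"([^"]+)"\s*\{/g;
  let m;
  while ((m = header.exec(hcl)) !== null) {
    const open = m.index + m[0].length - 1; // index of the opening "{"
    let depth = 0;
    let i = open;
    for (; i < hcl.length; i++) {
      if (hcl[i] === "{") depth++;
      else if (hcl[i] === "}" && --depth === 0) break;
    }
    resources.push({ type: m[1], name: m[2], body: hcl.slice(open + 1, i) });
    header.lastIndex = i; // continue scanning after this block
  }
  return resources;
}

// Run every applicable check against every resource; returns the findings list.
function scanTerraform(hcl) {
  const resources = parseResources(hcl);
  const findings = [];
  for (const r of resources) {
    for (const check of TF_CHECKS) {
      if (check.applies(r.type) && check.test(r, resources)) {
        findings.push({ check: check.id, severity: check.severity, owasp: check.owasp,
                        resource: `${r.type}.${r.name}`, message: check.message });
      }
    }
  }
  return findings;
}

// Mirror the README's default gate: any CRITICAL finding blocks (exit 1).
function exitCodeFor(findings) {
  return findings.some((f) => f.severity === "CRITICAL") ? 1 : 0;
}

// Constructed sample: an insecure and a hardened version of each resource type.
const SAMPLE_TF = `
resource "aws_s3_bucket" "logs" {
  bucket = "example-logs"
  acl    = "public-read"
}

resource "aws_s3_bucket" "data" {
  bucket = "example-data"
  acl    = "private"
  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        sse_algorithm = "AES256"
      }
    }
  }
}

resource "aws_iam_policy" "admin_like" {
  name   = "admin-like"
  policy = jsonencode({
    Version   = "2012-10-17"
    Statement = [{ Effect = "Allow", Action = "*", Resource = "*" }]
  })
}

resource "aws_iam_policy" "scoped" {
  name   = "scoped"
  policy = jsonencode({
    Version   = "2012-10-17"
    Statement = [{ Effect = "Allow", Action = ["s3:GetObject"], Resource = "arn:aws:s3:::example-data/*" }]
  })
}
`;

for (const f of scanTerraform(SAMPLE_TF)) {
  console.log(`${f.severity}: ${f.resource}: ${f.message}`);
}
```

Running it reports two CRITICAL findings (the public ACL on aws_s3_bucket.logs and the wildcard Action in aws_iam_policy.admin_like) and two HIGH findings (missing encryption on the same bucket, wildcard Resource in the same policy), while the hardened data bucket and the scoped policy stay clean; the scoped policy's "arn:aws:s3:::example-data/*" is not a bare "*" and so is correctly not flagged. A regex checker like this is a pre-commit tripwire, not a substitute for a real HCL parser: it cannot follow variables or modules, which is exactly the kind of evasion a pre-commit scan should be paired with a CI policy check to cover.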

What's New in v1.3 ⭐

Pass/Fail Thresholds + Test Execution Integration (February 2026)

  • --verify Flag - Run security scan + tests in one command (both must pass)
  • Granular Thresholds - Configure exactly what blocks commits (CRITICAL only, HIGH+, max count, EPSS score)
  • Path Exemptions - Exclude test files, vendor code, docs from threshold enforcement
  • Auto-Detect Test Frameworks - Supports npm test, pytest, go test, maven, gradle
  • Combined Pass/Fail - Exit code 0 only if BOTH security AND tests pass
  • CLI Default: Enabled - Thresholds enforce by default (configurable in .codeslick.json)

Example:

cs scan --verify  # Run security scan + tests
# ✓ Analyzed 50 files (0 CRITICAL)
# ✓ Tests passed (127 tests, 0 failures)
# Exit code: 0 (commit allowed)

v1.2 Features

  • Go Language Support - Added comprehensive Go security analysis with 26 security checks
  • AI-Generated Code Detection - Detects AI hallucinations and code smells in Go code
  • 294 Total Security Checks - Now supporting 5 languages (JavaScript, TypeScript, Python, Java, Go)
  • Race Condition Detection - Go-specific concurrency vulnerability detection
  • TLS Security Checks - Detects InsecureSkipVerify and weak TLS configurations in Go

v1.1 Features

  • Update Notifications - CLI notifies you when a new version is available
  • Anonymous Telemetry - Usage stats for dashboard analytics (disable with cs config set telemetry false)
  • Improved SSRF Detection - Internal API routes (/api/...) no longer trigger false positives
  • Fixed Critical Sorting - CRITICAL issues now correctly appear first in reports
  • Markdown Reports - Auto-generates detailed reports for large scans (>20 files or >30 issues)

v1.0 Features

  • Staged Files by Default - Fast pre-commit scans (<1s for most commits)
  • Quick Mode - Skip TypeScript type checking with --quick for even faster scans
  • Smart Output - Only shows CRITICAL and HIGH issues by default (use --verbose for all)
  • 294 Security Checks - OWASP Top 10:2025 compliant

Roadmap

v1.5 (Coming Q2 2026)

  • More Terraform Providers - Azure (azurerm_), GCP (google_) resources
  • Expanded IaC Coverage - EC2, RDS, Lambda, VPC security checks (15+ new)
  • Custom Rule Configuration - Define your own security rules via YAML/JSON
  • IDE Integration - VS Code extension with inline security hints
  • Enhanced Auto-fix - More intelligent fix suggestions for complex issues
  • Smart Exemptions - ML-based false positive detection

Made with security in mind by CodeSlick https://codeslick.dev

About

CodeSlick CLI — pre-commit security scanning for JS, TS, Python, Java, and Go
