npm package discovery and stats viewer.

© 2025 – Pkg Stats / Ryan Hefner

pury

v0.2.0

🛡️ AI-powered security scanner with advanced threat detection, dual reporting system (detailed & summary), and comprehensive code analysis

Readme

PuryAI - AI-Powered Code Security Scanner 🛡️

npm version TypeScript License: MIT

PuryAI is a command-line tool and library that checks the "purity" and security of your codebase. It combines traditional static analysis with Google's Gemini models to detect malware, vulnerabilities, leaked secrets, and code quality issues.

🌟 Features

🔍 AI-Powered Analysis

  • Malware Detection: Advanced pattern recognition to identify malicious code, obfuscation, and suspicious behaviors
  • Secret Scanning: Detects API keys, passwords, tokens, and other sensitive information
  • Vulnerability Assessment: Identifies security weaknesses and dependency vulnerabilities
  • Code Quality: Analyzes code smells, performance issues, and maintainability problems

🤖 Gemini AI Integration

  • Powered by Google's Gemini models for code analysis
  • Context-aware scanning that reasons about what the code is meant to do
  • Streaming analysis for large codebases
  • Model reasoning used to reduce the false positives of pure pattern matching

🛠️ Practical Tools

  • Console Cleaner: Remove debug statements before production
  • Localization Helper: Convert non-English text to English for international collaboration
  • Environment Formatter: Organize and validate .env files
  • Multiple Output Formats: Console, JSON, HTML, and SARIF reports

🚀 Quick Start

Installation

# Install globally
npm install -g pury

# Or use with npx
npx pury --help

Setup

  1. Get your Gemini API key from Google AI Studio

  2. Set the environment variable (keep the key out of the repository; export it in your shell or inject it from your CI secret store):

    export GEMINI_API_KEY="your-api-key-here"

  3. Initialize configuration:

    pury init

Basic Usage

# Scan current directory
pury scan .

# Scan specific directory with JSON output
pury scan ./src --format json

# Clean console.log statements
pury clean-logs ./src --apply

# Convert non-English text to English
pury localize ./src --apply

# Format environment files
pury env-format .env --apply

📖 Detailed Usage

Scanning for Security Issues

# Basic security scan
pury scan ./project

# Scan with specific analyzers
pury scan ./src --analyzers malware secrets vulnerabilities

# High sensitivity scan
pury scan ./src --sensitivity high

# Output to file
pury scan ./src --format json --output security-report.json

Configuration

Create a puryai.config.yaml file:

scanner:
  exclude:
    - node_modules/**
    - dist/**
    - '*.min.js'
  maxFileSize: 1048576 # 1MB

analyzers:
  malware:
    enabled: true
    sensitivity: medium
  secrets:
    enabled: true
    sensitivity: high
  vulnerabilities:
    enabled: true
    sensitivity: medium

ai:
  provider: gemini
  gemini:
    model: gemini-2.5-flash
    temperature: 0.1
    maxTokens: 2048

Command Reference

pury scan [path]

Scan files for security threats and code quality issues.

Options:

  • --config <file>: Configuration file path
  • --exclude <patterns...>: Patterns to exclude
  • --include <patterns...>: Patterns to include
  • --format <type>: Output format (console, json, html, sarif)
  • --no-ai: Disable AI analysis
  • --analyzers <types...>: Specific analyzers to run
  • --sensitivity <level>: Analysis sensitivity (low, medium, high)

pury clean-logs [path]

Remove console.log and debug statements.

Options:

  • --apply: Actually apply changes (default is dry-run)
  • --backup: Create backup files
  • --exclude <patterns...>: Patterns to exclude

pury localize [path]

Convert non-English text to English.

Options:

  • --apply: Apply changes
  • --backup: Create backup files
  • --target-lang <lang>: Target language (default: en)

pury env-format [path]

Format and organize environment files.

Options:

  • --apply: Apply formatting
  • --backup: Create backup files
  • --sort: Sort variables alphabetically
  • --group: Group related variables

pury init

Initialize configuration file.

Options:

  • --force: Overwrite existing config
  • --global: Create global config
  • --template <type>: Config template (default, strict, minimal)

🔧 Library Usage

PuryAI can also be used as a library in your Node.js applications:

// Top-level await: run this as an ES module
import { PuryAI } from 'pury';

const pury = new PuryAI();
await pury.loadConfig(); // reads puryai.config.yaml (see Configuration)

const report = await pury.scan(
  {
    path: './src',
    recursive: true
  },
  {
    analyzers: ['malware', 'secrets'], // same names as --analyzers
    useAI: true,                        // false keeps the scan offline (compare --no-ai)
    sensitivity: 'medium'               // low, medium or high, as with --sensitivity
  }
);

// report.summary has the same shape as the JSON report shown below
console.log(`Found ${report.summary.threatsFound} issues`);

🎯 Detection Capabilities

Malware Patterns

  • Obfuscated JavaScript/TypeScript code
  • Base64 encoded payloads
  • Suspicious function calls (eval, exec, Function constructor)
  • Dynamic code generation
  • Command injection patterns
  • Network exfiltration attempts

Secret Detection

  • API keys (AWS, Google, GitHub, etc.)
  • Database credentials and connection strings
  • JWT tokens and OAuth secrets
  • Private keys and certificates
  • Hardcoded passwords
  • Webhook URLs

Vulnerability Types

  • SQL injection opportunities
  • Cross-site scripting (XSS) risks
  • Command injection vulnerabilities
  • Path traversal issues
  • Insecure cryptographic usage
  • Authentication bypasses

Code Quality Issues

  • Debug statements (console.log, debugger)
  • Dead code and unreachable blocks
  • Performance anti-patterns
  • Complexity violations
  • Non-English text in code
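The lists above describe signals, not how they are matched. The following is an added example, not PuryAI's own code: a minimal local pattern scanner that looks for a few of those signals (dynamic code execution, long base64 literals, well-known credential formats, debug statements) with plain regular expressions and emits findings in the same shape as the JSON report documented below. The rule names, severities, suggestions and sample files are this example's own choices; the credential values are constructed fakes.

```javascript
// Added example, not PuryAI's own code: a minimal local pattern scanner for the
// kinds of signals listed under "Detection Capabilities". Rule names, severities
// and the sample files are this example's own choices; the report shape follows
// the JSON format documented on this page.

const RULES = [
  // Malware-style signals
  {
    type: 'malware', severity: 'high', title: 'Dynamic code execution',
    // eval(), the Function constructor, or exec()/execSync() reached through a
    // child_process reference on the same line (so RegExp exec() is not flagged)
    re: /\beval\s*\(|\bnew\s+Function\s*\(|\bchild_process\b[^\n]*\bexec(?:Sync)?\s*\(/,
  },
  {
    type: 'malware', severity: 'medium', title: 'Long base64 literal',
    // a quoted run of 40+ base64 characters is a common way to hide a payload
    re: /['"`][A-Za-z0-9+/]{40,}={0,2}['"`]/,
  },
  // Secret signals: the token formats are public; the sample values below are fake
  { type: 'secret', severity: 'high', title: 'AWS access key ID', re: /\bAKIA[0-9A-Z]{16}\b/ },
  { type: 'secret', severity: 'high', title: 'GitHub personal access token', re: /\bghp_[A-Za-z0-9]{36}\b/ },
  { type: 'secret', severity: 'high', title: 'Private key material', re: /-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----/ },
  // Code quality signals
  { type: 'quality', severity: 'low', title: 'Debug statement', re: /\bconsole\.log\s*\(|\bdebugger\b/ },
];

// Scan one file's text: at most one finding per rule per line.
function scanSource(file, source) {
  const findings = [];
  source.split('\n').forEach((text, idx) => {
    for (const rule of RULES) {
      if (!rule.re.test(text)) continue;
      findings.push({
        type: rule.type,
        severity: rule.severity,
        title: rule.title,
        file,
        line: idx + 1,
        suggestion: rule.type === 'secret'
          ? 'Move to environment variables and rotate the exposed value'
          : 'Review this line manually',
      });
    }
  });
  return findings;
}

// Scan a map of { path: source } and build a report with the documented summary block.
function buildReport(files) {
  const findings = Object.entries(files).flatMap(([file, src]) => scanSource(file, src));
  const severityCount = { high: 0, medium: 0, low: 0 };
  for (const f of findings) severityCount[f.severity] += 1;
  return {
    summary: { filesScanned: Object.keys(files).length, threatsFound: findings.length, severityCount },
    findings,
  };
}

// Constructed sample input; the credentials are documentation-style fakes.
const SAMPLE_FILES = {
  'config.js': [
    "const awsKey = 'AKIAIOSFODNN7EXAMPLE';",
    "const ghToken = 'ghp_0123456789abcdefghijklmnopqrstuvwxyz';",
    'module.exports = { awsKey, ghToken };',
  ].join('\n'),
  'loader.js': [
    "const payload = 'QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVowMTIzNDU=';",
    "eval(Buffer.from(payload, 'base64').toString());",
    "require('child_process').exec('id');",
    "console.log('loaded');",
  ].join('\n'),
};

const report = buildReport(SAMPLE_FILES);
console.log(JSON.stringify(report.summary));
// Expected: 6 findings in 2 files (4 high, 1 medium, 1 low); a plain RegExp
// exec() call such as /a+/.exec(s) produces no finding.
```

Matching is line-based, so a destructured `exec` used on a later line is missed; that gap is exactly where the AI pass is meant to help, and why the `--no-ai` static mode should be read as a floor rather than a complete scan.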

🔒 Security & Privacy

  • Local analysis: the traditional static analyzers run entirely on your machine; nothing is uploaded for them.
  • AI analysis: when AI is enabled, extracted code patterns are sent to the Gemini API, not full source files. Treat that as a data flow to a third party and check it against your policy before scanning proprietary or regulated code.
  • Configurable: pass --no-ai to disable AI analysis entirely and keep the scan offline.
  • Open Source: the detection methods are in the repository for review.

📊 Output Formats

Console Output

Clean, color-coded terminal output with severity indicators and actionable suggestions.

JSON Report

{
  "summary": {
    "filesScanned": 42,
    "threatsFound": 3,
    "severityCount": { "high": 1, "medium": 2, "low": 0 }
  },
  "findings": [
    {
      "type": "secret",
      "severity": "high",
      "title": "API Key Detected",
      "file": "config.js",
      "line": 15,
      "suggestion": "Move to environment variables"
    }
  ]
}
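The JSON report above (and the `report` object returned by `pury.scan()` in the Library Usage section, which has the same shape) is what a pipeline gate consumes. The following is an added example, not PuryAI's own code: it reads such a report, drops findings listed in a reviewed baseline, refuses to baseline secrets, and decides whether the build fails. The baseline format, the `failOn`/`neverSuppress` policy options and the sample report are this example's own; only the `summary` and `findings` fields shown above are assumed to exist.

```javascript
// Added example, not PuryAI's own code: a CI gate over the JSON report written by
// `pury scan --format json --output security-report.json`. Assumes only the
// fields shown in the documented report (summary, findings[].type/severity/
// title/file/line); baseline format and policy options are this example's own.

const SEVERITY_RANK = { low: 1, medium: 2, high: 3 };

// A baseline entry suppresses one known, reviewed finding. The fingerprint
// ignores the line number so edits above the finding do not resurrect it.
function fingerprint(f) {
  return `${f.type}|${f.title}|${f.file}`;
}

// policy.failOn: lowest severity that fails the build (default 'high')
// policy.neverSuppress: finding types the baseline may not silence (default ['secret'])
function evaluateReport(reportInput, baseline = [], policy = {}) {
  const report = typeof reportInput === 'string' ? JSON.parse(reportInput) : reportInput;
  const failOn = SEVERITY_RANK[policy.failOn ?? 'high'];
  const neverSuppress = new Set(policy.neverSuppress ?? ['secret']);
  const suppressed = new Set(baseline.map(fingerprint));
  const findings = report.findings ?? [];

  const active = [];
  const ignored = [];
  for (const f of findings) {
    if (suppressed.has(fingerprint(f)) && !neverSuppress.has(f.type)) ignored.push(f);
    else active.push(f);
  }
  const blocking = active.filter((f) => (SEVERITY_RANK[f.severity] ?? 0) >= failOn);
  return {
    fail: blocking.length > 0,
    blocking,
    ignored,
    // Count the findings list itself rather than trusting summary.threatsFound.
    threatsFound: findings.length,
  };
}

// Constructed sample report in the documented shape (not real scan output).
const SAMPLE_REPORT = JSON.stringify({
  summary: { filesScanned: 42, threatsFound: 3, severityCount: { high: 1, medium: 2, low: 0 } },
  findings: [
    { type: 'secret', severity: 'high', title: 'API Key Detected', file: 'config.js', line: 15,
      suggestion: 'Move to environment variables' },
    { type: 'vulnerability', severity: 'medium', title: 'Path traversal', file: 'routes/files.js', line: 40,
      suggestion: 'Normalize and validate the path' },
    { type: 'malware', severity: 'medium', title: 'Dynamic code generation', file: 'legacy/plugin.js', line: 8,
      suggestion: 'Review this line manually' },
  ],
});

// A reviewed baseline: the legacy plugin's dynamic code is known and accepted for now.
const SAMPLE_BASELINE = [
  { type: 'malware', title: 'Dynamic code generation', file: 'legacy/plugin.js' },
  // Listing a secret here has no effect: secrets are never suppressed by default.
  { type: 'secret', title: 'API Key Detected', file: 'config.js' },
];

const verdict = evaluateReport(SAMPLE_REPORT, SAMPLE_BASELINE, { failOn: 'medium' });
console.log(verdict.fail ? 'FAIL' : 'PASS',
  `${verdict.blocking.length} blocking, ${verdict.ignored.length} baselined`);
// As a CI step: process.exitCode = verdict.fail ? 1 : 0;
```

With `failOn: 'medium'` the sample fails on two findings (the secret and the path traversal) and baselines one; with the default policy only the high-severity secret blocks. Keep the baseline file under code review so that suppressing a finding is itself a visible change.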

HTML Report

Interactive HTML report with filtering and detailed findings.

SARIF

Static Analysis Results Interchange Format, the industry-standard output consumed by GitHub code scanning, the VS Code SARIF viewer, and other tools.

🛣️ Roadmap

  • VS Code Extension: Real-time scanning in your editor
  • CI/CD Integration: GitHub Actions, Jenkins, GitLab pipelines
  • Custom Rules: Define your own detection patterns
  • Team Collaboration: Shared configurations and reporting
  • More AI Providers: OpenAI, Claude, and local models
  • Additional Languages: Python, Java, Go, Rust support

🤝 Contributing

We welcome contributions! Please see our Contributing Guide for details.

  1. Fork the repository
  2. Create a feature branch
  3. Make your changes
  4. Add tests
  5. Submit a pull request

📄 License

MIT License - see LICENSE file for details.

🙏 Acknowledgments

  • Google Gemini AI: For powering our intelligent analysis
  • Open Source Community: For security patterns and vulnerability data
  • Security Researchers: For continuous improvement of detection methods

📞 Support


Made with ❤️ by the PuryAI Team

Keep your code pure, secure, and ready for production!