yuricommits/hwa

hwa

AI code vulnerability tracker. Detects CVEs, staleness, and hardcoded secrets in AI-generated code.

hwa-kappa.vercel.app


What it does

AI-generated code ships fast but often contains security issues — hardcoded secrets, deprecated cryptography, SQL injection, and packages with known CVEs. hwa catches these before they reach production.

Features

  • CVE detection — cross-references imported packages against OSV, GitHub Advisory DB, and NVD
  • Pattern matching — detects hardcoded secrets, MD5/SHA1, SQL injection, command injection, unsafe deserialization, and more
  • Language-aware — TypeScript, JavaScript, Python, Go, Rust
  • Shareable reports — public report links for sharing scan results
  • Daily CVE sync — automated pipeline keeps vulnerability data fresh

Stack

apps/
  web/                    → Next.js 16 (TypeScript) — Vercel
  analysis-engine/        → Go HTTP service — V2
  cli/                    → Go CLI binary
  zed-extension/          → Zed IDE extension + LSP server
packages/
  database/               → Drizzle ORM + Supabase
  types/                  → Shared TypeScript types
  ui/                     → Shared UI components

CLI

Standalone binary — no server, no API key, no internet required.

Install

Linux:

curl -L https://github.com/yuricommits/hwa/releases/download/v0.1.1/hwa-linux-amd64 -o hwa
chmod +x hwa
sudo mv hwa /usr/local/bin/

macOS (Apple Silicon):

curl -L https://github.com/yuricommits/hwa/releases/download/v0.1.1/hwa-darwin-arm64 -o hwa
chmod +x hwa
sudo mv hwa /usr/local/bin/

macOS (Intel):

curl -L https://github.com/yuricommits/hwa/releases/download/v0.1.1/hwa-darwin-amd64 -o hwa
chmod +x hwa
sudo mv hwa /usr/local/bin/

Usage

# Scan a single file
hwa scan auth.ts

# Scan a directory
hwa scan src/

# JSON output
hwa scan . --json

# Version
hwa version

Exit codes

| Code | Meaning |
| --- | --- |
| 0 | No critical findings |
| 1 | Critical findings found |

CI/CD — GitHub Actions

Add to your repo to block PRs with critical vulnerabilities.

Create .github/workflows/security.yml:

name: Security Scan

on:
  pull_request:
    branches: [main, master]

jobs:
  hwa:
    uses: yuricommits/hwa/.github/workflows/reusable-scan.yml@main
    with:
      fail_on_critical: true

What it does

  • Detects changed .ts, .js, .py, .go and .rs files in the PR
  • Downloads the hwa binary
  • Scans for vulnerabilities
  • Comments findings on the PR with file + line numbers
  • Uploads JSON results as artifact
  • Blocks merge if critical findings found

Options

| Input | Default | Description |
| --- | --- | --- |
| fail_on_critical | true | Block PR if critical findings exist |
| scan_path | changed files | Path to scan — leave empty for changed files only |

Zed IDE Extension

Scans code as you type and shows inline diagnostics.

Install

Search for HWA in Zed's extension marketplace, or: Ctrl+Shift+P → "zed: extensions" → search "hwa" → Install

The LSP server downloads automatically — no manual setup required.

Configure

Add to your global Zed settings (~/.config/zed/settings.json):

{
  "lsp": {
    "hwa-lsp": {
      "initialization_options": {
        "apiUrl": "https://hwa-kappa.vercel.app",
        "apiKey": "your-lsp-api-key"
      }
    }
  }
}

Get your apiKey from your hwa dashboard settings.

The project .zed/settings.json configures language server order — no credentials needed there.


CVE Sources

| Source | Coverage | Schedule |
| --- | --- | --- |
| OSV | Cross-ecosystem | Daily 2AM UTC |
| GitHub Advisory DB | npm-heavy, high quality | Daily 3AM UTC |
| NVD | Authoritative CVSS scores | Daily 4AM UTC |

What it detects

| Category | Patterns |
| --- | --- |
| Secrets | Passwords, API keys, AWS keys, GitHub tokens, JWTs, OpenAI/Stripe keys |
| Cryptography | MD5, SHA1 |
| Injection | SQL injection, command injection (shell=True, os.system) |
| Deserialization | pickle.load, yaml.load without Loader |
| SSL/TLS | verify=False, rejectUnauthorized: false |
| Randomness | Math.random(), random.random() |
| Code execution | eval(), exec() |
| Misc | Flask debug mode |
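To show what a line-based detector of this kind looks like, here is a small Go scanner written for this README as an illustration; it is not hwa's own code. The regexes, the "safe yaml.load has a Loader=" rule and the choice of which categories count as critical for the exit code are assumptions for the example.

```go
package main

import (
	"regexp"
	"strings"
)
// Finding is one pattern hit, reported with its 1-based line number.
type Finding struct{ Line int; Category, Match string }
// Heuristic rules approximating the "What it detects" table (assumptions for this example, not hwa's real patterns).
var rules = []struct {
	cat string
	re  *regexp.Regexp
}{
	{"Secrets", regexp.MustCompile(`(?i)(api[_-]?key|password|secret)\s*[:=]\s*["'][^"']{8,}["']`)},
	{"Cryptography", regexp.MustCompile(`(?i)\b(md5|sha1)\b`)},
	{"Injection", regexp.MustCompile(`shell=True|os\.system\(`)},
	{"Deserialization", regexp.MustCompile(`pickle\.load\(|yaml\.load\([^)]*\)`)},
	{"SSL/TLS", regexp.MustCompile(`verify=False|rejectUnauthorized:\s*false`)},
	{"Randomness", regexp.MustCompile(`Math\.random\(\)|random\.random\(\)`)},
	{"Code execution", regexp.MustCompile(`\beval\(|\bexec\(`)},
	{"Misc", regexp.MustCompile(`debug=True`)}, // Flask debug mode
}

// Categories assumed to count as "critical" for the exit-code contract; hwa's own split may differ.
var critical = map[string]bool{"Secrets": true, "Injection": true, "Deserialization": true, "Code execution": true}
// Scan runs every rule over every line; yaml.load(..., Loader=...) is the safe form and is skipped.
func Scan(src string) []Finding {
	var out []Finding
	for i, line := range strings.Split(src, "\n") {
		for _, r := range rules {
			m := r.re.FindString(line)
			if m == "" || (r.cat == "Deserialization" && strings.Contains(m, "Loader")) {
				continue
			}
			out = append(out, Finding{i + 1, r.cat, m})
		}
	}
	return out
}

// ExitCode mirrors the CLI table: 1 when any critical finding exists, else 0.
func ExitCode(fs []Finding) int {
	for _, f := range fs {
		if critical[f.Category] {
			return 1
		}
	}
	return 0
}
```

Feeding a constructed file through Scan yields one Finding per matched line, which is the shape a CI step would render as "file + line numbers" comments before mapping the result to exit code 0 or 1.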

Development

Prerequisites

  • Node.js 20+
  • pnpm 10+
  • Go 1.21+

Setup

git clone https://github.com/yuricommits/hwa
cd hwa
pnpm install
cp .env.example .env
# Fill in Supabase credentials
pnpm dev

Environment variables

DATABASE_URL=
SUPABASE_URL=
SUPABASE_ANON_KEY=
SUPABASE_SERVICE_ROLE_KEY=
NEXT_PUBLIC_SUPABASE_URL=
NEXT_PUBLIC_SUPABASE_ANON_KEY=
CRON_SECRET=
GITHUB_TOKEN=
NVD_API_KEY=
LSP_API_KEY=

Commands

pnpm dev          # Start Next.js dev server
pnpm build        # Build all packages
pnpm check-types  # TypeScript type check

Roadmap

V1 (current)
✅ Web dashboard
✅ CVE pipeline (OSV + GitHub + NVD)
✅ CLI tool
✅ Zed IDE extension
✅ GitHub Actions CI/CD
✅ Rust language support
✅ Zed IDE extension (registry submission pending)
✅ Automated LSP binary builds

V2
⬜ Go analysis engine deployment
⬜ CI/CD integration (GitLab, Bitbucket)
⬜ More language support (Ruby, Shell, Java)

License

MIT
