Testing GeminiCLI Security Extensions on CodeX
I tested two new Gemini CLI extensions on the CodeX source code. These tools help with code reviews and security scans.
The Extensions
• Code Review Extension: reviews code changes for quality. Use the /code-review command to start.
• Security Extension: performs SAST scans, reports vulnerabilities and suggests fixes. Use /security:analyze to start.
How to Install
You can install them with these commands:
❯ gemini extensions install https://github.com/gemini-cli-extensions/security
❯ gemini extensions install https://github.com/gemini-cli-extensions/code-review
Test Results
I ran the security scan on 65 files from the CodeX repository. The tool found several issues:
• High Severity: Path Traversal in read_file.rs. The code does not confine file access to a specific directory.
• Medium Severity: Potential Prompt Injection in codex.rs. User input reaches the model without sanitization.
• Medium Severity: Information Disclosure in otel_event_manager.rs. Sensitive prompts might get logged.
• Low Severity: Hardcoded password in the GitHub release workflow.
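As an added illustration of what the high-severity finding class above means in practice (my own example code, not the Codex read_file.rs source, which this post does not quote): the unconfined version joins the caller's path onto a root and reads it, so "../" sequences or an absolute path escape the root; the hardened version rejects escapes lexically and then re-checks after symlink resolution. The root directory and file names are hypothetical.

```rust
// Added example: confining a file read to a root directory.
// Not Codex's code; the root path and file names are made up for illustration.
use std::ffi::OsString;
use std::fs;
use std::io;
use std::path::{Component, Path, PathBuf};

/// The vulnerable pattern: `Path::join` with an absolute `requested` path
/// discards `root` entirely, and "../" components are passed straight to the OS.
pub fn read_file_unconfined(root: &Path, requested: &str) -> io::Result<String> {
    fs::read_to_string(root.join(requested))
}

/// Lexically resolve `requested` beneath `root`, rejecting absolute paths and any
/// `..` that would climb above `root`. Pure function: it touches no filesystem.
pub fn resolve_under_root(root: &Path, requested: &str) -> Result<PathBuf, String> {
    let mut parts: Vec<OsString> = Vec::new();
    for comp in Path::new(requested).components() {
        match comp {
            Component::Normal(p) => parts.push(p.to_os_string()),
            Component::CurDir => {}
            Component::ParentDir => {
                // Popping an empty stack means the path tried to leave `root`.
                if parts.pop().is_none() {
                    return Err(format!("path escapes root: {}", requested));
                }
            }
            Component::RootDir | Component::Prefix(_) => {
                return Err(format!("absolute path not allowed: {}", requested));
            }
        }
    }
    let mut out = root.to_path_buf();
    for p in parts {
        out.push(p);
    }
    Ok(out)
}

/// Hardened read: lexical check first, then canonicalize both sides so a symlink
/// inside `root` pointing outside it is also refused.
pub fn read_file_confined(root: &Path, requested: &str) -> io::Result<String> {
    let candidate = resolve_under_root(root, requested)
        .map_err(|e| io::Error::new(io::ErrorKind::PermissionDenied, e))?;
    let canon_root = fs::canonicalize(root)?;
    let canon = fs::canonicalize(&candidate)?; // errors if the file does not exist
    if !canon.starts_with(&canon_root) {
        return Err(io::Error::new(
            io::ErrorKind::PermissionDenied,
            "resolved path escapes root via symlink",
        ));
    }
    fs::read_to_string(canon)
}

fn main() {
    let root = Path::new("/srv/workspace"); // hypothetical root
    println!("{:?}", resolve_under_root(root, "src/../Cargo.toml")); // Ok(".../Cargo.toml")
    println!("{:?}", resolve_under_root(root, "../../etc/passwd")); // Err(escapes root)
    println!("{:?}", resolve_under_root(root, "/etc/passwd")); // Err(absolute)
}
```

The lexical pass alone is not enough: a symlink such as root/link -> /etc passes every component check, which is why the canonicalized prefix test is the one that actually enforces the boundary.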
The Cost of Security
Running these scans has a price in both time and money. For 65 files, the results were:
• Time: 36 minutes.
• Cost: 23.88 USD.
The speed is comparable to traditional SAST tools, but at roughly 0.37 USD per file the cost is currently too high for daily use. You may want to wait for more optimized tools before running this on every scan.
Tip for Users
Do not use the standard Google account login for large scans; it often fails with error messages. Use a Gemini API key or Vertex AI instead for better stability.
Source: https://dev.to/jh5_pulse/shi-ce-geminicli-security-extensions-lai-review-codex-yuan-shi-ma-4h40
Optional learning community: https://t.me/GyaanSetuAi