Skip to content

rohansx/vgx

BranchesTags

Repository files navigation

VGX

Open-source security scanner for AI-assisted development.

Version License Stars

InstallationCLI ReferenceAPIVS CodeHow It Works

The Problem

With AI coding assistants (Copilot, Cursor, Claude), developers ship code they didn't write and often don't fully understand. Studies show:

  • 42% of code now has AI assistance (Sonar 2026)
  • 96% of developers don't fully trust AI-generated code
  • 45% of AI-generated code contains security vulnerabilities

VGX helps you know what's AI-generated and catch vulnerabilities before they hit production.

Features

Feature Description
AI Code Detection Identify AI-generated code using stylometry + pattern analysis
Security Scanning Vulnerability detection via Semgrep (+ optional OpenAI)
Pre-commit Hooks Block insecure code before it's committed
VS Code Extension Real-time AI detection in your editor
Offline-First No API keys required. Your code never leaves your machine.
CI/CD Ready JSON output for pipeline integration

Installation

Quick Install (Linux/macOS)

curl -sSL https://vgx.sh/install | bash

Go Install

go install github.com/rohansx/vgx@latest

Docker

docker pull ghcr.io/rohansx/vgx:latest
docker run -v $(pwd):/code ghcr.io/rohansx/vgx detect --path /code

Build from Source

git clone https://github.com/rohansx/vgx.git
cd vgx
go build -o vgx ./cmd/vgx

CLI Reference

Commands

vgx <command> [options]

Commands:
  detect    Detect AI-generated code
  scan      Security vulnerability scan
  version   Print version
  help      Show help

vgx detect — AI Code Detection

Analyze files for AI-generated code patterns.

# Scan a directory
vgx detect --path ./src

# Scan a single file
vgx detect src/api/handler.ts

# JSON output (for CI/CD)
vgx detect --path ./src --format json

# Custom threshold (default: 70)
vgx detect --path ./src --threshold 80

Options:

Flag Short Default Description
--path -p . Path to scan
--format -f text Output format: text, json
--threshold 70 AI confidence threshold (0-100)

Example Output:

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
  VGX AI Code Detection
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

  Files scanned:     12
  AI-generated:      4
  Human-written:     8
  AI percentage:     33.2%
  Max AI confidence: 89%

  FILES
     🤖 src/api/handlers.ts                         89%
     🤖 src/utils/fetch.ts                          82%
     ✓  src/config.ts                               28%

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
  🤖 4 file(s) detected as AI-generated
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

vgx scan — Security Scanning

Scan for vulnerabilities using Semgrep rules.

# Scan changed files (default)
vgx scan

# Scan all files
vgx scan --changes=false

# Scan specific files
vgx scan src/auth.ts src/api/users.ts

Options:

Flag Default Description
--changes true Scan only git-changed files
--report true Generate markdown report
--update-context true Update file context cache

Detects:

  • Hardcoded secrets & API keys
  • SQL injection vulnerabilities
  • XSS (Cross-Site Scripting)
  • Insecure cryptography
  • Path traversal
  • Command injection
  • And more via Semgrep rules

API

JSON Output Schema

Detection Result

{
  "files_scanned": 12,
  "ai_detected": 4,
  "human_written": 8,
  "max_ai_confidence": 0.89,
  "ai_percentage": 33.2,
  "results": [
    {
      "file_path": "src/api/handler.ts",
      "ai_confidence": 0.89,
      "confidence_level": "very_high",
      "style_score": 0.82,
      "pattern_score": 0.94,
      "is_ai_generated": true,
      "lines_of_code": 145,
      "patterns": [
        {
          "name": "async_await_fetch",
          "confidence": 0.10,
          "line_start": 23,
          "line_end": 35
        }
      ]
    }
  ]
}

Vulnerability Result

{
  "file": "src/auth.ts",
  "description": "Hardcoded API key detected",
  "rule": "generic.secrets.security.detected-api-key",
  "severity": "high",
  "line": 15,
  "source": "semgrep",
  "recommendation": "Use environment variables for secrets"
}

Exit Codes

Code Meaning
0 Success, no issues found
1 Issues found (AI code or vulnerabilities)
2 Error (invalid path, etc.)

VS Code Extension

Real-time AI code detection in your editor.

Features

  • Status Bar Indicator — Shows AI confidence for current file
  • Inline Highlighting — Highlights AI-generated code patterns
  • Workspace Scanning — Scan entire workspace for AI code

Commands

Command Description
VGX: Detect AI Code in File Analyze current file
VGX: Detect AI Code in Workspace Scan all files
VGX: Security Scan File Run security scan

Settings

{
  "vgx.aiThreshold": 70,
  "vgx.highlightAICode": true,
  "vgx.showInlineConfidence": true
}

Installation

cd vscode-extension
npm install
npm run compile
# Then install via "Install from VSIX" in VS Code

How It Works

AI Detection Algorithm

VGX uses a combination of stylometry (code style analysis) and pattern matching to detect AI-generated code.

┌─────────────────────────────────────────────────────────────┐
│                    VGX DETECTION ENGINE                      │
├─────────────────────────────────────────────────────────────┤
│                                                              │
│  INPUT: Source code file                                     │
│                                                              │
│  ┌─────────────────────┐    ┌─────────────────────┐         │
│  │   STYLOMETRY (45%)  │    │  PATTERNS (55%)     │         │
│  ├─────────────────────┤    ├─────────────────────┤         │
│  │ • Naming consistency│    │ • try/catch style   │         │
│  │ • Indentation       │    │ • async/await fetch │         │
│  │ • Comment density   │    │ • React hooks       │         │
│  │ • Line length var.  │    │ • Go error handling │         │
│  │ • Boilerplate ratio │    │ • Python docstrings │         │
│  │ • Empty line ratio  │    │ • JSDoc comments    │         │
│  └─────────────────────┘    └─────────────────────┘         │
│            │                          │                      │
│            └──────────┬───────────────┘                      │
│                       ▼                                      │
│              Combined Score (0-100%)                         │
│                       │                                      │
│                       ▼                                      │
│         ┌─────────────────────────┐                         │
│         │  Threshold Check (70%)  │                         │
│         └─────────────────────────┘                         │
│                       │                                      │
│            ┌──────────┴──────────┐                          │
│            ▼                     ▼                          │
│     🤖 AI-Generated        ✓ Human-Written                  │
│                                                              │
└─────────────────────────────────────────────────────────────┘

Stylometry Features

Feature AI Signal Weight
Naming Consistency High consistency = AI 20%
Indentation Perfect consistency = AI 20%
Boilerplate Ratio High boilerplate = AI 20%
Line Length Variance Low variance = AI 15%
Comment Density ~15% density = AI 10%
Empty Line Ratio Consistent spacing = AI 10%
Average Line Length ~45 chars = AI 5%

Pattern Detection

VGX recognizes 16+ language-specific patterns commonly generated by AI:

JavaScript/TypeScript:

  • copilot_try_catch — Standard try/catch with console.error
  • async_await_fetch — Async function with await fetch
  • arrow_with_types — Typed arrow functions
  • use_effect_deps — React useEffect with dependency array
  • use_state_destructure — React useState destructuring

Go:

  • go_error_checkif err != nil { return } pattern
  • go_deferdefer file.Close() pattern
  • go_struct_init — Multi-line struct initialization

Python:

  • python_docstring — Docstrings with Args/Returns/Raises
  • python_type_hints — Function type annotations

Pre-commit Hook

Block AI code or vulnerabilities before commit.

Setup

# Create hook
cat > .git/hooks/pre-commit << 'EOF'
#!/bin/bash
vgx scan --changes=true
if [ $? -ne 0 ]; then
  echo "VGX: Commit blocked due to security issues"
  exit 1
fi
EOF

chmod +x .git/hooks/pre-commit

With pre-commit framework

# .pre-commit-config.yaml
repos:
  - repo: local
    hooks:
      - id: vgx-scan
        name: VGX Security Scan
        entry: vgx scan --changes=true
        language: system
        pass_filenames: false

Configuration

VGX works out of the box with zero configuration.

Environment Variables

Variable Description
OPENAI_API_KEY Enable AI-enhanced scanning (optional)
SEMGREP_RULES Custom Semgrep rules (default: p/security-audit)

Example .env

# Optional: Enhanced scanning with OpenAI
OPENAI_API_KEY=sk-...

# Optional: Custom Semgrep rules
SEMGREP_RULES=p/security-audit,p/secrets

Project Structure

vgx/
├── cmd/
│   └── vgx/
│       └── main.go           # CLI entrypoint
├── pkg/
│   ├── detection/
│   │   ├── detector.go       # Main detector
│   │   ├── stylometry.go     # Style analysis
│   │   └── patterns.go       # Pattern matching
│   ├── scanner/
│   │   ├── scanner.go        # Vulnerability scanner
│   │   ├── semgrep.go        # Semgrep integration
│   │   └── openai.go         # OpenAI integration
│   ├── context/
│   │   └── manager.go        # File context & caching
│   ├── cache/
│   │   └── cache.go          # Scan result cache
│   └── types/
│       └── types.go          # Shared types
├── vscode-extension/
│   └── src/
│       └── extension.ts      # VS Code extension
├── website/
│   └── index.html            # Landing page
├── scripts/
│   └── install.sh            # Installer script
└── .github/
    └── workflows/
        └── release.yml       # CI/CD

Requirements

  • Go 1.22+ (for building)
  • Semgrep (optional, for security scanning)
# Install Semgrep (optional)
pip install semgrep
# or
brew install semgrep

Contributing

Contributions welcome! Please read our contributing guidelines.

# Clone
git clone https://github.com/rohansx/vgx.git
cd vgx

# Build
go build -o vgx ./cmd/vgx

# Test
go test ./...

# Run
./vgx detect --path ./pkg

License

MIT License — see LICENSE

Links

Built for developers who ship AI-assisted code responsibly.

About

A Git pre-commit security scanner with LLM integration to detect vulnerabilities before they enter your codebase.

vibeguard.io

Resources

Readme

License

MIT license
Activity

Stars

11 stars

Watchers

2 watching

Forks

1 fork
Report repository

Releases 1

v2.0.0 Latest
Feb 2, 2026

Packages

 
 
 

Contributors

Languages