Inspiration

While working on different projects, we often ran into the same frustrating issue — dependency vulnerabilities. Sometimes we’d spend hours figuring out which package version was the culprit or where it was being used in the repo. We also noticed our friends facing the same problems, often complaining about security alerts that lacked context or clear fixes. That pain point inspired us to build Astra, a tool to simplify this whole process.

What it does

Astra scans all your repositories at once, finds their dependencies, and checks for:

  • Vulnerabilities using the OSV.dev database
  • Outdated packages and unused dependencies
  • Where exactly those dependencies are used in the codebase

It then visualizes the results in an interactive dashboard, and if a fix is possible, Astra can create a new branch with AI-suggested patches so the developer stays in control.

How we built it

  • Frontend: React + Vite + Recharts for fast, interactive visuals
  • Desktop: Electron wrapper for cross-platform support
  • Backend: Node.js + Express + MongoDB for scanning pipeline and storage
  • Vulnerability Data: OSV.dev API with batch queries for speed
  • Code Usage Detection: Tree-sitter for finding where packages are used in source code
  • AI Fixes: Gemini CLI integrated to simulate safe code changes in a separate branch

Challenges we ran into

  • Keeping scans fast for large repos, solved by skipping paths matched by .gitignore plus known junk folders (cut ~80% of unnecessary files).
  • Making OSV API batch queries reliable under large dependency sets.
  • Handling different ecosystems like npm and pip with one unified interface.
  • Getting AI to provide useful fixes without overwriting developer intent — solved by introducing a patch-branch workflow.
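The OSV.dev batch lookup described under "What it does" and in the build and challenge notes above works by sending pinned package versions to OSV's querybatch endpoint and lining the returned result array up with the queries sent. The following is an added example in Node.js, not Astra's own code: it builds the batch request bodies from a package.json and a requirements.txt, chunks them to a per-request cap, and maps a response back to each dependency. The endpoint URL and request/response shape follow the public OSV API; the cap of 1000 queries per request is an assumption to re-check against the OSV docs, and all sample input and the sample response are constructed (the vulnerability ID is a placeholder), so nothing here touches the network.

```javascript
// Added example (not Astra's own code): OSV.dev batch query construction and
// result mapping for npm and PyPI dependencies. Runs fully offline.
//
// Public API shape (OSV docs):
//   POST https://api.osv.dev/v1/querybatch
//   body: { "queries": [ { "package": { "name", "ecosystem" }, "version" } ] }
//   reply: { "results": [ { "vulns": [ { "id", "modified" } ] }, ... ] }
const OSV_BATCH_URL = "https://api.osv.dev/v1/querybatch";
// Assumption: OSV caps each batch request at 1000 queries. Verify before relying on it.
const BATCH_LIMIT = 1000;

// Only an exact version can be queried; a range such as "^2.0.0" needs a
// lockfile to resolve to the version actually installed.
function exactVersion(spec) {
  return /^\d+(\.\d+)*([-+][0-9A-Za-z.-]+)?$/.test(spec) ? spec : null;
}

// package.json -> OSV queries for the npm ecosystem (prod + dev deps).
function queriesFromPackageJson(pkg) {
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const out = [];
  for (const [name, spec] of Object.entries(deps)) {
    const version = exactVersion(spec);
    if (!version) continue; // unpinned range: skipped, resolve via lockfile
    out.push({ package: { name, ecosystem: "npm" }, version });
  }
  return out;
}

// requirements.txt -> OSV queries for the PyPI ecosystem ("==" pins only).
function queriesFromRequirements(text) {
  const out = [];
  for (const raw of text.split("\n")) {
    const line = raw.replace(/#.*$/, "").trim(); // drop comments and blanks
    if (!line) continue;
    const m = line.match(/^([A-Za-z0-9_.-]+)\s*==\s*([0-9A-Za-z.+-]+)$/);
    if (!m) continue; // ">=", "~=" etc. are not a single queryable version
    out.push({ package: { name: m[1], ecosystem: "PyPI" }, version: m[2] });
  }
  return out;
}

// Split the query list into request bodies no larger than the cap.
function buildBatchBodies(queries, limit = BATCH_LIMIT) {
  const bodies = [];
  for (let i = 0; i < queries.length; i += limit) {
    bodies.push({ queries: queries.slice(i, i + limit) });
  }
  return bodies;
}

// OSV returns results in query order; an entry with no "vulns" key or an
// empty list means nothing known for that version. Refuse to guess if the
// counts disagree, since a silent misalignment would attach the wrong
// vulnerabilities to the wrong package.
function mapResults(queries, response) {
  if (!response || !Array.isArray(response.results) ||
      response.results.length !== queries.length) {
    throw new Error("OSV response does not line up with the queries sent");
  }
  return queries.map((q, i) => ({
    name: q.package.name,
    ecosystem: q.package.ecosystem,
    version: q.version,
    vulnIds: (response.results[i].vulns || []).map((v) => v.id),
  }));
}

// ---- Constructed sample input (not a real project) ----
const SAMPLE_PACKAGE_JSON = {
  dependencies: { "example-lib": "1.2.3", "other-lib": "^2.0.0" },
  devDependencies: { "test-tool": "0.9.1" },
};
const SAMPLE_REQUIREMENTS = `
# constructed requirements.txt
examplepkg==3.1.4
unpinned-pkg>=1.0
`;
const SAMPLE_QUERIES = [
  ...queriesFromPackageJson(SAMPLE_PACKAGE_JSON),
  ...queriesFromRequirements(SAMPLE_REQUIREMENTS),
];

// Constructed response in OSV's shape; the ID is a placeholder, not a real advisory.
const SAMPLE_RESPONSE = {
  results: [
    { vulns: [{ id: "PLACEHOLDER-VULN-0001", modified: "2024-01-01T00:00:00Z" }] },
    {},
    { vulns: [] },
  ],
};

function runSample() {
  return mapResults(SAMPLE_QUERIES, SAMPLE_RESPONSE);
}

console.log(OSV_BATCH_URL, buildBatchBodies(SAMPLE_QUERIES).length, "request(s)");
console.log(JSON.stringify(runSample(), null, 2));
```

The two ranges that get skipped ("^2.0.0" and ">=1.0") are the practical reason a scanner should read the lockfile rather than the manifest: OSV answers for one concrete version, and the manifest alone does not say which one is installed.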

Accomplishments that we're proud of

  • Built a working prototype.
  • Successfully integrated AI code suggestions while keeping the developer in full control.
  • Designed a clean and intuitive dashboard UI that makes security data easy to understand.
  • Enabled multi-ecosystem support in the very first MVP (JavaScript + Python).

What we learned

  • The complexity of software supply chain security.
  • What Tree-sitter is.
  • How to combine static analysis (Tree-sitter) with dynamic vulnerability data (OSV) for meaningful results.
  • How to design AI-assisted tools.

What's next for Astra

  • Add support for more ecosystems (Go, Java).
  • Improve AI suggestions by ranking fixes based on real-world exploitability.
  • Deeper integration with DevOps pipelines so fixes can be tested in staging automatically.
  • Add team dashboards where organizations can monitor dependency health across all projects in real time.
  • Optimize Tree-sitter further to make code usage detection near-instant for very large codebases.
