Inspiration

As a security champion lead, I have used tools like Checkmarx and Semgrep. They are phenomenal tools, but a common challenge is security awareness and ensuring that developers don't treat SAST reports like checkboxes. I wanted to try to build a tool over the weekend with Bolt that would replace checkboxes with educational opportunities, while offering basic secure coding guidance.

What it does

Bring your own AI API key and run a secure code analysis on a code snippet or on multiple files. The analysis produces an educational presentation of potential vulnerabilities that discusses business impact, threat scenarios, and example payloads, gets to the bottom of "WHY" something is a vulnerability and how easy it is to exploit, and provides concrete security controls and example code to remediate issues. Quickly export the analysis as PDF, MD, or JSON. No registration or account is needed: application state is stored locally, with the option to encrypt your API keys at rest. Bring a key, bring some code, and get a report in under 60 seconds.

How we built it

I identified common pain points as a security champion lead. I used them to brainstorm a PRD with Claude and then created a master prompt that I fed to Bolt. From there, I iterated with Bolt, speaking to it like an architect. After about 8 hours with Bolt, I was able to complete an MVP for Schermerhorn.

Challenges we ran into

Figuring out the data model of the report posed some interesting challenges, because we don't want to create the illusion that the generated analysis is definitive. It is recommendations/guidance only. So I removed things like letter grades and moved toward risk-based categorization, with the AI generating a confidence level. I also wanted to handle edge cases (like invalid API keys or network errors) gracefully, and surface useful error/warn/info modals to the user to improve the UX. Along the way, I noticed that some AI providers don't always return accurate status codes, which threw me off. For example, I was expecting a 401 from Google when an invalid API key was specified, but they sent a different status code that I did not expect.

Accomplishments that we're proud of

I am proud to offer a free application that anybody can use with no account needed. They can bring their own API key and it will be stored in localStorage encrypted (the user can specify a key). I enjoy bringing education to security and engineering challenges; I am therefore proud of creating a product that can translate checkbox fatigue into fun, fast educational opportunities.

What we learned

This was an opportunity for me to learn about Bolt, Netlify, and related tools/services for building and shipping fully functional MVPs. I accomplished this in 8 hours and had a lot of fun.

What's next for Schermerhorn Secure Code Analyzer

AI-powered software composition analysis, and then perhaps some integrations for code import or automated scanning based on triggers.
