Turbo Broccoli

Hybrid SAST + DAST Security for Modern Web Applications

Comment

Inspiration

We’ve all heard the startup mantra: "Move fast and break things." But in the rush to ship, the first thing that usually breaks is security.

We realized that most developers in hackathons and early-stage startups skip security checks not because they don't care, but because the tools get in their way. Traditional SAST tools are slow, expensive, and often require complex CI/CD configurations that break the "flow state" of a hackathon or sprint.

We built Turbo Broccoli to bridge this gap. We wanted a tool that matches the speed of modern development one that runs instantly in the browser, respects data privacy, and turns vulnerability remediation from a chore into a one-click action.

What it does

Turbo Broccoli is a hybrid client-side security analysis engine designed to catch vulnerabilities before deployment.

  • Local Static Analysis (SAST): It uses the File System Access API to scan your local directory in real-time without uploading your entire codebase to a server. It runs both Regex-based pattern matching (for secrets, API keys) and AST-based analysis (for deeper logic flaws like SQL injection).
  • Dynamic Siege (DAST): It actively probes your running application (e.g., ngrok URL) to check for security headers, exposed .git directories, and public admin routes.
  • AI Remediation: When a vulnerability is found, it uses Google's *Gemini * model to generate context-aware code fixes, which can be applied to patch the issue instantly.
  • War Report Generation: It generates a downloadable Markdown "War Report" summarizing system integrity and detected threats.

How we built it

We built this to look like a hacking terminal but run like a modern SaaS.

  • Frontend: Next.js 16 and React 19 drive the "Glitch-Cyber" UI. We used Tailwind CSS for the cryptographic aesthetic.
  • The Brain (Static): We built a custom AST (Abstract Syntax Tree) parser using Acorn that runs entirely in the browser. This allows us to "understand" code structure, not just Regex match it.
  • The Muscle (Dynamic): We used Next.js API Routes to create a proxy server that performs active "Siege" scans (checking headers, git exposure, admin routes) to bypass CORS restrictions.
  • The Medic (AI): We integrated the @google/generative-ai SDK. We engineered specific prompts to ensure Gemini acts as a "Senior Security Engineer," returning only clean, executable code blocks for fixes.

Challenges we ran into

  • The "Browser Jail": Browsers are designed not to let websites read your file system. Implementing the File System Access API recursively while filtering out node_modules (which killed our memory usage) was a massive hurdle.
  • Handling AST in Typescript: Writing a parser that can handle both .js and .tsx syntax client-side without crashing was difficult. We had to implement strict error boundaries around our Acorn parser to ensure one bad file didn't crash the whole engine.
  • The Gemini Rate Limit: We wanted to fix everything, but AI APIs have limits. We had to build a custom in-memory rate limiter to queue our fix requests so we didn't get 429 errors from Google.

Accomplishments that we're proud of

  • Zero-Knowledge Architecture: We are incredibly proud that the Static Analysis happens 100% in-memory on the client. Your source code is never uploaded to our servers during the scan phase.
  • The "War Report": We successfully combined two completely different security paradigms (SAST & DAST) into a unified, actionable report that gives a 360-degree view of application security.
  • Gamification: We managed to turn a dry topic like security into an engaging experience with our "Cyberpunk" UI, real-time scoring system, and "Fortress" vs. "Breached" grading scale.

What we learned

  • Security is Nuanced: We learned that some bugs (like weak JWT algorithms) are best found statically, while others (like missing CORS headers) can only be truly verified dynamically. A single approach is never enough.
  • The Power of ASTs: We gained a deep appreciation for Abstract Syntax Trees. They allow you to treat code as data, unlocking powerful analysis capabilities that simple text search cannot match.
  • Browser Capabilities: We pushed the limits of modern browser APIs, realizing that the web platform is now powerful enough to host complex developer tools that previously required a desktop app.

What's next for Turbo Broccoli

  • IDE Extensions: Bringing the scanner directly into VS Code so developers see alerts as they type.
  • CI/CD Integration: Creating a GitHub Action to block pull requests if the "Security Score" drops below a certain threshold.
  • Broader Language Support: Expanding our AST parsers to support Python and Go, making Turbo Broccoli a universal tool for backend security.

Built With

Share this project:

Updates