AVA - Advanced Vulnerability Analyzer

An AI-powered web application that analyzes code snippets, URLs, and entire GitHub repositories for security vulnerabilities using advanced machine learning models. The system detects common security issues including XSS, SQL injection, command injection, and other OWASP Top 10 vulnerabilities.

Features

Core Functionality

The application provides comprehensive security analysis through an intuitive web interface. Users can submit either code snippets or URLs for analysis, and the AI-powered backend examines the input for potential security vulnerabilities. The system categorizes findings by severity level (Critical, High, Medium, Low) and provides detailed explanations along with remediation recommendations.

Code Analysis supports multiple programming languages including JavaScript, HTML, Python, PHP, SQL, Java, and C#. The analyzer can detect various vulnerability types such as Cross-Site Scripting (XSS), SQL Injection, Command Injection, Path Traversal, Insecure Deserialization, Authentication Issues, Cryptographic Weaknesses, Information Disclosure, and CSRF vulnerabilities. Each detected issue includes the vulnerability type, severity rating, detailed description, code location, and specific remediation steps.

URL Scanning examines web application URLs for security misconfigurations and potential vulnerabilities. The analysis covers protocol security (HTTP vs HTTPS), exposed sensitive parameters, parameter tampering risks, open redirect vulnerabilities, information disclosure through URL structure, and potential IDOR (Insecure Direct Object Reference) issues.

Scan History maintains a complete record of all security scans performed by each user. The system stores scan submissions, analysis results, and vulnerability findings in a persistent database, allowing users to review past analyses and track security improvements over time.

Technical Architecture

The application follows a modern full-stack architecture with clear separation of concerns. The frontend is built with React 19, utilizing Tailwind CSS 4 for styling and shadcn/ui components for a consistent user interface. The dark theme with cyan accents provides a professional security-focused aesthetic. The backend uses Node.js with Express 4 and tRPC 11 for type-safe API communication. The database layer employs MySQL with Drizzle ORM for schema management and migrations. Authentication is handled through JWT-based session management with Manus OAuth integration.

The AI integration leverages the Manus built-in LLM service, which provides access to advanced language models for vulnerability analysis. The system uses structured JSON output with defined schemas to ensure consistent and parseable results. Input validation enforces a 50KB size limit for code snippets and validates URL formats before processing.

Prerequisites

Before running the application, ensure you have the following installed on your system:

• Node.js version 22.x or higher
• pnpm version 10.x or higher
• MySQL 8.0 or compatible database (TiDB, MariaDB)
• Docker and Docker Compose (optional, for containerized deployment)

Installation

Local Development Setup

Clone the repository and navigate to the project directory:

git clone <repository-url>
cd ava-scanner

Install dependencies using pnpm:

pnpm install

Configure environment variables by creating a .env file in the project root:

# Database Configuration
DATABASE_URL=mysql://username:password@localhost:3306/vuln_analyzer

# Authentication
JWT_SECRET=your-secure-random-string-here

# Manus Platform (if using built-in AI)
BUILT_IN_FORGE_API_URL=https://api.manus.im
BUILT_IN_FORGE_API_KEY=your-api-key-here

# OAuth Configuration (for Manus Auth)
OAUTH_SERVER_URL=https://api.manus.im
VITE_OAUTH_PORTAL_URL=https://portal.manus.im
VITE_APP_ID=your-app-id

Initialize the database schema:

pnpm db:push

Start the development server:

pnpm dev

The application will be available at http://localhost:3000.

Docker Deployment

For containerized deployment, use Docker Compose to start both the application and database:

docker-compose up -d

This command starts the MySQL database and the application container. The database will be initialized automatically on first run. Access the application at http://localhost:3000.

To stop the containers:

docker-compose down

To view logs:

docker-compose logs -f app

Usage

Submitting a Code Scan

Navigate to the Scanner page and select the "Code Snippet" tab. Choose the programming language from the dropdown menu (JavaScript, HTML, Python, PHP, SQL, Java, C#, or Other). Paste your code into the editor, which supports up to 50KB of code. Click "Start Scan" to submit the code for analysis.

The system will process the code using AI-powered analysis, typically completing within 10-30 seconds depending on code complexity. Once analysis is complete, you will be redirected to the results page showing all detected vulnerabilities.

Example: Detecting XSS Vulnerability

<div id="output"></div>
<script>
  const userInput = location.search.split('=')[1];
  document.getElementById('output').innerHTML = userInput;
</script>

This code demonstrates a reflected XSS vulnerability where user input from the URL is directly inserted into the DOM without sanitization. The analyzer will identify this as a high-severity issue and recommend using textContent instead of innerHTML or implementing proper input sanitization.

Example: Detecting SQL Injection

const userId = req.query.id;
const query = `SELECT * FROM users WHERE id = ${userId}`;
db.query(query, (err, results) => {
  res.json(results);
});

This code concatenates user input directly into a SQL query, creating a critical SQL injection vulnerability. The analyzer will flag this issue and recommend using parameterized queries or prepared statements.

Submitting a URL Scan

Navigate to the Scanner page and select the "URL Scan" tab. Enter the complete URL including the protocol (http:// or https://). Click "Start Scan" to analyze the URL for security issues.

The system examines the URL structure, protocol, parameters, and common vulnerability patterns. Results are displayed on the results page with severity ratings and recommendations.

Example URL Analysis

http://example.com/api/user?id=123&token=abc123

The analyzer will identify multiple issues: use of insecure HTTP protocol (Medium severity), potential IDOR vulnerability through exposed user ID (High severity), and authentication token in URL parameters (High severity). Recommendations will include migrating to HTTPS, implementing proper access controls, and moving sensitive tokens to headers.

Viewing Results

The results dashboard displays a summary of detected vulnerabilities with counts by severity level (Critical, High, Medium, Low). Each vulnerability is presented in an expandable accordion with the following information:

• Issue Type: Category of vulnerability (e.g., XSS, SQL Injection)
• Severity: Risk level with color-coded badge
• Title: Brief summary of the issue
• Description: Detailed explanation of the vulnerability
• Location: Where in the code the issue was found
• Remediation: Step-by-step instructions to fix the vulnerability
• CVSS Score: Industry-standard vulnerability scoring (when applicable)

Accessing Scan History

Navigate to the History page to view all previous scans. Each scan entry shows the scan type (Code or URL), target information, status (Pending, Completed, Failed), and timestamp. Click "View Results" on any completed scan to see the full vulnerability report.

API Documentation

tRPC Endpoints

The application uses tRPC for type-safe API communication. All endpoints are accessible under /api/trpc.

Authentication Endpoints

• auth.me (Query): Returns the current authenticated user information
• auth.logout (Mutation): Logs out the current user and clears the session

Scan Endpoints

• scans.submit (Mutation): Submits a new vulnerability scan

  • Input: { scanType: "code" | "url", targetUrl?: string, codeSnippet?: string, language?: string }
  • Returns: { scanId: number }

• scans.getById (Query): Retrieves a specific scan with vulnerabilities

  • Input: { scanId: number }
  • Returns: { scan: Scan, vulnerabilities: Vulnerability[] }

• scans.getResults (Query): Gets scan results with severity summary

  • Input: { scanId: number }
  • Returns: { scan: Scan, vulnerabilities: Vulnerability[], severityCounts: object, totalVulnerabilities: number }

• scans.getHistory (Query): Retrieves all scans for the authenticated user

  • Returns: Scan[]

Database Schema

users table stores authenticated user information with fields for id, openId (OAuth identifier), name, email, loginMethod, role (user or admin), and timestamps.

scans table records vulnerability scan submissions with fields for id, userId, scanType (url or code), targetUrl, codeSnippet, language, status (pending, completed, failed), errorMessage, and timestamps.

vulnerabilities table stores detected security issues with fields for id, scanId, issueType, severity (low, medium, high, critical), title, description, location, remediation, cvssScore, and createdAt timestamp.

Testing

The project includes comprehensive test coverage for all core functionality. Run the test suite with:

pnpm test

The test suite covers:

• Code snippet submission and validation
• URL submission and format validation
• Vulnerability detection for XSS, SQL injection, and other issues
• Scan result retrieval and authorization
• User scan history
• Input validation and size limits
• Error handling for failed analyses

Configuration

Environment Variables

Variable	Description	Required
DATABASE_URL	MySQL connection string	Yes
JWT_SECRET	Secret key for JWT token signing	Yes
BUILT_IN_FORGE_API_URL	Manus AI API endpoint	Yes (for AI features)
BUILT_IN_FORGE_API_KEY	Manus AI API key	Yes (for AI features)
OAUTH_SERVER_URL	OAuth server URL	Yes (for authentication)
VITE_OAUTH_PORTAL_URL	OAuth login portal URL	Yes (for authentication)
VITE_APP_ID	Application ID for OAuth	Yes (for authentication)
NODE_ENV	Environment mode (development/production)	No

AI Model Configuration

The application uses the Manus built-in LLM service by default, which provides access to advanced language models without requiring separate API keys. The AI analysis uses structured JSON output with defined schemas to ensure consistent vulnerability detection.

For custom AI integration, modify server/vulnerabilityAnalyzer.ts to use alternative AI providers such as OpenAI, Anthropic, or Hugging Face. The analyzer functions analyzeCodeSnippet and analyzeUrl can be adapted to work with any LLM API that supports structured output.

Security Considerations

This application analyzes code for vulnerabilities but should not be considered a replacement for comprehensive security audits or penetration testing. The AI-powered analysis provides valuable insights but may not detect all security issues or may produce false positives.

Important Security Notes:

• Always validate and sanitize user input on both client and server sides
• Use parameterized queries for all database operations
• Implement proper authentication and authorization checks
• Keep dependencies updated to patch known vulnerabilities
• Use HTTPS in production environments
• Implement rate limiting to prevent abuse
• Store sensitive credentials in environment variables, never in code
• Regularly review and update the AI prompts to improve detection accuracy

Troubleshooting

Database Connection Issues

If you encounter database connection errors, verify that MySQL is running and the connection string in DATABASE_URL is correct. Check that the database user has appropriate permissions to create tables and execute queries. Run pnpm db:push to ensure the schema is up to date.

AI Analysis Failures

If scans fail with AI-related errors, verify that the BUILT_IN_FORGE_API_KEY is valid and the API endpoint is accessible. Check the server logs for detailed error messages. Ensure your API key has sufficient quota for LLM requests.

Module Resolution Errors

If you see TypeScript or module import errors, try restarting the development server with pnpm dev. Clear the node_modules directory and reinstall dependencies with pnpm install if issues persist.

Port Already in Use

If port 3000 is already in use, either stop the conflicting service or modify the port in server/_core/index.ts and update the Docker configuration accordingly.

Contributing

Contributions are welcome! Please follow these guidelines:

1. Fork the repository and create a feature branch
2. Write tests for new functionality
3. Ensure all tests pass with pnpm test
4. Follow the existing code style and conventions
5. Update documentation for any API or feature changes
6. Submit a pull request with a clear description of changes

License

This project is licensed under the MIT License. See the LICENSE file for details.

Acknowledgments

This application was built using the Manus platform, which provides integrated AI services, authentication, and deployment infrastructure. The vulnerability detection leverages advanced language models to identify security issues in code and web applications.

Support

For issues, questions, or feature requests, please open an issue on the project repository or contact the development team.

---

Version: 1.0.0
Last Updated: February 2026
Author: Manus AI

Built With

• css
• dockerfile
• html
• javascript
• typescript