Skip to content

Grenish/crack-code

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

Β 

History

82 Commits
examples
examples
Β 
Β 
src
src
Β 
Β 
.gitignore
.gitignore
Β 
Β 
README.md
README.md
Β 
Β 
bun.lock
bun.lock
Β 
Β 
marketplace.md
marketplace.md
Β 
Β 
package.json
package.json
Β 
Β 
tsconfig.json
tsconfig.json
Β 
Β 

Repository files navigation

Crack Code

AI-powered security auditor for your codebase.

Scans for vulnerabilities, explains findings with exact code references, and optionally applies fixes β€” all from your terminal.

npm version license bun

Features

  • πŸ›‘οΈ Security-first β€” finds injections, hardcoded secrets, auth flaws, SSRF, XSS, and more
  • πŸ€– Provider-agnostic β€” Anthropic, Azure, Google, OpenAI, OpenRouter, Vertex AI, or Ollama with one flag
  • πŸ”’ Read-only by default β€” never modifies files unless you explicitly allow it
  • ⚑ Streaming β€” results appear in real-time as the AI analyzes
  • 🧰 Agentic β€” reads files, lists directories, runs commands, writes fixes, and maintains shell context
  • πŸ” Permission-gated β€” every destructive action requires your approval
  • πŸ’¬ Interactive + one-shot β€” use as a REPL or a single command
  • πŸ–₯️ Persistent shell β€” virtual terminal maintains working directory and environment across commands

Install

bun install -g crack-code

Requires Bun v1.0+

Quick Start

# First run β€” setup wizard picks provider, model, and API key
crack-code

# One-shot scan
crack-code "scan this project for vulnerabilities"

# Target specific code
crack-code "check src/auth/ for authentication flaws"

# Interactive REPL
crack-code -i

# Enable file editing
crack-code --allow-edits "fix the SQL injection in src/db.ts"

# Skip permission prompts (use with caution)
crack-code --yolo "scan and fix everything"

CLI Options

-i, --interactive          Force interactive REPL mode
--setup                    Re-run the setup wizard
--allow-edits              Enable file writing (read-only by default)
--provider <name>          Override provider (anthropic, azure, google, openai, openrouter, ollama, vertex)
--model <name>             Override model
--key <key>                Override API key
--policy <policy>          Permission policy (ask, skip, allow-all, deny-all)
--scan <glob>              Only scan files matching this pattern
--max-steps <n>            Max agent steps (default: 30)
--max-tokens <n>           Max output tokens per response (default: 16384)
-h, --help                 Show help
-v, --version              Show version

REPL Commands

Command Description
/help Show available commands
/exit Exit the REPL
/clear Clear conversation history
/usage Show token usage for this session
/permission Choose read-only or edit mode
/model Show or change the active model
/provider Configure a provider and update credentials
/policy Show or set permission policy
/compact Summarize conversation to reduce context size

Tip: Use ? prefix for quick asks (e.g., ? what's a security best practice?)

Tools

The AI agent has access to these tools during analysis:

Tool Description Approval
read_file Read file contents with line numbers No
list_files List files matching a glob pattern No
virtual_terminal Execute shell commands with persistent context Yes
run_command Execute isolated shell commands Yes
write_file Write/overwrite files (edit mode) Yes

Virtual Terminal Tool

The virtual_terminal tool maintains shell context across commands β€” your working directory and environment variables persist between invocations. Perfect for multi-step workflows:

# Instead of repeating paths:
run_command "cd src/auth && npm install"
run_command "cd src/auth && npm test"

# Use persistent context:
virtual_terminal "cd src/auth"
virtual_terminal "npm install"
virtual_terminal "npm test"

Built-in commands: cd <path>, pwd, env, env KEY=VALUE, unset KEY, history

Providers

Anthropic

  • Model: claude-opus-4-1, claude-3-5-sonnet-20241022, claude-3-haiku-20240307
  • Env var: ANTHROPIC_API_KEY
  • Best for: Deep reasoning, security analysis, code review

Azure OpenAI

  • Env vars: AZURE_API_KEY, AZURE_RESOURCE_NAME
  • Setup: Requires Azure resource name (e.g., myorg-openai)
  • Best for: Enterprise deployments, compliance requirements

Google Gemini

  • Env var: GOOGLE_GENERATIVE_AI_API_KEY
  • Model: gemini-2.0-flash, gemini-1.5-pro
  • Best for: Broad analysis, cost-effective scanning

OpenAI

  • Env var: OPENAI_API_KEY
  • Model: gpt-4-turbo, gpt-4o, gpt-4o-mini
  • Best for: Reliable analysis, well-tested tooling

OpenRouter

  • Env var: OPENROUTER_API_KEY
  • Support: Access to 100+ models (Anthropic, OpenAI, Meta, Mistral, etc.)
  • Best for: Model flexibility, frontier model access

Vertex AI

  • Auth: Google Cloud service account JSON
  • Env vars: GOOGLE_CLOUD_PROJECT, GOOGLE_CLOUD_LOCATION, GOOGLE_APPLICATION_CREDENTIALS
  • Model: gemini-2.0-flash, gemini-1.5-pro
  • Best for: GCP-native deployments, managed infrastructure

Ollama

  • Env var: OLLAMA_ENDPOINT (default: http://localhost:11434)
  • Models: Any local model supporting tool calling (Llama 2, Mistral, etc.)
  • Best for: Private scanning, no API costs, full control

Configuration

Config is stored at ~/.crack-code/config.json and created automatically on first run.

# Re-run setup anytime
crack-code --setup

# Change provider and credentials
crack-code /provider

Environment Variables

Variable Provider Purpose
ANTHROPIC_API_KEY Anthropic API authentication
AZURE_API_KEY Azure API key for Azure OpenAI
AZURE_RESOURCE_NAME Azure Azure resource name
GOOGLE_GENERATIVE_AI_API_KEY Google API key for Gemini
OPENAI_API_KEY OpenAI API key for GPT models
OPENROUTER_API_KEY OpenRouter API key for model access
OLLAMA_ENDPOINT Ollama Local endpoint (optional)
GOOGLE_APPLICATION_CREDENTIALS Vertex AI Service account JSON path
GOOGLE_CLOUD_PROJECT Vertex AI GCP project ID
GOOGLE_CLOUD_LOCATION Vertex AI Region (default: us-central1)

If set, the setup wizard will detect and offer to use them.

Piped Input

# Pipe code directly for analysis
cat src/db.ts | crack-code

# Pipe with custom prompt
cat src/auth.ts | crack-code "find authentication vulnerabilities"

Examples

Security Audit

crack-code "scan src/ for vulnerabilities and explain findings"

Fix Mode

crack-code --allow-edits "find and fix SQL injections in src/database/"

Targeted Analysis

crack-code --scan "src/auth/**/*.ts" "check for authentication flaws"

Interactive Mode

crack-code -i
# Then ask questions like:
# > scan for hardcoded secrets
# > check the auth module for vulnerabilities
# /permission   (choose edit mode)
# /model      (change model)
# /provider   (change provider)

Upcoming Features

  • πŸ›οΈ Tool Marketplace β€” discover, install, and publish custom tools for community audits
  • πŸ“Š Enhanced Analytics β€” vulnerability heatmaps and trend analysis
  • πŸ”„ Auto-remediation β€” batch apply fixes across codebase
  • πŸ“ Project Profiles β€” save audit configurations per project

Architecture

  • Runtime: Bun (fast, all-in-one)
  • AI SDK: Vercel AI SDK (multi-provider support)
  • Validation: Zod (type-safe schemas)
  • Terminal: Custom REPL with streaming markdown support
  • Permissions: Session-based approval gating

Troubleshooting

"No API key found"

crack-code --setup          # Run setup wizard
# or set env var and run:
crack-code

Model not available

# Try a different model:
crack-code --model "gpt-4-turbo"

# List available models during setup:
crack-code --setup

Permission denied errors

# Approve all actions in current session:
crack-code --policy allow-all

# Approve each action individually (default):
crack-code --policy ask

License

MIT

About

Crack code is a simple CLI tool that uses AI to find the vulnerabilities in your codebase by scanning it smartly.

Resources

Readme
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

 
 
 

Contributors

Languages