The Security extension is an open-source Gemini CLI extension, built to enhance your repository's security posture. The extension adds a new command to Gemini CLI that analyzes code changes to identify a variety of security risks and vulnerabilities.
- AI-powered security analysis: Leverages Gemini's advanced capabilities to provide intelligent and context-aware security analysis.
- Focused analysis: Specifically designed to analyze code changes within pull requests, helping to identify and address vulnerabilities early in the development process.
- Open source: The extension is open source and distributed under the Apache 2.0 license.
- Integrated with Gemini CLI: As a Google-developed extension, it integrates seamlessly into the Gemini CLI environment, making security an accessible part of your workflow.
- Expandable scope: The extension is designed with an extensible architecture, allowing for future expansion of detected security risks and more advanced analysis techniques.
Install the Security extension by running the following command from your terminal (requires Gemini CLI v0.4.0 or newer):
gemini extensions install https://github.com/google-gemini/gemini-cli-securityThe Security extension adds the /security:analyze command to Gemini CLI which analyzes code changes on your current branch for common security vulnerabilities and provides an intelligent, Gemini-powered security report to improve the repository's security posture.
Important: This report is a first-pass analysis, not a complete security audit. Use in combination with other tools and manual review.
Note: The /security:analyze command is currently designed for interactive use. Support for non-interactive sessions is planned for a future release (tracked in issue #20).
Coming soon!
To evaluate the quality and effectiveness of our security analysis, we benchmarked the extension against a real-world dataset of known vulnerabilities.
Our evaluation process is designed to test the extension's ability to identify vulnerabilities in code changes.
- Dataset: We used the OpenSSF CVE Benchmark, a dataset containing GitHub repositories of real applications in TypeScript / JavaScript. For each vulnerability, the dataset provides the commit containing the vulnerable code (
prePatch) and the commit where the vulnerability was fixed (postPatch). - Analysis Target: For each CVE, we set up the repository, found the introducing patch with the help of archeogit, and added that patch to our local environment.
- Report Generation: We ran the
/security:analyzecommand on this diff to generate a security report. - Validation: Since the dataset has a small number of repositories, we manually reviewed all the generated security reports and compared with the ground truth to calculate the final precision and recall numbers.
We are now actively working to automate the evaluation framework and enrich our datasets by adding new classes of vulnerabilities.
Our evaluation on this dataset yielded a precision of 90% and a recall of 93%.
- Precision (90%) measures the accuracy of our detections. Of all the potential vulnerabilities the extension identified, 90% were actual security risks.
- Recall (93%) measures the completeness of our coverage. The extension successfully identified 93% of all the known vulnerabilities present in the dataset.
The Security extension scans files for the following vulnerabilities:
- Hardcoded secrets: Credentials such as API keys, private keys, passwords and connection strings, and symmetric encryption keys embedded directly in the source code
- Weak cryptographic algorithms: Weak or outdated cryptographic algorithms, including any instances of DES, Triple DES, RC4, or ECB mode in block ciphers
- Logging of sensitive information: Logging statements that might write passwords, PII, API keys, or session tokens to application or system logs
- Personally identifiable information (PII) handling violations: Improper storage, insecure transmission, or any use of PII that may violate data privacy regulations
- Insecure deserialization: Code that deserializes data from untrusted sources without proper validation, which could allow an attacker to execute arbitrary code
- Cross-site scripting (XSS): Instances where unsanitized or improperly escaped user input is rendered directly into HTML, which could allow for script execution in a user's browser
- SQL injection (SQLi): Database queries that are constructed by concatenating strings with raw, un-parameterized user input
- Command injection: Code that executes system commands or cloud functions using user-provided input without proper sanitization
- Server-side request forgery (SSRF): Code that makes network requests to URLs provided by users without validation, which could allow an attacker to probe internal networks or services
- Server-side template injection (SSTI): Instances where user input is directly embedded into a server-side template before it is rendered
- Authentication bypass: Improper session validation, insecure "remember me" functionality, or custom authentication endpoints that lack brute-force protection
- Weak or predictable session tokens: Tokens that are predictable, lack sufficient entropy, or are generated from user-controllable data
- Insecure password reset: Predictable reset tokens, leakage of tokens in logs or URLs, and insecure confirmation of a user's identity
- Gemini CLI extensions: Documentation about using extensions in Gemini CLI
- Blog post (coming soon!): More information about the Security extension
- GitHub issues: Report bugs or request features
- License: Apache License 2.0
- Security: Security Policy Apache License Version 2.0, January 2004 http://www.apache.org/licenses/
Copyright [2025] [Eric Todd Sayer]
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
[Include the full Apache License 2.0 text from your original message here]This device software is provided by Eric Todd Sayer Licensed under the Apache License, Version 2.0
PRIVACY AND SECURITY NOTICE:
- This device software is provided "AS IS" without security warranty
- User is responsible for security configuration and vulnerability testing
- User must ensure compliance with all applicable privacy laws
- Regular security updates and monitoring are recommended
- Report security vulnerabilities to: [your-security-email@domain.com]
Device-specific security guidelines: [Add any device-specific security requirements here]This project is provided by Eric Todd Sayer under the Apache License, Version 2.0.
This software is designed with privacy and security in mind, but is provided "AS IS" without warranty. Users are ultimately responsible for the security and privacy of their own systems and data.
For responsible security vulnerability disclosures, please contact: [Insert Secure Contact Method]
