- Mapped codebase structure: CLI, Server (Rust/Axum), Web (SvelteKit 5), VS Code extension
- Identified AI provider system (Anthropic, OpenAI, Google, Groq, custom)
- Located existing CVE sync, secrets detection, and SAST engines
- Built and ran `zenvra scan` on `test-fixtures/vulnerable_app.py`
- Configured Groq API (llama-3.3-70b-versatile) for AI-powered explanations
- Results: 7 hardcoded secrets detected (3 critical, 2 high, 2 medium)
- AI explanations + fix suggestions generated via Groq in <1s per finding
- Started PostgreSQL (5433) + Redis (6379) via docker compose
- Ran migrations and synced NVD/OSV vulnerability data
- Verified: Database contains CVE records for mapping
- Axum server running on `localhost:8080`
  - `/api/v1/scan` — accepts code, returns scan ID
  - `/api/v1/scan/:id/events` — streams results via SSE (real-time)
- Tested: Secrets engine + AI enrichment working end-to-end
- SvelteKit 5 dev server running on `localhost:5174`
- Created `.env.local` for environment configuration
- Scan page includes SAST + Secrets engines enabled by default
- UI ready to accept code submissions
- 10+ vulnerability detection rules already implemented:
  - Insecure hashing (MD5, SHA1)
  - SQL injection detection
  - OS command injection
  - eval() and dangerous functions
  - XSS sinks (dangerouslySetInnerHTML, innerHTML)
  - Path traversal
  - Prototype pollution
  - Insecure randomness
  - Weak cryptography (DES, RC4)
  - Hardcoded localhost references
- Tests: All 3 unit tests passing
- Real-world test: Detected 5 vulnerabilities in test code (SQL injection, MD5, eval, command injection)
- API integration: SAST findings streamed with AI explanations via SSE
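To make the rule categories above concrete, here is an added example of a minimal regex-driven rule set in Python, run over a constructed sample file. It is illustration code, not zenvra's `crates/scanner/src/engines/sast.rs`; the rule ids, severities and the sample lines are all assumptions made for this example, and a real engine would match on an AST rather than on line text.

```python
"""Minimal regex-driven SAST/secrets rule set (added example, not zenvra's own
engine). Rule ids, severities and the sample input below are constructed."""
import re
from collections import Counter
from dataclasses import dataclass

# A quoted literal followed by `+`, or the start of an f-string: the simplest
# textual signal that data is being concatenated into a query or command.
_CONCAT = r"""(f["']|"[^"]*"\s*\+|'[^']*'\s*\+)"""

# (rule id, severity, pattern). Order decides report order within one line.
RULES = [
    ("hardcoded-aws-key", "critical", r"\bAKIA[0-9A-Z]{16}\b"),
    ("os-command-injection", "critical",
     r"\b(os\.system|subprocess\.(call|run|Popen))\s*\(\s*" + _CONCAT),
    ("sql-injection", "high", r"\.(execute|query)\s*\(\s*" + _CONCAT),
    ("dangerous-function", "high", r"\b(eval|exec)\s*\("),
    ("weak-crypto", "high", r"\b(DES|RC4|ARC4)\b"),
    ("insecure-hash", "medium", r"\b(md5|sha1)\s*\("),
    ("insecure-randomness", "medium", r"\brandom\.(random|randint|choice)\s*\("),
    ("hardcoded-localhost", "low", r"\b(localhost|127\.0\.0\.1)\b"),
]
_COMPILED = [(rid, sev, re.compile(pat)) for rid, sev, pat in RULES]


@dataclass(frozen=True)
class Finding:
    rule_id: str
    severity: str
    line: int
    snippet: str


def scan_source(source: str) -> list[Finding]:
    """Run every rule over every line; at most one finding per rule per line."""
    findings = []
    for lineno, text in enumerate(source.splitlines(), start=1):
        for rule_id, severity, pattern in _COMPILED:
            if pattern.search(text):
                findings.append(Finding(rule_id, severity, lineno, text.strip()))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity, e.g. {'critical': 2, 'high': 3, ...}."""
    return dict(Counter(f.severity for f in findings))


# Constructed sample input: one deliberately weak pattern per line (not real code).
SAMPLE = """\
import hashlib, os, random, subprocess
digest = hashlib.md5(password.encode()).hexdigest()
cursor.execute("SELECT * FROM users WHERE name = '" + name + "'")
result = eval(user_input)
os.system("ping " + host)
token = random.random()
API_URL = "http://localhost:8080/api"
cipher = DES.new(key, DES.MODE_ECB)
AWS_KEY = "AKIAEXAMPLEKEY000000"
"""

if __name__ == "__main__":
    results = scan_source(SAMPLE)
    for f in results:
        print(f"{f.severity:8} line {f.line:2}  {f.rule_id:22} {f.snippet}")
    print(summarize(results))
```

Running the block on the sample reports eight findings (one per weak line) and a severity breakdown of 2 critical, 3 high, 2 medium, 1 low; the per-severity summary is the same shape as the "3 critical, 2 high, 2 medium" counts reported above for the secrets engine.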
- Created `CONFIG_GUIDE.md` documenting all configuration options
- Environment variables mapped (PUBLIC_API_URL, etc.)
- API endpoints listed with descriptions
```bash
# Infrastructure: PostgreSQL (5433) + Redis (6379)
cd zenvra
docker compose up -d postgres redis
```

```bash
# Axum API server on localhost:8080
cd zenvra
set -a && source .env && set +a
cargo run -p zenvra-server
```

```bash
# SvelteKit 5 dev server on localhost:5174
cd zenvra/apps/web
pnpm dev
```

```bash
# CLI scan
cd zenvra
set -a && source .env && set +a
cargo run -p zenvra-cli -- scan <file_or_dir>
```

Then open http://localhost:5174 and:
- Go to Settings → AI to configure Groq API key
- Go to Scan page to submit code
- Watch real-time findings stream in
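The same submit-then-watch flow can be driven from a script against the two API endpoints listed above (`/api/v1/scan` and `/api/v1/scan/:id/events`). The following Python client is an added example, not part of zenvra; the JSON field names (`code`, `engines`, `id`), the SSE event names (`finding`, `done`) and the `ZENVRA_API` environment variable are assumptions, while the paths come from this page and the framing rules come from the SSE specification.

```python
"""Added example client (not zenvra's own code) for POST /api/v1/scan and the
SSE stream at /api/v1/scan/:id/events. Request/response field names and the
event names are assumptions; only the paths and SSE framing are given."""
import json
import os
import sys
import urllib.request
from typing import Iterable, Iterator


def iter_sse_events(chunks: Iterable[bytes]) -> Iterator[dict]:
    """Reassemble Server-Sent Events from arbitrarily split byte chunks.
    Follows the WHATWG framing: `field: value` lines, a blank line dispatches,
    lines starting with ':' are comments (keep-alives), multi-line `data:` is
    joined with '\\n', and an event with no data is dropped, not dispatched."""
    buf = b""
    event_type, data_lines, last_id = "message", [], None
    for chunk in chunks:
        buf += chunk
        while b"\n" in buf:
            raw, buf = buf.split(b"\n", 1)
            line = raw.rstrip(b"\r").decode("utf-8")
            if line == "":                      # end of one event
                if data_lines:
                    yield {"event": event_type, "id": last_id,
                           "data": "\n".join(data_lines)}
                event_type, data_lines = "message", []
            elif line.startswith(":"):          # comment / keep-alive
                pass
            else:
                field, _, value = line.partition(":")
                value = value[1:] if value.startswith(" ") else value
                if field == "event":
                    event_type = value
                elif field == "data":
                    data_lines.append(value)
                elif field == "id":
                    last_id = value             # persists across events per spec


def decode_events(chunks: Iterable[bytes]) -> list:
    """Parse a byte stream into (event name, decoded JSON payload) pairs."""
    return [(ev["event"], json.loads(ev["data"])) for ev in iter_sse_events(chunks)]


def submit_scan(base_url: str, code: str, engines=("sast", "secrets")) -> str:
    """POST the code and return the scan id (body shape is an assumption)."""
    body = json.dumps({"code": code, "engines": list(engines)}).encode()
    req = urllib.request.Request(f"{base_url}/api/v1/scan", data=body,
                                 headers={"Content-Type": "application/json"},
                                 method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return str(json.load(resp)["id"])


def stream_findings(base_url: str, scan_id: str) -> Iterator[tuple]:
    """Yield (event, payload) for each SSE event until the server closes."""
    req = urllib.request.Request(f"{base_url}/api/v1/scan/{scan_id}/events",
                                 headers={"Accept": "text/event-stream"})
    with urllib.request.urlopen(req) as resp:
        chunks = iter(lambda: resp.read1(4096), b"")   # stream, don't buffer all
        for ev in iter_sse_events(chunks):
            yield ev["event"], json.loads(ev["data"])


# Constructed sample stream, split mid-line on purpose to exercise buffering.
SAMPLE_STREAM = [
    b"event: finding\ndata: {\"rule\": \"insec",
    b"ure-hash\", \"line\": 2, \"severity\": \"medium\"}\n\n:keepalive\n\n",
    b"id: 7\nevent: finding\ndata: {\"rule\": \"sql-injection\",\ndata:  \"line\": 3}\n\n",
    b"event: done\ndata: {}\n\n",
]

if __name__ == "__main__":
    base = os.environ.get("ZENVRA_API", "http://localhost:8080")  # assumed var name
    code = open(sys.argv[1]).read() if len(sys.argv) > 1 else "h = hashlib.md5(pw)\n"
    sid = submit_scan(base, code)
    for event, payload in stream_findings(base, sid):
        print(event, payload)
        if event == "done":
            break
```

The parser is the part worth keeping even if the field names turn out to differ: it handles chunk boundaries that fall mid-line, `\r\n` line endings, comment keep-alives and multi-line `data:` blocks, which are the cases a naive `split("\n\n")` on a streaming response gets wrong.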
| Component | Status | Details |
|---|---|---|
| Secrets Detection | ✅ Working | AWS keys, API tokens, private keys, passwords |
| SAST Engine | ✅ Working | SQL injection, XSS, command injection, weak crypto |
| AI Explanations | ✅ Working | Groq llama-3.3-70b (fast, free tier) |
| NVD CVE Sync | ✅ Working | PostgreSQL populated with vulnerability data |
| CLI | ✅ Working | zenvra scan <path> with multiple engines |
| API Server | ✅ Working | SSE streaming, real-time results |
| Web UI | ✅ Ready | SvelteKit 5, responsive, scan submission |
| Configuration | ✅ Clean | Env vars, localStorage for AI config |
- Test Web UI — Submit vulnerable code from browser, verify findings appear
- VS Code Extension — Integrate SAST + API with inline diagnostics
- SCA Engine — Implement dependency vulnerability scanning
- AI Code Patterns — Detect common AI-generated code anti-patterns
- Production Deployment — Docker images, environment scaling
- `.env` — Backend + AI config (Groq API, NVD key, DB URL)
- `apps/web/.env.local` — Frontend config (API URL)
- `CONFIG_GUIDE.md` — Full configuration reference
- `crates/scanner/src/engines/sast.rs` — SAST rules (10+ patterns)
- `crates/server/src/main.rs` — Axum API server
- `apps/web/src/routes/scan/+page.svelte` — Web scan UI
Built with ❤️ using Rust + SvelteKit + Groq AI. Ship fast. Ship safe.