Metadata-Version: 2.4
Name: prbl-scanner
Version: 0.1.0
Summary: AI code security scanner — finds what AI coding tools miss
License: MIT License
        
        Copyright (c) 2026 Prbl
        
        Permission is hereby granted, free of charge, to any person obtaining a copy
        of this software and associated documentation files (the "Software"), to deal
        in the Software without restriction, including without limitation the rights
        to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
        copies of the Software, and to permit persons to whom the Software is
        furnished to do so, subject to the following conditions:
        
        The above copyright notice and this permission notice shall be included in all
        copies or substantial portions of the Software.
        
        THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
        IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
        FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
        AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
        LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
        OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
        SOFTWARE.
        
Project-URL: Homepage, https://prbl-landing.vercel.app
Project-URL: Repository, https://github.com/noreplywmsplaybook-pixel/prbl-scanner
Project-URL: Bug Tracker, https://github.com/noreplywmsplaybook-pixel/prbl-scanner/issues
Project-URL: Security, https://github.com/noreplywmsplaybook-pixel/prbl-scanner/blob/main/SECURITY.md
Keywords: security,scanner,ai,vulnerability,static-analysis
Classifier: Development Status :: 4 - Beta
Classifier: Intended Audience :: Developers
Classifier: License :: OSI Approved :: MIT License
Classifier: Programming Language :: Python :: 3
Classifier: Programming Language :: Python :: 3.10
Classifier: Programming Language :: Python :: 3.11
Classifier: Programming Language :: Python :: 3.12
Classifier: Topic :: Security
Classifier: Topic :: Software Development :: Quality Assurance
Requires-Python: >=3.10
Description-Content-Type: text/markdown
License-File: LICENSE
Requires-Dist: requests>=2.33.0
Dynamic: license-file

# prbl-scanner

Open source vulnerability scanner for AI-generated code.

Prbl finds the security vulnerabilities that AI coding tools 
produce systematically — the patterns that exist because of 
how LLMs were trained, not because of developer mistakes.

## What it detects

- **PRBL-C001** — Hardcoded credentials and fallback secrets  
  `CWE-798 · OWASP A07 · #7 most critical web security risk`  
  Detects API keys, passwords, and tokens hardcoded directly in source
  code. Also catches the AI-specific fallback pattern:
  `process.env.SECRET || 'default_value'` where the fallback becomes
  the live secret for any deployment missing the environment variable.

- **PRBL-R001** — Weak randomness in security contexts  
  `CWE-338 · OWASP A04 · #4 most critical web security risk`  
  Flags Math.random(), random.random(), and related functions when used
  to generate tokens, session IDs, passwords, or OTPs. These functions
  are not cryptographically secure — their output is predictable.

- **PRBL-I001** — SQL injection including multi-line patterns  
  `CWE-89 · OWASP A05 · #5 most critical web security risk`  
  Detects user input concatenated or interpolated into SQL queries,
  including multi-line query construction patterns that most scanners miss.

- **PRBL-I002** — Command injection  
  `CWE-78 · OWASP A05 · #5 most critical web security risk`  
  Detects user input passed to shell commands via exec, spawn, system,
  popen, subprocess.run, and shell=True.

- **PRBL-I003** — Code injection (eval/exec)  
  `CWE-94/95 · OWASP A05 · #5 most critical web security risk`  
  Detects user input passed to eval(), exec(), new Function(), or
  compile(). Gives an attacker full code execution on the server.

- **PRBL-A001** — Missing access control including serverless handlers  
  `CWE-862 · OWASP A01 · #1 most critical web security risk`  
  Detects route handlers and serverless functions that perform sensitive
  operations (database access, payment processing, user data) with no
  visible authentication or authorization check.

- **PRBL-P001** — Hallucinated package references  
  `Emerging — no CWE · OWASP A03 · Supply Chain Failures`  
  Detects imports of packages that do not exist on PyPI or npm. AI
  models invent plausible-sounding package names. An attacker who
  registers the name with a malicious payload gets code execution on
  every machine that runs install.

## Security Standards Mapping

Every Prbl rule maps to established security standards. When a developer
asks an AI tool "how serious is this finding?" — the CWE and OWASP
category give it the full context to answer accurately.

| Rule | Name | CWE | OWASP 2025 | OWASP Rank |
|------|------|-----|------------|------------|
| PRBL-C001 | Hardcoded Credentials | CWE-798 | A07 — Authentication Failures | #7 |
| PRBL-R001 | Weak Randomness | CWE-338 | A04 — Cryptographic Failures | #4 |
| PRBL-I001 | SQL Injection | CWE-89 | A05 — Injection | #5 |
| PRBL-I002 | Command Injection | CWE-78 | A05 — Injection | #5 |
| PRBL-I003 | Code Injection | CWE-94/95 | A05 — Injection | #5 |
| PRBL-A001 | Missing Access Control | CWE-862 | A01 — Broken Access Control | #1 |
| PRBL-P001 | Hallucinated Packages | Emerging — no CWE | A03 — Supply Chain Failures | #3 |

### Why PRBL-P001 has no CWE

Hallucinated package references are a new vulnerability class created
by AI coding tools. Standard CWE scanners cannot detect this by
definition — there is no CWE entry because this failure mode did not
exist before LLMs generated code at scale. Prbl is the only scanner
that catches it.

PRBL-P001 maps to OWASP A03 (Supply Chain Failures) because a
malicious actor can register the hallucinated package name on PyPI
or npm — turning every project using that AI-generated import into
an unintentional malware distribution point.

## Why open source

Security tools that scan your code should be auditable. 
These are the exact rules Prbl uses. Nothing hidden.

## Install

pip install prbl-scanner

## Usage

prbl-scanner scan ./myproject

## JSON output

Every finding includes CWE and OWASP fields for downstream tooling:

```json
{
  "rule_id": "PRBL-C001",
  "title": "Hardcoded credential: Stripe live secret key",
  "cwe": "CWE-798",
  "owasp_category": "A07 — Authentication Failures",
  "owasp_rank": 7,
  "severity": "HIGH",
  "file": "auth/stripe.py",
  "line": 14,
  "detail": "...",
  "fix": "..."
}
```

## Validated against

74 public repos across Django, FastAPI, Express, NestJS, 
and full-stack codebases. 6.25% false positive rate.

## Contributing

Found a new AI vulnerability pattern? Open a PR.
Rule format is documented in CONTRIBUTING.md.

## License

MIT
