Metadata-Version: 2.4
Name: critik
Version: 0.4.0
Summary: AI-powered code security scanner — catch what Copilot ships and Snyk overcharges for
Project-URL: Homepage, https://critik.dev
Project-URL: Repository, https://github.com/AlexlaGuardia/critik
Project-URL: Issues, https://github.com/AlexlaGuardia/critik/issues
Author-email: Alex LaGuardia <alex@alexlaguardia.dev>
License-Expression: MIT
License-File: LICENSE
Keywords: ai,copilot,cursor,scanner,security,vibe-coding
Classifier: Development Status :: 3 - Alpha
Classifier: Environment :: Console
Classifier: Intended Audience :: Developers
Classifier: License :: OSI Approved :: MIT License
Classifier: Programming Language :: Python :: 3
Classifier: Topic :: Security
Classifier: Topic :: Software Development :: Quality Assurance
Requires-Python: >=3.10
Provides-Extra: ai
Requires-Dist: groq>=1.0; extra == 'ai'
Provides-Extra: dev
Requires-Dist: groq>=1.0; extra == 'dev'
Requires-Dist: pytest>=7.0; extra == 'dev'
Requires-Dist: pyyaml>=6.0; extra == 'dev'
Provides-Extra: rules
Requires-Dist: pyyaml>=6.0; extra == 'rules'
Description-Content-Type: text/markdown

# Critik

Security scanner for vibe-coded apps. Catch what Copilot ships and Snyk overcharges for.

```bash
pip install critik
critik scan .
```

## What it catches

- **Hardcoded secrets** — AWS keys, API tokens, database URLs, private keys (16 patterns)
- **SQL injection** — f-strings and string concatenation in execute() calls
- **Code and command injection** — eval(), exec(), os.system(), subprocess with shell=True
- **XSS vectors** — dangerouslySetInnerHTML, document.write(), eval() in JS
- **Missing auth** — FastAPI/Express routes without authentication middleware
- **Insecure config** — DEBUG=True, CORS wildcard, insecure cookies
- **Exposed .env** — real secrets in .env files, missing .gitignore entries
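Two of the patterns above, each shown beside its hardened form, as an added illustration written for this page (not code from the Critik project). The in-memory `users` table and the `echo` command are constructed sample inputs; the point is that the flagged form lets the input change the query or the command, while the hardened form passes it as data.

```python
import sqlite3
import subprocess


def _demo_db() -> sqlite3.Connection:
    # Constructed sample table standing in for an application database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user")],
    )
    return conn


def lookup_user_vulnerable(name: str) -> list[tuple]:
    """The pattern the scanner flags: an f-string inside execute().
    The caller's input becomes part of the SQL text."""
    conn = _demo_db()
    return conn.execute(
        f"SELECT name, role FROM users WHERE name = '{name}'"
    ).fetchall()


def lookup_user_safe(name: str) -> list[tuple]:
    """Hardened form: a bound parameter. The driver never parses the input as SQL."""
    conn = _demo_db()
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


def greet_vulnerable(name: str) -> str:
    """The pattern the scanner flags: shell=True with interpolated input.
    Shell metacharacters in `name` are interpreted by /bin/sh."""
    result = subprocess.run(
        f"echo {name}", shell=True, capture_output=True, text=True
    )
    return result.stdout


def greet_safe(name: str) -> str:
    """Hardened form: an argv list and no shell. Metacharacters reach echo literally."""
    result = subprocess.run(["echo", name], capture_output=True, text=True)
    return result.stdout


if __name__ == "__main__":
    sqli = "x' OR '1'='1"
    print("vulnerable SQL:", lookup_user_vulnerable(sqli))  # every row
    print("safe SQL:     ", lookup_user_safe(sqli))         # no rows
    cmdi = "world; echo INJECTED"
    print("vulnerable cmd:", repr(greet_vulnerable(cmdi)))  # second command ran
    print("safe cmd:     ", repr(greet_safe(cmdi)))         # one literal argument
```

The same distinction applies to the other injection sinks in the list: the fix is always to keep untrusted input out of the code or command being interpreted, not to escape it into the string.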

## Usage

```bash
# Scan current directory
critik scan .

# Scan specific path
critik scan ./src

# JSON output (for CI/CD)
critik scan . --format json

# Only show critical and high
critik scan . --severity high

# Quiet mode (summary only)
critik scan . --quiet
```

## Exit codes

- `0` — No critical or high findings (medium and low findings are reported but do not change the exit code)
- `1` — Critical or high findings detected
- `2` — Scanner error (not a security result; treat it as a broken pipeline, not a clean scan)

## Supported languages

- Python (.py)
- JavaScript (.js, .jsx)
- TypeScript (.ts, .tsx)
- Environment files (.env)
- Config files (.json, .yaml, .toml)

## Ignore patterns

Create a `.critikignore` file in your project root:

```
# Skip test fixtures
tests/fixtures/*
# Skip generated code
generated/*
```

## GitHub Action

Add to `.github/workflows/critik.yml`:

```yaml
name: Critik
on: [push, pull_request]
permissions:
  contents: read
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: '3.12'
      # Pin the scanner so a new release cannot silently change what the gate enforces
      - run: pip install critik==0.4.0
      # Exits 1 on critical/high findings, which fails the job
      - run: critik scan .
```

For GitHub Code Scanning integration (findings appear inline on PRs), the job needs `security-events: write` for the upload, and the upload step must run even though the scan step exits non-zero when it finds something:

```yaml
    permissions:
      contents: read
      security-events: write   # required by upload-sarif
    steps:
      # ... checkout, setup-python and pip install as above ...
      # The redirect writes critik.sarif even when the scan exits 1
      - run: critik scan . --format sarif > critik.sarif
      # Upload on failure too, so findings reach Code Scanning while the job still fails
      - uses: github/codeql-action/upload-sarif@v3
        if: always()
        with:
          sarif_file: critik.sarif
```

## Why Critik?

53% of teams that shipped AI-generated code discovered security issues that passed review. The vibe coding era needs a security scanner that's:

- **Fast** — scans in milliseconds, not minutes
- **Offline by default** — the base install makes no API calls and no code leaves your machine; only the optional `ai` extra installs the `groq` API client, so enable it only if you are willing to send code to a third-party service
- **Free** — open source, no required dependencies (the `ai`, `rules` and `dev` extras are opt-in)
- **Focused** — catches real issues, not style nits

## License

MIT
