README
¶
VGX
Open-source security scanner for AI-assisted development.
Installation • CLI Reference • API • VS Code • How It Works
The Problem
With AI coding assistants (Copilot, Cursor, Claude), developers ship code they didn't write and often don't fully understand. Studies show:
- 42% of code now has AI assistance (Sonar 2026)
- 96% of developers don't fully trust AI-generated code
- 45% of AI-generated code contains security vulnerabilities
VGX helps you know what's AI-generated and catch vulnerabilities before they hit production.
Features
| Feature | Description |
|---|---|
| AI Code Detection | Identify AI-generated code using stylometry + pattern analysis |
| Security Scanning | Vulnerability detection via Semgrep (+ optional OpenAI) |
| Pre-commit Hooks | Block insecure code before it's committed |
| VS Code Extension | Real-time AI detection in your editor |
| Offline-First | No API keys required. Your code never leaves your machine. |
| CI/CD Ready | JSON output for pipeline integration |
Installation
Quick Install (Linux/macOS)
curl -sSL https://vgx.sh/install | bash
Go Install
go install github.com/rohansx/vgx@latest
Docker
docker pull ghcr.io/rohansx/vgx:latest
docker run -v $(pwd):/code ghcr.io/rohansx/vgx detect --path /code
Build from Source
git clone https://github.com/rohansx/vgx.git
cd vgx
go build -o vgx ./cmd/vgx
CLI Reference
Commands
vgx <command> [options]
Commands:
detect Detect AI-generated code
scan Security vulnerability scan
version Print version
help Show help
vgx detect — AI Code Detection
Analyze files for AI-generated code patterns.
# Scan a directory
vgx detect --path ./src
# Scan a single file
vgx detect src/api/handler.ts
# JSON output (for CI/CD)
vgx detect --path ./src --format json
# Custom threshold (default: 70)
vgx detect --path ./src --threshold 80
Options:
| Flag | Short | Default | Description |
|---|---|---|---|
--path |
-p |
. |
Path to scan |
--format |
-f |
text |
Output format: text, json |
--threshold |
70 |
AI confidence threshold (0-100) |
Example Output:
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
VGX AI Code Detection
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Files scanned: 12
AI-generated: 4
Human-written: 8
AI percentage: 33.2%
Max AI confidence: 89%
FILES
🤖 src/api/handlers.ts 89%
🤖 src/utils/fetch.ts 82%
✓ src/config.ts 28%
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
🤖 4 file(s) detected as AI-generated
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
vgx scan — Security Scanning
Scan for vulnerabilities using Semgrep rules.
# Scan changed files (default)
vgx scan
# Scan all files
vgx scan --changes=false
# Scan specific files
vgx scan src/auth.ts src/api/users.ts
Options:
| Flag | Default | Description |
|---|---|---|
--changes |
true |
Scan only git-changed files |
--report |
true |
Generate markdown report |
--update-context |
true |
Update file context cache |
Detects:
- Hardcoded secrets & API keys
- SQL injection vulnerabilities
- XSS (Cross-Site Scripting)
- Insecure cryptography
- Path traversal
- Command injection
- And more via Semgrep rules
API
JSON Output Schema
Detection Result
{
"files_scanned": 12,
"ai_detected": 4,
"human_written": 8,
"max_ai_confidence": 0.89,
"ai_percentage": 33.2,
"results": [
{
"file_path": "src/api/handler.ts",
"ai_confidence": 0.89,
"confidence_level": "very_high",
"style_score": 0.82,
"pattern_score": 0.94,
"is_ai_generated": true,
"lines_of_code": 145,
"patterns": [
{
"name": "async_await_fetch",
"confidence": 0.10,
"line_start": 23,
"line_end": 35
}
]
}
]
}
Vulnerability Result
{
"file": "src/auth.ts",
"description": "Hardcoded API key detected",
"rule": "generic.secrets.security.detected-api-key",
"severity": "high",
"line": 15,
"source": "semgrep",
"recommendation": "Use environment variables for secrets"
}
Exit Codes
| Code | Meaning |
|---|---|
0 |
Success, no issues found |
1 |
Issues found (AI code or vulnerabilities) |
2 |
Error (invalid path, etc.) |
VS Code Extension
Real-time AI code detection in your editor.
Features
- Status Bar Indicator — Shows AI confidence for current file
- Inline Highlighting — Highlights AI-generated code patterns
- Workspace Scanning — Scan entire workspace for AI code
Commands
| Command | Description |
|---|---|
VGX: Detect AI Code in File |
Analyze current file |
VGX: Detect AI Code in Workspace |
Scan all files |
VGX: Security Scan File |
Run security scan |
Settings
{
"vgx.aiThreshold": 70,
"vgx.highlightAICode": true,
"vgx.showInlineConfidence": true
}
Installation
cd vscode-extension
npm install
npm run compile
# Then install via "Install from VSIX" in VS Code
How It Works
AI Detection Algorithm
VGX uses a combination of stylometry (code style analysis) and pattern matching to detect AI-generated code.
┌─────────────────────────────────────────────────────────────┐
│ VGX DETECTION ENGINE │
├─────────────────────────────────────────────────────────────┤
│ │
│ INPUT: Source code file │
│ │
│ ┌─────────────────────┐ ┌─────────────────────┐ │
│ │ STYLOMETRY (45%) │ │ PATTERNS (55%) │ │
│ ├─────────────────────┤ ├─────────────────────┤ │
│ │ • Naming consistency│ │ • try/catch style │ │
│ │ • Indentation │ │ • async/await fetch │ │
│ │ • Comment density │ │ • React hooks │ │
│ │ • Line length var. │ │ • Go error handling │ │
│ │ • Boilerplate ratio │ │ • Python docstrings │ │
│ │ • Empty line ratio │ │ • JSDoc comments │ │
│ └─────────────────────┘ └─────────────────────┘ │
│ │ │ │
│ └──────────┬───────────────┘ │
│ ▼ │
│ Combined Score (0-100%) │
│ │ │
│ ▼ │
│ ┌─────────────────────────┐ │
│ │ Threshold Check (70%) │ │
│ └─────────────────────────┘ │
│ │ │
│ ┌──────────┴──────────┐ │
│ ▼ ▼ │
│ 🤖 AI-Generated ✓ Human-Written │
│ │
└─────────────────────────────────────────────────────────────┘
Stylometry Features
| Feature | AI Signal | Weight |
|---|---|---|
| Naming Consistency | High consistency = AI | 20% |
| Indentation | Perfect consistency = AI | 20% |
| Boilerplate Ratio | High boilerplate = AI | 20% |
| Line Length Variance | Low variance = AI | 15% |
| Comment Density | ~15% density = AI | 10% |
| Empty Line Ratio | Consistent spacing = AI | 10% |
| Average Line Length | ~45 chars = AI | 5% |
Pattern Detection
VGX recognizes 16+ language-specific patterns commonly generated by AI:
JavaScript/TypeScript:
copilot_try_catch— Standard try/catch with console.errorasync_await_fetch— Async function with await fetcharrow_with_types— Typed arrow functionsuse_effect_deps— React useEffect with dependency arrayuse_state_destructure— React useState destructuring
Go:
go_error_check—if err != nil { return }patterngo_defer—defer file.Close()patterngo_struct_init— Multi-line struct initialization
Python:
python_docstring— Docstrings with Args/Returns/Raisespython_type_hints— Function type annotations
Pre-commit Hook
Block AI code or vulnerabilities before commit.
Setup
# Create hook
cat > .git/hooks/pre-commit << 'EOF'
#!/bin/bash
vgx scan --changes=true
if [ $? -ne 0 ]; then
echo "VGX: Commit blocked due to security issues"
exit 1
fi
EOF
chmod +x .git/hooks/pre-commit
With pre-commit framework
# .pre-commit-config.yaml
repos:
- repo: local
hooks:
- id: vgx-scan
name: VGX Security Scan
entry: vgx scan --changes=true
language: system
pass_filenames: false
Configuration
VGX works out of the box with zero configuration.
Environment Variables
| Variable | Description |
|---|---|
OPENAI_API_KEY |
Enable AI-enhanced scanning (optional) |
SEMGREP_RULES |
Custom Semgrep rules (default: p/security-audit) |
Example .env
# Optional: Enhanced scanning with OpenAI
OPENAI_API_KEY=sk-...
# Optional: Custom Semgrep rules
SEMGREP_RULES=p/security-audit,p/secrets
Project Structure
vgx/
├── cmd/
│ └── vgx/
│ └── main.go # CLI entrypoint
├── pkg/
│ ├── detection/
│ │ ├── detector.go # Main detector
│ │ ├── stylometry.go # Style analysis
│ │ └── patterns.go # Pattern matching
│ ├── scanner/
│ │ ├── scanner.go # Vulnerability scanner
│ │ ├── semgrep.go # Semgrep integration
│ │ └── openai.go # OpenAI integration
│ ├── context/
│ │ └── manager.go # File context & caching
│ ├── cache/
│ │ └── cache.go # Scan result cache
│ └── types/
│ └── types.go # Shared types
├── vscode-extension/
│ └── src/
│ └── extension.ts # VS Code extension
├── website/
│ └── index.html # Landing page
├── scripts/
│ └── install.sh # Installer script
└── .github/
└── workflows/
└── release.yml # CI/CD
Requirements
- Go 1.22+ (for building)
- Semgrep (optional, for security scanning)
# Install Semgrep (optional)
pip install semgrep
# or
brew install semgrep
Contributing
Contributions welcome! Please read our contributing guidelines.
# Clone
git clone https://github.com/rohansx/vgx.git
cd vgx
# Build
go build -o vgx ./cmd/vgx
# Test
go test ./...
# Run
./vgx detect --path ./pkg
License
MIT License — see LICENSE
Links
- Website: vgx.sh
- GitHub: github.com/rohansx/vgx
- Author: @rohansx
Built for developers who ship AI-assisted code responsibly.
Directories
Click to show internal directories.
Click to hide internal directories.