Gemini Bug Hunter is an AI-first CLI tool that helps developers find, understand, and fix security vulnerabilities in their codebases using Gemini 2.5 and Gemini 3 (Next Gen) as the core intelligence engine.
Inspired by tools like Gemini-CLI and Claude-Code, Gemini Bug Hunter brings ethical hacking and AppSec workflows directly into the developer terminal.
Security tools are often:
- Too noisy
- Too complex
- Too disconnected from developer workflows
Gemini Bug Hunter solves this by using Gemini 2.5 and Gemini 3 (Next Gen) as the main reasoning engine to:
- Understand code context
- Detect vulnerabilities
- Explain real-world risks
- Propose secure fixes
- Apply safe auto-remediations
Gemini 3 is not an assistant; it is the brain of the system.
All vulnerability analysis, risk reasoning, and fix generation are driven by Gemini 3.
Tech stack:
- Node.js (v18+)
- JavaScript (ES2022+)
- Gemini 2.5 Flash and Gemini 3 (Next Gen Analysis Engine)
- Premium CLI experience (ASCII art, animations, gradients)
- CLI framework: `commander`
- Output styling: `chalk`, `cli-table3`, `boxen`
- File traversal: `glob`
- Config: `.env` + `default.js`
Requirements:
- Node.js 18 or higher
- Gemini API key
- Gemini model: uses `gemini-2.5-flash` by default (configurable)
Install from source:

```bash
# Clone the repository
git clone https://github.com/holasoymalva/gemini-bug-hunter.git
cd gemini-bug-hunter

# Install dependencies
npm install

# Configure environment
cp .env.example .env
# Edit .env and add your GEMINI_API_KEY

# Test installation
npm start doctor
```

To use `gbh` from anywhere in your terminal:

```bash
# 1. Install globally
npm install -g gemini-bug-hunter

# 2. Set your API Key globally (Run once)
gbh config set-key <YOUR_GEMINI_API_KEY>

# 3. Ready to scan!
gbh scan
```

Usage:

```bash
# Scan current directory
gbh scan

# Scan specific file or directory
gbh scan ./src

# Output to JSON file
gbh scan --output report.json

# JSON output to stdout
gbh scan --json

# Interactive Auto-Fix Mode
gbh scan --fix
```

Note: the `--fix` option will interactively prompt you to apply AI-generated fixes for each vulnerability found.

Other commands:

```bash
# Check installation
gbh doctor

# Show configuration
gbh config

# Explain a vulnerability class
gbh explain "SQL Injection"
gbh explain "XSS"
```

A scan runs through these stages:
- Collect - Scans project files based on configured patterns
- Sanitize - Redacts secrets and sensitive data
- Analyze - Sends code to Gemini 3 with structured prompts
- Parse - Extracts structured vulnerability data
- Score - Calculates risk scores using weighted algorithms
- Report - Displays beautiful, actionable reports
Gemini receives a carefully crafted system prompt that instructs it to:
- Act as a professional ethical hacker
- Focus on OWASP Top 10 vulnerabilities
- Avoid false positives
- Return structured JSON responses
- Provide actionable recommendations
Expected response format:

```json
{
  "projectRiskScore": 0-100,
  "riskLevel": "LOW|MEDIUM|HIGH|CRITICAL",
  "summary": "string",
  "vulnerabilities": [
    {
      "id": "string",
      "title": "string",
      "severity": "LOW|MEDIUM|HIGH|CRITICAL",
      "confidence": 0-1,
      "category": "string",
      "file": "string",
      "line": number,
      "description": "string",
      "impact": "string",
      "exploitationScenario": "string",
      "recommendation": "string",
      "secureCodeExample": "string",
      "autoFixSafe": boolean
    }
  ]
}
```

The tool calculates risk scores using:
- Severity (40% weight): CRITICAL, HIGH, MEDIUM, LOW
- Confidence (30% weight): how certain the detection is
- Exploitability (20% weight): how easy it is to exploit
- Impact (10% weight): business impact

Final score: 0-100%
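The Parse and Score stages, as an added example that is not code from the gemini-bug-hunter project: it pulls the JSON object out of the model's raw reply (which often arrives wrapped in a code fence or surrounded by prose), validates every finding against the schema above before anything is reported or auto-fixed, and recomputes the score from the README's four weights instead of trusting the `projectRiskScore` the model itself wrote. The numeric value assigned to each severity label, the `exploitability` and `impact` inputs (the schema carries impact only as prose), the risk-level thresholds and the max-of-findings project aggregation are assumptions made for this example; the project's `engine/risk/calculator.js` may differ.

```javascript
// Added example, not the project's own code: parse, validate and score a
// model response locally. Assumptions are marked "assumed" below.

const SEVERITIES = ["LOW", "MEDIUM", "HIGH", "CRITICAL"];
// Assumed numeric value per severity label (the README only lists the labels).
const SEVERITY_VALUE = { LOW: 0.25, MEDIUM: 0.5, HIGH: 0.75, CRITICAL: 1.0 };
// Weights taken from the README's scoring description.
const WEIGHTS = { severity: 0.4, confidence: 0.3, exploitability: 0.2, impact: 0.1 };
const REQUIRED_FIELDS = [
  "id", "title", "severity", "confidence", "category", "file", "line",
  "description", "impact", "exploitationScenario", "recommendation", "autoFixSafe",
];

// Models frequently wrap JSON in a ```json fence or add prose; take the
// outermost object and parse it strictly (never eval model output).
function extractJson(text) {
  const start = text.indexOf("{");
  const end = text.lastIndexOf("}");
  if (start === -1 || end <= start) throw new Error("no JSON object in model response");
  return JSON.parse(text.slice(start, end + 1));
}

// Fail closed: a finding that does not match the schema must not reach the
// reporter or drive --fix.
function validateFinding(f) {
  for (const k of REQUIRED_FIELDS) {
    if (!(k in f)) throw new Error(`finding ${f.id ?? "?"} is missing field "${k}"`);
  }
  if (!SEVERITIES.includes(f.severity)) throw new Error(`bad severity "${f.severity}"`);
  if (typeof f.confidence !== "number" || f.confidence < 0 || f.confidence > 1) {
    throw new Error(`confidence out of range: ${f.confidence}`);
  }
  if (!Number.isInteger(f.line) || f.line < 1) throw new Error(`bad line number: ${f.line}`);
  if (typeof f.autoFixSafe !== "boolean") throw new Error("autoFixSafe must be a boolean");
  return f;
}

// Weighted score for one finding on a 0-100 scale. exploitability and impact
// are 0..1 inputs supplied by the caller; 0.5 is the assumed neutral default.
function scoreFinding(f, { exploitability = 0.5, impact = 0.5 } = {}) {
  const s = WEIGHTS.severity * SEVERITY_VALUE[f.severity]
    + WEIGHTS.confidence * f.confidence
    + WEIGHTS.exploitability * exploitability
    + WEIGHTS.impact * impact;
  return Math.round(s * 100);
}

// Assumed thresholds, chosen so the README's sample report (81% -> HIGH) holds.
function riskLevel(score) {
  if (score >= 90) return "CRITICAL";
  if (score >= 70) return "HIGH";
  if (score >= 40) return "MEDIUM";
  return "LOW";
}

// Full parse-and-score step. `extras` maps finding id -> {exploitability, impact}.
function analyzeResponse(text, extras = {}) {
  const report = extractJson(text);
  if (!Array.isArray(report.vulnerabilities)) throw new Error("vulnerabilities must be an array");
  const findings = report.vulnerabilities.map(validateFinding).map((f) => ({
    id: f.id, severity: f.severity, score: scoreFinding(f, extras[f.id]),
  }));
  // Assumed aggregation rule: the riskiest finding sets the project score.
  const projectRiskScore = findings.reduce((m, f) => Math.max(m, f.score), 0);
  return { projectRiskScore, riskLevel: riskLevel(projectRiskScore), findings };
}

// Constructed sample of a model reply, fence included; its projectRiskScore
// is deliberately wrong to show that it is recomputed, not trusted.
const SAMPLE_RESPONSE = "```json\n" + JSON.stringify({
  projectRiskScore: 100, riskLevel: "CRITICAL", summary: "constructed sample",
  vulnerabilities: [
    { id: "V1", title: "SQL Injection in user query", severity: "CRITICAL", confidence: 0.9,
      category: "SQL Injection", file: "src/users.js", line: 42,
      description: "User input concatenated into a query", impact: "Database read/write",
      exploitationScenario: "Crafted input changes the query", recommendation: "Use parameterized queries",
      secureCodeExample: "db.query('SELECT * FROM users WHERE id = ?', [id])", autoFixSafe: true },
    { id: "V2", title: "Verbose error page", severity: "MEDIUM", confidence: 0.6,
      category: "Security Misconfiguration", file: "src/app.js", line: 7,
      description: "Stack traces returned to clients", impact: "Information disclosure",
      exploitationScenario: "Error output reveals internals", recommendation: "Disable detailed errors in production",
      autoFixSafe: false },
  ],
}, null, 2) + "\n```";

console.log(JSON.stringify(
  analyzeResponse(SAMPLE_RESPONSE, { V1: { exploitability: 0.9, impact: 0.8 } }), null, 2));
```

With the sample above, V1 scores 93 (0.4·1.0 + 0.3·0.9 + 0.2·0.9 + 0.1·0.8) and V2 scores 53, so the locally computed project score is 93, not the 100 the model claimed.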
Privacy and safety features:
- ✅ Explicit consent before sending code to Gemini
- ✅ Automatic secret redaction (API keys, passwords, tokens)
- ✅ No remote storage of source code
- ✅ Configurable privacy settings
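The Sanitize stage of the pipeline and the consent gate from the privacy list above, as an added example that is not the project's own `scanner.js`: secrets are replaced by labelled placeholders before any code leaves the machine, the user gets a per-category count of what was redacted, and nothing is packaged for the Analyze stage until consent has been given explicitly. The functions `redactSecrets` and `buildPayload`, the regex set and the placeholder format are assumptions made for this example, not the project's configuration.

```javascript
// Added example, not the project's own sanitizer: redact common secret shapes
// and refuse to build an upload payload without explicit consent. The
// pattern set is an assumed starting point, not the project's configuration.

const PATTERNS = [
  // AWS access key IDs: fixed "AKIA" prefix plus 16 upper-case alphanumerics.
  { name: "aws_access_key_id", re: /\bAKIA[0-9A-Z]{16}\b/g,
    replacement: "[REDACTED:aws_access_key_id]" },
  // Bearer tokens wherever they appear in code or fixtures.
  { name: "bearer_token", re: /\bBearer\s+[A-Za-z0-9\-._~+\/]+=*/g,
    replacement: "Bearer [REDACTED:bearer_token]" },
  // Whole PEM private-key blocks, body included.
  { name: "private_key",
    re: /-----BEGIN [A-Z ]*PRIVATE KEY-----[\s\S]*?-----END [A-Z ]*PRIVATE KEY-----/g,
    replacement: "[REDACTED:private_key]" },
  // name = "value" assignments whose name looks like a credential; the name
  // and the original quote style are kept so the model still sees the context.
  { name: "assigned_secret",
    re: /\b((?:api[_-]?key|secret|password|passwd|token)\w*)(\s*[:=]\s*)(["'`])([^"'`\n]{4,})\3/gi,
    replacement: "$1$2$3[REDACTED:assigned_secret]$3" },
];

// Redact one file's text; returns the cleaned text plus a per-pattern hit
// count so the user can see what will (not) be sent.
function redactSecrets(text) {
  const counts = {};
  let out = text;
  for (const { name, re, replacement } of PATTERNS) {
    const hits = (out.match(re) || []).length;
    if (hits > 0) {
      counts[name] = hits;
      out = out.replace(re, replacement);
    }
  }
  return { text: out, counts };
}

// Build the payload for the Analyze stage from plain {path, content} objects.
// Nothing is returned unless consent was given explicitly.
function buildPayload(files, { consent = false } = {}) {
  if (consent !== true) {
    throw new Error("explicit consent is required before source code is sent to Gemini");
  }
  return files.map(({ path, content }) => {
    const { text, counts } = redactSecrets(content);
    return { path, content: text, redactions: counts };
  });
}

// Constructed sample file content (no real credentials; the AWS key ID is
// the placeholder value used in AWS documentation).
const SAMPLE_FILE = [
  'const AWS_KEY = "AKIAIOSFODNN7EXAMPLE";',
  "const password = 'hunter2-constructed';",
  'fetch(url, { headers: { Authorization: "Bearer eyJconstructed.payload.sig" } });',
  "const pem = `-----BEGIN PRIVATE KEY-----",
  "MIIconstructedNotARealKey",
  "-----END PRIVATE KEY-----`;",
  "const timeout = 30; // nothing sensitive here",
].join("\n");

const payload = buildPayload([{ path: "src/config.js", content: SAMPLE_FILE }], { consent: true });
console.log(payload[0].content);
console.log("redactions:", payload[0].redactions);
```

Running it prints the file with all four secrets replaced and the benign line untouched, followed by `redactions: { aws_access_key_id: 1, bearer_token: 1, private_key: 1, assigned_secret: 1 }`; calling `buildPayload` with `consent: false` throws before any redaction is attempted.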
Project structure:

```text
gemini-bug-hunter/
├── cli/
│   └── index.js          # Main CLI entry point
├── engine/
│   ├── gemini/
│   │   └── client.js     # Gemini API client
│   ├── scanner/
│   │   └── scanner.js    # Code scanner
│   └── risk/
│       └── calculator.js # Risk scoring
├── reporter/
│   └── console.js        # CLI reporter
├── config/
│   └── default.js        # Default configuration
├── .env.example          # Environment template
├── package.json
└── README.md
```
Vulnerability categories the scanner looks for:
- SQL Injection
- XSS (Cross-Site Scripting)
- CSRF (Cross-Site Request Forgery)
- Authentication Issues
- Authorization Issues
- Sensitive Data Exposure
- Security Misconfiguration
- Insecure Deserialization
- Using Components with Known Vulnerabilities
- Insufficient Logging & Monitoring
- Command Injection
- Path Traversal
- Hardcoded Secrets
- Weak Cryptography
- Race Conditions
Example report:

```text
🛡️  GEMINI BUG HUNTER REPORT

Risk Assessment
Risk Score: 81% ████████████████░░░░
Risk Level: HIGH
Summary: Found 3 vulnerabilities including 1 CRITICAL issues requiring immediate attention

🎯 Severity Breakdown
● CRITICAL: 1
● HIGH: 1
● MEDIUM: 1

Detected Vulnerabilities
🔴 [1] SQL Injection in User Query
   File: src/users.js:42
   Category: SQL Injection
   Severity: CRITICAL | Confidence: 95%
   User input is directly concatenated into SQL query without sanitization.
   ⚠️ Impact: Attackers can extract or manipulate database data.
   ✅ Fix: Use parameterized queries and input validation.
   ✨ Auto-fix available
```
Roadmap:
- Auto-fix implementation (Interactive Mode)
- GitHub Actions integration
- CI/CD security gates
- PR comment integration
- Historical risk tracking
- Multi-language support (Python, Java, Go)
- Enterprise mode with team features
- Custom rule definitions
- Integration with SAST tools
Contributions are welcome! Please feel free to submit a Pull Request.
MIT License - see LICENSE file for details
- Powered by Google Gemini 2.5 and Gemini 3 Flash
- Inspired by OWASP Top 10
- Built for the developer community
- Issues: GitHub Issues
- Documentation: this README
- API key: Get Gemini API Key

Made with ❤️ by @holasoymalva
