
Moon sehwan

AINAScan v1.1.1 — Web UI Live, 48 Patterns, Auto-fix (Thank You for the Traffic)

We've been absolutely blown away by the real-world usage over the last 48 hours.

Watching developers scan actual production files — agent.py, vibe_code.py, full FastAPI projects — deep into the night confirmed what we suspected: AI-generated code guardrails are desperately needed, and people are ready to use them.

Thank you. Seriously.


What just shipped (v1.1.1 — June 23)

Based on your scan patterns and feedback, I pushed a live hotfix + upgrade:

🌐 Web App is live

No CLI, no install. Just open the URL and drop your file:

👉 https://pleasing-transformation-production-90c2.up.railway.app

Drag. Drop. Scan. Results in under 2 seconds.

🔧 Engine upgraded to v3.9

  • 48 patterns fully active (was partially loaded before — sorry about that)
  • AINA Phase 3 causal advisor integrated — every BLOCK finding now includes an attack chain probability
  • 9 languages: Python, JS, TS, Go, Java, PHP, Ruby, Kotlin, C/C++

✨ New endpoints

  • POST /v1/fix — upload a file, get auto-fix suggestions for every BLOCK finding
  • GET /v1/public-stats — live scan counts, top patterns, GitHub stats
  • GET /v1/board — pattern leaderboard (what's most common in real code)

🐛 MISSING_WRITE core logic improved

The AST parser now strictly catches mock-save functions that return dicts without an actual INSERT:

```python
# Before: NOT detected (was a gap)
def save_user(name, email):
    return {"status": "saved", "id": 123}  # no INSERT anywhere

# After: BLOCK — MISSING_WRITE
# "save_user() returns dict but contains no db.execute() / INSERT / conn.commit()"
```

This pattern shows up constantly in vibe-coded FastAPI backends. The function looks complete — it even returns a success response. The bug is invisible until someone tries to retrieve the data.
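As an added illustration (my own code, not AINAScan's engine), here is a minimal stand-alone version of the check described above: it walks a file's AST and flags save-like functions that return a dict literal but never call a write method such as db.execute() / conn.commit() or pass an INSERT statement. The SAVE_PREFIXES and WRITE_METHODS heuristics are my assumptions, and the sample source is constructed.

```python
import ast

# Constructed sample: one fake save, one real save, one read-only helper.
SAMPLE = '''
def save_user(name, email):
    return {"status": "saved", "id": 123}

def save_order(conn, order):
    cur = conn.cursor()
    cur.execute("INSERT INTO orders (id) VALUES (?)", (order["id"],))
    conn.commit()
    return {"status": "saved", "id": order["id"]}

def get_user(user_id):
    return {"id": user_id}
'''

# Assumed heuristics: names that promise persistence, and calls that deliver it.
SAVE_PREFIXES = ("save_", "create_", "insert_", "store_", "write_", "persist_")
WRITE_METHODS = {"execute", "executemany", "commit", "add", "save", "insert"}

def _has_write_call(fn: ast.AST) -> bool:
    """True if the body contains a DB-write method call or a raw INSERT/UPDATE/DELETE string."""
    for node in ast.walk(fn):
        if not isinstance(node, ast.Call):
            continue
        if isinstance(node.func, ast.Attribute) and node.func.attr in WRITE_METHODS:
            return True
        for arg in node.args:  # raw SQL passed as a string literal also counts
            if isinstance(arg, ast.Constant) and isinstance(arg.value, str):
                if arg.value.lstrip().upper().startswith(("INSERT", "UPDATE", "DELETE")):
                    return True
    return False

def _returns_dict(fn: ast.AST) -> bool:
    """True if any return statement returns a dict literal (the 'mock success' shape)."""
    return any(isinstance(n, ast.Return) and isinstance(n.value, ast.Dict) for n in ast.walk(fn))

def find_missing_writes(source: str) -> list[tuple[str, int]]:
    """Return (function_name, lineno) for save-like functions with no actual write."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            if node.name.startswith(SAVE_PREFIXES) and _returns_dict(node) and not _has_write_call(node):
                findings.append((node.name, node.lineno))
    return findings

if __name__ == "__main__":
    for name, line in find_missing_writes(SAMPLE):
        print(f"BLOCK  MISSING_WRITE  line {line}: {name}() returns dict but performs no DB write")
```

Only save_user() is reported; save_order() passes because it both executes an INSERT and commits.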


What's coming this week

  • Cross-file taint analysis (/v1/scan/taint) — track user input across function boundaries
  • L3 causal chains endpoint (/v1/l3/chains) — query the 133K+ causal relations directly
  • /v1/scan/multilang dedicated endpoint — per-language scan with language-specific pattern tuning

The core finding still stands

The reason developers are stress-testing this at 2am: the patterns it catches are the exact ones that survive code review.

```text
CRITICAL  SQL_INJECTION_RISK  app.py:47
          cur.execute(f"SELECT * FROM users WHERE id='{user_id}'")
          Attack path: user_input → sql_injection → data_exfil (p=91%)

BLOCK     FAKE_ASYNC          utils.py:23
          async def fetch_data(url): return requests.get(url).json()
          # blocks the event loop under concurrent load

BLOCK     MISSING_WRITE       models.py:88
          def save_record(data): return {"status": "saved"}  # no INSERT
```

Three patterns. All invisible in code review. All caught deterministically in <2 seconds.


Keep the scans coming. Every real-world finding helps tune the engine.

Try it: https://pleasing-transformation-production-90c2.up.railway.app
API: curl -X POST .../v1/scan -H "X-API-Key: vg_free_test" -F "file=@your_file.py"
GitHub: https://github.com/Moonsehwan/aina-scan
