STREET FIX: Community Resource Sharing App for Informal Settlements

John Sambani — Mon, 02 Mar 2026 04:35:41 +0000

This is a submission for the DEV Weekend Challenge: Community

The Community

Street Fix is built for residents of informal settlements in Blantyre, Malawi—communities like Mbayani, Chirimba, and Ndirande where over 40% of the city's population lives.

These neighborhoods face daily challenges: broken communal water points, irregular waste collection, limited knowledge of working facilities, and lack of centralized communication between neighbors. Street Fix bridges this gap by empowering residents to report issues, share resources, and strengthen community bonds.

What I Built

Street Fix is a full-stack community resource sharing platform with:

🚨 Report Issues

Document broken water points, sanitation problems, and waste issues with photos and GPS coordinates.

🗺️ Community Map

Interactive map showing reported issues (color-coded by category/status),health clinics, and waste collection points.

💬 Forum

Community discussion board for sharing tips, asking questions, and organizing initiatives.

🌟 Shoutouts

Public recognition feature to thank helpful neighbors and celebrate community spirit.

🛠️ Admin Dashboard

Monitor issues, update statuses, add community resources, and moderate content.

Demo

Live Site: https://street-fix-five.vercel.app

Code

github code: https://github.com/Johsam-f/street-fix

How I Built It

Tech Stack

Next.js 16 (App Router) + React 19 + TypeScript
Tailwind CSS + shadcn/ui for styling
Supabase for database, auth, and file storage with Row Level Security
Leaflet.js + OpenStreetMap for interactive maps
react-hook-form + Zod for form validation
Deployed on Vercel

Key Decisions

Server-first with React Server Components for better performance
Progressive enhancement so forms work even on slow connections
Security by design with RLS policies and server-side validation

Building better communities, one fix at a time. 🏘️✨

scry: Security Scanner Built with GitHub Copilot CLI

John Sambani — Sun, 15 Feb 2026 11:57:40 +0000

This is a submission for the GitHub Copilot CLI Challenge

What I Built

scry is a command-line security scanner that reveals hidden risks in JavaScript and Node.js codebases. It detects 8 critical vulnerability categories and provides:

Clear explanations of why each issue matters
Actionable fixes with secure code examples
Educational context for developers learning security best practices
Multiple output formats (table, JSON, markdown, compact) for flexible CI/CD integration

The tool scans for hardcoded secrets, JWT token misuse, insecure cookies, dangerous eval() usage, CORS misconfiguration, exposed environment files, weak cryptography, and poor password handling. All common pitfalls that security tools often miss in real world codebases.

How I Built It

Tech Stack: TypeScript, Node.js, Bun (runtime)

Architecture: Rule based detection engine with modular security rules, configurable patterns, and file scanning with severity filtering.

I created scry because most security scanners either overwhelm developers with noise or fail to educate them on why something is risky. scry balances these by providing focused, high signal security findings with educational explanations that help developers understand vulnerabilities, not just fix them.

See It In Action

Table Output (default):

With Explanations (--explain):

JSON Output (--output json):

Compact Output (--output compact):

Markdown Output (--output markdown):

How GitHub Copilot CLI Helped

This is where GitHub Copilot CLI made a massive difference. Rather than manually researching and implementing everything, Copilot helped me in three critical ways:

1. Structured Security Research (Password Handling Plan)

I asked Copilot CLI: "What are practices considered poor password handling?"

Instead of getting a wall of text, Copilot organized vulnerabilities into actionable categories:

Storage Issues:

Plaintext password storage
Weak hashing (MD5, SHA1)
Missing/reused salts

Transmission Problems:

HTTP vs HTTPS exposure
Passwords in logs or URLs
Client side leaks

Implementation Flaws:

No rate limiting on login attempts
Weak password requirements
Custom crypto implementations

This structure directly informed my detection rules each category became a specific regex pattern in the passwordSecurity rule. Instead of 3 hours of scattered research, I had a structured implementation roadmap in minutes.

Key insight: Copilot's categorization was far better than raw OWASP lists because it mapped directly to detectable patterns in code.

see full research:

2. Comprehensive Code Auditing (Critical Bug Discovery)

Using Copilot CLI for holistic code analysis, I discovered critical issues that would take 10+ hours of manual review to find:

Regex State Management Bug: Global regex patterns with the /g flag reused across loop iterations, causing inconsistent results JavaScript specific behavior nearly invisible without cross file analysis
Silent Error Swallowing: File read failures caught in try catch but never logged, causing scan failures to go completely undetected
Regex DoS Vulnerability: Backtracking patterns susceptible to denial of service attacks on adversarial input
False Positive Floods: 40 character hex patterns matching Git commit SHAs, flooding results with noise

These issues are extremely difficult for humans to spot because they require:

Cross file context and async pattern recognition
Regex/JavaScript runtime expertise
Security mindset for adversarial input thinking

After fixing these critical issues guided by Copilot's analysis:

[+] Eliminated 40% false positives in findings
[+] Ensured scan reliability (no silent failures)
[+] Prevented DoS vulnerabilities

See full analysis: docs/copilot workings/code-analysis-for-improvements/notes.md

3. Implementation Planning with AI Insights

For complex features like password handling detection, I used Copilot to think through edge cases and implementation details before coding. This prevented costly refactors and ensured the detection rules covered real world vulnerable patterns, not just theoretical ones.

Installation & Usage

Install from npm:

# Global installation
npm install -g @johsam-f/scry

# Or use with npx (no installation required)
npx @johsam-f/scry scan .

Basic commands:

# Scan current directory
scry scan .

# Scan specific path  
scry scan ./src

# Show explanations and fixes
scry scan . --explain --fix

# Output as JSON for CI/CD
scry scan . --output json

# Strict mode (exit code 1 if issues found)
scry scan . --strict

For a complete command reference, see commands.md.

What scry Detects (8 Security Rules)

Hardcoded Secrets - API keys, tokens, AWS credentials
JWT in Client Storage - localStorage/sessionStorage token exposure
Insecure Cookies - Missing httpOnly, secure, sameSite flags
eval() Usage - Dangerous dynamic code execution
CORS Misconfiguration - Overly permissive allow-origins
.env Exposure - Credentials in version control
Weak Cryptography - MD5, SHA1, unsalted hashing
Password Security - Plaintext storage, weak validation, insecure transmission

Example Output

Severity | Rule               | File          | Line | Message
---------|--------------------| --------------|------|---------------------
  HIGH   | hardcoded-secrets  | src/config.ts | 14   | Hardcoded API key
  HIGH   | jwt-storage        | src/auth.ts   | 28   | JWT in localStorage
 MEDIUM  | cors-config        | src/server.ts | 45   | Permissive CORS

✓ Summary: 3 issues found in 847 files (2.3s)

Vulnerable Code Example

Here's code that scry detects:

// Password Security Issue
const users = {
  admin: "password123",  // [x] scry flags: plaintext password storage
  user: "letmein"       // [x] weak password
};

// Hardcoded Secrets
const apiKey = "ghp_abcd1234efgh5678ijkl9012mnop3456qrst";  // [x] GitHub token exposed

// JWT Misuse
localStorage.setItem('token', jwtToken);  // [x] JWT in client-side storage

// Insecure Cookies
res.setHeader('Set-Cookie', `session=${token}`);  // [x] Missing httpOnly flag

// CORS Problem  
app.use(cors({ origin: '*' }));  // [x] Allows all origins

scry catches all of these and provides fix suggestions with secure alternatives.

Key Learnings

When Building Security Tools, AI Helps Most With:

Comprehensive Analysis - AI can audit entire codebases for subtle cross-file bugs that humans miss in isolated code review
Security Research - Structuring vulnerability categories helps map abstract security concepts to detectable patterns
Edge Case Discovery - AI patterns can surface non-obvious issues (regex state mutations, silent errors) that only emerge through holistic analysis
Implementation Planning - Thinking through complex features before coding prevents costly refactors

Important Development Principle:

During this project, I learned that avoiding parallel implementations is critical when using AI assistance. Implementing multiple features simultaneously with AI help leads to confusion and makes it harder to track changes and identify issues. By focusing on one implementation at a time and thoroughly testing each change, I maintained code quality and clarity.

Beyond the Tool:

Building scry taught me that security tools work best when they educate, not just alert. Developers shouldn't just fix vulnerabilities they should understand why they matter. That's where good tooling and clear explanations create lasting impact.

The Full Story

The detailed documentation of how I used GitHub Copilot CLI including screenshots, prompts, analysis results, and implementation decisions is available in the repository:

docs/copilot workings/ contains:

Password handling strategy (password-handling-plan/)
Critical bug audits (code-analysis-for-improvements/)
Implementation planning notes with AI insights
And much more!

Try It Out

scry is open source and ready to scan your codebase:

npx @johsam-f/scry scan .

Or install locally/globally from npm:

npm install -g @johsam-f/scry

npm install @johsam-f/scry

or without installation:

npx @johsam-f/scry scan .

Contributions welcome! GitHub Repo

Please feel free to ask, suggest improvements, give me some developer love, some advice, or whatever you feel like sharing with me, or just say hi!

This is a submission for the GitHub Copilot CLI Challenge

DEV Community: John Sambani

STREET FIX: Community Resource Sharing App for Informal Settlements

The Community

What I Built

🚨 Report Issues

🗺️ Community Map

💬 Forum

🌟 Shoutouts

🛠️ Admin Dashboard

Demo

Code

How I Built It

Tech Stack

Key Decisions

scry: Security Scanner Built with GitHub Copilot CLI

What I Built

How I Built It

See It In Action

How GitHub Copilot CLI Helped

1. Structured Security Research (Password Handling Plan)

2. Comprehensive Code Auditing (Critical Bug Discovery)

3. Implementation Planning with AI Insights

Installation & Usage

What scry Detects (8 Security Rules)

Example Output

Vulnerable Code Example

Key Learnings

When Building Security Tools, AI Helps Most With:

Important Development Principle:

Beyond the Tool:

The Full Story

Try It Out