DEV Community

Humza Inam
Humza Inam

Posted on

Building SafeScript: Our Journey Creating a Security Tool for AI-Generated Code

#security #vscode #extensions #c

What six engineering students learned about security, AI, and teamwork over eight months

When our team started this capstone project, we had a simple observation: AI code generators like ChatGPT and GitHub Copilot are incredibly powerful, but they sometimes produce code with security vulnerabilities. What if we could catch those issues right in the IDE, as developers write?

Eight months later, we've built SafeScript, a VS Code extension that analyzes C code for common security vulnerabilities in real-time. Here's what we learned along the way.

The Problem We Tackled

AI-powered code generation has revolutionized development, but it comes with a catch. These tools can generate code that lacks essential safeguards against vulnerabilities like buffer overflows, path traversal, or insecure API calls. Developers might trust the generated code without thoroughly validating its security implications.

We wanted to build something that would help developers catch these issues early, without disrupting their workflow.

Why We Focused on C

We narrowed our scope to C for a good reason: it's notoriously unsafe. With no memory safety, unprotected pointers, and manual resource handling, C is prone to critical vulnerabilities like buffer overflows, use-after-free, and integer overflows.

By focusing on C, we could leverage language-specific syntax parsing to enable accurate, fine-grained analysis rather than relying on generic patterns.

This constraint actually helped us. Instead of building a shallow tool for many languages, we could create something truly useful for C developers.

The Technical Journey

From Line-by-Line to Method-Level Analysis

Our first version analyzed code line by line. It worked, but we quickly hit a wall: too many false positives. The tool would flag code as insecure without understanding the broader context of the function.

The breakthrough came when we switched to method-level analysis using Tree-sitter, an AST parser. This allowed us to:

  • Track buffer sizes throughout a function
  • Detect whether input validation was actually happening
  • Understand pointer relationships and memory usage patterns
  • Provide context-aware warnings that made sense

The difference was night and day. Our false positive rate dropped significantly, and the feedback became actually useful for developers.

What SafeScript Detects

We implemented detection for over 10 types of C-specific vulnerabilities:

  • Unsafe functions like strcpy, gets, sprintf with suggestions for safer alternatives
  • Buffer overflows through AST analysis of array indexing and memory operations
  • Hardcoded credentials and sensitive values
  • Heap overflows, race conditions, weak hashing, integer overflows
  • Each mapped to their corresponding CWE

The Architecture

We built SafeScript using a modular factory pattern. Each security check is its own class implementing a common interface, making it easy to add new tests or maintain existing ones independently.

Tech stack: TypeScript, VS Code API, Tree-sitter, Jest

The UI includes three key panels:

  1. Security Analysis Panel – Shows detected issues with CWE/CVE details
  2. AI Suggestion History – Tracks AI-generated improvements
  3. Dual-mode Interface – Analyze existing code or generate new secure code

The Challenges

Server Security Wake-Up Call

We had a critical security issue early on. Our server was accepting direct requests without filtering, running everything as root. Anyone with the IP address could send malicious requests.

The fix? We implemented a reverse proxy that filters requests before they hit the main server. It was a humbling reminder that security tools need to be secure themselves.

The Machine Learning Pivot

Originally, we planned to implement a deep learning model for vulnerability detection. Reality check: we didn't have the time, compute resources, or training data.

Instead, we pivoted to a shallow Random Forest model that classifies code by CWE category. It's not as ambitious, but it works and gave us room to focus on what mattered most: the core detection engine.

UI: Harder Than It Looks

We underestimated UI development. Building an intuitive interface in VS Code's constrained environment took multiple iterations. What seemed simple on paper—showing vulnerabilities and suggestions—required careful design to avoid overwhelming developers.

Key Stats

  • 8 months of development
  • 4 agile sprints
  • 10+ vulnerability types detected
  • Under 3 seconds analysis time
  • 161 story points completed
  • $850 in free credits spent on server hosting

What We Learned

Start with an MVP, Really

We spent too long perfecting security rules before getting user feedback. If we could do it again, we'd ship a working prototype faster and iterate based on actual usage.

Constraints Are Liberating

Focusing exclusively on C might seem limiting, but it allowed us to build something genuinely useful instead of a mediocre multi-language tool.

Communication Makes or Breaks Teams

With six people juggling different schedules and skills, clear communication was essential. Regular standups, detailed sprint retrospectives, and thorough documentation kept us aligned.

Testing Prevents Embarrassment

Unit testing with Jest caught issues before they hit production. Our regression tests were crucial for reducing false positives as we refined detection rules.

What's Next

SafeScript is live, but we're not done. Future improvements we're considering:

  • Dynamic code analysis for runtime vulnerability detection
  • Project-level analysis across multiple files
  • Deeper machine learning integration for autonomous code fixes

Try It Yourself

SafeScript is available now on the VS Code Marketplace. If you write C code or work with AI-generated code, give it a try and let us know what you think.

Final Thoughts

This project taught us that building developer tools isn't just about the technology—it's about understanding workflows, earning trust, and making security feel like a helpful assistant rather than a nagging critic.

Looking back, we're proud of what we built. SafeScript started as a class project and became a real tool that addresses a genuine need in modern software development. The journey taught us more about engineering, security, and collaboration than any lecture could.

To anyone building developer tools: start small, focus on real problems, and don't be afraid to pivot when reality challenges your assumptions. The best tools emerge from iteration, not perfection.

Built by Team 13
York University - Lassonde School of Engineering
Capstone Project 2024-2025

This article was structured with AI assistance from our technical capstone report. All content, data, and experiences are from our team's actual development of SafeScript.

Connect with me on Linkedin
https://www.linkedin.com/in/humza-inam/

Top comments (0)