When working across different projects, one recurring frustration always slowed us down: dependency vulnerabilities. Finding out which package version was vulnerable, where it was used in the codebase, and how to fix it often took hours. Security alerts from platforms were helpful but rarely gave enough context to act quickly.
That pain point led us to build Astra — an open-source tool that scans repositories for vulnerabilities, unused/outdated dependencies, and shows exactly where those dependencies are being used. On top of that, Astra integrates AI-powered fixes to help developers stay in control while resolving issues faster.
What is Astra?
Astra is a dependency vulnerability scanner and repository management system that:
- Scans repositories and identifies dependencies
- Checks them against the OSV.dev vulnerability database
- Highlights outdated or unused dependencies
- Shows where in the codebase each dependency is used
- Suggests AI-powered fixes by creating safe patch branches
And it all comes with an interactive dashboard UI to make the results clear and actionable.
How We Built It
- Frontend: React + Vite + Recharts for clean, interactive visuals
- Desktop: Electron wrapper for cross-platform support
- Backend: Node.js + Express + MongoDB to handle scanning and storage
- Vulnerability Data: OSV.dev API with batch queries for speed
- Code Usage Detection: Tree-sitter for static analysis
- AI Fixes: Gemini CLI integration to propose safe code patches
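To make the "batch queries" bullet concrete, here is an added example (my own illustration, not code from the Astra repository) of how a scanner shapes npm and pip dependencies into OSV.dev `/v1/querybatch` requests and joins the positional answers back to packages. It assumes package-lock v2/v3 and `==`-pinned requirements, uses constructed sample inputs and a constructed OSV-shaped reply with placeholder IDs (no real advisories), and sets the chunk size to 1000, which is the per-request query cap OSV documents for the batch endpoint.

```javascript
// Added example, not Astra's code. No network access: requests are built and a
// constructed reply is parsed, so the whole thing runs offline.
const MAX_BATCH = 1000; // OSV's documented per-request cap for POST /v1/querybatch

// package-lock v2/v3 keeps an entry per installed path under "packages";
// the "" key is the project itself and nested node_modules are flattened here.
function depsFromPackageLock(lock) {
  const deps = [];
  for (const [p, meta] of Object.entries(lock.packages || {})) {
    const i = p.lastIndexOf('node_modules/');
    if (i === -1 || !meta.version) continue;
    deps.push({ name: p.slice(i + 'node_modules/'.length), version: meta.version, ecosystem: 'npm' });
  }
  return deps;
}

// Only "name==version" lines can be asked about exactly; unpinned specifiers
// (>=, ~=, bare names) have no single version and should be reported separately.
function depsFromRequirements(text) {
  const deps = [];
  for (const raw of text.split('\n')) {
    const line = raw.split('#')[0].trim();
    const m = /^([A-Za-z0-9_.-]+)\s*==\s*([^\s;]+)/.exec(line);
    if (m) deps.push({ name: m[1], version: m[2], ecosystem: 'PyPI' });
  }
  return deps;
}

// Ecosystem strings must match OSV's spelling ("npm", "PyPI"), not the tool's.
function toOsvQueries(deps) {
  return deps.map(d => ({ package: { name: d.name, ecosystem: d.ecosystem }, version: d.version }));
}

function chunk(items, size) {
  const out = [];
  for (let i = 0; i < items.length; i += size) out.push(items.slice(i, i + size));
  return out;
}

// One request body { queries: [...] } per chunk; POST each to /v1/querybatch.
function buildBatchRequests(deps, size = MAX_BATCH) {
  return chunk(toOsvQueries(deps), size).map(queries => ({ queries }));
}

// querybatch answers are positional: results[i] belongs to queries[i], and each
// hit carries only { id, modified }; the full advisory comes from /v1/vulns/{id}.
// A length mismatch means a batch was dropped or reordered, so fail loudly.
function attachResults(deps, responses) {
  const results = responses.flatMap(r => r.results || []);
  if (results.length !== deps.length) {
    throw new Error(`OSV returned ${results.length} results for ${deps.length} queries`);
  }
  return deps.map((d, i) => ({
    ...d,
    vulnIds: (results[i].vulns || []).map(v => v.id),
    // next_page_token means more hits exist for this package; re-query with page_token.
    truncated: Boolean(results[i].next_page_token),
  }));
}

// Constructed sample inputs (not a real project) and a constructed reply.
const SAMPLE_LOCK = { name: 'demo', lockfileVersion: 3, packages: {
  '': { name: 'demo', version: '1.0.0' },
  'node_modules/lodash': { version: '4.17.20' },
  'node_modules/express': { version: '4.18.2' },
  'node_modules/express/node_modules/debug': { version: '2.6.9' },
} };
const SAMPLE_REQS = 'requests==2.25.1  # pinned\nflask>=2.0\n';

function demo() {
  const deps = [...depsFromPackageLock(SAMPLE_LOCK), ...depsFromRequirements(SAMPLE_REQS)];
  const requests = buildBatchRequests(deps, 2); // tiny chunk size only to show the split
  // Stand-in for the two POST replies; IDs are placeholders, not real advisories.
  const replies = [
    { results: [{ vulns: [{ id: 'EXAMPLE-1', modified: '2024-01-01T00:00:00Z' }] }, {}] },
    { results: [{ vulns: [] }, { vulns: [{ id: 'EXAMPLE-2' }], next_page_token: 'more' }] },
  ];
  return { deps, requests, report: attachResults(deps, replies) };
}
```

Two things worth keeping from this even if the parsers are swapped out: a missing or reordered batch silently mislabels packages because the results are positional, so the length check is not optional; and a `next_page_token` on a result means the hit list for that package is incomplete until the follow-up query is made.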
Challenges We Faced
- Scaling scans for large repos → solved by skipping junk folders and .gitignore entries (cut ~80% of files).
- Batch querying OSV API reliably with large dependency sets.
- Multi-ecosystem support (npm + pip in the MVP).
- AI patches overwriting developer intent → solved with a patch-branch workflow that keeps developers in control.
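For the first challenge above, here is an added example (my own, not Astra's implementation) of the pruning step: a small gitignore-style matcher that drops a fixed set of junk directories plus whatever the repo's `.gitignore` lists, applied to a constructed file list rather than a real checkout. It follows the parts of the gitignore rules that matter most for a scanner: a pattern with a `/` is anchored to the repo root, a trailing `/` only matches directories, `**` spans directories, `!` re-includes, and a negation cannot resurrect a file whose parent directory is already excluded. The junk-folder list and the sample tree are assumptions of the example.

```javascript
// Added example, not Astra's code. Paths are repo-relative, forward-slashed, and
// every entry in the input list is treated as a file.
const JUNK_DIRS = ['.git', 'node_modules', 'dist', 'build', 'coverage', '__pycache__', '.venv', 'venv'];

// Turn one .gitignore line into { negate, dirOnly, re }; null for blanks/comments.
function compileGitignore(pattern) {
  let p = pattern.trim();
  if (!p || p.startsWith('#')) return null;
  let negate = false, dirOnly = false, anchored = false;
  if (p.startsWith('!')) { negate = true; p = p.slice(1); }
  if (p.endsWith('/')) { dirOnly = true; p = p.slice(0, -1); }
  if (p.startsWith('/')) { anchored = true; p = p.slice(1); }
  else if (p.includes('/')) anchored = true; // a slash anywhere pins it to the root
  let body = '';
  for (let i = 0; i < p.length; i++) {
    const c = p[i];
    if (c === '*' && p[i + 1] === '*') {
      if (p[i + 2] === '/') { body += '(?:.*/)?'; i += 2; } // "**/" = any depth, incl. root
      else { body += '.*'; i += 1; }                        // "**" spans separators
    } else if (c === '*') body += '[^/]*';
    else if (c === '?') body += '[^/]';
    else body += c.replace(/[.+^${}()|[\]\\]/g, '\\$&');   // literal char, regex-escaped
  }
  // Unanchored patterns may match at any depth; the regex tests one exact path.
  return { negate, dirOnly, re: new RegExp((anchored ? '^' : '^(?:.*/)?') + body + '$') };
}

function buildRules(gitignoreText) {
  const lines = [...JUNK_DIRS.map(d => d + '/'), ...gitignoreText.split('\n')];
  return lines.map(compileGitignore).filter(Boolean);
}

// Evaluate every ancestor directory first: if any is excluded the file is gone,
// which is why "!keep.js" cannot undo "build/" (same as git). Last match wins.
function isIgnored(path, rules) {
  const parts = path.split('/');
  for (let n = 1; n <= parts.length; n++) {
    const sub = parts.slice(0, n).join('/');
    const isDir = n < parts.length;
    let ignored = false;
    for (const r of rules) {
      if (r.dirOnly && !isDir) continue;
      if (r.re.test(sub)) ignored = !r.negate;
    }
    if (ignored) return true;
  }
  return false;
}

function filterScanTargets(paths, gitignoreText) {
  const rules = buildRules(gitignoreText);
  const kept = paths.filter(p => !isIgnored(p, rules));
  return { kept, skipped: paths.length - kept.length };
}

// Constructed sample tree and .gitignore (not a real repository).
const SAMPLE_PATHS = [
  'package.json', 'package-lock.json', 'src/index.js', 'src/utils/parse.js',
  'src/tmp/fixture.json', 'node_modules/lodash/lodash.js',
  'node_modules/express/package.json', 'dist/bundle.js', '.git/HEAD',
  'api/requirements.txt', 'api/app.py', 'api/__pycache__/app.cpython-311.pyc',
  'logs/app.log', 'logs/keep.log', 'tmp/cache.bin', 'secrets/.env', '.env',
  'docs/notes.tmp',
];
const SAMPLE_GITIGNORE = `
# constructed sample .gitignore
*.log
!keep.log
/tmp
.env
*.tmp
`;

function demo() {
  return filterScanTargets(SAMPLE_PATHS, SAMPLE_GITIGNORE); // 8 kept, 10 skipped
}
```

Note that `src/tmp/fixture.json` survives while `tmp/cache.bin` does not, because `/tmp` is anchored; and `secrets/.env` is dropped along with `.env` because an unanchored pattern matches at any depth. A scanner that only matched the root would still walk exactly the directories that make large repos slow.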
What We’re Proud Of
- A working prototype with real-world value.
- Integrated AI code suggestions safely.
- A clean and intuitive dashboard UI.
- Multi-ecosystem support (JavaScript + Python) in the first MVP.
What We Learned
- The complexity of supply chain security.
- Using Tree-sitter for static code analysis.
- Combining static analysis with real vulnerability data (OSV).
- Designing AI-assisted developer tools.
How Kiro Helped
Kiro was used throughout Astra’s development as a coding partner. It played a huge role in:
- Designing the system architecture
- Setting up the project structure
- Guiding both backend and frontend development
- Building APIs, integrating MongoDB, and connecting with OSV.dev
- Creating a responsive React UI with desktop support
- Debugging issues and improving security best practices
We structured conversations with Kiro iteratively: breaking down the project into smaller tasks (architecture → backend → frontend), refining ideas step by step, and fixing blockers quickly.
The most impressive help came from:
- The prompt template for fixing vulnerabilities, which streamlined scanning logic.
- The high-quality UI code, which made the dashboard clean and production-ready.
Demo Video
Try It Yourself
🔗 GitHub Repo: Astra on GitHub
🔗 Devpost Submission: Astra on Devpost
What’s Next for Astra
- Support for more ecosystems (Go, Java).
- Smarter AI suggestions ranked by exploitability.
- DevOps pipeline integration to test fixes in staging.
- Team dashboards for monitoring across orgs.
- Faster code usage detection with Tree-sitter optimization.
With Astra, we wanted to turn the hours of frustration we and our peers faced into a tool that makes security approachable, actionable, and even a little exciting to work with.
Top comments (12)
Great tool and congrats on shipping this! 🔥
Great idea and innovation
Thank you so much bhai 🤗
Great execution and a wonderful approach!
Thanks bro ❤️
Impressive idea and implementation 🙌🏻
Thanks a lot bro 🔮
The Demo Video is cool...
Great Project sir
Amazing work guys!! The dashboard + repo scanning optimizations are super neat, especially for large projects
Impressive!!
Thanks bro 👊