Gemini CLI Extension: Security — Vulnerability Scanner
Gemini CLI extension for security analysis. Scans code for vulnerabilities, checks dependencies, and provides remediation guidance.
What it is
This Gemini CLI extension adds security analysis capabilities to the Gemini command-line interface. It scans source code for vulnerabilities, checks dependency trees for known CVEs, and provides actionable remediation guidance.
The extension targets developers and security engineers who want to integrate vulnerability scanning into their CLI-based workflows. It leverages Gemini's code understanding to find security issues beyond what pattern-matching scanners detect.
The project is actively maintained and suitable for both individual developers and teams looking to integrate it into their existing toolchain. Documentation and community support are available for onboarding.
How it saves time or tokens
Instead of running separate tools for SAST (static analysis), dependency auditing, and manual code review, this extension combines all three in one command. The AI-powered analysis explains why a finding is a vulnerability and how to fix it, reducing the back-and-forth between scanning and research.
For teams evaluating multiple tools in the same category, the clear documentation and active community reduce the time spent on research and troubleshooting. Getting started takes minutes rather than hours of configuration.
How to use
- Install the Gemini CLI if you do not have it yet.
- Add the security extension to your Gemini CLI configuration.
- Run gemini security scan in your project directory to analyze source code.
- Review findings with severity ratings, affected files, and remediation suggestions.
Example
# Install the security extension
gemini extensions install security-scanner
# Scan the current project
gemini security scan --severity high,critical
# Check dependencies for known CVEs
gemini security audit-deps
# Scan a specific file with detailed output
gemini security scan src/auth/login.ts --verbose
# Output:
# CRITICAL: SQL injection in line 42 — user input concatenated into query
# FIX: Use parameterized queries instead of string concatenation
Related on TokRepo
- AI Tools for Security — Browse other security scanning and analysis tools.
- AI Tools for Coding — AI coding assistants with built-in security awareness.
Common pitfalls
- Treating AI security findings as definitive without manual verification. AI scanners can produce false positives. Always verify critical findings before acting on them.
- Running scans only before release. Integrate scanning into your CI pipeline so vulnerabilities are caught early, not at the end of the development cycle.
- Ignoring low-severity findings. While they may not be exploitable alone, multiple low-severity issues can chain into a significant vulnerability.
- Using the extension without reading the documentation first. It has specific prerequisites and configuration requirements that affect the quality of results.
Frequently Asked Questions
It detects SQL injection, XSS, path traversal, insecure deserialization, hardcoded secrets, weak cryptography, and dependency CVEs. The AI analysis can also identify logic-level vulnerabilities that pattern-based scanners miss.
The extension analyzes code in JavaScript, TypeScript, Python, Go, Java, C, and Rust. Language support depends on the underlying Gemini model's training data and code understanding capabilities.
It complements rather than replaces tools like Semgrep or Snyk. Use it for quick scans during development and dedicated SAST tools for comprehensive security audits in CI/CD pipelines.
Yes. You can configure severity thresholds, exclude specific file patterns, and add custom rules for your organization's security policies.
The extension uses the Gemini API for analysis, which means code snippets are sent to Google's servers. Review your organization's data handling policies before using it on sensitive codebases.
Source & Thanks
Created by Google. Licensed under Apache 2.0. Repository: gemini-cli-extensions/security, part of Gemini CLI (99,400+ stars).