```
  _____ _               _    __  __       _
 / ____| |             | |  |  \/  |     | |
| |    | |__   ___  ___| | _| \  / | __ _| |_ ___
| |    | '_ \ / _ \/ __| |/ / |\/| |/ _` | __/ _ \
| |____| | | |  __/ (__|   <| |  | | (_| | ||  __/
 \_____|_| |_|\___|\___|_|\_\_|  |_|\__,_|\__\___|
```

AI Code Security Scanner with Human-in-the-Loop
Human-in-the-loop anomaly detection for AI-generated code. A professional CLI tool that scans code for security vulnerabilities, enables human review, and learns from feedback to improve detection accuracy.
```
pip install checkmate-ai
checkmate scan your_code.py
```

CheckMate was originally developed for a hackathon competition focused on human-in-the-loop anomaly detection. While we didn't win, we believe in the value of this tool and are continuing development as an open-source side project. Our goal is to build a practical, privacy-focused security scanner that helps developers catch vulnerabilities in AI-generated code.
AI-generated code is powerful but risky:
- Hardcoded secrets (API keys, passwords)
- Code execution vulnerabilities (eval, exec, pickle)
- SQL injection patterns
- No built-in security checks

CheckMate solves this with automated detection + human judgment.

Scan → Review Flags → Mark as Valid/False Positive → System Learns → Better Scans
- Before/After Metrics - See precision improve in real-time
- Human Feedback Loop - Mark false positives, build whitelist
- 31 Detection Rules - Across secrets, code execution, SQL injection
- Persistent Learning - Whitelist saves automatically
- Multi-Language - Python & JavaScript support
```
pip install checkmate-ai
checkmate dashboard
```

Browser opens automatically to http://localhost:3000 showing "Waiting for scan..."

```
checkmate scan demo.py
```

The dashboard updates automatically showing detected flags.
- See code with syntax highlighting
- Read security explanations
- Click "Mark as Safe" to whitelist patterns
- View suggested fixes

```
checkmate scan demo.py
```

Metrics page shows precision improvement (e.g., 62% → 84%)
| Command | Purpose |
|---|---|
| `checkmate dashboard` | Start web UI + backend server |
| `checkmate scan <file>` | Scan single file |
| `checkmate scan file1.py file2.js` | Scan multiple files |
| `checkmate scan .` | Scan all .py and .js in current directory |
| `checkmate whitelist` | View current whitelist |
| `checkmate reset` | Clear all data (fresh start) |
| `checkmate version` | Show version info |
CheckMate delivers on all essential security scanning capabilities:
| Feature | Implementation |
|---|---|
| Problem Definition | AI code security + human review = clear, valuable problem |
| Anomaly Detection | 31 rules across 3 categories (secrets, code exec, SQL injection) |
| Human-in-Loop | Users mark valid/false positive → whitelist updates → system learns |
| Before/After Improvement | Metrics page shows precision improvement (tracked over time) |
| Explainability | Each flag shows: explanation, severity, suggested fix, line number |
| Presentation | Professional CLI, web dashboard, polished UX |
```
┌─────────────────────────────────────────┐
│ CheckMate - Security Scan Results       │
├─────────────────────────────────────────┤
│ File: demo.py                           │
│ Total Flags: 5                          │
│                                         │
│ [CRITICAL] Hardcoded API Key (Line 15)  │
│   sk-1234567890abcdef                   │
│   Use: os.environ.get('OPENAI_API_KEY') │
│   [Mark as Safe] [Copy Fix]             │
│                                         │
│ [DANGER] eval() Usage (Line 28)         │
│   eval("user_input")                    │
│   Use: ast.literal_eval() instead       │
│   [Mark as Safe] [Copy Fix]             │
└─────────────────────────────────────────┘
```
- Precision Trend - Line chart showing improvement over time
- Stat Cards - Total scans, total flags, precision %, improvement %
- Before/After Card - Visual improvement comparison
- Per-Rule Breakdown - Accuracy by detection rule
- OpenAI API keys (`sk-...`)
- AWS Access Keys (`AKIA...`)
- Hardcoded passwords
- Private tokens, JWT secrets
- Firebase API keys
- Stripe API keys
- GitHub tokens
- And more...

- `eval()` usage
- `exec()` usage
- `pickle.loads()` deserialization
- `subprocess` with `shell=True`
- `os.system()` calls
- Dynamic imports
- And more...
- F-string SQL queries
- String concatenation in queries
- Variable interpolation in SQL
- And more...
```
checkmate scan code.py
# Detects: 5 flags
# Metrics: 3 valid, 2 false positives
# Precision: 60%
```

- Dashboard shows each flag
- User reads explanation: "eval() can execute arbitrary code"
- User decides: "This is a false positive (test code)"
- Clicks: "Mark as Safe"
- Backend saves to `whitelist.json`
- Pattern added: `eval("test_value")`
- Next scan will skip this pattern

```
checkmate scan code.py
# Detects: 4 flags (1 skipped via whitelist)
# Metrics: 3 valid, 1 false positive (whitelisted)
# Precision: 75% (improved!)
```

- Precision tracked over time
- Metrics page shows trend: 60% → 75% → 84%
- Team learns what their codebase's real risks are
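To make the rule categories listed above and the scan → mark-as-safe → rescan loop concrete, here is an added example that is not CheckMate's own code: a handful of hypothetical regex rules in the same three categories, a scan that skips snippets a reviewer whitelisted, and the precision figure recomputed before and after one flag is marked a false positive. The rule names, the sample file and the key-like strings are constructed placeholders.

```python
import re
from dataclasses import dataclass
# Hypothetical rules modelled on the README's three categories (secrets, code
# execution, SQL injection); they are not CheckMate's own 31 detectors.
RULES = [
    ("openai_key", "CRITICAL", re.compile(r"sk-[A-Za-z0-9]{16,}")),
    ("aws_access_key", "CRITICAL", re.compile(r"AKIA[0-9A-Z]{16}")),
    ("eval_usage", "DANGER", re.compile(r"\beval\s*\([^)]*\)")),
    ("pickle_loads", "DANGER", re.compile(r"\bpickle\.loads\s*\([^)]*\)")),
    ("shell_true", "DANGER", re.compile(r"subprocess\.\w+\([^)]*shell\s*=\s*True[^)]*\)")),
    # Only double-quoted f-strings that hold a SQL verb and an interpolation.
    ("fstring_sql", "WARNING", re.compile(r'f"[^"]*\b(?:SELECT|INSERT|UPDATE|DELETE)\b[^"]*\{[^"]*"', re.I)),
]

@dataclass(frozen=True)
class Flag:
    rule: str
    severity: str
    line: int
    snippet: str  # exact matched text; this is what "Mark as Safe" whitelists

def scan(source, whitelist=frozenset()):
    """Run every rule over every line, dropping matches the reviewer marked safe."""
    flags = []
    for lineno, text in enumerate(source.splitlines(), 1):
        for name, severity, pattern in RULES:
            m = pattern.search(text)
            if m and m.group(0) not in whitelist:
                flags.append(Flag(name, severity, lineno, m.group(0)))
    return flags

def precision(flags, false_positives):
    """Fraction of reported flags the reviewer judged valid (0.0 if none reported)."""
    if not flags:
        return 0.0
    return sum(f.snippet not in false_positives for f in flags) / len(flags)

def feedback_cycle(source, marked_safe):
    """Scan, apply the reviewer's verdicts, rescan with the whitelist; return both precisions."""
    whitelist = frozenset(marked_safe)
    before, after = scan(source), scan(source, whitelist)
    return precision(before, whitelist), precision(after, whitelist)
# Constructed sample file; the key-like strings are placeholders, not real credentials.
SAMPLE = '''OPENAI_KEY = "sk-1234567890abcdef"
AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
result = eval("test_value")  # test fixture a reviewer would mark as safe
obj = pickle.loads(blob)
subprocess.run(cmd, shell=True)
cur.execute(f"SELECT * FROM users WHERE name = '{name}'")'''
```

Calling `feedback_cycle(SAMPLE, ['eval("test_value")'])` returns precision 5/6 for the first scan and 1.0 after the whitelisted fixture is skipped, which is the before/after movement the metrics page tracks.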
- CLI: Python 3.11+ with Click framework
- Detection: Regex-based (31 rules, no ML)
- Backend: FastAPI (lightweight API)
- Dashboard: Next.js 14 + React 18 + TypeScript
- UI Components: shadcn/ui + Tailwind CSS
- Data: SQLite database + JSON files
```
Terminal (User)
      ↓
[checkmate scan file.py]
      ↓
CLI Scanner (runs detectors)
      ↓
FastAPI Backend (saves to DB)
      ↓
Browser (Next.js Dashboard)
      ↓
User Reviews & Marks Safe/False Positive
      ↓
Backend Updates Whitelist + Metrics
      ↓
Next Scan Reads Whitelist (skips patterns)
      ↓
Precision Improves
```
For detailed setup instructions, see SETUP.md
```
# From PyPI (recommended)
pip install checkmate-ai
checkmate dashboard

# From source (git clone creates a checkmate-ai directory)
git clone https://github.com/farhann-saleem/checkmate-ai
cd checkmate-ai
pip install -e .
checkmate dashboard
```
1. Open Terminal 1
   ```
   checkmate dashboard
   ```
   Browser shows: "Waiting for scan..."
2. Open Terminal 2
   ```
   checkmate scan samples/vulnerable_1.py
   ```
3. See Results (browser auto-refreshes)
   - 5 flags detected
   - Severity badges, code snippets, suggestions
4. Provide Feedback
   - Click "Mark as Safe" on false positive
   - Watch whitelist update in real-time
5. Rescan
   ```
   checkmate scan samples/vulnerable_1.py
   ```
   - Flag count decreased
   - Metrics page shows precision improved
6. View Metrics
   - Navigate to `/metrics`
   - See precision trend chart
   - Before: 60% | After: 84%
```
checkmate/
├── README.md              # This file
├── SETUP.md               # Installation guide
├── setup.py               # PyPI packaging
├── pyproject.toml         # Modern Python standard
│
├── checkmate/             # Main package
│   ├── cli.py             # CLI entry point
│   ├── scanner.py         # Detection engine
│   └── detectors/         # 31 detection rules
│
├── backend/
│   ├── main.py            # FastAPI server
│   ├── database.py        # SQLite operations
│   ├── models.py          # Data models
│   └── routes/            # API endpoints
│
├── dashboard/             # Next.js web UI
│   ├── app/               # Pages (/, /metrics)
│   └── components/        # UI components
│
├── data/                  # JSON storage
│   ├── scan_results.json
│   ├── whitelist.json
│   ├── feedback.json
│   └── metrics.json
│
└── samples/               # Example vulnerable files
    ├── vulnerable_1.py
    ├── vulnerable_2.py
    └── vulnerable_3.js
```
- PyPI Package: https://pypi.org/project/checkmate-ai/
- GitHub Repository: https://github.com/farhann-saleem/checkmate-ai
- Setup Guide: SETUP.md
- Product Requirements: See PRD.md
```
# Terminal 1
checkmate dashboard

# Terminal 2 (wait 3 seconds)
checkmate scan samples/vulnerable_1.py

# Browser shows results automatically
# Mark a false positive as safe
# Rescan to see improvement
```

Time needed: 2 minutes total
Found a bug? Have a rule idea? Open a GitHub issue or PR!
MIT License - See LICENSE file for details
- Machine learning for adaptive rules
- More language support (Go, Java, Rust)
- Integration with CI/CD pipelines
- API for programmatic scanning
- Rule customization UI
CheckMate - Making AI-generated code safer, one scan at a time.
