GooseGuard

Inspiration

With the explosion of "vibe coding" (building full-stack apps through AI prompts) the web has seen a surge of deployed projects with little to no security review. Recent high-profile breaches of vibe-coded sites exposed SQL injections, leaked API keys, missing CSRF protections, and wide-open headers. These were shipped to production by developers who trusted their AI copilot to handle security.

We asked ourselves: what if learning about security didn't feel like reading a textbook, but like a boss fight?

That’s how GooseGuard was born. We wanted to gamify security education by pitting an adversarial "Rogue Goose" against your app’s "Guardian Goose" in a real-time animated battle. Every punch, block, and dodge maps to an actual attack vector and defense strategy for your codebase. No generic checklists or dry PDFs, just a goose fight that teaches you how your app can be broken, and then fixes it for you.

What it does

GooseGuard is an interactive security platform where you submit your GitHub repo URL and watch an animated goose battle unfold in real time.

• Submit your project: Provide your GitHub repo URL, a brief app description, and choose your battle duration (4–12 rounds).
• Watch the fight: A Phaser-powered arena renders two goose fighters. The Rogue Goose (attacker) launches context-aware attacks based on your tech stack, while the Guardian Goose (defender) attempts to block or patch each vulnerability.
• Track it live: A real-time HUD shows HP bars, a threat radar, and a live exchange feed narrating attack vectors (XSS, SQLi, SSRF, etc.) and corresponding defenses.
• Get your report: Post-battle, GooseGuard generates a detailed security report with severity rankings, CWE classifications, a security score, and prioritized recommendations.
• Push fixes automatically: With one click, GooseGuard creates a new branch on your repo with actual code patches applied, then opens a Pull Request with all fixes bundled together.

How we built it

• Frontend: Built with React 19 and Vite 8. The arena is powered by Phaser 3, featuring custom spritesheet animations (punch, block, dodge, etc.) wired to backend events via a custom useWebSocket hook.
• Backend: FastAPI manages the real-time stream. The core logic runs an adversarial red/blue simulation:
  • classifier.py: Analyzes the app description to determine the attack surface (auth, database, etc.).
  • Attacker agent: Generates context-aware kill chains and payloads using Anthropic Claude or OpenAI.
  • Defender agent: Produces mitigations and diff-style code patches.
• Git Integration: branch_battle.py and pr_bot.py handle shallow clones and use the GitHub REST API to manage branch creation and automated Pull Requests.
• Security Auditing: Includes regex-based secrets scanning, risky code pattern detection (e.g., eval, dangerouslySetInnerHTML), dependency hygiene checks, and HTTP header analysis.

Challenges we ran into

• Visual Sync: Mapping structured AI logic to smooth Phaser animations over WebSockets was a balancing act. Ensuring screen shakes and HP transitions felt "weighty" while staying in sync with the simulation required precise event sequencing.
• Patch Validity: LLM-generated diffs often included placeholders or incorrect paths. We built validation layers to reject "comment-only" changes and implemented a "retest" mechanic where the attacker re-probes vectors after a patch.
• The Duality of Agents: We had to ensure the battle worked seamlessly in both Live mode (AI-powered) and Simulated mode (deterministic templates) so the frontend experience remained consistent regardless of API availability.

Accomplishments that we're proud of

• The Full Loop: We successfully connected the flow from a raw GitHub URL to an animated battle, ending in a functional Pull Request with real security patches.
• Context-Aware Combat: The Rogue Goose doesn't just guess; it targets your specific app surfaces (e.g., focusing on file uploads if your app description mentions them).
• Professional Reporting: The print-ready report looks professional enough to hand to a security team, despite the playful "goose" exterior.

What we learned

• Gamification is Effective: Watching your app "take hits" is far more visceral and memorable than reading a bulleted list of vulnerabilities.
• Guardrails are Essential: LLMs are great at reasoning but need strict JSON schemas and validation to produce applicable code rather than vague suggestions.
• Playful Security: Security tooling doesn't have to be intimidating. By using a playful metaphor, we made a tool developers actually want to use.

What's next for GooseGuard?

• UI Integration: Connecting the static repo and website audit endpoints directly to the React components.
• Deeper Analysis: Moving beyond regex to AST-level analysis and integrating with tools like Semgrep.
• Live DAST: Implementing dynamic probing of deployed websites during the battle.
• Multiplayer Mode: A "1v1" mode where one developer chooses attack vectors while another defends in real time.
• CI/CD Integration: Running GooseGuard as a GitHub Action that posts battle summaries directly to PR comments.

Built With

• anthropic
• api
• fastapi
• gemini
• git
• github
• httpx
• openai
• phaser3
• pydantic
• python
• react
• vite
• websockets