
πŸ›‘οΈ SENTRY - Secure Engineering Runtime & Trust Yield

A VS Code extension + git-hook enforcement + backend orchestrator that detects insecure code, shows urgency/highlights, and locks the IDE when severity is Critical/High until a verified fix is applied.

Quick Start

1. Start the Backend Server

```bash
cd /Users/youseph.e/Desktop/IBM/sentry/server
npm install  # Already done
npm run dev
```

Server runs at http://localhost:3333

2. Test the API

```bash
# Health check
curl http://localhost:3333/health

# Run the test script
node scripts/test-scan.js
```

3. Test the VS Code Extension

  1. Open VS Code
  2. File → Open Folder → Select /Users/youseph.e/Desktop/IBM/sentry/extension
  3. Press F5 to launch Extension Development Host
  4. In the new VS Code window, open the demo file: /Users/youseph.e/Desktop/IBM/sentry/demo/vulnerable.js
  5. Save the file to trigger a scan
  6. Observe:
    • 🔴 Red highlighting on critical vulnerability lines
    • 🟠 Orange highlighting on high severity lines
    • 🟡 Yellow highlighting on medium severity lines
    • CodeLens "Fix with SENTRY" buttons above issues
    • Problems panel with all findings
    • Lock screen overlay for Critical/High findings

4. Install Git Hooks (Optional)

```bash
cd /path/to/any-git-repo
/Users/youseph.e/Desktop/IBM/sentry/hooks/install.sh
```

Now commits with Critical/High issues will be blocked!

Architecture

```
┌──────────────────────────────────────────────────────────────────┐
│                         VS Code IDE                              │
│  ┌─────────────┐  ┌─────────────┐  ┌─────────────────────────┐   │
│  │  CodeLens   │  │ Decorations │  │   Lock Screen Overlay   │   │
│  │  Provider   │  │  Provider   │  │       (Webview)         │   │
│  └──────┬──────┘  └──────┬──────┘  └────────────┬────────────┘   │
│         │                │                      │                │
│         └────────────────┴──────────────────────┘                │
│                          │                                       │
│                    ┌─────┴─────┐                                 │
│                    │  Scanner  │←── Tier 0 (Local Regex)         │
│                    └─────┬─────┘                                 │
│                          │                                       │
└──────────────────────────┼───────────────────────────────────────┘
                           │ POST /scan
                           ▼
┌──────────────────────────────────────────────────────────────────┐
│                      SENTRY Backend                              │
│  ┌──────────────────────────────────────────────────────────┐    │
│  │                     Orchestrator                          │    │
│  │  ┌─────────────┐  ┌─────────────┐  ┌─────────────────┐   │    │
│  │  │  Tier 0     │  │   Tier 1    │  │    Tier 2       │   │    │
│  │  │  Regex      │→ │  AI Scan    │→ │   AI Scan       │   │    │
│  │  │  (Always)   │  │  (On Save)  │  │  (On Commit)    │   │    │
│  │  └─────────────┘  └──────┬──────┘  └─────────────────┘   │    │
│  │                          │                                │    │
│  │                   ┌──────┴──────┐                         │    │
│  │                   │ AI Provider │ ←── IBM watsonx/Bob     │    │
│  │                   └─────────────┘      (stubbed for demo) │    │
│  └──────────────────────────────────────────────────────────┘    │
│                                                                  │
│  ┌─────────────┐  ┌──────────────────┐  ┌───────────────────┐    │
│  │    Cache    │  │  Docling Chunker │  │  Patch Generator  │    │
│  │  (5min TTL) │  │   (Code Parser)  │  │   (Fix Suggester) │    │
│  └─────────────┘  └──────────────────┘  └───────────────────┘    │
└──────────────────────────────────────────────────────────────────┘
                           ▲
                           │ POST /scan (Tier 2)
┌──────────────────────────┼───────────────────────────────────────┐
│                    Git Hooks                                      │
│  ┌─────────────┐  ┌─────────────┐                                │
│  │ pre-commit  │  │  pre-push   │  ← Blocks if CRITICAL/HIGH     │
│  │ (required)  │  │  (optional) │                                │
│  └─────────────┘  └─────────────┘                                │
└──────────────────────────────────────────────────────────────────┘
```

Three-Tier Checking

| Tier | When | What | AI Call |
|---|---|---|---|
| Tier 0 | Always | Local regex patterns (secrets, eval, innerHTML, SQL concat, shell calls) | No |
| Tier 1 | On file save | AI scan when Tier 0 flags OR file in sensitive path OR risky sink touched | Yes (if needed) |
| Tier 2 | On git commit/push | Full AI scan of staged diff | Yes (always) |

Detected Vulnerabilities

| Risk Type | Severity | Example |
|---|---|---|
| HARDCODED_SECRET | CRITICAL | `password = "secret123"` |
| SQL_INJECTION | CRITICAL | `"SELECT * FROM users WHERE id=" + userId` |
| COMMAND_INJECTION | CRITICAL | `exec("ls " + userInput)` |
| CODE_INJECTION | CRITICAL | `eval("(" + data + ")")` |
| XSS_VULNERABILITY | HIGH | `element.innerHTML = userInput` |
| PATH_TRAVERSAL | HIGH | `readFile("/uploads/" + filename)` |
| MASS_ASSIGNMENT | HIGH | `Object.assign(user, req.body)` |
| INSECURE_RANDOMNESS | MEDIUM | `Math.random()` for tokens |
| WEAK_HASH | MEDIUM | `createHash('md5')` |

API Endpoints

POST /scan

Scan files for vulnerabilities.

Request:

```json
{
  "files": [{
    "filePath": "src/auth.ts",
    "diff": "...",
    "context": "...",
    "metadata": {
      "language": "typescript",
      "tier": 1,
      "timestamp": 1706726400000
    }
  }]
}
```

Response:

```json
{
  "findings": [{
    "id": "uuid",
    "risk_type": "SQL_INJECTION",
    "severity": "CRITICAL",
    "line_ranges": [{"start": 42, "end": 42}],
    "why_it_matters": "...",
    "suggested_patch": "...",
    "verified": false,
    "source": "tier0"
  }],
  "cached": false,
  "processingTime": 127,
  "tier": 1
}
```

POST /fix

Generate a fix for a finding.

GET /health

Health check endpoint.

Configuration

VS Code Extension Settings

| Setting | Default | Description |
|---|---|---|
| `sentry.serverUrl` | `http://localhost:3333` | Backend server URL |
| `sentry.debounceMs` | `1500` | Debounce delay for save scans |
| `sentry.cooldownMs` | `30000` | Minimum time between scans of the same file |
| `sentry.enableLock` | `true` | Enable IDE lock on Critical/High findings |

Environment Variables

| Variable | Default | Description |
|---|---|---|
| `SENTRY_SERVER_URL` | `http://localhost:3333` | Backend URL (for git hooks) |
| `AI_ENABLED` | `false` | Enable real AI calls |
| `WATSONX_API_KEY` | - | IBM watsonx API key |

Demo Script

  1. Show the vulnerable file - Point out the intentional security issues
  2. Save the file - Watch SENTRY scan and highlight issues
  3. Observe the lock screen - IDE is locked due to critical findings
  4. Click "Fix with SENTRY" - Show AI-suggested fix
  5. Apply the fix - Watch auto-rescan and unlock
  6. Try to commit - Show git hook blocking the commit
  7. Fix remaining issues - Commit succeeds

License

MIT

About

IBM Dev Day AI Demystified Hackathon
