Secure Code with Gemini CLI Extension in Local and CI/CD
Gemini CLI's open-source security extension scans for secrets, injections, auth flaws, LLM safety, and OSV dependencies—run locally before commits or automate GitHub PR reviews to enforce consistent security.
Core Scanning Capabilities and Real-World Detections
Gemini CLI's security extension performs vulnerability scans covering secrets management, insecure data handling, injection vulnerabilities, authentication issues, LLM safety, and dependency checks via Google's OSV database. Real-world detections include an arbitrary file read (in the Gemini CLI repo), an environment reduction bypass (Gemini CLI), path traversals (Project Chip), and the use of timestamps as hash codes (Flutter). These detections shift security left, so issues are fixed during development rather than after deployment, and the extension's architecture is designed to accommodate more advanced techniques in future.
Local Analysis Workflow for Individual Contributors
Install the extension, then, inside a project, invoke /security to access its custom commands. Customize scans via natural language prompts, e.g., 'Scan all my HTML files.' Enable Yolo mode (Ctrl+Y) for read-only execution. The tool generates a to-do list defining the audit scope, analyzes files sequentially (checking off each task), and outputs a findings summary. Run this before committing to catch issues privately, ensuring code quality before public pushes—ideal for solo developers who want to avoid disrupting the team.
GitHub PR Automation for Team Repos
For repositories with multiple contributors, integrate via GitHub Actions: copy the example workflow from the security extension repo, then configure authentication using workload identity federation (a setup shell script provisions the GitHub-to-Google Cloud trust). New PRs trigger scans automatically; for existing ones, comment @GeminiCLI/review on the PR. This enforces uniform security standards across all contributions, even when individuals skip local runs, embedding the analysis in CI/CD without manual oversight.
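An added illustration of the workflow shape described above, not the example workflow shipped in the extension repo: it wires the two triggers (new PR, or an @GeminiCLI/review comment on an existing PR) and the keyless workload identity federation step. The secret names, the provider and service-account values, and the final scan step are placeholders that the extension repo's own workflow and setup script supply.

```yaml
# Added illustration, not the extension repo's workflow.
name: gemini-security-review

on:
  pull_request:
    types: [opened, synchronize, reopened]   # new or updated PRs scan automatically
  issue_comment:
    types: [created]                         # existing PRs scan on request

permissions:
  contents: read
  id-token: write        # needed to mint the OIDC token for workload identity federation
  pull-requests: write   # lets the review post findings as PR comments

jobs:
  security-scan:
    # Always run for PR events; for comments, only on PRs and only when the trigger phrase is present.
    if: >-
      github.event_name == 'pull_request' ||
      (github.event.issue.pull_request != null &&
       contains(github.event.comment.body, '@GeminiCLI/review'))
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Keyless GitHub-to-Google Cloud auth: no long-lived service-account key stored in the repo.
      # Both values are placeholders; the extension's WIF setup script produces the real ones.
      - uses: google-github-actions/auth@v2
        with:
          workload_identity_provider: ${{ secrets.WIF_PROVIDER }}      # projects/<num>/locations/global/workloadIdentityPools/<pool>/providers/<provider>
          service_account: ${{ secrets.WIF_SERVICE_ACCOUNT }}         # <name>@<project>.iam.gserviceaccount.com

      # Placeholder: replace with the scan step from the security extension's example workflow.
      - name: Run Gemini CLI security review (placeholder)
        run: echo "replace with the scan step from the extension repo"
```

Keeping `contents: read` and granting `id-token`/`pull-requests` only to this job follows least privilege: the workflow can read code and post review comments, but nothing else.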