Trepan: Local VS Code Security Auditor for AI-Generated Code

✍️ OpenClawRadar · 📅 Published: March 21, 2026

Trepan is a VS Code extension that addresses 'Silent AI Security Debt'—vulnerabilities in AI-suggested code that pass compilation but lack architectural security context. It acts as a local security gatekeeper between AI coding assistants and your codebase.

How Trepan Works

The tool uses a Zero-Baseline approach to audit AI suggestions against local security rules. It doesn't just guess; it enforces policies based on a .trepan/system_rules.md file in your project.

  • 100% Local-Only: Uses Ollama to run security audits on your machine with no code leakage to external APIs
  • Deterministic Validation: Forces the local LLM to validate suggested code against your specific security constraints before acceptance
  • Context-Aware: Reads project-specific rules to catch logic-specific flaws that generic linters miss

What Trepan Catches

The tool is specifically tuned to find hallucinations that bypass standard static analysis:

  • Insecure API endpoints suggested by AI
  • Silent DOM XSS vulnerabilities in frontend logic
  • Hardcoded secrets or "convenient" backdoors the AI might hallucinate
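To make the gatekeeper idea in "How Trepan Works" and "What Trepan Catches" concrete, here is an added illustration (not Trepan's own code) of a rules-driven local gate: deterministic pre-checks for the three flaw classes listed above, and the request body that would hand a clean snippet to a local Ollama model for the rules-based verdict. The rules file format, the sample snippet and the regexes are constructed assumptions; the Ollama `/api/generate` request is built but not sent.

```python
"""Added illustration (not Trepan's own code) of a rules-driven local gate for
AI-suggested snippets. Assumes rules are bullet lines in a file like
.trepan/system_rules.md and the verdict comes from a local Ollama /api/generate."""
import re

# Constructed stand-in for .trepan/system_rules.md contents.
SAMPLE_RULES_MD = """# Project security rules
- Never hardcode credentials; read them from the environment.
- Never assign URL-derived data to innerHTML.
- All outbound API calls must use https.
"""

# Constructed AI-suggested snippet: compiles fine, breaks every rule above.
SAMPLE_SNIPPET = """const API_KEY = "sk-live-0123456789abcdef";
const q = new URLSearchParams(location.search).get("q");
document.getElementById("out").innerHTML = "Results for " + q;
fetch("http://api.example.test/v1/search?q=" + q);
"""

# Cheap deterministic pre-checks (sink/pattern matching, not taint tracking).
PRECHECKS = {
    "hardcoded-secret": re.compile(
        r"(?i)\b(api[_-]?key|secret|password|token)\b\s*=\s*['\"][^'\"]{8,}['\"]"),
    "dom-xss-sink": re.compile(r"\.(innerHTML|outerHTML)\s*="),
    "insecure-endpoint": re.compile(r"['\"]http://[^'\"]+['\"]"),
}

def parse_rules(markdown: str) -> list[str]:
    """Keep only the bullet lines of the rules file."""
    return [ln[2:].strip() for ln in markdown.splitlines() if ln.startswith("- ")]

def prefilter(snippet: str) -> list[dict]:
    """Line-level findings from the regex pre-checks, in source order."""
    return [{"rule": name, "line": n, "text": ln.strip()}
            for n, ln in enumerate(snippet.splitlines(), 1)
            for name, pat in PRECHECKS.items() if pat.search(ln)]

def build_audit_request(rules: list[str], snippet: str, model: str = "llama3") -> dict:
    """JSON body for Ollama POST /api/generate asking for a strict JSON verdict."""
    prompt = ("You are a security auditor. Reject code that violates any rule.\n"
              "Rules:\n" + "\n".join(f"- {r}" for r in rules)
              + "\n\nCode:\n```\n" + snippet.rstrip("\n") + "\n```\n"
              'Reply only with JSON: {"accept": true|false, "reasons": []}')
    return {"model": model, "prompt": prompt, "stream": False, "format": "json"}

def gate(rules_md: str, snippet: str) -> dict:
    """Hard findings reject outright; clean snippets are deferred to the local LLM."""
    findings = prefilter(snippet)
    request = None if findings else build_audit_request(parse_rules(rules_md), snippet)
    return {"accept": not findings, "findings": findings, "llm_request": request}
```

Running `gate(SAMPLE_RULES_MD, SAMPLE_SNIPPET)` rejects the snippet with one finding per listed flaw class; a snippet that passes the pre-checks is still not accepted until the local model's rules-based verdict comes back.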

Technical Details

Trepan is open source under the AGPLv3 license and is available in the VS Code Marketplace. The developer is experimenting with different system prompts for the auditing phase and is seeking feedback on the auditing logic and prompt engineering.

The developer is asking the community for input on which local models (Llama 3, Mistral, etc.) perform best for security-focused auditing without excessive latency.

📖 Read the full source: r/LocalLLaMA
