🤖 AI Summary
Google released an open-source Security extension for the Gemini CLI that adds a /security:analyze command to scan code changes (particularly pull-request diffs) for common security risks. Distributed under Apache 2.0 and installable with gemini extensions install https://github.com/gemini-cli-extensions/security, the extension requires Gemini CLI v0.4.0+. It’s designed to be extensible, integrates directly into developers’ CLI workflows, and currently runs interactively (non-interactive support is planned, tracked as issue #20). The team cautions that the report is a first-pass, AI-assisted analysis and should be used alongside other tooling and manual review.
Technically, the extension leverages Gemini’s contextual AI to detect a wide range of issues: hardcoded secrets, weak cryptography, sensitive logging, PII handling violations, insecure deserialization, XSS, SQLi, command injection, SSRF, SSTI, authentication/session weaknesses, and insecure password resets. Evaluation used the OpenSSF CVE Benchmark (TypeScript/JavaScript): each CVE's prePatch and postPatch diffs were replayed through the tool (with archeogit) and the results validated manually, yielding 90% precision and 93% recall. That performance suggests the tool surfaces true positives while keeping false alarms relatively low, making it a practical addition for early vulnerability detection in CI/PR workflows, with room to improve through its extensible architecture and the planned dataset and automation enhancements.
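An added example, not part of the page or of the extension's own code, showing how a prePatch/postPatch replay of the kind described above turns per-diff findings into precision and recall: the prePatch diff is expected to be flagged with the CVE's weakness class, while anything reported on the postPatch diff counts against precision. The benchmark entries, weakness-class names and scoring function are constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class BenchmarkCase:
    """One benchmark CVE replayed as a prePatch diff and a postPatch diff."""
    cve_id: str                                  # placeholder id, not a real entry
    expected: str                                # weakness class the prePatch diff contains
    pre_patch_findings: set = field(default_factory=set)   # classes the tool reported
    post_patch_findings: set = field(default_factory=set)


def score(cases):
    """Return (tp, fp, fn, precision, recall) for a prePatch/postPatch replay."""
    tp = fp = fn = 0
    for case in cases:
        # prePatch: a finding of the right class is a true positive, missing it is a
        # false negative, and any other class reported there is a false positive
        if case.expected in case.pre_patch_findings:
            tp += 1
        else:
            fn += 1
        fp += len(case.pre_patch_findings - {case.expected})
        # postPatch: the vulnerability is fixed, so every finding is a false positive
        fp += len(case.post_patch_findings)
    precision = tp / (tp + fp) if tp + fp else 0.0   # guard against empty runs
    recall = tp / (tp + fn) if tp + fn else 0.0
    return tp, fp, fn, precision, recall


# Constructed sample run (hypothetical CVE placeholders and tool verdicts)
SAMPLE = [
    BenchmarkCase("CVE-EXAMPLE-1", "sqli", {"sqli"}, set()),
    BenchmarkCase("CVE-EXAMPLE-2", "xss", {"xss"}, set()),
    BenchmarkCase("CVE-EXAMPLE-3", "ssrf", set(), set()),                 # missed -> FN
    BenchmarkCase("CVE-EXAMPLE-4", "command_injection",
                  {"command_injection", "hardcoded_secret"}, set()),      # extra class -> FP
    BenchmarkCase("CVE-EXAMPLE-5", "deserialization",
                  {"deserialization"}, {"deserialization"}),              # still flagged after fix -> FP
]

if __name__ == "__main__":
    tp, fp, fn, p, r = score(SAMPLE)
    print(f"TP={tp} FP={fp} FN={fn} precision={p:.2f} recall={r:.2f}")
```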