Local AI VS Code extension blocks insecure code generation during saves

A developer created a VS Code extension that runs llama3.1:8b-instruct-q4 locally to physically block saves containing insecure AI-generated code. The tool was built after Claude generated a Flask route with a textbook CWE-117 (Log Injection) vulnerability.

How it works

The extension intercepts your save operations in VS Code, runs the llama3.1:8b-instruct-q4 model locally, maps the source-to-sink execution flow of the code, and throws a hard block if the AI generated something dangerous. The entire system operates offline with no cloud dependencies or API keys required.

Specific details from the source

• Model used: llama3.1:8b-instruct-q4
• Platform: VS Code extension
• Trigger: Intercepts save operations
• Analysis method: Maps source-to-sink execution flow
• Action: Throws a hard block on dangerous code
• Example vulnerability caught: CWE-117 Log Injection in a Flask route generated by Claude
• Infrastructure: Completely offline, no cloud, no API keys

This approach addresses a common issue where AI coding assistants like Claude and GitHub Copilot generate code quickly but may introduce security vulnerabilities. The local execution ensures privacy and eliminates dependency on external services.