CodeShield

1.0.1 · active · verified Tue Apr 14

CodeShield is an inference-time filter from Meta's Purple Llama project that scans code produced by Large Language Models (LLMs) for insecure patterns before that code is accepted into a codebase. It sits between the model and whatever consumes its output: a scan reports whether the snippet is insecure, which issues were found, and a recommended treatment (such as block or warn) that the calling application is responsible for enforcing. The version listed here is 1.0.1; no release cadence is published, and the tool is maintained as part of Purple Llama.

Warnings

Install

Imports

Quickstart

This example initializes CodeShield, scans one code snippet, and acts on the result: `result.is_insecure` says whether anything was flagged, `result.recommended_treatment` says what the scanner suggests (e.g. block or warn), and `result.issues_found` lists the individual findings with pattern id, description, severity and line number. `scan_code` is a coroutine and must be awaited, which is why the quickstart wraps it in an `async` function run with `asyncio.run`. CodeShield only recommends a treatment; the branch on `recommended_treatment` is where the application actually enforces it, so that branch should fail closed rather than pass flagged code through.

import asyncio
from codeshield.cs import CodeShield


async def scan_example_code():
    # Stand-in for a snippet returned by an LLM. MD5 is a weak hash, so the
    # scanner is expected to flag it.
    llm_output_code = """
def hashString(input):
    return hashlib.md5(input)
"""
    print(f"Scanning code:\n{llm_output_code}")

    # scan_code is a coroutine: it must be awaited.
    result = await CodeShield.scan_code(llm_output_code)

    if result.is_insecure:
        # The treatment may be an Enum member or a plain string; normalise it
        # so the comparison below cannot silently miss.
        treatment = str(getattr(result.recommended_treatment, "value",
                                result.recommended_treatment)).lower()
        if treatment == "warn":
            treated_code = (llm_output_code
                            + "\n*** Warning: The generated snippet contains insecure code ***")
        else:
            # "block", and any treatment value this code does not recognise:
            # fail closed instead of handing flagged code downstream.
            treated_code = "*** Code Security issues found, blocking the code ***"
        summary = "Security issue detected"
    else:
        treated_code = llm_output_code
        summary = "No issues found"

    print("\n## LLM output after treatment")
    print(f"\t {treated_code} \n")
    print("## Results:\n")
    print(f"\t {summary}")
    print(f"\t Recommended treatment: {result.recommended_treatment}\n")

    # Report every finding, not just the first one.
    if result.issues_found:
        print("## Details:")
        for issue in result.issues_found:
            print(f"\tIssue found:\n\t\tPattern id: {issue.pattern_id}"
                  f"\n\t\tDescription: {issue.description}"
                  f"\n\t\tSeverity: {issue.severity}"
                  f"\n\t\tLine number: {issue.line}")


if __name__ == "__main__":
    asyncio.run(scan_example_code())
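The quickstart handles one snippet and prints the outcome. The block below is an added example, not code from the CodeShield project, showing how the same scan is wrapped as a guardrail in an application: the enforcement policy is separated from the scanner call so it can be tested without `codeshield` installed, a scanner failure or an unrecognised treatment value blocks rather than passes (fail closed), and several candidate generations are scanned concurrently since `scan_code` is a coroutine. `GuardDecision`, `apply_treatment`, `guard_snippet`, `guard_many` and `BLOCKED_PLACEHOLDER` are names chosen here, the sample generations are constructed, and the handling of the treatment as either an Enum member or a string is an assumption; the only CodeShield calls used are `CodeShield.scan_code` and the result attributes the quickstart already reads.

```python
import asyncio
from dataclasses import dataclass, field
from typing import Any, Iterable, List

# Placeholder handed downstream instead of blocked code (same text the quickstart uses).
BLOCKED_PLACEHOLDER = "*** Code Security issues found, blocking the code ***"


@dataclass
class GuardDecision:
    """What the guardrail decided for one LLM-generated snippet (type defined for this example)."""
    original: str
    delivered: str                 # the text the caller may pass on
    action: str                    # "pass", "warn" or "block"
    findings: List[str] = field(default_factory=list)


def _treatment_name(treatment: Any) -> str:
    # Assumption: the treatment may arrive as an Enum member (use .value) or as a
    # plain string; normalise both so the comparison below cannot silently miss.
    return str(getattr(treatment, "value", treatment)).lower()


def apply_treatment(code: str, result: Any) -> GuardDecision:
    """Turn a scan result into a fail-closed delivery decision.

    `result` is duck-typed on the attributes the quickstart reads from
    CodeShield's result (is_insecure, recommended_treatment, issues_found), so
    this policy can be exercised with a stand-in object when the scanner is
    not installed.
    """
    findings = [
        f"{getattr(i, 'pattern_id', '?')}: {getattr(i, 'description', '')} (line {getattr(i, 'line', '?')})"
        for i in (getattr(result, "issues_found", None) or [])
    ]
    if not result.is_insecure:
        return GuardDecision(code, code, "pass", findings)
    if _treatment_name(result.recommended_treatment) == "warn":
        warned = code + "\n# WARNING: CodeShield flagged this snippet as insecure"
        return GuardDecision(code, warned, "warn", findings)
    # "block", plus any treatment value this code does not know: never pass
    # flagged code through by default.
    return GuardDecision(code, BLOCKED_PLACEHOLDER, "block", findings)


async def guard_snippet(code: str) -> GuardDecision:
    """Scan one snippet with CodeShield and apply the policy above."""
    # Imported here rather than at module level so apply_treatment stays
    # importable (and testable) on a machine without codeshield installed.
    from codeshield.cs import CodeShield

    try:
        result = await CodeShield.scan_code(code)
    except Exception as exc:
        # A scanner crash must not become a pass: block and record the reason.
        return GuardDecision(code, BLOCKED_PLACEHOLDER, "block", [f"scanner error: {exc!r}"])
    return apply_treatment(code, result)


async def guard_many(snippets: Iterable[str]) -> List[GuardDecision]:
    """scan_code is a coroutine, so independent candidates can be scanned concurrently."""
    return list(await asyncio.gather(*(guard_snippet(s) for s in snippets)))


if __name__ == "__main__":
    # Constructed sample generations: one uses MD5, one does not.
    candidates = [
        "import hashlib\n\ndef digest(data: bytes) -> str:\n    return hashlib.md5(data).hexdigest()\n",
        "def add(a: int, b: int) -> int:\n    return a + b\n",
    ]
    for decision in asyncio.run(guard_many(candidates)):
        print(f"[{decision.action}] {decision.findings or 'no findings'}")
        print(decision.delivered)
```

Keeping `apply_treatment` free of any scanner dependency is what makes the fail-closed behaviour checkable: the unknown-treatment and scanner-error paths can be exercised with stand-in results, which is exactly where a guardrail that silently passes code through would otherwise go unnoticed.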
