Flutter-Specific Security Analysis Capabilities

[evanotero]

This issue serves as the central tracker for gathering feedback and planning new features to provide first-class security analysis for Flutter development within the Gemini CLI Security Extension.

We want to enhance this tool with checks and features that are specifically tailored to the Flutter ecosystem. To do this, we need expertise from the Flutter community.

We are looking for your feedback on what's missing and what we can build to help you ship secure Flutter apps with confidence.

How You Can Help

Please use this issue to discuss and request new features. We are especially interested in:

1. Flutter-Specific Vulnerabilities:

   • What common security pitfalls exist in Flutter or Dart code?
   • Are there specific packages (e.g., for state management, networking, or storage) that have common misconfigurations we should check for?
   • What about platform channel security (e.g., insecure MethodChannel handling, data validation)?

2. Workflow & Integrations:

   • How can this tool better fit into your existing Flutter development and CI/CD workflow?
   • Are there other tools (linters, formatters, etc.) that this should integrate with?

3. Other Features:

   • What else would make this an indispensable security tool for your Flutter projects?

Please add your ideas as comments below or open a new, dedicated sub-issue for a specific feature request.

[reidbaker]

I attempted to do a security audit on a package that had security issues in the past with the goal of authoring a pr to accidentally regress a vulnerability and see if the tool caught it.

I followed the setup instructions in https://github.com/gemini-cli-extensions/security?tab=readme-ov-file#use-the-extension

I started with an unmodified flutter/packages checkout of master commit 5fc2fd7169cfe841bb46f0f825fc236d2c4c206f

With the following prompt /security:analyze all files in packages/image_picker/image_picker_android
Code ran for 2-3 minutes then gave the following error.
✕ [API Error: Unexpected line format in response: ,]

If it helps the DRAFT_SECURITY_REPORT.md was blank and the SECURITY_ANALYSIS_TODO_REPORT.md has the following top few lines.

- [x] Define the audit scope.
- [x] SAST Recon on `/Users/reidbaker/Documents/packages/packages/image_picker/image_picker_android/pubspec.yaml`
- [x] SAST Recon on `/Users/reidbaker/Documents/packages/packages/image_picker/image_picker_android/android/build.gradle`
- [ ] SAST Recon on `/Users/reidbaker/Documents/packages/packages/image_picker/image_picker_android/android/src/main/AndroidManifest.xml`
- [ ] SAST Recon on `/Users/reidbaker/Documents/packages/packages/image_picker/image_picker_android/android/src/main/java/io/flutter/plugins/imagepicker/ImagePickerUtils.java`

[reidbaker]

FWIW a second attempt at the same command was able to give me a result but it didnt write it anywhere so when I closed the tab I lost the ~10-15m worth of evaluation.

[reidbaker]

Rerunning the command on a fresh start of gemini (after I lost the output)
ℹA potential loop was detected. This can happen due to repetitive tool calls or other model behavior. The request has been halted.

[reidbaker]

3 rd attempt, this time revoking permissions for gemini to delete the final report, Found 2 different issues than were found the on first successful did not find the issue that was found on the first successful attempt.

Still need to dig into the results to validate what was found is real.

[reidbaker]

1st attempt, error (api format), restartable
1.5 on restart, successful at finding something but then deleted report with no way to recover.
2nd attempt, error(loop), non restartable
3rd attempt, success, manually prevented deletion of report. Audit in progress.