Security and quality linter specifically designed for AI-generated code.
AI coding assistants can introduce security vulnerabilities and quality issues:
- SQL injection through string concatenation
- Command injection via unsanitized inputs
- Hardcoded secrets and credentials
- Missing error handling
- Unsafe deserialization
- Over-complex "clever" solutions
Traditional linters catch some of these, but AI code has unique patterns that need specific attention.
npm install -g ai-code-audit# Audit a single file
aca src/api.ts
# Audit multiple files
aca src/**/*.ts
# Audit a git diff
git diff HEAD~1 | aca --stdin
# Audit staged changes
git diff --cached | aca --stdinOptions:
-s, --stdin Read diff from stdin
-f, --format <type> Output format: text, json, sarif (default: text)
-c, --config <file> Config file path
--severity <level> Minimum severity: info, warning, error (default: warning)
-q, --quiet Only output errors
-h, --help Show help
Add to .git/hooks/pre-commit:
#!/bin/bash
git diff --cached | aca --stdin --severity error
if [ $? -ne 0 ]; then
echo "AI code audit found issues. Please review before committing."
exit 1
fi# GitHub Actions
- name: AI Code Audit
run: |
npm install -g ai-code-audit
git diff ${{ github.event.before }} ${{ github.sha }} | aca --stdin --format sarif > results.sarif
- name: Upload SARIF
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: results.sarif| Rule | Severity | Description |
|---|---|---|
sql-injection |
error | Detects SQL queries with string interpolation |
command-injection |
error | Detects shell commands with unsanitized input |
hardcoded-secret |
error | Detects hardcoded API keys, passwords, tokens |
unsafe-eval |
error | Detects use of eval() or Function() |
unsafe-regex |
warning | Detects potentially catastrophic regex |
path-traversal |
error | Detects unsanitized file path operations |
xss-risk |
warning | Detects potential XSS in HTML generation |
| Rule | Severity | Description |
|---|---|---|
missing-error-handling |
warning | Detects async operations without try/catch |
empty-catch |
warning | Detects empty catch blocks that swallow errors |
console-log |
info | Detects console.log left in code |
todo-fixme |
info | Detects TODO/FIXME comments |
magic-number |
info | Detects unexplained numeric literals |
deep-nesting |
warning | Detects deeply nested code (>4 levels) |
| Rule | Severity | Description |
|---|---|---|
ai-placeholder |
error | Detects placeholder text like "// Add implementation" |
incomplete-impl |
warning | Detects throw new Error('Not implemented') |
excessive-comments |
info | Detects over-commented obvious code |
type-any-abuse |
warning | Detects excessive use of any type |
Create .ai-code-audit.json:
{
"rules": {
"sql-injection": "error",
"console-log": "off",
"magic-number": "warning"
},
"ignore": [
"**/*.test.ts",
"**/fixtures/**"
],
"languages": ["typescript", "javascript", "python"]
}src/api/users.ts
12:5 error SQL injection risk: query uses string interpolation sql-injection
24:3 warning Missing error handling for async operation missing-error-handling
45:1 error Hardcoded secret detected: API_KEY = "sk-..." hardcoded-secret
src/utils/shell.ts
8:12 error Command injection: exec() with unsanitized input command-injection
4 problems (3 errors, 1 warning)
MIT