@gulu9527/code-trust 0.1.0 → 0.2.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +30 -8
- package/action.yml +1 -1
- package/dist/cli/index.js +1281 -134
- package/dist/cli/index.js.map +1 -1
- package/dist/index.d.ts +10 -0
- package/dist/index.js +929 -1
- package/dist/index.js.map +1 -1
- package/package.json +1 -1
package/README.md
CHANGED
|
@@ -4,7 +4,7 @@
|
|
|
4
4
|
|
|
5
5
|
[](https://nodejs.org)
|
|
6
6
|
[](LICENSE)
|
|
7
|
-
[](https://www.npmjs.com/package/code-trust)
|
|
7
|
+
[](https://www.npmjs.com/package/@gulu9527/code-trust)
|
|
8
8
|
|
|
9
9
|
**English | [中文](./README-CN.md)**
|
|
10
10
|
|
|
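Review bot: the npm badge link on README line 7 now targets the scoped package, but only the link target is visible in this rendering (the badge image part shows as `[](...)`), so confirm the badge image URL was updated to `@gulu9527/code-trust` as well; otherwise the badge keeps reporting the old unscoped package's version while linking to the new one.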
@@ -26,7 +26,7 @@ CodeTrust is a **fully local** CLI tool designed to verify the quality of AI-gen
|
|
|
26
26
|
## Install
|
|
27
27
|
|
|
28
28
|
```bash
|
|
29
|
-
npm install -g code-trust
|
|
29
|
+
npm install -g @gulu9527/code-trust
|
|
30
30
|
```
|
|
31
31
|
|
|
32
32
|
Both `code-trust` and `codetrust` commands are available after installation.
|
|
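Review bot: the install command switches from the unscoped `code-trust` to `@gulu9527/code-trust` without telling existing users that the package name changed; add a one-line migration note (uninstall the old name, install the scoped one) and state whether the unscoped `code-trust` name will still receive releases, since anyone who keeps running `npm install -g code-trust` will silently get whatever that name resolves to on the registry. The sentence that both `code-trust` and `codetrust` binaries remain available (line 32) still holds and should stay.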
@@ -57,6 +57,15 @@ codetrust rules list
|
|
|
57
57
|
|
|
58
58
|
# Install pre-commit hook
|
|
59
59
|
codetrust hook install
|
|
60
|
+
|
|
61
|
+
# Auto-fix issues (dry-run by default)
|
|
62
|
+
codetrust fix src/
|
|
63
|
+
|
|
64
|
+
# Apply fixes
|
|
65
|
+
codetrust fix src/ --apply
|
|
66
|
+
|
|
67
|
+
# Fix only a specific rule
|
|
68
|
+
codetrust fix src/ --apply --rule logic/type-coercion
|
|
60
69
|
```
|
|
61
70
|
|
|
62
71
|
## Trust Score
|
|
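Review bot: the new `codetrust fix` section says dry-run is the default but not what the dry run shows or what `--apply` does to the tree; state that `fix` rewrites source files in place, that the dry run prints the intended changes so they can be reviewed before `--apply`, and that `--apply` without `--rule` applies every fixable rule at once. The `--rule logic/type-coercion` example is a good one to keep, and a short caveat that rewriting `==` to `===` can change runtime behaviour belongs right next to it.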
@@ -80,22 +89,34 @@ CodeTrust evaluates code across five dimensions, weighted into a total score (0-
|
|
|
80
89
|
| >= 50 | LOW TRUST | Needs careful review |
|
|
81
90
|
| < 50 | UNTRUSTED | Should not be merged |
|
|
82
91
|
|
|
83
|
-
## Built-in Rules (
|
|
92
|
+
## Built-in Rules (29)
|
|
84
93
|
|
|
85
94
|
### Hallucination Detection (Logic)
|
|
86
95
|
| Rule ID | Severity | Description |
|
|
87
96
|
|---------|----------|-------------|
|
|
88
97
|
| `logic/phantom-import` | high | Import from non-existent relative path (AI hallucination) |
|
|
89
98
|
| `logic/missing-await` | medium | Missing `await` on async function call |
|
|
90
|
-
| `logic/
|
|
99
|
+
| `logic/any-type-abuse` | medium | Excessive `any` type usage bypassing type safety |
|
|
100
|
+
| `logic/type-coercion` | medium | Loose equality (`==`) causing implicit type coercion |
|
|
101
|
+
| `logic/no-nested-ternary` | medium | Nested ternary expressions reducing readability |
|
|
91
102
|
| `logic/unnecessary-try-catch` | medium | Try-catch wrapping simple statements |
|
|
92
|
-
| `logic/over-defensive` | low | Excessive null/undefined guards |
|
|
93
103
|
| `logic/dead-branch` | medium | Always true/false conditions, unreachable code |
|
|
94
|
-
| `logic/unused-variables` | low | Declared but never used variables |
|
|
95
104
|
| `logic/duplicate-condition` | medium | Duplicate conditions in if-else chains |
|
|
96
105
|
| `logic/empty-catch` | medium | Empty catch block or rethrow-only catch |
|
|
97
106
|
| `logic/identical-branches` | medium | If/else branches with identical code |
|
|
107
|
+
| `logic/no-non-null-assertion` | medium | Non-null assertion (!) risking runtime crashes |
|
|
108
|
+
| `logic/no-self-compare` | medium | Self-comparison (x === x) always true/false |
|
|
109
|
+
| `logic/no-return-assign` | medium | Assignment (=) in return statement, likely meant === |
|
|
110
|
+
| `logic/promise-void` | medium | Floating promise — async call not awaited or returned |
|
|
111
|
+
| `logic/unused-import` | low | Imported module never used |
|
|
112
|
+
| `logic/over-defensive` | low | Excessive null/undefined guards |
|
|
113
|
+
| `logic/unused-variables` | low | Declared but never used variables |
|
|
98
114
|
| `logic/redundant-else` | low | Unnecessary else after return/throw |
|
|
115
|
+
| `logic/magic-number` | low | Unexplained numeric literals (magic numbers) |
|
|
116
|
+
| `logic/duplicate-string` | low | Same string literal repeated 3+ times |
|
|
117
|
+
| `logic/no-reassign-param` | low | Reassigning function parameters |
|
|
118
|
+
| `logic/no-async-without-await` | low | Async function that never uses await |
|
|
119
|
+
| `logic/no-useless-constructor` | low | Empty or super-only constructor |
|
|
99
120
|
| `logic/console-in-code` | info | Leftover console.log debug statements |
|
|
100
121
|
|
|
101
122
|
### Security Rules
|
|
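Review bot: the heading count checks out (24 Logic rules listed here plus the 5 Security rules starting at line 125 give 29), but `logic/promise-void` ("async call not awaited or returned") overlaps with the existing `logic/missing-await` ("Missing `await` on async function call"); if both fire on the same statement the finding is counted twice against the trust score, so document how they differ (for example, `missing-await` for calls whose result is used, `promise-void` for calls whose result is discarded) or merge them. `logic/over-defensive` and `logic/unused-variables` are only moved, not changed, which is worth a line in the changelog so the diff is not read as a rule change.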
@@ -104,6 +125,7 @@ CodeTrust evaluates code across five dimensions, weighted into a total score (0-
|
|
|
104
125
|
| `security/hardcoded-secret` | high | Hardcoded API keys, passwords, tokens |
|
|
105
126
|
| `security/eval-usage` | high | eval(), new Function() and similar |
|
|
106
127
|
| `security/sql-injection` | high | String concatenation in SQL queries |
|
|
128
|
+
| `security/no-debugger` | high | Debugger statements left in code |
|
|
107
129
|
| `security/dangerous-html` | medium | innerHTML / dangerouslySetInnerHTML |
|
|
108
130
|
|
|
109
131
|
## Configuration
|
|
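Review bot: `security/no-debugger` at severity high sits alongside `hardcoded-secret`, `eval-usage` and `sql-injection`, but a leftover `debugger` statement is a debug artifact in the same class as `logic/console-in-code` (rated info) rather than an exploitable flaw; labelling it high means one forgotten breakpoint is scored as seriously as a hardcoded credential. Suggest medium, or move it under Logic next to `console-in-code`.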
@@ -160,8 +182,8 @@ jobs:
|
|
|
160
182
|
- uses: actions/setup-node@v4
|
|
161
183
|
with:
|
|
162
184
|
node-version: '20'
|
|
163
|
-
- run: npm install -g code-trust
|
|
164
|
-
- run:
|
|
185
|
+
- run: npm install -g @gulu9527/code-trust
|
|
186
|
+
- run: codetrust scan --diff origin/main --min-score 70
|
|
165
187
|
```
|
|
166
188
|
|
|
167
189
|
### Git Pre-commit Hook
|
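Review bot: `npm install -g @gulu9527/code-trust` in the workflow is unpinned, so every CI run fetches whatever version is latest at that moment; for a tool that gates merges on a trust score, pin it (`npm install -g @gulu9527/code-trust@0.2.1`) or use a pinned `npx` invocation so a broken or compromised release cannot change the gate silently. Also, `codetrust scan --diff origin/main` needs `origin/main` to exist in the runner's clone; the default shallow checkout of `actions/checkout` does not fetch it, so the example should mention `fetch-depth: 0` or an explicit fetch of that ref before the scan step.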