ai-code-audit 0.1.0

package/src/rules/quality.ts

@@ -0,0 +1,169 @@
+import type { Rule, Finding } from '../types.js';
+
+function findMatches(
+  content: string,
+  pattern: RegExp,
+  rule: string,
+  severity: 'info' | 'warning' | 'error',
+  message: string,
+  filename: string
+): Finding[] {
+  const findings: Finding[] = [];
+  const lines = content.split('\n');
+
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i];
+    let match;
+
+    pattern.lastIndex = 0;
+
+    while ((match = pattern.exec(line)) !== null) {
+      findings.push({
+        rule,
+        severity,
+        message,
+        file: filename,
+        line: i + 1,
+        column: match.index + 1,
+        snippet: line.trim(),
+      });
+
+      if (!pattern.global) break;
+    }
+  }
+
+  return findings;
+}
+
+export const missingErrorHandling: Rule = {
+  name: 'missing-error-handling',
+  description: 'Detects async operations without try/catch',
+  severity: 'warning',
+  languages: ['javascript', 'typescript'],
+  check: (content, filename) => {
+    const findings: Finding[] = [];
+    const lines = content.split('\n');
+
+    // Look for await outside of try blocks
+    let inTry = 0;
+
+    for (let i = 0; i < lines.length; i++) {
+      const line = lines[i];
+
+      if (/\btry\s*\{/.test(line)) inTry++;
+      if (/\}\s*catch/.test(line)) inTry = Math.max(0, inTry - 1);
+
+      if (inTry === 0 && /\bawait\s+/.test(line)) {
+        // Check if it's in an async function without surrounding try
+        findings.push({
+          rule: 'missing-error-handling',
+          severity: 'warning',
+          message: 'Async operation without error handling',
+          file: filename,
+          line: i + 1,
+          column: line.indexOf('await') + 1,
+          snippet: line.trim(),
+        });
+      }
+    }
+
+    return findings;
+  },
+};
+
+export const emptyCatch: Rule = {
+  name: 'empty-catch',
+  description: 'Detects empty catch blocks that swallow errors',
+  severity: 'warning',
+  languages: ['javascript', 'typescript'],
+  check: (content, filename) => {
+    const pattern = /catch\s*\([^)]*\)\s*\{\s*\}/g;
+    return findMatches(
+      content,
+      pattern,
+      'empty-catch',
+      'warning',
+      'Empty catch block swallows errors',
+      filename
+    );
+  },
+};
+
+export const consoleLog: Rule = {
+  name: 'console-log',
+  description: 'Detects console.log left in code',
+  severity: 'info',
+  languages: ['javascript', 'typescript'],
+  check: (content, filename) => {
+    const pattern = /console\.log\s*\(/g;
+    return findMatches(
+      content,
+      pattern,
+      'console-log',
+      'info',
+      'console.log statement found',
+      filename
+    );
+  },
+};
+
+export const todoFixme: Rule = {
+  name: 'todo-fixme',
+  description: 'Detects TODO/FIXME comments',
+  severity: 'info',
+  languages: ['javascript', 'typescript', 'python', 'ruby', 'go'],
+  check: (content, filename) => {
+    const pattern = /\/\/\s*(?:TODO|FIXME|HACK|XXX|BUG)[\s:]/gi;
+    return findMatches(
+      content,
+      pattern,
+      'todo-fixme',
+      'info',
+      'TODO/FIXME comment found',
+      filename
+    );
+  },
+};
+
+export const deepNesting: Rule = {
+  name: 'deep-nesting',
+  description: 'Detects deeply nested code (>4 levels)',
+  severity: 'warning',
+  languages: ['javascript', 'typescript'],
+  check: (content, filename) => {
+    const findings: Finding[] = [];
+    const lines = content.split('\n');
+    let depth = 0;
+    const MAX_DEPTH = 4;
+
+    for (let i = 0; i < lines.length; i++) {
+      const line = lines[i];
+      const opens = (line.match(/\{/g) || []).length;
+      const closes = (line.match(/\}/g) || []).length;
+
+      depth += opens - closes;
+
+      if (depth > MAX_DEPTH && opens > 0) {
+        findings.push({
+          rule: 'deep-nesting',
+          severity: 'warning',
+          message: `Code nested ${depth} levels deep (max: ${MAX_DEPTH})`,
+          file: filename,
+          line: i + 1,
+          column: 1,
+          snippet: line.trim(),
+        });
+      }
+    }
+
+    return findings;
+  },
+};
+
+export const qualityRules: Rule[] = [
+  missingErrorHandling,
+  emptyCatch,
+  consoleLog,
+  todoFixme,
+  deepNesting,
+];

package/src/rules/security.ts

@@ -0,0 +1,247 @@
+import type { Rule, Finding } from '../types.js';
+
+function findMatches(
+  content: string,
+  pattern: RegExp,
+  rule: string,
+  severity: 'info' | 'warning' | 'error',
+  message: string,
+  filename: string
+): Finding[] {
+  const findings: Finding[] = [];
+  const lines = content.split('\n');
+
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i];
+    let match;
+
+    // Reset regex for global patterns
+    pattern.lastIndex = 0;
+
+    while ((match = pattern.exec(line)) !== null) {
+      findings.push({
+        rule,
+        severity,
+        message,
+        file: filename,
+        line: i + 1,
+        column: match.index + 1,
+        snippet: line.trim(),
+      });
+
+      // Prevent infinite loop for non-global regex
+      if (!pattern.global) break;
+    }
+  }
+
+  return findings;
+}
+
+export const sqlInjection: Rule = {
+  name: 'sql-injection',
+  description: 'Detects SQL queries with string interpolation',
+  severity: 'error',
+  languages: ['javascript', 'typescript', 'python'],
+  check: (content, filename) => {
+    const patterns = [
+      // Template literals in SQL
+      /(?:query|execute|sql)\s*\(\s*`[^`]*\$\{/gi,
+      // String concatenation in SQL
+      /(?:query|execute|sql)\s*\(\s*['"][^'"]*['"]\s*\+/gi,
+      // Python f-strings in SQL
+      /(?:execute|cursor\.execute)\s*\(\s*f['"][^'"]*\{/gi,
+    ];
+
+    const findings: Finding[] = [];
+    for (const pattern of patterns) {
+      findings.push(
+        ...findMatches(
+          content,
+          pattern,
+          'sql-injection',
+          'error',
+          'SQL injection risk: query uses string interpolation',
+          filename
+        )
+      );
+    }
+    return findings;
+  },
+};
+
+export const commandInjection: Rule = {
+  name: 'command-injection',
+  description: 'Detects shell commands with unsanitized input',
+  severity: 'error',
+  languages: ['javascript', 'typescript', 'python'],
+  check: (content, filename) => {
+    const patterns = [
+      // exec with template literal
+      /(?:exec|execSync|spawn|spawnSync)\s*\(\s*`[^`]*\$\{/gi,
+      // exec with concatenation
+      /(?:exec|execSync|spawn|spawnSync)\s*\(\s*['"][^'"]*['"]\s*\+/gi,
+      // Python subprocess with f-string
+      /subprocess\.(?:run|call|Popen)\s*\(\s*f['"][^'"]*\{/gi,
+      // shell=True in Python
+      /subprocess\.(?:run|call|Popen)\s*\([^)]*shell\s*=\s*True/gi,
+    ];
+
+    const findings: Finding[] = [];
+    for (const pattern of patterns) {
+      findings.push(
+        ...findMatches(
+          content,
+          pattern,
+          'command-injection',
+          'error',
+          'Command injection risk: shell command with unsanitized input',
+          filename
+        )
+      );
+    }
+    return findings;
+  },
+};
+
+export const hardcodedSecret: Rule = {
+  name: 'hardcoded-secret',
+  description: 'Detects hardcoded API keys, passwords, tokens',
+  severity: 'error',
+  languages: ['javascript', 'typescript', 'python', 'ruby', 'go'],
+  check: (content, filename) => {
+    const patterns = [
+      // API keys
+      /(?:api[_-]?key|apikey)\s*[:=]\s*['"][a-zA-Z0-9_\-]{20,}['"]/gi,
+      // AWS keys
+      /(?:AKIA|ABIA|ACCA|ASIA)[A-Z0-9]{16}/g,
+      // Generic secrets
+      /(?:password|passwd|pwd|secret|token)\s*[:=]\s*['"][^'"]{8,}['"]/gi,
+      // Bearer tokens
+      /['"]Bearer\s+[a-zA-Z0-9_\-\.]+['"]/g,
+      // Private keys
+      /-----BEGIN\s+(?:RSA\s+)?PRIVATE\s+KEY-----/g,
+      // GitHub tokens
+      /gh[pousr]_[A-Za-z0-9_]{36,}/g,
+      // Slack tokens
+      /xox[baprs]-[A-Za-z0-9-]+/g,
+    ];
+
+    const findings: Finding[] = [];
+    for (const pattern of patterns) {
+      findings.push(
+        ...findMatches(
+          content,
+          pattern,
+          'hardcoded-secret',
+          'error',
+          'Hardcoded secret detected',
+          filename
+        )
+      );
+    }
+    return findings;
+  },
+};
+
+export const unsafeEval: Rule = {
+  name: 'unsafe-eval',
+  description: 'Detects use of eval() or Function()',
+  severity: 'error',
+  languages: ['javascript', 'typescript'],
+  check: (content, filename) => {
+    const patterns = [
+      /\beval\s*\(/g,
+      /new\s+Function\s*\(/g,
+      /setTimeout\s*\(\s*['"`]/g,
+      /setInterval\s*\(\s*['"`]/g,
+    ];
+
+    const findings: Finding[] = [];
+    for (const pattern of patterns) {
+      findings.push(
+        ...findMatches(
+          content,
+          pattern,
+          'unsafe-eval',
+          'error',
+          'Unsafe eval() or Function() usage detected',
+          filename
+        )
+      );
+    }
+    return findings;
+  },
+};
+
+export const pathTraversal: Rule = {
+  name: 'path-traversal',
+  description: 'Detects unsanitized file path operations',
+  severity: 'error',
+  languages: ['javascript', 'typescript', 'python'],
+  check: (content, filename) => {
+    const patterns = [
+      // Direct path concatenation
+      /(?:readFile|writeFile|unlink|rmdir|mkdir)(?:Sync)?\s*\(\s*(?:req\.|request\.|params\.|query\.)/gi,
+      // Python path with user input
+      /open\s*\(\s*(?:request\.|args\.|kwargs\.)/gi,
+      // Path join with user input
+      /path\.join\s*\([^)]*(?:req\.|request\.|params\.|query\.)/gi,
+    ];
+
+    const findings: Finding[] = [];
+    for (const pattern of patterns) {
+      findings.push(
+        ...findMatches(
+          content,
+          pattern,
+          'path-traversal',
+          'error',
+          'Path traversal risk: file operation with user input',
+          filename
+        )
+      );
+    }
+    return findings;
+  },
+};
+
+export const xssRisk: Rule = {
+  name: 'xss-risk',
+  description: 'Detects potential XSS in HTML generation',
+  severity: 'warning',
+  languages: ['javascript', 'typescript'],
+  check: (content, filename) => {
+    const patterns = [
+      // innerHTML with variable
+      /\.innerHTML\s*=\s*[^'"]/g,
+      // document.write
+      /document\.write\s*\(/g,
+      // dangerouslySetInnerHTML
+      /dangerouslySetInnerHTML\s*=\s*\{\s*\{\s*__html\s*:/g,
+    ];
+
+    const findings: Finding[] = [];
+    for (const pattern of patterns) {
+      findings.push(
+        ...findMatches(
+          content,
+          pattern,
+          'xss-risk',
+          'warning',
+          'Potential XSS risk: unsafe HTML manipulation',
+          filename
+        )
+      );
+    }
+    return findings;
+  },
+};
+
+export const securityRules: Rule[] = [
+  sqlInjection,
+  commandInjection,
+  hardcodedSecret,
+  unsafeEval,
+  pathTraversal,
+  xssRisk,
+];

package/src/types.ts

@@ -0,0 +1,33 @@
+export type Severity = 'info' | 'warning' | 'error';
+
+export interface Finding {
+  rule: string;
+  severity: Severity;
+  message: string;
+  file: string;
+  line: number;
+  column: number;
+  snippet?: string;
+}
+
+export interface Rule {
+  name: string;
+  description: string;
+  severity: Severity;
+  languages: string[];
+  check: (content: string, filename: string) => Finding[];
+}
+
+export interface Config {
+  rules: Record<string, Severity | 'off'>;
+  ignore: string[];
+  languages: string[];
+}
+
+export interface AuditResult {
+  findings: Finding[];
+  filesScanned: number;
+  errorCount: number;
+  warningCount: number;
+  infoCount: number;
+}

package/tsconfig.json

@@ -0,0 +1,17 @@
+{
+  "compilerOptions": {
+    "target": "ES2022",
+    "module": "NodeNext",
+    "moduleResolution": "NodeNext",
+    "outDir": "dist",
+    "rootDir": "src",
+    "strict": true,
+    "esModuleInterop": true,
+    "skipLibCheck": true,
+    "forceConsistentCasingInFileNames": true,
+    "declaration": true,
+    "sourceMap": true
+  },
+  "include": ["src/**/*"],
+  "exclude": ["node_modules", "dist"]
+}