# code-audit-cli

v0.1.0-beta.2
Static audit tool for AI-generated code — detects hardcoded data, hallucinations, weak tests, and fragile logic.
## Why?

AI coding tools (Copilot, ChatGPT, Claude) frequently produce code that looks valid but contains subtle quality issues:

- Functions that always return the same hardcoded array or object
- Placeholder data like `user1`, `user2`, `[email protected]`
- Dead branches: `if (true)`, `if (false)`
- Tests that trivially pass: `expect(true).toBe(true)`, empty test bodies
- Hidden side effects: `window.x = ...`, `eval()` calls
- Branch-heavy code, missing error handling, duplicated logic, and untested source surfaces
code-audit-cli scans your project statically (no AI, fully offline) and gives you a Trust Score plus a detailed report.
## Install

```bash
# Run once (no install needed)
npx code-audit-cli scan ./src

# Or install globally
npm install -g code-audit-cli
code-audit-cli scan ./src
```

## Usage
### Basic scan (CLI output)

```bash
code-audit-cli scan ./my-project
```

### Scan with JSON report

```bash
code-audit-cli scan ./my-project --json
```

### Scan with HTML dashboard

```bash
code-audit-cli scan ./my-project --html
```

### All output formats at once

```bash
code-audit-cli scan ./my-project --all
```

### Custom output directory

```bash
code-audit-cli scan ./src --all --output-dir ./reports
```

### Ignore extra directories

```bash
code-audit-cli scan . --ignore "fixtures,mocks"
```

### Suppress known/accepted findings

```bash
# One-off CLI suppression
code-audit-cli scan . --ignore-rules hardcoded-data,duplicate-logic
```

```js
// Inline suppression
// code-audit-ignore-next-line: hardcoded-data
const formats = ['jpg', 'png', 'webp'];
```

code-audit-cli also reads `code-audit.config.json` or `.code-audit.json`:

```json
{
  "ignoreRules": ["duplicate-logic"],
  "ignoreFiles": ["fixtures/*", "src/generated/*"],
  "ignoreFingerprints": ["abc123def456"]
}
```

### Scan a single file

```bash
code-audit-cli scan ./src/userService.ts
```

## Output Formats
| Flag | Description |
|------|-------------|
| (default) | Rich CLI report with colors |
| --json | Machine-readable JSON file |
| --html | Self-contained HTML dashboard |
| --all | All three formats |
Reports are written to ./audit-reports/ by default (--output-dir to change).
## Documentation
Detailed documentation lives in docs/. It includes the CLI reference, configuration, suppressions, report model, scoring, analyzer behavior, architecture, development workflow, release checklist, and troubleshooting guide.
The docs are organized as a Docsify site and can also be read directly as Markdown files.
```bash
npx docsify-cli serve docs
```

## Example Output
```text
════════════════════ CODE AUDIT REPORT ═════════════════════
Project : /my-project
Files   : 12 (9 source, 3 test)
─────────────────────── TRUST SCORE ────────────────────────
62/100 ███████████████████░░░░░░░░░░░ MEDIUM RISK
──────────────────────── SUB-SCORES ────────────────────────
Data Integrity      █████████░░░░░░░░░░░ 45
Test Reliability    █████████░░░░░░░░░░░ 46
Logic Robustness    ██████████████████░░ 89
Side-Effect Safety  █████████████████░░░ 85

Issues:
1. HIGH src/userService.js:4 (90% confidence)
   hardcoded-data → Function returns a hardcoded array with 3 literal items
2. HIGH tests/auth.test.js:12 (99% confidence)
   fake-test → expect(true).toBe(true) — trivially true assertion
```

## What It Detects
The CLI report is impact-prioritized by default. Repeated findings are grouped into fix-first sections, hotspots, and score deductions so the report acts as a review queue instead of a raw warning dump.
### Static Analysis
| Issue Type | Description |
|------------|-------------|
| hardcoded-data | Functions/variables that always return literal values |
| hallucination-pattern | Synthetic data: user1/user2, [email protected], [1,2,3,4,5] |
| dead-logic | if(true), if(false), unreachable code after return |
| constant-condition | Ternaries/loops with constant boolean conditions |
| side-effect | Global state mutation, window.* writes, eval() |
| high-complexity | Branch-heavy functions and deep nesting |
| missing-error-handling | Unguarded JSON parsing, I/O, network, and database calls |
| unguarded-input | Function parameters used with risky string/array methods without guards |
| secret-risk | Hardcoded credentials and injection-prone query construction |
| dependency-risk | Circular dependencies and high import fan-in |
| duplicate-logic | Repeated source blocks across files |
| unused-parameter | Function inputs that are accepted but never used |
| constant-output | Exported functions whose observed return paths are constant |
### Test Analysis
| Issue Type | Description |
|------------|-------------|
| fake-test | assert(true), expect(true).toBe(true) |
| no-assertion | Test body with no assertion calls |
| empty-test | Completely empty it()/test() blocks |
| weak-assertion | expect() called with a literal value |
| missing-test-coverage | Exported modules or multi-function files without nearby/importing tests |
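To make the rule descriptions above concrete, here is a simplified, line-oriented scanner for three of the listed rule types (`fake-test`, `dead-logic`, `hallucination-pattern`). It is example code written for this page, not code-audit-cli's own analyzer, whose matching logic the README does not show; the regexes, confidence values, and the sample test file are assumptions constructed for the illustration. It also honours the `code-audit-ignore-next-line` suppression comment from the Usage section and emits findings in the same shape as the `issues` entries of the JSON report.

```javascript
// Added example for this page, not code-audit-cli's own analyzer: a simplified,
// line-oriented scanner for three of the rule types listed above. Regexes and
// confidence values are assumptions made for the illustration.

const RULES = [
  {
    type: 'fake-test',
    severity: 'high',
    confidence: 0.99,
    // expect(true).toBe(true) or assert(true): the assertion cannot fail
    pattern: /expect\(\s*true\s*\)\s*\.toBe\(\s*true\s*\)|\bassert\(\s*true\s*\)/,
    describe: () => 'trivially true assertion',
  },
  {
    type: 'dead-logic',
    severity: 'high',
    confidence: 0.95,
    // if (true) / if (false): one branch can never execute
    pattern: /\bif\s*\(\s*(true|false)\s*\)/,
    describe: (m) => `condition is always ${m[1]}`,
  },
  {
    type: 'hallucination-pattern',
    severity: 'medium',
    confidence: 0.7,
    // placeholder identifiers such as user1/user2 or the [1,2,3,4,5] filler array
    pattern: /\buser[12]\b|\[\s*1\s*,\s*2\s*,\s*3\s*,\s*4\s*,\s*5\s*\]/,
    describe: (m) => `synthetic placeholder value "${m[0]}"`,
  },
];

// Parses "// code-audit-ignore-next-line: rule-a,rule-b" (syntax from the Usage
// section) and returns the rule names it suppresses for the following line.
function suppressedRules(line) {
  const m = /code-audit-ignore-next-line:\s*([\w,-]+)/.exec(line);
  return m ? m[1].split(',').map((s) => s.trim()) : [];
}

// Scans one file's text and returns issues shaped like the JSON report's `issues` entries.
function scanSource(file, source) {
  const lines = source.split('\n');
  const issues = [];
  lines.forEach((text, idx) => {
    const ignored = idx > 0 ? suppressedRules(lines[idx - 1]) : [];
    for (const rule of RULES) {
      const m = rule.pattern.exec(text);
      if (!m || ignored.includes(rule.type)) continue;
      issues.push({
        type: rule.type,
        severity: rule.severity,
        file,
        line: idx + 1,
        description: rule.describe(m),
        confidence: rule.confidence,
      });
    }
  });
  return issues;
}

// Constructed sample input, not taken from a real project.
const SAMPLE_TEST_FILE = [
  "it('logs in', () => {",
  '  expect(true).toBe(true);',
  '});',
  "const users = ['user1', 'user2'];",
  '// code-audit-ignore-next-line: dead-logic',
  'if (true) { enableDebug(); }',
  'if (false) { legacyPath(); }',
].join('\n');

const findings = scanSource('tests/auth.test.js', SAMPLE_TEST_FILE);
console.log(findings);
```

Running it prints three findings (the trivially true assertion on line 2, the `user1` placeholder on line 4, and the `if (false)` on line 7); the `if (true)` on line 6 is dropped because of the suppression comment. A production analyzer would parse the source into a syntax tree rather than match text lines, so it would not be fooled by the same patterns appearing inside comments or string literals.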
## Trust Score

Scores range from 0–100 across four dimensions:

| Sub-Score | Weight | What it measures |
|-----------|--------|------------------|
| Data Integrity | 30% | How real/dynamic the data appears |
| Test Reliability | 30% | How trustworthy the tests are |
| Logic Robustness | 25% | How robust branches and conditions are |
| Side-Effect Safety | 15% | How free of hidden mutations the code is |

Risk levels: Low ≥ 75 · Medium ≥ 45 · High < 45
## Exit Codes

- `0` — Low risk (score ≥ 75)
- `1` — Medium risk (score 45–74)
- `2` — High risk (score < 45)
## Supported Languages

- JavaScript (`.js`, `.mjs`, `.cjs`)
- TypeScript (`.ts`)
- JSX / React (`.jsx`, `.tsx`)
## Programmatic API

```js
import { audit } from 'code-audit-cli';

const result = await audit({
  path: './src',
  ignore: ['fixtures'],
});

console.log(result.score);           // 0-100
console.log(result.risk);            // 'low' | 'medium' | 'high'
console.log(result.issues);          // Issue[]
console.log(result.subScores);       // { dataIntegrity, testReliability, ... }
console.log(result.recommendations); // string[]
```

## JSON Report Structure
```json
{
  "score": 62,
  "risk": "medium",
  "timestamp": "2026-01-01T00:00:00.000Z",
  "project": "/path/to/project",
  "subScores": {
    "dataIntegrity": 45,
    "testReliability": 46,
    "logicRobustness": 89,
    "sideEffectSafety": 85
  },
  "metrics": {
    "totalLinesOfCode": 3628,
    "filesWithIssues": 32,
    "sourceFilesWithoutTests": 25,
    "dependencyEdges": 67,
    "duplicateBlocks": 8
  },
  "summary": {
    "totalFiles": 2,
    "totalIssues": 24,
    "highSeverity": 13,
    "mediumSeverity": 11,
    "lowSeverity": 0
  },
  "issueGroups": [
    {
      "title": "Missing Error Handling (4 occurrences)",
      "rank": 84,
      "impact": "Malformed input, network failures, or database errors can become crashes...",
      "recommendation": "Add try/catch, .catch(), error boundaries..."
    }
  ],
  "hotspots": [
    {
      "file": "src/controllers/dashboardController.js",
      "rank": 100,
      "issueCount": 23,
      "reasons": ["High Complexity Hot Paths", "Hardcoded or Mock Data"]
    }
  ],
  "issues": [
    {
      "type": "hardcoded-data",
      "severity": "high",
      "rank": 58,
      "file": "src/userService.js",
      "line": 4,
      "description": "Function returns a hardcoded array with 3 literal items",
      "impact": "Hardcoded domain records and static return values can make generated applications look complete without real data flow.",
      "confidence": 0.9
    }
  ],
  "recommendations": [...]
}
```

## Limitations
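The following is an added example, not part of code-audit-cli, showing how a CI job might consume the JSON report above together with the Trust Score weights and exit-code mapping from the earlier sections. It assumes the overall score is the weighted average of the four sub-scores rounded to the nearest integer (the README does not state the formula, but this reproduces the 62 in the sample report from sub-scores 45, 46, 89, 85), and it additionally fails the build on any `secret-risk` issue whose confidence is at or above a configurable threshold, since a credible hardcoded credential should block a merge regardless of the aggregate score. The `gateReport` function, the threshold, and the sample report's `secret-risk` entry are constructed for this example.

```javascript
// Added example (not part of code-audit-cli): a CI gate over the JSON report.
// Assumption: the Trust Score is the rounded weighted average of the sub-scores
// with the weights from the Trust Score table; this matches the 62 in the
// README's sample report. Field names follow the JSON Report Structure above.

const WEIGHTS = {
  dataIntegrity: 0.30,
  testReliability: 0.30,
  logicRobustness: 0.25,
  sideEffectSafety: 0.15,
};

// Exit-code mapping from the Exit Codes section.
const EXIT_CODE = { low: 0, medium: 1, high: 2 };

// Recomputes the overall score from the four sub-scores (assumed formula).
function trustScore(subScores) {
  let total = 0;
  for (const [dim, weight] of Object.entries(WEIGHTS)) {
    const v = subScores[dim];
    if (!Number.isFinite(v) || v < 0 || v > 100) {
      throw new RangeError(`sub-score ${dim} must be a number in 0-100`);
    }
    total += v * weight;
  }
  return Math.round(total);
}

// Risk thresholds from the Trust Score section: Low >= 75, Medium >= 45, else High.
function riskLevel(score) {
  return score >= 75 ? 'low' : score >= 45 ? 'medium' : 'high';
}

// Hypothetical gate policy (tune per project): fail when the tool's own exit code
// would be non-zero, flag a report whose score disagrees with its sub-scores, and
// treat any secret-risk finding at or above minSecretConfidence as high risk.
function gateReport(report, { minSecretConfidence = 0.8 } = {}) {
  const reasons = [];
  const recomputed = trustScore(report.subScores);
  if (recomputed !== report.score) {
    reasons.push(`score ${report.score} does not match sub-scores (expected ${recomputed})`);
  }
  const risk = riskLevel(report.score);
  let code = EXIT_CODE[risk];
  if (code !== 0) reasons.push(`${risk} risk: trust score ${report.score}/100`);
  for (const issue of report.issues) {
    if (issue.type === 'secret-risk' && issue.confidence >= minSecretConfidence) {
      reasons.push(`${issue.file}:${issue.line} ${issue.description}`);
      code = Math.max(code, EXIT_CODE.high);
    }
  }
  return { exitCode: code, risk, reasons };
}

// Constructed sample report: sub-scores and the first issue come from the README's
// example; the secret-risk issue is made up for this illustration.
const SAMPLE_REPORT = {
  score: 62,
  risk: 'medium',
  subScores: { dataIntegrity: 45, testReliability: 46, logicRobustness: 89, sideEffectSafety: 85 },
  summary: { totalIssues: 2, highSeverity: 2, mediumSeverity: 0, lowSeverity: 0 },
  issues: [
    { type: 'hardcoded-data', severity: 'high', file: 'src/userService.js', line: 4,
      description: 'Function returns a hardcoded array with 3 literal items', confidence: 0.9 },
    { type: 'secret-risk', severity: 'high', file: 'src/db.js', line: 9,
      description: 'Hardcoded credential in connection string', confidence: 0.85 },
  ],
};

const verdict = gateReport(SAMPLE_REPORT);
console.log(verdict);
// In CI: load the file written by --json from ./audit-reports/ (its name is not
// given in this README) with fs.readFileSync + JSON.parse, then
// process.exit(gateReport(report).exitCode).
```

For the sample report the gate returns exit code 2 with two reasons (the medium-risk score and the credential finding), so the secret-risk rule escalates a build that the score alone would only have marked as medium risk.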
- Cannot guarantee 100% accuracy — each issue has a confidence score
- Full runtime/intent analysis is not performed; light execution awareness is static only
- Very large projects (>10k LOC) may be slow
- Cannot detect all forms of AI hallucination
## Development Checks

```bash
npm run lint
npm test
npm run build
```

Tests are documented in `docs/testing.md` and `tests/README.md`. They cover the scanner, config loader, analyzers, scoring, suppressions, and the public audit() pipeline.
## Contributing
Contributions are welcome for new analyzers, better false-positive filtering, report improvements, and documentation fixes. Start with CONTRIBUTING.md before opening an issue or pull request.
## License
ISC License (c) 2026 Siddhant Kore. See LICENSE for details.
