coderot-engine
v1.14.0
Find your most dangerous technical debt — before it finds you.
coderot
Find your most dangerous technical debt - before it finds you.
Note: The npm package is published as `coderot-engine` due to npm naming constraints. The tool, brand, and VS Code extension remain named coderot.
The Problem
Your PR just merged. Three days later, a hotfix. Then another. Then an incident.
The file was always the problem - 340 lines, cyclomatic complexity of 46, modified 12 times in the last 90 days, imported by 8 other modules. Nobody flagged it because linters don't tell you which file matters most. They tell you what is wrong, everywhere, at once.
You can't fix everything. coderot tells you what to fix first.
What coderot does
coderot scores every TypeScript and JavaScript file in your codebase on a 0–100 Impact Score — a weighted composite of static complexity, git churn, and dependency centrality. Files that score high are the ones most likely to cause production incidents. The roadmap output sorts them so you always start with the highest-leverage change.
```shell
npx coderot-engine analyze ./src
```
```text
coderot - Refactor Roadmap
┌──────────────────────────────────┬───────┬──────┬────────────┬──────────┬────────────┬────────────────┬─────────┐
│ File                             │ Score │ LOC  │ Complexity │ Churn/wk │ Dependents │ Issues         │ Hotspot │
├──────────────────────────────────┼───────┼──────┼────────────┼──────────┼────────────┼────────────────┼─────────┤
│ src/commands/analyze.ts          │ 48    │ 558  │ 107        │ 1.17     │ 1          │ 43 (HIGH)      │ YES     │
├──────────────────────────────────┴───────┴──────┴────────────┴──────────┴────────────┴────────────────┴─────────┤
│ breakdown: D:2/30 + Ch:6/25 + Cx:20/20 + I:15/15 + S:6/10                                                       │
├──────────────────────────────────┬───────┬──────┬────────────┬──────────┼────────────┼────────────────┼─────────┤
│ src/utils/config.ts              │ 45    │ 285  │ 70         │ 1.17     │ 1          │ 16 (HIGH)      │ YES     │
├──────────────────────────────────┴───────┴──────┴────────────┴──────────┴────────────┴────────────────┴─────────┤
│ breakdown: D:2/30 + Ch:6/25 + Cx:20/20 + I:15/15 + S:3/10                                                       │
└──────────────────────────────────────────────────────────────────────────────────────────────────────────────────┘
───────────────────────────────────────────
Total files scanned: 17
Avg impact score: 49
Critical issues: 1
Git hotspots: 3
───────────────────────────────────────────
```
No config required. Works on any TypeScript or JavaScript project — Next.js, NestJS, monorepos, plain Node.js.
Why coderot
Engineers spend time debating which files to refactor without shared, objective criteria. Linters flag complexity - but a complex function imported by 40 other modules and committed 3 times a week carries fundamentally different risk than an equally complex function nobody depends on.
coderot addresses this by combining three signals into a single Impact Score per file: static complexity via AST traversal, git churn over a rolling 90-day window, and reverse dependency graph centrality. The result is a ranked refactor roadmap — reproducible, data-driven, and actionable without additional tooling or configuration.
coderot integrates with ESLint, TypeScript, GitHub Actions, GitLab CI, Turborepo, and Nx. It outputs SARIF for GitHub Advanced Security and GitLab SAST, PR comments for merge request automation, and standalone HTML reports for engineering leads and stakeholders.
Built with TypeScript, @typescript-eslint/typescript-estree for AST parsing, simple-git for git history, Commander.js for CLI, and Jest for testing.
Quick Start
```shell
npx coderot-engine analyze ./src
```
No install required. Scans your codebase and prints a prioritized refactor roadmap to the terminal in seconds.
```shell
# Global install
npm install -g coderot-engine
```
What It Does
coderot scores every file in your codebase on a 0–100 Impact Score — a weighted composite of five independent signals. Files that score high are the ones most likely to slow your team down or trigger production incidents. The roadmap output sorts them descending so you always start with the highest-leverage change.
| Factor | Weight | Signal |
|---|---|---|
| Dependents | 30% | Files that import this file — high centrality amplifies blast radius |
| Churn | 25% | Commits per week over 90 days — frequent changes signal instability |
| Complexity | 20% | File-level cyclomatic complexity via AST analysis |
| Issues | 15% | Severity-weighted count of detected static issues |
| Size | 10% | Lines of non-comment code |
Score thresholds: ≥ 70 is critical risk (red), 40–69 is moderate risk (yellow), < 40 is low risk (green).
Key Features
- Impact Score — 0–100 per file combining dependency centrality (30%), git churn (25%), cyclomatic complexity (20%), issue density (15%), and size (10%)
- 38 analysis rules — async safety, type safety, security patterns, complexity signals, and dependency health — each with a severity level and a step-by-step fix recipe
- HTML report — standalone visual dashboard, no server, no build step; includes executive summary and per-file fix guidance
- SARIF 2.1.0 — GitHub Advanced Security and GitLab Security Dashboard integration
- PR comment output — automated risk summary on every merge request
- Monorepo support — aggregate risk across packages with `--aggregate`; Nx and Turborepo compatible
- Baseline and regression tracking — save a risk snapshot, fail CI when score regresses beyond a configurable threshold
- Watch mode — `--watch` re-analyzes on every file save during active development
- VS Code Extension — Webview Dashboard, inline diagnostics, and history timeline
- `.coderotrc.json` — per-project rule configuration, severity tuning, and ignore patterns
- Local history — persistent run history, no account, no network, no telemetry
- Score breakdown — CLI table, PR comment, and HTML report each display weighted factor contributions (D/Ch/Cx/I/S) alongside every file's total score
- 322 tests passing — impact scorer, static analyzer, reporters, baseline, config, history, monorepo, and CI output
Example Output
```text
██████╗ ██████╗ ██████╗ ███████╗██████╗ ██████╗ ████████╗
...
Find your most dangerous technical debt — before it finds you.
coderot — Refactor Roadmap
┌──────────────────────────────┬───────┬──────┬────────────┬──────────┬────────────┬──────────────┬─────────┐
│ File                         │ Score │ LOC  │ Complexity │ Churn/wk │ Dependents │ Issues       │ Hotspot │
├──────────────────────────────┼───────┼──────┼────────────┼──────────┼────────────┼──────────────┼─────────┤
│ src/core/transformer.ts      │ 78    │ 842  │ 47         │ 2.30     │ 12         │ 3 (CRITICAL) │ YES     │
│ src/utils/parser.ts          │ 61    │ 412  │ 28         │ 1.10     │ 7          │ 2 (HIGH)     │ YES     │
│ src/api/handler.ts           │ 44    │ 234  │ 15         │ 0.50     │ 4          │ 1 (MEDIUM)   │ no      │
└──────────────────────────────┴───────┴──────┴────────────┴──────────┴────────────┴──────────────┴─────────┘
─────────────────────────────────────────────
Total files scanned: 47
Files in roadmap: 3
Critical issues: 1
Git hotspots: 2
Avg impact score: 61
─────────────────────────────────────────────
```
All Options
| Flag | Default | Description |
|---|---|---|
| -f, --format <format> | table | Output format: table, json, summary, html, sarif, or pr-comment |
| --ci | false | CI mode: suppress banner, exit 1 on CRITICAL issues |
| --max-score <score> | — | Only show files with impact score ≥ this value (0–100) |
| --ignore <patterns...> | — | Additional glob patterns to exclude from analysis |
| --top <n> | — | Show only the top N files by impact score |
| --include-healthy | false | Include files with no detected issues |
| --output <file> | — | Write report to file (html default: coderot-report.html, sarif default: coderot-results.sarif) |
| --no-history | false | Skip saving this run to ~/.coderot/history.json |
| --aggregate | false | Merge results from all paths into a single ranked roadmap (monorepo mode) |
| --baseline | false | Save current avg score as baseline to ~/.coderot/baseline.json |
| --fail-on-regression | false | Exit 1 if avg score increased beyond threshold vs. saved baseline |
| --regression-threshold <n> | 5 | Points increase that triggers failure with --fail-on-regression |
| --title <title> | — | Custom title shown in the HTML report header |
| --author <name> | — | Author name shown in the HTML report footer |
| --open | false | Open the HTML report in the default browser after generation |
| --watch | false | Watch for file changes and re-analyze automatically (incompatible with --ci and file output formats) |
| -v, --version | — | Print version |
Default ignores: node_modules/, dist/, *.d.ts, *.test.*, *.spec.*
Impact Score
Each file is scored 0–100 across five independently weighted factors:
| Factor | Weight | How it's measured |
|---|---|---|
| Dependents | 30% | Reverse import count — files that depend on this file |
| Churn | 25% | Commits per week over the trailing 90-day git window |
| Complexity | 20% | File-level cyclomatic complexity from AST analysis |
| Issues | 15% | Severity-weighted count of detected static issues |
| Size | 10% | Lines of non-comment, non-blank code |
Each factor is normalized to 0–100 against empirical thresholds (e.g., 20+ dependents, 5+ commits/week, complexity ≥ 50), then the weighted sum produces the final score.
The CLI table, PR comment, and HTML report display a per-file score breakdown showing the weighted contribution from each factor: D:{n}/30 + Ch:{n}/25 + Cx:{n}/20 + I:{n}/15 + S:{n}/10 = {total}.
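As an added example (not coderot's own scorer), here is the five-factor composite this section describes, carried through for the two rows of the sample roadmap in the "What coderot does" section. The weights and the dependents, churn and complexity saturation thresholds are the README's; the 1000-LOC size threshold and the severity weights behind the Issues factor are assumptions chosen so the constructed inputs reproduce the printed scores and breakdowns.

```typescript
// Added example, not coderot's own scorer. Weights and the dependents/churn/
// complexity saturation thresholds are from the README; the 1000-LOC size
// threshold and the severity weights for the Issues factor are assumptions.

type Severity = "CRITICAL" | "HIGH" | "MEDIUM" | "LOW";

interface FileMetrics {
  filePath: string;
  dependents: number;   // reverse import count
  churnPerWeek: number; // commits per week over the trailing 90-day window
  complexity: number;   // file-level cyclomatic complexity
  issues: Severity[];   // severity of each detected static issue
  loc: number;          // non-comment, non-blank lines
}

interface Breakdown { D: number; Ch: number; Cx: number; I: number; S: number; total: number; }

// Factor weights from the README's table (they sum to 100).
const WEIGHTS = { D: 30, Ch: 25, Cx: 20, I: 15, S: 10 };

// A raw value at or above its saturation threshold maps to 100 and earns the full weight.
const SATURATION = { dependents: 20, churnPerWeek: 5, complexity: 50, loc: 1000 /* assumed */ };

// Assumed severity weights; 20 weighted points saturate the Issues factor.
const SEVERITY_WEIGHT: Record<Severity, number> = { CRITICAL: 10, HIGH: 5, MEDIUM: 2, LOW: 1 };
const ISSUE_SATURATION = 20;

/** Normalize a raw measurement to 0-100 against its saturation threshold. */
function normalize(raw: number, saturation: number): number {
  if (raw <= 0) return 0;
  return Math.min(100, (raw / saturation) * 100);
}

/** Weighted contribution of one factor; left unrounded so the total rounds only once. */
function contribution(raw: number, saturation: number, weight: number): number {
  return (normalize(raw, saturation) / 100) * weight;
}

function impactScore(m: FileMetrics): Breakdown {
  let issueWeight = 0;
  for (const s of m.issues) issueWeight += SEVERITY_WEIGHT[s];
  const D = contribution(m.dependents, SATURATION.dependents, WEIGHTS.D);
  const Ch = contribution(m.churnPerWeek, SATURATION.churnPerWeek, WEIGHTS.Ch);
  const Cx = contribution(m.complexity, SATURATION.complexity, WEIGHTS.Cx);
  const I = contribution(issueWeight, ISSUE_SATURATION, WEIGHTS.I);
  const S = contribution(m.loc, SATURATION.loc, WEIGHTS.S);
  return { D, Ch, Cx, I, S, total: Math.round(D + Ch + Cx + I + S) };
}

/** The "D:{n}/30 + Ch:{n}/25 + Cx:{n}/20 + I:{n}/15 + S:{n}/10" line the reports print. */
function breakdownString(b: Breakdown): string {
  const r = Math.round;
  return `D:${r(b.D)}/${WEIGHTS.D} + Ch:${r(b.Ch)}/${WEIGHTS.Ch} + Cx:${r(b.Cx)}/${WEIGHTS.Cx}` +
    ` + I:${r(b.I)}/${WEIGHTS.I} + S:${r(b.S)}/${WEIGHTS.S}`;
}

/** Risk band from the README's score thresholds (>= 70 critical, 40-69 moderate, < 40 low). */
function riskBand(score: number): "critical" | "moderate" | "low" {
  if (score >= 70) return "critical";
  if (score >= 40) return "moderate";
  return "low";
}

function issuesOf(severity: Severity, count: number): Severity[] {
  const out: Severity[] = [];
  for (let i = 0; i < count; i++) out.push(severity);
  return out;
}

// Constructed inputs for the two rows of the README's sample roadmap.
const SAMPLE: FileMetrics[] = [
  { filePath: "src/commands/analyze.ts", dependents: 1, churnPerWeek: 1.17, complexity: 107, issues: issuesOf("HIGH", 43), loc: 558 },
  { filePath: "src/utils/config.ts", dependents: 1, churnPerWeek: 1.17, complexity: 70, issues: issuesOf("HIGH", 16), loc: 285 },
];

/** Roadmap order: highest Impact Score first. */
function roadmap(files: FileMetrics[]): Array<Breakdown & { filePath: string }> {
  const rows = files.map((m) => ({ filePath: m.filePath, ...impactScore(m) }));
  return rows.sort((a, b) => b.total - a.total);
}

for (const row of roadmap(SAMPLE)) {
  console.log(`${row.filePath}  score ${row.total} (${riskBand(row.total)})  ${breakdownString(row)}`);
}
```

Note that the per-factor numbers in the breakdown are rounded individually while the total is rounded from the unrounded sum, which is why the sample row reads 2 + 6 + 20 + 15 + 6 yet scores 48.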
Analysis Rules
coderot ships 38 built-in rules across five categories. Each rule fires with a severity level (CRITICAL, HIGH, MEDIUM, LOW) and a step-by-step recipe. Rules in KNOWN_RULES are configurable via .coderotrc.json — the remaining rules fire unconditionally.
| Rule | Severity | Condition |
|---|---|---|
| cyclomatic-risk | CRITICAL / HIGH | Cyclomatic complexity > 20 (CRITICAL) or > 10 (HIGH) |
| function-body-length | HIGH / MEDIUM | Function > 100 lines (HIGH) or > 50 lines (MEDIUM) |
| nesting-depth-risk | HIGH / MEDIUM | Nesting depth > 5 (HIGH) or > 3 (MEDIUM) |
| file-length-risk | CRITICAL / HIGH | File > 1000 LOC (CRITICAL) or > 500 LOC (HIGH) |
| import-coupling | MEDIUM | More than 15 imports in a single file |
| untyped-parameter | LOW | Parameters lacking TypeScript type annotations |
| import-cycle | HIGH | Circular imports detected between modules |
| untested-module | MEDIUM | Source file with no corresponding *.test.* file |
| unhandled-async-risk | HIGH | Async function with no try/catch or .catch() |
| unnamed-constant | LOW | Inline numeric literals without named constants |
| dead-export | MEDIUM | Exported symbols with no external consumers |
| implicit-return-type | MEDIUM | Exported function missing explicit return type annotation |
| inline-data-structure | LOW | Inline object or array literal with ≥ 20 entries |
| fire-and-forget-risk | HIGH | Async-sounding call in an async function not preceded by await |
| debug-output-leak | LOW | console.log/warn/error/debug/info left in non-test source file |
| swallowed-exception | HIGH | try/catch with an empty catch body |
| too-many-parameters | MEDIUM | Function with more than 5 parameters |
| credential-exposure | CRITICAL | Long mixed-case alphanumeric string in a secret-named variable, JWT tokens, AWS keys, GitHub PATs, npm tokens, and private key headers |
| implicit-any-usage | MEDIUM | Explicit any type annotation |
| unreachable-code | MEDIUM | Statements after return, throw, break, or continue |
| promise-chain-depth | LOW | .then() chain with more than 3 calls |
| nullable-access-risk | HIGH | Direct property access on .find() or Map.get() result |
| split-import | LOW | Multiple import statements from the same module path |
| bundle-weight-risk | MEDIUM | Full import of a known large package (moment, lodash, rxjs, jquery, antd) when a lighter alternative exists |
| detached-promise | HIGH | Async-sounding call outside an async function that is not awaited or .catch()-handled |
| inferred-any-assignment | MEDIUM | Variable assigned from a bare function call with no explicit type annotation |
| mixed-return-type | MEDIUM | Non-async function where some paths return a value and others return undefined |
| scope-shadow | LOW | Variable or parameter that shadows a binding declared in an outer scope |
| bus-factor-risk | MEDIUM | File with only 1 commit author, ≥ 3 dependents, and ≥ 3 commits — single point of knowledge failure |
| god-file | HIGH | File exceeding all four thresholds simultaneously: ≥ 300 LOC, ≥ 10 imports, ≥ 5 dependents, ≥ 0.5 churn/week |
| async-loop-antipattern | HIGH | await inside for/for-of/for-in loops or async callback in forEach |
| parallel-await | LOW | Two or more consecutive independent awaits that could run in parallel |
| unguarded-array-index | MEDIUM | Direct property access on array index without optional chaining or guard |
| await-in-finally | HIGH | await inside finally block silently swallows the original error |
| cast-from-any | MEDIUM | Type assertion on any-typed value provides no compiler verification |
| prefer-enum-over-literal | LOW | String literal comparison on categorical field — use enum or union type |
| spread-any | MEDIUM | Spreading any-typed value into object bypasses type checking |
| missing-type-guard | MEDIUM | Function parameter with union type accessed without typeof, instanceof, in, or optional chaining guard |
Rule configurability
coderot rules fall into two categories:
Always active — these rules fire on every run and cannot be disabled or overridden via .coderotrc.json. They cover security, correctness, and async safety issues where silencing the rule is rarely the right answer:
`credential-exposure`, `swallowed-exception`, `fire-and-forget-risk`, `debug-output-leak`, `too-many-parameters`, `implicit-any-usage`, `unreachable-code`, `promise-chain-depth`, `nullable-access-risk`, `split-import`, `bundle-weight-risk`, `cast-from-any`, `spread-any`, `await-in-finally`
Configurable — these rules can be turned off, downgraded to a warning, or escalated to an error in .coderotrc.json:
```json
{
  "rules": {
    "unnamed-constant": "off",
    "cyclomatic-risk": "warn",
    "untested-module": "error"
  }
}
```
Full list of configurable rules: `cyclomatic-risk`, `function-body-length`, `nesting-depth-risk`, `unhandled-async-risk`, `implicit-return-type`, `inline-data-structure`, `unnamed-constant`, `file-length-risk`, `import-coupling`, `untyped-parameter`, `import-cycle`, `untested-module`, `dead-export`, `detached-promise`, `inferred-any-assignment`, `mixed-return-type`, `scope-shadow`, `bus-factor-risk`, `god-file`, `async-loop-antipattern`, `parallel-await`, `unguarded-array-index`, `prefer-enum-over-literal`, `missing-type-guard`
Rules can be configured per project in .coderotrc.json. See the Configuration section.
Configuration File
Create .coderotrc.json in your project root (or any parent directory) to set defaults. CLI flags always take precedence.
```json
{
  "ignore": ["**/*.test.ts", "**/node_modules/**", "**/dist/**"],
  "maxScore": 80,
  "top": 10,
  "rules": {
    "unnamed-constant": "off",
    "inline-data-structure": "warn"
  },
  "format": "table",
  "output": "coderot-report.html"
}
```
VS Code tip: Add `"$schema": "https://unpkg.com/coderot-engine@latest/schemas/coderotrc.schema.json"` to your `.coderotrc.json` for autocomplete and inline validation.
| Field | Type | Description |
|---|---|---|
| ignore | string[] | Glob patterns to exclude, merged with --ignore |
| maxScore | number | Default score threshold (same as --max-score) |
| top | number | Default top-N limit (same as --top) |
| rules | object | Per-rule overrides: "off" suppresses, "warn" downgrades to LOW, "error" escalates to CRITICAL |
| format | string | Default output format |
| output | string | Default output file path |
| aggregate | boolean | Set true to make --aggregate the default for monorepo roots |
coderot walks up from the analyzed directory to the filesystem root when searching for .coderotrc.json, so a single config at the repo root covers all sub-directory and package scans. Committing the file to the repository means distributed teams share the same thresholds and rule overrides without any manual coordination.
CI Integration
GitHub Actions
```yaml
name: coderot analysis
on: [push, pull_request]
jobs:
  coderot:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Run coderot — quality gate
        run: npx coderot-engine analyze . --format summary --ci
      - name: Generate full report
        run: npx coderot-engine analyze . --format html --output coderot-report.html
      - name: Upload report (private artifact)
        uses: actions/upload-artifact@v4
        with:
          name: coderot-report
          path: coderot-report.html
          retention-days: 30
```
Security note for public repositories: The `--format summary` flag in the quality gate step prints only aggregate statistics to public logs (file count, avg score, pass/fail). File-level details are in the HTML report, uploaded as a private artifact visible only to repository collaborators.
Exit codes:
- `0` — no CRITICAL issues in the roadmap
- `1` — at least one CRITICAL issue found (only in `--ci` mode)
GitLab CI
coderot works in GitLab CI with the same flags. For SARIF upload to GitLab Security Dashboard, use --format sarif --output gl-sast-report.json and set it as a sast artifact.
```yaml
coderot:
  stage: test
  image: node:20
  script:
    - npx coderot-engine analyze . --ci --format summary
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"

coderot-sarif:
  stage: test
  image: node:20
  script:
    - npx coderot-engine analyze . --format sarif --output gl-sast-report.json
  artifacts:
    reports:
      sast: gl-sast-report.json
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
```
Watch Mode
Re-analyze on every file save without leaving the terminal:
```shell
npx coderot-engine analyze ./src --watch
```
coderot runs a full analysis on startup, then watches for changes. Each save triggers a re-analysis of the changed file and prints a diff:
```text
[14:23:01] Change detected: src/api/routes.ts
  ✓ resolved: Empty catch block silently swallows errors (line 42)
  ✗ introduced: async function has no try/catch or .catch() (line 67)
Files in roadmap: 4 | Avg score: 38 | Critical: 0
```
Press Ctrl+C to stop watching.
Incompatible with --format html/sarif/json/pr-comment and the --ci flag. Compatible formats: table (default) and summary.
Baseline & Trend Tracking
coderot can track your codebase's average impact score over time and fail CI when a pull request degrades quality beyond an acceptable threshold.
Save a baseline on your main branch after a clean run:
```shell
npx coderot-engine analyze . --baseline
```
The current average score is written to `~/.coderot/baseline.json` keyed by project path.
Detect regressions in CI on pull requests:
```shell
npx coderot-engine analyze . --ci --fail-on-regression
```
The trend is shown inline with the results:
```text
✓ Avg score: 34 (baseline: 38, improved by 4 points)
✗ Avg score: 45 (baseline: 38, regressed by 7 points — threshold: 5)
```
Adjust the threshold (default: 5 points):
```shell
npx coderot-engine analyze . --ci --fail-on-regression --regression-threshold 3
```
GitHub Actions
```yaml
- name: Analyze codebase
  run: npx coderot-engine analyze . --ci --fail-on-regression --regression-threshold 5
- name: Save baseline on main branch
  if: github.ref == 'refs/heads/main'
  run: npx coderot-engine analyze . --baseline
```
Exit codes for regression checks:
- `0` — score improved or regression is within threshold
- `1` — score regressed beyond threshold (only with `--fail-on-regression`)
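As an added example (not coderot's own code), the two CI gates described in this section and in CI Integration, the CRITICAL-issue gate behind `--ci` and the baseline regression gate behind `--fail-on-regression`, combined into a single exit-code decision. The baseline file is stood in for by an in-memory record keyed by project path, and that record's shape is an assumption.

```typescript
// Added example, not coderot's own code. Models the --ci CRITICAL gate and the
// --baseline / --fail-on-regression / --regression-threshold gate as one decision.
// The baseline store is an in-memory stand-in for ~/.coderot/baseline.json; its
// shape ({ [projectPath]: avgScore }) is an assumption.

interface RunSummary {
  projectPath: string;    // key under which the baseline is saved
  avgScore: number;       // average Impact Score of this run
  criticalIssues: number; // CRITICAL issues in the roadmap
}

interface GateOptions {
  ci: boolean;                 // --ci: exit 1 on CRITICAL issues
  failOnRegression: boolean;   // --fail-on-regression
  regressionThreshold: number; // --regression-threshold (README default: 5)
}

interface GateResult {
  exitCode: 0 | 1;
  lines: string[]; // what the CLI would print alongside the results
}

const baselineStore: Record<string, number | undefined> = {};

/** --baseline: record the current average score for this project path. */
function saveBaseline(run: RunSummary): void {
  baselineStore[run.projectPath] = run.avgScore;
}

/** Trend line for the run, or null when no baseline exists for the project. */
function trend(run: RunSummary, threshold: number): { text: string; regressed: boolean } | null {
  const baseline = baselineStore[run.projectPath];
  if (baseline === undefined) return null;
  const delta = run.avgScore - baseline;
  const head = `Avg score: ${run.avgScore} (baseline: ${baseline}, `;
  if (delta < 0) return { text: `✓ ${head}improved by ${-delta} points)`, regressed: false };
  if (delta === 0) return { text: `✓ ${head}unchanged)`, regressed: false };
  // A higher average is worse; only a rise beyond the threshold counts as a regression.
  const regressed = delta > threshold;
  return { text: `${regressed ? "✗" : "✓"} ${head}regressed by ${delta} points, threshold: ${threshold})`, regressed };
}

/** Combine both gates: any failing gate yields exit code 1, otherwise 0. */
function qualityGate(run: RunSummary, opts: GateOptions): GateResult {
  const lines: string[] = [];
  let exitCode: 0 | 1 = 0;
  if (run.criticalIssues > 0) {
    lines.push(`${opts.ci ? "✗" : "!"} ${run.criticalIssues} CRITICAL issue(s) in roadmap`);
    if (opts.ci) exitCode = 1; // CRITICAL issues only fail the build in --ci mode
  }
  const t = trend(run, opts.regressionThreshold);
  if (t !== null) {
    lines.push(t.text);
    if (opts.failOnRegression && t.regressed) exitCode = 1; // only with --fail-on-regression
  }
  return { exitCode, lines };
}

// Constructed walk-through: baseline 38 saved on main, then a PR run scoring 45.
saveBaseline({ projectPath: "/repo", avgScore: 38, criticalIssues: 0 });
const verdict = qualityGate(
  { projectPath: "/repo", avgScore: 45, criticalIssues: 0 },
  { ci: true, failOnRegression: true, regressionThreshold: 5 },
);
console.log(verdict.lines.join("\n"), `\nexit ${verdict.exitCode}`);
```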
HTML Report
Generate a standalone visual dashboard — no server, no build step, no dependencies:
```shell
npx coderot-engine analyze . --format html --output report.html
```
The report includes an executive summary in plain English, impact score cards, a sortable full roadmap table, and per-file issue details with refactor recipes. Pass `--title` and `--author` to brand the report for sharing with your team or management:
```shell
npx coderot-engine analyze . --format html \
  --title "Q2 2026 Tech Debt Review" \
  --author "Ioana Marinela" \
  --open
```
`--open` launches the report in your default browser immediately after generation. The report is fully print-friendly via `@media print`.
SARIF Output
Generate a SARIF 2.1.0 report and upload it to GitHub Advanced Security for inline annotations on pull requests:
```shell
npx coderot-engine analyze . --format sarif --output results.sarif
```
```yaml
- name: Run coderot
  run: npx coderot-engine analyze . --format sarif --output results.sarif
- name: Upload SARIF to GitHub
  uses: github/codeql-action/upload-sarif@v3
  with:
    sarif_file: results.sarif
```
PR Comment Output
Generate a Markdown comment suitable for posting directly on GitHub Pull Requests:
```shell
npx coderot-engine analyze . --format pr-comment
```
Pipe it anywhere or write to a file with `--output`:
```shell
npx coderot-engine analyze . --format pr-comment --output comment.md
```
The output includes a summary line, a top-files table, a critical issues section (when present), and a baseline comparison if a baseline has been saved. Example:
```markdown
## coderot analysis
**Scanned 47 files · 5 in roadmap · Avg score: 34/100**
> ✅ Avg score improved by 4 points vs baseline (38 → 34)
### Top files by impact score
| File | Score | LOC | Issues | Top Issue |
|---|---|---|---|---|
| `src/core/transformer.ts` | 78 | 842 | 3 (HIGH) | unhandled-async-risk |
| `src/utils/parser.ts` | 61 | 412 | 2 (HIGH) | cyclomatic-risk |
---
*Generated by [coderot-engine v1.11.0](https://github.com/ioanamarinelababa1/coderot) · Thu, 17 Apr 2026 10:00:00 GMT*
```
GitHub Actions — post comment on every PR
```yaml
# .github/workflows/coderot-pr.yml
name: coderot PR comment
on:
  pull_request:
    branches: [main]
jobs:
  coderot:
    runs-on: ubuntu-latest
    permissions:
      pull-requests: write
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - uses: actions/setup-node@v4
        with:
          node-version: '20'
      - name: Run coderot analysis
        run: npx coderot-engine analyze . --format pr-comment --output comment.md
      - name: Post PR comment
        if: github.event_name == 'pull_request'
        run: gh pr comment ${{ github.event.pull_request.number }} --body-file comment.md
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```
Combine with `--baseline` on the main branch to get the "improved / regressed" comparison on every PR:
```yaml
- name: Save baseline (main branch only)
  if: github.ref == 'refs/heads/main'
  run: npx coderot-engine analyze . --baseline --no-history
```
Monorepo Support
Scan multiple packages in a single command:
```shell
# Per-package tables — one section per package, dependency graphs stay isolated
npx coderot-engine analyze ./packages/api ./packages/web ./packages/shared
# Unified ranked roadmap across all packages
npx coderot-engine analyze ./packages/api ./packages/web --aggregate
# Aggregate with shell glob expansion
npx coderot-engine analyze ./packages/* --aggregate
# Cross-package HTML report
npx coderot-engine analyze ./packages/* --aggregate --format html
```
With `--aggregate`, each file in the roadmap is prefixed with its package label:
```text
┌──────────────────────────────┬───────┬──────┬────────────┬──────────┬────────────┐
│ File                         │ Score │ LOC  │ Complexity │ Churn/wk │ Issues     │
├──────────────────────────────┼───────┼──────┼────────────┼──────────┼────────────┤
│ [api] src/routes.ts          │ 87    │ 420  │ 34         │ 1.20     │ 3 (HIGH)   │
│ [web] src/App.tsx            │ 74    │ 310  │ 22         │ 0.80     │ 2 (MEDIUM) │
│ [shared] src/utils/format.ts │ 61    │ 180  │ 14         │ 0.40     │ 1 (LOW)    │
└──────────────────────────────┴───────┴──────┴────────────┴──────────┴────────────┘
```
Without `--aggregate`, each package is scanned independently — dependency graphs stay per-package, so cross-package circular imports are not reported. Set `"aggregate": true` in `.coderotrc.json` to make it the default for a monorepo root.
Nx
Add coderot as an executor target in each project's project.json:
```json
{
  "targets": {
    "coderot": {
      "executor": "nx:run-commands",
      "options": {
        "command": "npx coderot-engine analyze {projectRoot}/src --ci"
      }
    }
  }
}
```
Run it across all projects in the workspace:
```shell
nx run-many --target=coderot --all
```
Or generate a unified report from the repo root without the Nx executor:
```shell
npx coderot-engine analyze ./packages/* --aggregate --format html
```
Turborepo
Add a coderot script to each package's package.json and declare it as a pipeline task in turbo.json:
```jsonc
// package.json (each workspace package)
{ "scripts": { "coderot": "npx coderot-engine analyze ./src --ci" } }
```
```jsonc
// turbo.json
{ "pipeline": { "coderot": { "outputs": [] } } }
```
Run across all packages:
```shell
turbo run coderot
```
Or scan the whole tree from the root with `--aggregate` for a single ranked roadmap:
```shell
npx coderot-engine analyze ./apps/* ./packages/* --aggregate
```
JSON Output
```shell
npx coderot-engine analyze . --format json | jq '.roadmap[0]'
```
The JSON schema includes `filePath`, `impactScore`, `issues[]` (with `severity`, `message`, `line`, `recipe`), `functions[]`, `churnRate`, `dependents[]`, `imports[]`, and more. In monorepo mode each file also includes `package` (e.g. `"api"`) and `displayPath` (e.g. `"[api] src/routes.ts"`).
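As an added example (not coderot's own SARIF reporter), a minimal SARIF 2.1.0 emitter over the per-file JSON shape listed above, producing the kind of document the SARIF Output section uploads with `upload-sarif`. The rule id per issue, the severity-to-level mapping, the rule metadata and the sample input are this example's assumptions; the property names follow the SARIF 2.1.0 specification.

```typescript
// Added example, not coderot's own reporter. Input shape follows the README's
// JSON fields (filePath, impactScore, issues[] with severity, message, line, recipe);
// the rule id per issue, the severity-to-level mapping and the sample data are assumed.

type IssueSeverity = "CRITICAL" | "HIGH" | "MEDIUM" | "LOW";
type SarifLevel = "error" | "warning" | "note";

interface Issue { rule: string; severity: IssueSeverity; message: string; line: number; recipe: string; }
interface AnalyzedFile { filePath: string; impactScore: number; issues: Issue[]; }

interface SarifRule {
  id: string;
  shortDescription: { text: string };
  help: { text: string }; // the fix recipe, shown in the code-scanning alert
  defaultConfiguration: { level: SarifLevel };
}
interface SarifResult {
  ruleId: string;
  level: SarifLevel;
  message: { text: string };
  locations: Array<{ physicalLocation: {
    artifactLocation: { uri: string; uriBaseId: string };
    region: { startLine: number };
  } }>;
}
interface SarifLog {
  $schema: string;
  version: "2.1.0";
  runs: Array<{ tool: { driver: { name: string; version: string; informationUri: string; rules: SarifRule[] } }; results: SarifResult[] }>;
}

// Assumed mapping onto SARIF's result levels.
const LEVEL: Record<IssueSeverity, SarifLevel> = { CRITICAL: "error", HIGH: "error", MEDIUM: "warning", LOW: "note" };

/** Repository-relative, forward-slash URI so the upload resolves on any runner. */
function artifactUri(filePath: string): string {
  return filePath.replace(/\\/g, "/").replace(/^\.\//, "");
}

/** One run: one rule entry per distinct rule id (first occurrence wins), one result per issue. */
function toSarif(files: AnalyzedFile[], toolVersion: string): SarifLog {
  const rulesById: Record<string, SarifRule | undefined> = {};
  const ruleOrder: string[] = [];
  const results: SarifResult[] = [];
  for (const f of files) {
    const uri = artifactUri(f.filePath);
    for (const issue of f.issues) {
      if (rulesById[issue.rule] === undefined) {
        rulesById[issue.rule] = {
          id: issue.rule,
          shortDescription: { text: issue.message },
          help: { text: issue.recipe },
          defaultConfiguration: { level: LEVEL[issue.severity] },
        };
        ruleOrder.push(issue.rule);
      }
      results.push({
        ruleId: issue.rule,
        level: LEVEL[issue.severity],
        message: { text: `${issue.message} (file impact score ${f.impactScore})` },
        locations: [{ physicalLocation: {
          artifactLocation: { uri, uriBaseId: "%SRCROOT%" },
          region: { startLine: Math.max(1, issue.line) }, // SARIF lines are 1-based
        } }],
      });
    }
  }
  return {
    $schema: "https://json.schemastore.org/sarif-2.1.0.json",
    version: "2.1.0",
    runs: [{
      tool: { driver: {
        name: "coderot",
        version: toolVersion,
        informationUri: "https://github.com/ioanamarinelababa1/coderot",
        rules: ruleOrder.map((id) => rulesById[id] as SarifRule),
      } },
      results,
    }],
  };
}

// Constructed sample input (not real analysis output); rule names are from the README's table.
const SAMPLE_FILES: AnalyzedFile[] = [
  { filePath: "./src/core/transformer.ts", impactScore: 78, issues: [
    { rule: "swallowed-exception", severity: "HIGH", message: "try/catch with an empty catch body", line: 42, recipe: "Log, rethrow, or handle the error explicitly." },
    { rule: "unhandled-async-risk", severity: "HIGH", message: "Async function with no try/catch or .catch()", line: 67, recipe: "Wrap the body in try/catch or attach .catch() to the returned promise." },
  ] },
  { filePath: "src/utils/parser.ts", impactScore: 61, issues: [
    { rule: "unnamed-constant", severity: "LOW", message: "Inline numeric literal without a named constant", line: 12, recipe: "Extract the literal into a named constant." },
    { rule: "unhandled-async-risk", severity: "HIGH", message: "Async function with no try/catch or .catch()", line: 5, recipe: "Wrap the body in try/catch or attach .catch() to the returned promise." },
  ] },
];

console.log(JSON.stringify(toSarif(SAMPLE_FILES, "1.14.0"), null, 2));
```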
Runtime compatibility
What coderot analyzes
| Language / Framework | Support | Notes |
|---|---|---|
| TypeScript | ✅ Full | .ts and .tsx files |
| JavaScript | ✅ Full | .js and .jsx files |
| Next.js | ✅ Full | App Router and Pages Router |
| Node.js projects | ✅ Full | Any Node.js TypeScript/JavaScript codebase |
| React | ✅ Full | Components, hooks, context |
| Nx monorepos | ✅ Full | --aggregate across packages |
| Turborepo | ✅ Full | --aggregate across packages |
| ESM projects | ✅ Full | import/export syntax |
| CJS projects | ✅ Full | require/module.exports |
| ESM/CJS hybrid | ✅ Full | Mixed syntax in same repo |
What coderot requires to run
| Requirement | Version | Notes |
|---|---|---|
| Node.js | ≥ 20.0.0 | Node 18 is EOL since April 2025 |
| Git | any | Optional — if unavailable, churn scores default to 0 |
| TypeScript compiler | not required | AST-only analysis — no tsc or tsconfig needed |
| ESLint | not required | Works alongside ESLint, not instead of it |
Security
coderot passed a full OWASP security audit and has been hardened accordingly:
- Runs 100% locally — no data ever leaves your machine
- Zero network calls — no telemetry, no analytics, no outbound connections
- 0 npm vulnerabilities — `npm audit` returns clean
- All CLI arguments are validated and sanitized before reaching any processing code
- File scanning guards against path traversal, binary files, and symlinks escaping the workspace
- The VS Code extension uses `execFile` (never `exec`) — shell injection is structurally impossible
- `ignore-scripts=true` in `.npmrc` — malicious postinstall scripts from dependencies cannot run
Because no data ever leaves the machine, coderot is straightforward to use in environments with strict data privacy requirements — including teams subject to GDPR.
See SECURITY.md for the full security model and vulnerability reporting policy.
In April 2026, coderot underwent a full package contents audit. Findings resolved: accidental developer config excluded from npm package, absolute local paths removed from shipped artifacts, unused 30MB native dependency removed, VS Code extension source map exposure fixed.
In April 2026, coderot underwent a full supply chain audit. All production dependencies were verified against known CVE databases, confirmed free of typosquatting, and checked for actual usage in the shipped package. Result: 0 vulnerabilities, no unused dependencies, no suspicious patterns in compiled output.
Proof Points
- All 38 rules in the Analysis Rules table are implemented in `src/analyzers/static-analyzer.ts` and covered by tests in `src/__tests__/static-analyzer.test.ts`.
- HTML, SARIF, and PR comment reporters each have dedicated test files: html-reporter.test.ts (7 tests), sarif-reporter.test.ts (16 tests), pr-comment-reporter.test.ts (14 tests).
- Monorepo support (`--aggregate`) is shipped and tested in `src/__tests__/monorepo.test.ts`.
- Baseline tracking (`--baseline`, `--fail-on-regression`) is shipped and tested in `src/__tests__/baseline.test.ts` — 12 dedicated tests.
- GitLab CI compatibility is documented — SARIF output works with GitLab Security Dashboard `sast` artifacts out of the box.
- The public changelog records every shipped surface from v1.0.0 through v1.9.4 — see `CHANGELOG.md`.
- The full evidence trail lives in `docs/shipped.md`, which separates repo-backed proof from planned features.
- The complete rule reference with AST implementation details lives in `docs/rules-reference.md`.
- A full analysis demo lives in `examples/demo/`.
- A package contents security audit was completed in April 2026 — all CRITICAL and HIGH findings resolved. See `SECURITY.md`.
Integration guides
- Turborepo — aggregate analysis across Turborepo packages
- Nx — executor target setup for Nx workspaces
- Next.js — pages, API routes, and component analysis
- Node.js — backend error handling, secrets, and async safety
- React — bundle size, null safety, and type contracts
Roadmap
The following features are planned or under active consideration. Open an issue to discuss prioritization.
- Approval workflows — structured sign-off for tech debt items: engineers flag a file for deferral, leads approve or escalate, decision is recorded in `.coderot/decisions.json` and surfaced in CI
- Custom scoring weights — override factor weights (dependents, churn, complexity) per project in `.coderotrc.json` to match your team's risk model
- Rule authoring API — define custom analysis rules as plugins without forking the engine; rules expose the same severity and recipe interface as built-ins
- Team digest — weekly Slack or email summary of score deltas for engineering leads, with breakdown by package and author
Plans
coderot is free and open source. Every feature — the CLI, all 38 analysis rules, every output format, CI integration, monorepo support, and the VS Code Extension — is available with no account, no paywall, and no usage cap.
The Classic, Pro, and Enterprise tiers on the coderot website describe increasing levels of adoption complexity and organizational workflow integration, not increasing access to the engine itself. A solo engineer and an enterprise team have access to the same analysis capabilities.
Pro is a direct collaboration channel for teams that want guided rollout, shared configuration, and early access to governance features as they ship. Enterprise adds approval workflows, org-wide policy enforcement, and compliance infrastructure for regulated organizations.
See plans page for full details.
Contributing
See CONTRIBUTING.md for guidelines on forking, branch naming, commit format, and opening pull requests.
- 322 tests passing across impact scoring, static analysis, HTML reporter, SARIF, baseline, config, history, monorepo, input validation, and coverage reporting — run with `npm test`
- Cross-platform verified — all filesystem operations use `path.sep`/`path.join()` with no hardcoded separators, confirmed on macOS, Linux, and Windows
- Rollback plan documented — procedures for deprecating a broken npm version, publishing a hotfix, emergency unpublish, and VS Code Marketplace rollback are in CONTRIBUTING.md § Rollback Plan
License
MIT © coderot
