oauthlint
v0.5.0
Catch the OAuth/OIDC/JWT anti-patterns AI coding tools systematically produce. CLI wrapper around the oauthlint-rules Semgrep rule pack.
oauthlint
Catch the OAuth / OIDC / JWT / session / CORS anti-patterns AI coding tools systematically produce.
A curated, multi-language Semgrep rule pack · JS/TS · Python · Go · Java · Rust · CLI + GitHub Action + VS Code · free & MIT
npx oauthlint scan ./src
Requires Semgrep on the machine running the scan (pipx install semgrep or brew install semgrep). The CLI invokes it under the hood and normalises the output for humans and CI.
📖 Full docs & rule catalogue → oauthlint.dev/docs · 🔬 the research behind it → oauthlint.dev/research
Quick start
# one-shot scan, no install
npx oauthlint scan ./src
# fail CI on HIGH severity and above
npx oauthlint scan ./src --fail-on HIGH
# GitHub Code Scanning (SARIF) or a shareable HTML audit report
npx oauthlint scan ./src --format sarif > oauthlint.sarif
npx oauthlint scan ./src --format html > report.html
Scan only what changed for fast pre-commit hooks and editors with --diff / --staged, or adopt on a large repo with a baseline (oauthlint baseline ./src, then scan --baseline) so you're alerted on new findings only. Other commands: list, init, doctor. Run oauthlint --help or see the full CLI reference.
What it catches
LLM coding assistants — Cursor, Claude, Copilot, Gemini — ship the same auth bugs across every project: a JWT accepted with alg: none, a hard-coded client_secret, an OAuth flow with no state/PKCE, a token in localStorage, a * wildcard redirect_uri, an unrate-limited /login, a plaintext password, Math.random() for a CSRF token.
- 100+ rules across JS/TS · Python · Go · Java · Rust, each mapped to CWE/OWASP with a fix page — a lesson, not a grep hit.
- Dataflow (taint) analysis — beyond pattern-matching, the pack traces untrusted input through to dangerous sinks to catch open-redirect and SSRF.
- HTML report — scan --format html renders a self-contained, offline, no-JavaScript audit you can email or attach to a PR.
- Plus SARIF for Code Scanning, --fix for safe auto-fixes, incremental --diff / --staged, and a baseline for existing codebases.
👉 Browse the always-current catalogue at oauthlint.dev/rules.
Use directly with Semgrep — no install
Already have Semgrep? Run the full pack with one command, no config file:
semgrep --config https://oauthlint.dev/r/oauthlint.yaml ./src
Per-language bundles exist too (oauthlint-python.yaml, oauthlint-go.yaml, …). That URL is always the latest pack; for a pinned ruleset in CI, use this CLI (npx oauthlint@<version> scan) or vendor oauthlint-rules. See the Semgrep docs.
Why oauthlint, and not just Semgrep?
Honest answer: nothing stops you writing these rules yourself — Semgrep is open source and it's the engine we run. There's no technical moat. What oauthlint gives you is the work most people never do:
- Low false positives, validated against real auth libraries — jose, NextAuth, PyJWT, Authlib, golang/oauth2, oauth2-rs, Spring Security and more. Anything that fires on mature library source goes to a triage queue, not to you (validation report).
- One coherent product across every language — same concepts, same ID scheme, same docs; not a patchwork of community rules.
- The angle the registry doesn't have — it targets the auth bugs AI tools ship on repeat, encoded in each rule's llm-prevalence metadata and measured by a reproducible benchmark (the research).
Use oauthlint when you'd rather not write and maintain an auth rule pack yourself. That's the whole pitch.
Also available
- GitHub Action — Auspeo/oauthlint/action@v1, Docker-based (any language), with inline PR annotations + a job summary. Docs.
- VS Code / Cursor / Windsurf — oauthlint on the VS Code Marketplace and OpenVSX: inline diagnostics on save, a status-bar finding count, and Quick Fix suppressions.
