risk-lint
v1.0.4
Published
CLI tool to detect risky AI-generated code patterns
Maintainers
Readme
risk-lint
What Is risk-lint?
risk-lint scans JavaScript and TypeScript projects for risky patterns such as
leaked secrets, debug leftovers, weak TypeScript usage, noisy comments,
oversized files, and build failures.
By default it focuses on files changed in git, so it stays fast and useful in daily development.
Quick Start
Run without installing:
npx risk-lintOr install globally:
npm install -g risk-lint
risk-lintAdd a reusable npm script to your project:
npx risk-lint init
npm run riskScan the whole project:
risk-lint --allWhy Use It?
| Signal | What it helps catch |
| --- | --- |
| High-risk secrets | API keys, tokens, and committed .env files |
| Debug leftovers | debugger and console.* calls before deploy |
| TypeScript weak spots | any usage that can hide bugs |
| Unfinished work | TODO, FIXME, and HACK comments |
| Maintainability drift | Source files growing past 500 lines |
| Build confidence | Syntax and build failures from your package scripts |
Example Output
Clean project? You get a clean result and can move on.
Checks
| Level | Check |
| --- | --- |
| High | Possible OpenAI, Google, AWS, and Telegram tokens |
| High | .env files |
| High | debugger statements |
| High | Build or syntax failures from npm run build, pnpm build, or yarn build |
| Medium | console.log, console.warn, console.error, and console.debug |
| Medium | TypeScript any annotations |
| Medium | Files over 500 lines |
| Low | TODO, FIXME, and HACK comments |
CLI Usage
# Scan changed files only
risk-lint
# Scan the entire project
risk-lint --all
# Use through npm without installing
npx risk-lint
# Add "risk": "risk-lint" to package.json scripts
npx risk-lint initIgnored Paths
risk-lint skips common generated, dependency, and build folders:
node_modules
dist
build
.next
.nuxt
.astro
.vercel
.output
coverage
.git
*.d.ts
*.min.jsCI Example
Add a script to your package.json:
{
"scripts": {
"risk": "risk-lint"
}
}Then run it in CI:
npm run riskLocal Development
npm install
npm run build
npm startRun the TypeScript source directly while developing:
npm run devScan the full project while developing:
npm run dev -- --allPublishing
Before publishing to npm:
npm install
npm run build
npm pack --dry-run
npm publishThe package publishes the compiled dist folder, this README, and the MIT
license.
Feedback
Have an idea or found a bug?
- 🐛 Open an Issue
- 💡 Start a Discussion
- ⭐ Star the project if it helps you
Contributions are always welcome.
License
MIT
