{"slug": "show-hn-hallint-lint-ai-generated-code-for-security-issues", "title": "Show HN: Hallint – lint AI-generated code for security issues", "summary": "Async Innovator released Hallint, a static analysis tool that lints AI-generated code for security vulnerabilities such as hardcoded secrets, SQL injection, and missing authentication. The tool, available via npm, aims to catch common bugs introduced by AI coding assistants before code reaches production.", "body_md": "\n\n```\n██╗  ██╗ █████╗ ██╗     ██╗     ██╗███╗   ██╗████████╗\n██║  ██║██╔══██╗██║     ██║     ██║████╗  ██║╚══██╔══╝\n███████║███████║██║     ██║     ██║██╔██╗ ██║   ██║   \n██╔══██║██╔══██║██║     ██║     ██║██║╚██╗██║   ██║   \n██║  ██║██║  ██║███████╗███████╗██║██║ ╚████║   ██║   \n╚═╝  ╚═╝╚═╝  ╚═╝╚══════╝╚══════╝╚═╝╚═╝  ╚═══╝   ╚═╝\n```\n\n**Static analysis for AI-generated code.**\nCatch the security holes Artificial Intelligence leave behind — before they reach production.\n\nAI coding assistants (Copilot, Cursor, etc.) are fast, but they consistently introduce the same classes of bugs: hardcoded secrets, SQL injection, missing auth, unsafe eval. hallint catches them.\n\n```\nnpm install @asyncinnovator/hallint\n```\n\nOr run without installing:\n\n```\nnpx @asyncinnovator/hallint-cli ./src\n```\n\n**Requirements:** Node.js >= 18\n\n```\nnpx @asyncinnovator/hallint-cli ./src\nnpx @asyncinnovator/hallint-cli \"./src/**/*.ts\"\nnpx @asyncinnovator/hallint-cli ./src --min-severity high\nnpx @asyncinnovator/hallint-cli ./src --rules all\nnpx @asyncinnovator/hallint-cli ./src --no-color\n```\n\n| Option | Description | Default |\n|---|---|---|\n`--rules` |\nRule set: `recommended` or `all` |\n`recommended` |\n`--min-severity` |\nMinimum severity: `critical` `high` `medium` `low` `info` |\n`info` |\n`--no-color` |\nDisable colored output | off |\n`--help` |\nShow help | |\n`--version` |\nShow version |\n\n| Code | Meaning |\n|---|---|\n`0` |\nNo issues found |\n`1` |\nOne or more critical or high findings |\n`2` |\nUnexpected error |\n\n``` js\nimport { scan } from '@asyncinnovator/hallint'\n\nconst result = await scan({\n  files: ['./src/**/*.ts'],\n})\n\nresult.findings.forEach(f => {\n  console.log(`${f.severity} [${f.ruleId}] ${f.filePath}:${f.line}`)\n  console.log(`  ${f.message}`)\n  console.log(`  fix: ${f.fix}`)\n})\njs\nconst result = await scan({\n  files: ['./src/**/*.ts'],\n  rules: 'recommended',\n  minSeverity: 'high',\n  ignore: ['**/node_modules/**', '**/dist/**'],\n})\njs\nimport { scanSource } from '@asyncinnovator/hallint'\n\nconst source = `const apiKey = \"sk-abc123def456ghi789jk\"`\n\nconst findings = scanSource(source, 'example.ts')\n\nfindings.forEach(f => console.log(f.ruleId, f.message))\n{\n  findings: Finding[]       // all issues found\n  scannedFiles: string[]    // list of files scanned\n  durationMs: number        // time taken\n  summary: {                // count per severity\n    critical: number\n    high: number\n    medium: number\n    low: number\n    info: number\n  }\n}\n{\n  ruleId: string        // e.g. \"hardcoded-secret\"\n  severity: string      // \"critical\" | \"high\" | \"medium\" | \"low\" | \"info\"\n  message: string       // human-readable description\n  fix: string           // suggested fix\n  filePath: string      // absolute path to the file\n  line: number          // line number\n  snippet: string       // the offending line of code\n}\n```\n\n| Rule | Severity | What it catches |\n|---|---|---|\n`hardcoded-secret` |\ncritical | API keys, tokens, passwords in source code |\n`sql-injection` |\ncritical | User input interpolated into SQL queries |\n`unsafe-eval` |\ncritical | `eval()` or `new Function()` with dynamic input |\n`missing-auth-check` |\nhigh | Route handlers with no auth middleware |\n`xss-innerHTML` |\nhigh | Unsanitized strings assigned to `innerHTML` |\n`permissive-cors` |\nhigh | `cors({ origin: '*' })` in route handlers |\n`async-no-catch` |\nmedium | `async` functions with no `try/catch` or `.catch()` |\n`http-not-https` |\nmedium | Hardcoded `http://` URLs in fetch or axios calls |\n\nCreate a `hallint.config.ts`\n\nat your project root:\n\n``` python\nimport type { ScanConfig } from '@asyncinnovator/hallint'\n\nexport default {\n  rules: 'recommended',\n  minSeverity: 'medium',\n  ignore: [\n    '**/node_modules/**',\n    '**/dist/**',\n    '**/*.test.ts',\n  ],\n} satisfies Omit<ScanConfig, 'files'>\n```\n\nAdd hallint as a PR gate — it exits with code `1`\n\non any critical or high finding:\n\n```\nname: hallint\n\non:\n  push:\n    branches: [main]\n  pull_request:\n    branches: [main]\n\njobs:\n  hallint:\n    runs-on: ubuntu-latest\n    steps:\n      - uses: actions/checkout@v4\n      - uses: actions/setup-node@v4\n        with:\n          node-version: 20\n      - run: npx @asyncinnovator/hallint-cli ./src --min-severity high\n```\n\nInstall [husky](https://github.com/typicode/husky):\n\n```\nnpm install --save-dev husky\nnpx husky init\necho \"npx @asyncinnovator/hallint-cli ./src --min-severity high\" > .husky/pre-commit\n```\n\nContributions are welcome. Each rule is a single file (~30 lines) with a `bad.ts`\n\n/ `good.ts`\n\nfixture — a new rule is a good first contribution.\n\n- Fork the repo\n- Create a branch:\n`git checkout -b feat/rule-your-rule-name`\n\n- Add your rule in\n`packages/core/src/rules/index.ts`\n\n- Add fixtures in\n`packages/core/tests/fixtures/your-rule-name/`\n\n- Run tests:\n`npm test`\n\n- Open a PR\n\nIssues labeled **good first issue** are pre-scoped and ready to pick up.\n\nMIT — free to use in personal and commercial projects.", "url": "https://wpnews.pro/news/show-hn-hallint-lint-ai-generated-code-for-security-issues", "canonical_source": "https://github.com/Asyncinnovator/hallint", "published_at": "2026-07-10 12:43:06+00:00", "updated_at": "2026-07-10 13:05:31.646077+00:00", "lang": "en", "topics": ["ai-tools", "ai-safety", "developer-tools"], "entities": ["Async Innovator", "Hallint", "Copilot", "Cursor"], "alternates": {"html": "https://wpnews.pro/news/show-hn-hallint-lint-ai-generated-code-for-security-issues", "markdown": "https://wpnews.pro/news/show-hn-hallint-lint-ai-generated-code-for-security-issues.md", "text": "https://wpnews.pro/news/show-hn-hallint-lint-ai-generated-code-for-security-issues.txt", "jsonld": "https://wpnews.pro/news/show-hn-hallint-lint-ai-generated-code-for-security-issues.jsonld"}}