I scanned two popular open-source repos with an AI code scanner. Here's what I found.

Rohit Sriram — Mon, 18 May 2026 22:47:30 +0000

I've been building Faultmark, an AI code scanner that uses a multi-model
debate to verify bugs before showing them to you. One AI finds candidates,
a second challenges each finding, a third breaks ties. Nothing gets surfaced
unless it survives that process.

I ran it on two real codebases as a test.

dub.co (20k GitHub stars) — 6 confirmed bugs, 0 false positives

The two most interesting findings:

Missing await on sendEmail calls in the CSV import flow. Both sends fire and forget,
so errors are silently swallowed and users may never receive import confirmation emails.
Logic inversion in GET /api/customers. Any caller passing an explicit programId
has it silently overwritten with the workspace default. Every filtered customer
query is broken.

documenso (8k GitHub stars) — 24 confirmed bugs, 0 false positives

The most critical ones:

handleInitialsFieldClick always returns null. The user types their initials,
the dialog stores the input, but the return statement sends the original null
value instead of what the user typed. Initials are never actually saved.
removeValue crashes when removing the last dropdown option. After splice(index, 1),
the code reads newValues[index] which is now undefined. Runtime crash.
Two progress bars divide by zero when a recipient has zero required fields,
producing width: 'Infinity%' and breaking rendering.

All findings were filed as GitHub issues with the maintainers before this post.

The tool is at faultmark.com if you want to run it on your own repo.

DEV Community: Rohit Sriram

I scanned two popular open-source repos with an AI code scanner. Here's what I found.