TheAuditor: How I Built a SAST Tool for AI-Generated Code (Currently on HN Front Page) tags: security, ai, opensource, python

TheAuditorTool — Mon, 08 Sep 2025 08:57:24 +0000

Just hit the HackerNews front page with my security auditing tool, and I wanted to share it with the dev.to
community since you folks appreciate technical deep-dives.

## The Problem I Solved

After 3 months of using AI assistants to code (I'm not a developer by trade), I noticed a pattern: AI writes
code that "works" but is riddled with security vulnerabilities and inconsistencies. Why? Because AI loses
context. It can't see your entire codebase at once, so it makes different security decisions in different
files.

## Real-World Impact

My first external user just ran TheAuditor on their production betting site. The results?

204 SQL injection vulnerabilities (all from AI using f-strings)
185 total critical security issues
All from following AI suggestions without proper auditing

## How It Works

Instead of trying to make AI "smarter," TheAuditor accepts that AI will write flawed code and provides ground
truth about those flaws:

Indexes your entire codebase into a SQLite database
Runs 14-phase analysis pipeline including taint analysis, pattern detection, and correlation
Outputs AI-readable chunks (56KB max) that fit in LLM context windows
Reports facts, not opinions - "Line 47 has hardcoded JWT secret" not "this might be bad"

## The Architecture

Dual-environment design: TheAuditor itself + sandboxed analysis environment
Language support: Python and JavaScript/TypeScript (more coming)
100+ security patterns from OWASP Top 10
Taint flow analysis: Tracks data from sources (user input) to sinks (database/response)
Framework detection: Applies Django/Flask/React/Vue specific rules

## Key Innovation

The tool outputs findings in .pf/readthis/ as JSON chunks specifically formatted for LLM consumption. This
means AI assistants can read the full security audit and fix their own mistakes - creating a self-correcting
loop.

## Try It


bash
  pip install -e git+https://github.com/TheAuditorTool/Auditor.git#egg=theauditor
  cd your-project
  aud init
  aud full

  Check .pf/readthis/ for the AI-readable security report.

  HackerNews Discussion

  Currently on the front page if you want to join the discussion:
  https://news.ycombinator.com/item?id=42335428

  Would love to hear about the security issues you're seeing in AI-generated code. What patterns should I add to
   the detection engine?

Built a Python SAST tool using only AI - I can't even read the code (250hrs in 30 days)

TheAuditorTool — Sun, 07 Sep 2025 14:54:10 +0000

I haven't written a single line of code myself. Can't even read Python. Not exaggerating - I'm a 25-year infrastructure architect (Cisco/VMware/Microsoft certs) who's never learned to code.

Used Claude to build TheAuditor because I couldn't verify if the code it was writing was secure. 250+ hours of prompting in 30 days. The irony: I built a tool to detect AI's security failures... using AI. It's a legitimate SAST tool with taint analysis, dependency graphs, 100+ security patterns. Works offline, outputs AI-consumable chunks so the AI can fix its own bugs.

https://github.com/TheAuditorTool/Auditor/

Yes, I know it's probably over-engineered. No, I can't fix it myself because I literally can't read code. Take it or leave it.

DEV Community: TheAuditorTool

TheAuditor: How I Built a SAST Tool for AI-Generated Code (Currently on HN Front Page) tags: security, ai, opensource, python

Built a Python SAST tool using only AI - I can't even read the code (250hrs in 30 days)