TheAuditorTool
# TheAuditor: How I Built a SAST Tool for AI-Generated Code (Currently on HN Front Page)

Tags: security, ai, opensource, python

Just hit the HackerNews front page with my security auditing tool, and I wanted to share it with the dev.to
community since you folks appreciate technical deep-dives.

## The Problem I Solved

After 3 months of using AI assistants to code (I'm not a developer by trade), I noticed a pattern: AI writes
code that "works" but is riddled with security vulnerabilities and inconsistencies. Why? Because AI loses
context: it can't see your entire codebase at once, so it makes different security decisions in different
files.

## Real-World Impact

My first external user just ran TheAuditor on their production betting site. The results?

  • 204 SQL injection vulnerabilities (all from AI using f-strings)
  • 185 total critical security issues
  • All from following AI suggestions without proper auditing

## How It Works

Instead of trying to make AI "smarter," TheAuditor accepts that AI will write flawed code and provides ground
truth about those flaws:

  1. Indexes your entire codebase into a SQLite database
  2. Runs a 14-phase analysis pipeline, including taint analysis, pattern detection, and correlation
  3. Outputs AI-readable chunks (56KB max) that fit in LLM context windows
  4. Reports facts, not opinions: "Line 47 has hardcoded JWT secret" rather than "this might be bad"

## The Architecture

  • Dual-environment design: TheAuditor itself + sandboxed analysis environment
  • Language support: Python and JavaScript/TypeScript (more coming)
  • 100+ security patterns from OWASP Top 10
  • Taint flow analysis: Tracks data from sources (user input) to sinks (database/response)
  • Framework detection: Applies Django/Flask/React/Vue specific rules
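To make the source-to-sink bullet concrete, here is an added example (not TheAuditor's engine) of a minimal, flow-insensitive taint tracker over a Python AST: anything derived from a Flask-style `request` object is treated as a source, assignments propagate the taint to variable names, and any `execute*()` call that receives a tainted expression is reported as a flow. The handler text in `SAMPLE`, `SOURCE_ROOT` and `SINKS` are constructed assumptions for the illustration.

```python
"""Added illustration of source-to-sink taint tracking (not TheAuditor's
engine): expressions derived from a Flask-style `request` object are the
constructed source, assignments propagate taint to variable names, and an
execute*() call that receives tainted data is a reported flow."""
import ast

SOURCE_ROOT = "request"              # assumed source object (Flask request)
SINKS = {"execute", "executemany"}   # assumed database sinks

# Constructed sample handler in the style of assistant-generated Flask code.
SAMPLE = '''
def lookup(conn):
    uid = request.args.get("id")
    query = "SELECT * FROM users WHERE id = " + uid
    conn.execute(query)                              # tainted via uid
    conn.execute("SELECT 1")                         # clean
    limit = request.args.get("n", "10")
    conn.execute(f"SELECT * FROM users LIMIT {limit}")  # tainted via f-string
'''


def _root_name(node):
    """Follow an Attribute/Call/Subscript chain down to its base Name."""
    while isinstance(node, (ast.Attribute, ast.Call, ast.Subscript)):
        node = node.func if isinstance(node, ast.Call) else node.value
    return node.id if isinstance(node, ast.Name) else None


def is_tainted(expr, tainted):
    """True if any leaf of `expr` is a source access or a tainted name."""
    for sub in ast.walk(expr):
        if isinstance(sub, ast.Name) and sub.id in tainted:
            return True
        if isinstance(sub, ast.Attribute) and _root_name(sub) == SOURCE_ROOT:
            return True
    return False


def taint_flows(source):
    """Return (line, sink) for each sink call fed by tainted data, scanning
    each function body top to bottom (single pass, no branch sensitivity)."""
    flows = []
    tree = ast.parse(source)
    for fn in (n for n in ast.walk(tree) if isinstance(n, ast.FunctionDef)):
        tainted = set()
        for stmt in fn.body:
            # Propagation: a name assigned from tainted data becomes tainted.
            if isinstance(stmt, ast.Assign) and is_tainted(stmt.value, tainted):
                tainted.update(t.id for t in stmt.targets if isinstance(t, ast.Name))
            # Sink check: any execute*() argument carrying taint is a flow.
            for call in (c for c in ast.walk(stmt) if isinstance(c, ast.Call)):
                func = call.func
                name = func.attr if isinstance(func, ast.Attribute) else None
                if name in SINKS and any(is_tainted(a, tainted) for a in call.args):
                    flows.append((call.lineno, name))
    return flows


if __name__ == "__main__":
    for line, sink in taint_flows(SAMPLE):
        print(f"line {line}: user-controlled data reaches {sink}()")
```

The tracker is deliberately conservative: it does not model sanitizers (an `int()` cast would still count as tainted) or control flow, so it over-reports rather than under-reports, which is the right default for a finding that a human or an AI assistant will then review.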

## Key Innovation

The tool outputs findings in .pf/readthis/ as JSON chunks specifically formatted for LLM consumption. This
means AI assistants can read the full security audit and fix their own mistakes, creating a self-correcting
loop.
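The f-string SQL finding from "Real-World Impact", the index/analyse/chunk pipeline from "How It Works", and the .pf/readthis/ JSON chunks described here come together in this added example, which is not TheAuditor's code: a miniature pipeline that indexes Python sources into an in-memory SQLite table, flags `execute*()` calls whose query is an f-string with interpolated values, emits fact-style findings, and packs them into JSON chunks under a byte limit. The sample file, the rule id `sql-fstring`, and all helper names are constructed for the illustration.

```python
"""Illustrative mini-pipeline, added for this post (not TheAuditor's code):
index Python files into SQLite, detect SQL built with f-strings at execute()
call sites, and emit fact-style JSON findings in bounded chunks.
Every file name, rule id and threshold below is constructed for the example."""
import ast
import json
import sqlite3

# Constructed sample: an assistant-generated DB helper, vulnerable and fixed forms.
SAMPLE_FILES = {
    "app/users.py": (
        "import sqlite3\n"
        "def get_user(conn, name):\n"
        "    cur = conn.cursor()\n"
        "    cur.execute(f\"SELECT * FROM users WHERE name = '{name}'\")\n"
        "    return cur.fetchone()\n"
        "\n"
        "def get_user_safe(conn, name):\n"
        "    cur = conn.cursor()\n"
        "    cur.execute(\"SELECT * FROM users WHERE name = ?\", (name,))\n"
        "    return cur.fetchone()\n"
    ),
}

SQL_SINKS = {"execute", "executemany", "executescript"}


def index_files(files):
    """Step 1: load sources into an in-memory SQLite index (path, source)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE files (path TEXT PRIMARY KEY, source TEXT)")
    conn.executemany("INSERT INTO files VALUES (?, ?)", files.items())
    return conn


def _is_fstring(node):
    """An f-string with at least one interpolated value."""
    return isinstance(node, ast.JoinedStr) and any(
        isinstance(v, ast.FormattedValue) for v in node.values)


def find_fstring_sql(path, source):
    """Step 2: pattern detection. Flag calls to execute*() whose first
    argument is an f-string: interpolated data becomes part of the SQL text."""
    findings = []
    for node in ast.walk(ast.parse(source, filename=path)):
        if not isinstance(node, ast.Call) or not node.args:
            continue
        func = node.func
        name = func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", None)
        if name in SQL_SINKS and _is_fstring(node.args[0]):
            findings.append({
                "rule": "sql-fstring",            # constructed rule id
                "severity": "critical",
                "file": path,
                "line": node.lineno,
                "fact": f"line {node.lineno}: {name}() receives an f-string query",
                "fix": "use a parameterized query: execute(sql, (params,))",
            })
    return findings


def scan_index(conn):
    """Run the detector over every indexed file."""
    return [f for path, src in conn.execute("SELECT path, source FROM files")
            for f in find_fstring_sql(path, src)]


def chunk_findings(findings, max_bytes=56 * 1024):
    """Step 3: serialize findings into JSON chunks no larger than max_bytes,
    so each chunk fits an LLM context window as a unit. A single finding
    larger than the limit still gets its own chunk rather than being dropped."""
    chunks, current = [], []
    for f in findings:
        candidate = current + [f]
        if current and len(json.dumps(candidate).encode()) > max_bytes:
            chunks.append(json.dumps(current))
            current = [f]
        else:
            current = candidate
    if current:
        chunks.append(json.dumps(current))
    return chunks


def run_pipeline(files=SAMPLE_FILES, max_bytes=56 * 1024):
    """Index, scan, chunk: returns (findings, json_chunks)."""
    findings = scan_index(index_files(files))
    return findings, chunk_findings(findings, max_bytes)


if __name__ == "__main__":
    found, chunks = run_pipeline()
    for f in found:
        print(f["severity"], f["file"], f["fact"])
    print(len(chunks), "chunk(s) written")
```

Only `get_user` is reported; `get_user_safe` passes a constant query with a parameter tuple, which is exactly the fix the finding's `fix` field names. The finding states a location and a fact, not a judgement, which is what lets an assistant act on it without re-deriving the context.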

## Try It

```bash
pip install -e git+https://github.com/TheAuditorTool/Auditor.git#egg=theauditor
cd your-project
aud init
aud full
```

Check .pf/readthis/ for the AI-readable security report.

## HackerNews Discussion

Currently on the front page if you want to join the discussion:
https://news.ycombinator.com/item?id=42335428

Would love to hear about the security issues you're seeing in AI-generated code. What patterns should I add to the detection engine?

Top comments (1)

TheAuditorTool

Showing integration into any AI/IDE.