Show HN: Prodlint – Static analysis for the bugs AI coding tools write
(github.com)

I use Cursor and Claude Code daily. The code they write compiles, passes typescript, passes eslint. Then I find a hardcoded Supabase key in a client component, or an import for a package that was never installed, or a server action that takes raw formData with zero validation.
These aren't edge cases. I kept hitting the same patterns across projects so I started cataloging them. That turned into prodlint -- 52 static analysis rules targeting the specific bugs AI coding tools consistently produce.
Some examples of what it catches: hallucinated-imports flags import statements for packages not in your package.json (the AI invented them). supabase-missing-rls catches CREATE TABLE in migrations without Row Level Security enabled. env-fallback-secret finds process.env.SECRET || "sk_live_abc123" patterns where the AI helpfully provides a fallback for your API key.
It's all local static analysis, no AI in the tool itself. Babel AST for 12 rules, regex for the rest. Scans ~150 files in under 100ms.
npx prodlint
No config, no account, no install needed. MIT licensed. Interested in what patterns other people are seeing that I should add rules for.
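The three rules named above (hallucinated-imports, env-fallback-secret, supabase-missing-rls), sketched as a small regex-based scanner. This is an added example and not prodlint's own code; the real rules' logic is not on the page, so the heuristics here (the list of Node built-ins, the "secret-looking" variable names, the CREATE TABLE / ENABLE ROW LEVEL SECURITY matching) are assumptions, and the sample source, package.json and migration are constructed for the example.

```javascript
// Added example, not prodlint's own code: simplified regex-based versions of the
// three rules the post describes. Everything here is an assumption about how such
// checks work, written to run with plain Node and no dependencies.

// Node built-ins are not npm packages, so a bare import of them is never "hallucinated".
const NODE_BUILTINS = new Set(['fs', 'path', 'crypto', 'http', 'https', 'os', 'url',
  'util', 'events', 'stream', 'buffer', 'child_process']);

// Reduce an import specifier to the name that would appear in package.json
// ('@scope/pkg/sub' -> '@scope/pkg'); null for relative paths and built-ins.
function packageName(spec) {
  if (spec.startsWith('.') || spec.startsWith('/') || spec.startsWith('node:')) return null;
  const parts = spec.split('/');
  const name = spec.startsWith('@') ? parts.slice(0, 2).join('/') : parts[0];
  return NODE_BUILTINS.has(name) ? null : name;
}

// hallucinated-imports: every bare import/require must be declared in package.json.
function hallucinatedImports(source, packageJson) {
  const declared = new Set([
    ...Object.keys(packageJson.dependencies || {}),
    ...Object.keys(packageJson.devDependencies || {}),
  ]);
  // Matches `import x from 'pkg'`, `import 'pkg'` and `require('pkg')`.
  const re = /\bimport\s+(?:[^'"]*?\s+from\s+)?['"]([^'"]+)['"]|\brequire\s*\(\s*['"]([^'"]+)['"]/g;
  const findings = [];
  for (const m of source.matchAll(re)) {
    const name = packageName(m[1] || m[2]);
    if (name && !declared.has(name) && !findings.includes(name)) findings.push(name);
  }
  return findings;
}

// env-fallback-secret: process.env.X || "literal" (or ??) where X looks like a
// credential. A fallback for AWS_REGION is harmless; a fallback for STRIPE_KEY ships a key.
const SECRET_NAME = /SECRET|KEY|TOKEN|PASSWORD|PASSWD|PRIVATE/i; // assumed heuristic
function envFallbackSecret(source) {
  const re = /process\.env\.([A-Za-z_]\w*)\s*(?:\|\||\?\?)\s*(['"`])([^'"`]*)\2/g;
  const findings = [];
  for (const m of source.matchAll(re)) {
    const [, name, , fallback] = m;
    if (fallback.length > 0 && SECRET_NAME.test(name)) findings.push({ name, fallback });
  }
  return findings;
}

// supabase-missing-rls: every table created in a migration needs a matching
// ALTER TABLE ... ENABLE ROW LEVEL SECURITY, or it is readable through the public API.
function supabaseMissingRls(sql) {
  const norm = sql.replace(/--[^\n]*/g, '').replace(/"/g, ''); // drop comments and identifier quotes
  const bare = (t) => t.toLowerCase().replace(/^public\./, '');
  const created = [...norm.matchAll(/create\s+table\s+(?:if\s+not\s+exists\s+)?([\w.]+)/gi)]
    .map((m) => bare(m[1]));
  const enabled = new Set(
    [...norm.matchAll(/alter\s+table\s+(?:only\s+)?([\w.]+)\s+enable\s+row\s+level\s+security/gi)]
      .map((m) => bare(m[1])));
  return created.filter((t) => !enabled.has(t));
}

// Run all three rules over a project snapshot and return a flat list of findings.
function scan({ source, packageJson, migrationSql }) {
  return [
    ...hallucinatedImports(source, packageJson).map((p) => ({ rule: 'hallucinated-imports', detail: p })),
    ...envFallbackSecret(source).map((f) => ({ rule: 'env-fallback-secret', detail: `${f.name} falls back to "${f.fallback}"` })),
    ...supabaseMissingRls(migrationSql).map((t) => ({ rule: 'supabase-missing-rls', detail: t })),
  ];
}

// Constructed sample project: two invented packages, one key fallback, one table without RLS.
const SAMPLE = {
  packageJson: { dependencies: { '@supabase/supabase-js': '^2', stripe: '^14' } },
  source: `
import { createClient } from '@supabase/supabase-js';
import fetchRetry from 'fetch-retry-ai';
import path from 'node:path';
import { helper } from './lib/helper';
const z = require('zod');
const stripe = require('stripe')(process.env.STRIPE_KEY || "sk_live_abc123");
const dbUrl = process.env.DATABASE_URL ?? 'postgres://localhost/dev';
const region = process.env.AWS_REGION || 'us-east-1';
`,
  migrationSql: `
-- constructed migration
create table public.profiles (id uuid primary key, email text);
alter table public.profiles enable row level security;
CREATE TABLE IF NOT EXISTS "orders" (id bigint primary key, user_id uuid);
`,
};

console.log(JSON.stringify(scan(SAMPLE), null, 2));
```

On the sample this reports the two undeclared packages (`fetch-retry-ai`, `zod`), the `STRIPE_KEY` fallback, and the `orders` table; `DATABASE_URL` and `AWS_REGION` are left alone because the rule keys on credential-looking names rather than on every `||` fallback, which is the kind of precision/noise trade-off each of these rules has to make.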
Have you tried raptor? (https://github.com/gadievron/raptor)
Haven't used it but just checked it out — interesting project. Different goals though.
Raptor configures Claude Code as a security agent for active pentesting and adversarial research. It's an LLM doing dynamic security analysis.
Prodlint is the opposite direction with deterministic static analysis, no LLM in the loop. 52 rules that check for the structural patterns AI coding tools consistently get wrong (leaked secrets, missing rate limiting, hallucinated imports, etc.). Same result every time, under 100ms, works offline.