ndcorder/aicodeaudit

aicodeaudit

A pre-commit hook that flags common antipatterns in AI-generated code.

84% of developers now use AI coding assistants, and multiple reports document critical vulnerabilities in code generated by Copilot, Cursor, and Amazon Q. aicodeaudit catches the patterns these tools get wrong — hallucinated imports, insecure defaults, missing error handling, deprecated APIs, and placeholder content left behind.

Installation

pip install aicodeaudit

Quick Start

# Scan the current directory
aicodeaudit check .

# Scan specific files
aicodeaudit check app.py views.py

# Filter by confidence level
aicodeaudit check . --min-confidence medium

# Output as JSON
aicodeaudit check . --format json

# Output as SARIF (for GitHub Code Scanning)
aicodeaudit check . --format sarif

What It Catches

Hallucinated Imports (ACA4xx)

Flags import statements for packages that don't exist on PyPI or in the stdlib.

import flask_caching_plus  # ACA401: not a real package

Insecure Defaults (ACA0xx)

Flags verify=False, debug=True, hardcoded SECRET_KEY, and other unsafe patterns.

requests.get(url, verify=False)       # ACA001: insecure default
SECRET_KEY = "my-secret-key"          # ACA002: hardcoded secret
DEBUG = True                          # ACA003: debug enabled
ALLOWED_HOSTS = ["*"]                 # ACA004: wildcard hosts

Missing Error Handling (ACA2xx)

Detects HTTP calls without try/except and open() without with.

response = requests.get(url)          # ACA201: no error handling
f = open("data.txt")                  # ACA202: no context manager

Deprecated APIs (ACA3xx)

Catches deprecated stdlib and library APIs that LLMs suggest from stale training data.

import imp                            # ACA302: deprecated module
os.popen("ls")                        # ACA301: use subprocess.run()
datetime.utcnow()                     # ACA301: use datetime.now(tz=UTC)

Placeholder Detection (ACA1xx)

Finds TODO/FIXME comments, placeholder URLs, and dummy credentials.

url = "https://example.com/api"       # ACA102: placeholder URL
password = "password123"              # ACA103: dummy credential
# TODO: implement this                # ACA101: TODO comment
api_key = "your_api_key"             # ACA104: placeholder value
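
As an added illustration, not the project's own code, of how an AST-based check for a few of the patterns above can work: it flags ACA001, ACA002, ACA003 and ACA202 in a constructed sample. The SECRET_NAMES set and the message strings are assumptions.

```python
import ast
# Constructed sample input containing several of the antipatterns listed above.
SAMPLE = '''\
import requests
SECRET_KEY = "my-secret-key"
DEBUG = True
resp = requests.get("https://api.example.com", verify=False)
f = open("data.txt")
with open("other.txt") as g:
    data = g.read()
'''

SECRET_NAMES = {"SECRET_KEY", "PASSWORD", "API_KEY"}  # assumed list, not the project's own

class AuditVisitor(ast.NodeVisitor):
    def __init__(self):
        self.findings = []     # (code, line, message) tuples
        self._managed = set()  # ids of call nodes used as with-items; open() there is fine

    def visit_Assign(self, node):
        if isinstance(node.value, ast.Constant):
            value = node.value.value
            for target in (t for t in node.targets if isinstance(t, ast.Name)):
                if target.id.upper() in SECRET_NAMES and isinstance(value, str) and value:
                    self.findings.append(("ACA002", node.lineno, "hardcoded secret"))
                if target.id == "DEBUG" and value is True:
                    self.findings.append(("ACA003", node.lineno, "debug enabled"))
        self.generic_visit(node)

    def visit_With(self, node):
        for item in node.items:
            self._managed.add(id(item.context_expr))
        self.generic_visit(node)

    def visit_Call(self, node):
        for kw in node.keywords:
            if kw.arg == "verify" and isinstance(kw.value, ast.Constant) and kw.value.value is False:
                self.findings.append(("ACA001", node.lineno, "verify=False disables TLS checks"))
        if isinstance(node.func, ast.Name) and node.func.id == "open" and id(node) not in self._managed:
            self.findings.append(("ACA202", node.lineno, "open() without context manager"))
        self.generic_visit(node)

def audit_source(source):
    """Parse Python source text and return findings sorted by line number."""
    visitor = AuditVisitor()
    visitor.visit(ast.parse(source))
    return sorted(visitor.findings, key=lambda f: f[1])

if __name__ == "__main__":
    print(*audit_source(SAMPLE), sep="\n")
```

This sketch walks a single file's text and omits the confidence levels and PyPI index lookup the real tool adds.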

Pre-commit Integration

Add to your .pre-commit-config.yaml:

repos:
  - repo: https://github.com/your-username/aicodeaudit
    rev: v0.1.0
    hooks:
      - id: aicodeaudit

CLI Reference

aicodeaudit check

Usage: aicodeaudit check [OPTIONS] PATHS...

  Scan Python files for AI-generated code antipatterns.

Options:
  -f, --format [text|json|sarif]     Output format (default: text)
  -c, --min-confidence [low|medium|high]
                                     Minimum confidence level (default: low)

Exit code 0 = no issues found. Exit code 1 = issues found.

aicodeaudit update-index

Usage: aicodeaudit update-index

  Refresh the local PyPI package index for hallucinated import detection.

Downloads the full PyPI package list for more accurate hallucinated import detection. Without this, a built-in list of ~200 popular packages is used.

Confidence Levels

Each finding includes a confidence level:

Level    Meaning
high     Very likely a real issue (e.g., verify=False, hardcoded secrets)
medium   Probable issue worth reviewing (e.g., TODO comments, bare HTTP calls)
low      Possible false positive (e.g., unknown import that might be a private package)

Use --min-confidence medium to reduce noise.

Output Formats

  • text (default): Rich-formatted table in the terminal
  • json: Machine-readable JSON with all diagnostic details
  • sarif: SARIF 2.1.0 for GitHub Code Scanning integration

Contributing

  1. Clone the repo and install dev dependencies:
    uv sync
  2. Run tests:
    uv run pytest
  3. Run linter:
    uv run ruff check .

License

MIT
