« All posts

hallint: An Open-Source Linter Built to Catch AI-Generated Security Bugs

hallint is a free open-source linter that detects security bugs AI assistants like Copilot and ChatGPT commonly write, from SQL injection to hardcoded secrets.

After extensive use of AI coding assistants like Copilot, Claude, and ChatGPT, one developer noticed these tools consistently introduce a distinct class of security bugs that standard linters never catch: hardcoded API keys, string-interpolated SQL queries, route handlers missing auth middleware, wide-open CORS configs, and unsanitized innerHTML assignments. Traditional tools like ESLint were built around common human mistakes, not around what AI models confidently get wrong.

To address this, the developer built hallint, an MIT-licensed open-source static analysis tool with a three-layer detection approach: fast regex matching for known bad patterns, AST-based structural analysis, and an optional LLM review layer (via Ollama or another provider) for deeper semantic checks like logically flawed auth flows. It currently ships eight rules spanning critical issues such as hardcoded secrets and SQL injection down to medium-severity concerns like missing error handling and non-HTTPS URLs.

hallint works both as a CLI tool runnable via npx and as an npm library, and it exits with code 1 on high or critical findings, making it a natural fit for CI pipelines like GitHub Actions or pre-commit hooks. The project is open to community contributions, with each rule kept intentionally small (~30 lines plus fixtures) to lower the barrier for adding new AI-specific patterns. The effort reflects a broader point: as AI-assisted coding becomes standard, code-quality tooling needs to evolve around the specific failure modes models introduce, not just the ones humans have always made.