« All posts

voidguard: A Static Scanner That Catches Tests That Verify Nothing

voidguard is an open-source static scanner that flags tests, type checks, and CI conditions that pass while verifying nothing.

voidguard is a new static analysis tool aimed at a specific failure mode: checks that are present, look plausible, and pass — while verifying nothing. For every guard it examines, it asks a single question: could this check, as currently configured, ever be observed to fail? — and backs each verdict with evidence.

It ships as a pip-installable CLI and as a GitHub Action that comments findings on pull requests; by default it's report-only and won't fail a build unless fail-on is explicitly enabled. The current release detects four categories of void guards: tests that never actually run, type checks that pass vacuously, configuration values that are silently discarded, and CI conditions that can never fire. Every verdict — VOID, WARN, or UNKNOWN — comes with its enumerated search set: what was checked and what was found.

The project is explicit about its limits: of seven known types of void guards, this version's static analysis only catches the shapes of four. Semantic voids, bypassed human approval steps, and anything requiring actual code execution fall outside its scope. The tool grew out of a real audit that found seven such guards in one repository within a week — including a core integrity test that had silently skipped since the project's inception.