ast-grep-code-analysis
Use when analyzing complex codebases for security vulnerabilities, performance issues, and structural patterns - provides systematic AST-based approach using ast-grep for comprehensive code understanding beyond manual inspection
$ インストール
git clone https://github.com/zenobi-us/dotfiles /tmp/dotfiles && cp -r /tmp/dotfiles/ai/files/skills/superpowers/ast-grep-code-analysis ~/.claude/skills/dotfiles// tip: Run this command in your terminal to install the skill
SKILL.md
name: ast-grep-code-analysis description: Use when analyzing complex codebases for security vulnerabilities, performance issues, and structural patterns - provides systematic AST-based approach using ast-grep for comprehensive code understanding beyond manual inspection
AST-Grep Code Analysis
[!NOTE] This skill requires that
as-grepis installed and configured in your development environment. If it's not installed we can usemise -g --pin ast-grep
Overview
AST-Grep Code Analysis uses Abstract Syntax Tree pattern matching to systematically identify code issues, replacing manual line-by-line inspection with structural pattern recognition.
Core principle: Code structure reveals more than surface reading - AST patterns expose hidden relationships, security vulnerabilities, and architectural issues that manual inspection misses.
When to Use
digraph when_to_use {
"Need to analyze code?" [shape=diamond];
"Complex/nested structure?" [shape=diamond];
"Security review needed?" [shape=diamond];
"Performance analysis?" [shape=diamond];
"Use ast-grep patterns" [shape=box];
"Manual review sufficient" [shape=box];
"Need to analyze code?" -> "Complex/nested structure?" [label="yes"];
"Complex/nested structure?" -> "Security review needed?" [label="yes"];
"Security review needed?" -> "Performance analysis?" [label="yes"];
"Performance analysis?" -> "Use ast-grep patterns" [label="yes"];
"Complex/nested structure?" -> "Manual review sufficient" [label="no"];
"Security review needed?" -> "Manual review sufficient" [label="no"];
"Performance analysis?" -> "Manual review sufficient" [label="no"];
}
Use when:
- Code has nested functions, complex control flow, or multiple abstraction layers
- Security review required (authentication, authorization, data handling)
- Performance analysis needed (React hooks, loops, async patterns)
- Large codebase where manual inspection is impractical
- Need to identify patterns across multiple files
- Time pressure requires systematic approach over ad-hoc analysis
Do NOT use when:
- Simple, straightforward code (< 50 lines)
- Single-file utilities with obvious structure
- When quick glance is sufficient for the task
Core Pattern
Before (Manual Inspection):
// Agent manually reads line by line
if (data[i].admin) {
userObj.token = generateToken(data[i].id); // "This looks insecure"
}
After (AST Pattern Matching):
# ast-grep rule: insecure-token-generation
rule:
pattern: |
function $FUNC($ARGS) {
const secret = $SECRET;
return btoa(JSON.stringify($PAYLOAD) + '.' + $SECRET);
}
meta:
severity: ERROR
message: "Hardcoded secret in token generation"
Quick Reference
| Analysis Type | AST Pattern Focus | Common Issues Found |
|---|---|---|
| Security | String literals in crypto functions | Hardcoded secrets, weak encryption |
| Performance | React hooks dependencies | Infinite re-renders, memory leaks |
| Structure | Function nesting depth | Complex control flow, maintainability |
| Data Flow | Variable assignments and usage | Unused variables, implicit dependencies |
Implementation
Installation and Setup
# Install ast-grep
npm install -g @ast-grep/cli
# Initialize configuration
ast-grep init
# Create rules directory
mkdir -p sg-rules/security sg-rules/performance sg-rules/structure
Essential Security Patterns
Hardcoded Secrets Detection:
# sg-rules/security/hardcoded-secrets.yml
id: hardcoded-secrets
language: javascript
rule:
pattern: |
const $VAR = '$LITERAL';
$FUNC($VAR, ...)
meta:
severity: ERROR
message: "Potential hardcoded secret detected"
Insecure Token Generation:
# sg-rules/security/insecure-tokens.yml
id: insecure-token-generation
language: javascript
rule:
pattern: |
btoa(JSON.stringify($OBJ) + '.' + $SECRET)
meta:
severity: ERROR
message: "Insecure token generation using base64"
Performance Pattern Detection
React Hook Dependencies:
# sg-rules/performance/react-hook-deps.yml
id: react-hook-dependency-array
language: typescript
rule:
pattern: |
useEffect(() => {
$BODY
}, [$FUNC])
meta:
severity: WARNING
message: "Function dependency in useEffect may cause infinite re-renders"
Missing useCallback Optimization:
# sg-rules/performance/missing-use-callback.yml
id: missing-use-callback
language: typescript
rule:
pattern: |
const $FUNC = ($ARGS) => {
$BODY
};
inside:
kind: function_declaration
has:
kind: arrow_function
meta:
severity: INFO
message: "Consider wrapping function in useCallback for optimization"
Structural Analysis Patterns
Deep Nesting Detection:
# sg-rules/structure/deep-nesting.yml
id: deep-nesting
language: javascript
rule:
any:
- pattern: |
if ($COND1) {
if ($COND2) {
if ($COND3) {
$BODY
}
}
}
- pattern: |
for ($INIT) {
for ($INIT2) {
for ($INIT3) {
$BODY
}
}
}
meta:
severity: WARNING
message: "Deep nesting detected - consider refactoring"
Running Analysis
# Run all security rules
ast-grep run -r sg-rules/security/
# Run performance analysis on React components
ast-grep run -r sg-rules/performance/ --include="*.tsx,*.jsx"
# Generate comprehensive report
ast-grep run -r sg-rules/ --format=json > analysis-report.json
# Interactive analysis
ast-grep run -r sg-rules/ --interactive
Common Mistakes
| Mistake | Why It Happens | Fix |
|---|---|---|
| Too generic patterns | Trying to catch everything | Focus on specific, high-impact patterns |
| Missing context | Patterns don't consider surrounding code | Use inside and has constraints |
| False positives | Overly broad matching | Add negative constraints with not |
| Language-specific assumptions | JavaScript patterns applied to TypeScript | Create separate rules per language |
| No severity prioritization | All issues marked as error | Use appropriate severity levels |
Real-World Impact
Before AST Analysis:
- Manual code review: 2-3 hours for medium codebase
- Missed security vulnerabilities: 40-60%
- Inconsistent analysis between reviewers
- No systematic approach to pattern detection
After AST Analysis:
- Automated pattern detection: 5-10 minutes
- Security vulnerability detection: 90%+
- Consistent, repeatable analysis
- Comprehensive coverage of known anti-patterns
Example Results:
$ ast-grep run -r sg-rules/
src/components/UserProfile.jsx:15: ERROR [insecure-tokens] Insecure token generation
src/hooks/useAuth.js:8: ERROR [hardcoded-secrets] Potential hardcoded secret
src/components/UserProfile.jsx:23: WARNING [react-hook-deps] Function dependency may cause re-renders
src/utils/processData.js:45: WARNING [deep-nesting] Deep nesting detected
Found 4 issues (2 errors, 2 warnings)
Integration Workflow
- Setup: Create rule sets for security, performance, structure
- Baseline: Run analysis on existing codebase to establish patterns
- Iterate: Refine rules based on false positives/negatives
- Automate: Integrate into CI/CD pipeline for continuous analysis
- Monitor: Track issue reduction over time
Required Background: Understanding of AST concepts, pattern matching, and code structure analysis. AST patterns reveal what manual inspection misses - systematic, comprehensive, and repeatable code analysis.
Repository
zenobi-us
Author
zenobi-us/dotfiles/ai/files/skills/superpowers/ast-grep-code-analysis
21
Stars
4
Forks
Updated5d ago
Added1w ago