# TheAuditor: Offline-First, AI-Centric SAST & Code Intelligence Platform

## Overview

TheAuditor is a comprehensive security analysis and code intelligence platform designed to provide ground truth for both developers and AI assistants in AI-assisted development workflows. It targets issues arising from "vibe coding" by offering an automated, verifiable, data-driven approach to static application security testing (SAST).

---

## What TheAuditor Does

- **Find Security Vulnerabilities:** Detects OWASP Top 10 issues, injection attacks, authentication flaws, and framework-specific vulnerabilities.
- **Track Data Flow:** Follows untrusted data paths from sources to sinks to identify injection points.
- **Analyze Architecture:** Builds dependency graphs, detects cyclic dependencies, and measures code complexity.
- **Detect Refactoring Issues:** Finds incomplete migrations, API contract mismatches, and cross-stack inconsistencies.
- **Run Industry-Standard Tools:** Orchestrates ESLint, Ruff, MyPy, and other trusted linters.
- **Produce AI-Ready Reports:** Generates chunked, structured outputs optimized for consumption by large language models (LLMs).

Unlike traditional SAST tools, TheAuditor is built specifically for AI-assisted workflows, focusing on delivering reliable facts rather than summaries.

---

## Quick Start Guide

### Step 1: Install TheAuditor (One-Time Setup)

### Step 2: Analyze Your Project

Important directory structure:

- `~/tools/TheAuditor` - TheAuditor tool location
- `~/my-project/` - Your project directory
- `~/my-project/.auditorvenv/` - Sandbox environment created by TheAuditor
- `~/my-project/.pf/` - Results directory

---

## TheAuditor's Approach

### Philosophy

- **Orchestrates Verifiable Data:** Runs standardized linters/scanners and preserves raw outputs.
- **Built for AI Consumption:** Converts raw data into structured, digestible chunks for LLMs.
- **Focused and Extensible:** Initially supports Python and Node.js; designed to be modular for future language and framework expansion.

### Key Benefits

- **Tool Agnostic:** Works with any AI assistant or IDE.
- **AI Self-Correction:** Enables recursive AI workflows where the AI can detect and fix security issues autonomously.
- **No Human Intervention Required:** Once set up, the AI does all terminal work; developers review results.
- **Ground Truth Source:** Provides accurate, fact-based security and architecture information.

---

## Key Features

### Refactoring Detection & Analysis

- Detects incomplete refactorings using correlation rules.
- Identifies data model changes, API contract mismatches, foreign key issues, and cross-stack discrepancies.
- Custom rules can be defined in `/correlations/rules/`.

Sample commands:

### Dependency Graph Visualization

- Visualizes dependency graphs with Graphviz.
- Supports multiple views: full graph, cycles-only, hotspots, architectural layers, and impact analysis.
- Uses visual intelligence: node colors (languages), node sizes (importance), red highlights for cycles, border thickness for churn.
- Provides AI-readable SVG outputs.

Sample commands:

### Insights Analysis (Optional)

- Produces technical scoring on audits.
- Offers health scores, severity classification, recommendations, and