hefestoai-auditor
v2.2.0Static code analysis tool. Detects security vulnerabilities, code smells, and complexity issues across 17 languages. All analysis runs locally — no code leaves your machine.
Sourced from ClawHub,
Authored by artvepa80
Installation
HefestoAI Auditor
Static code analysis for security, quality, and complexity. Supports 17 languages.
Privacy: All analysis runs locally. No code is transmitted to external services. No network calls are made during analysis.
Permissions: This tool reads source files in the specified directory (read-only). It does not modify your code.
Install
pip install hefesto-ai
Quick Start
hefesto analyze /path/to/project --severity HIGH
Severity Levels
hefesto analyze /path/to/project --severity CRITICAL # Critical only
hefesto analyze /path/to/project --severity HIGH # High + Critical
hefesto analyze /path/to/project --severity MEDIUM # Medium + High + Critical
hefesto analyze /path/to/project --severity LOW # Everything
Output Formats
hefesto analyze /path/to/project --output text # Terminal (default)
hefesto analyze /path/to/project --output json # Structured JSON
hefesto analyze /path/to/project --output html --save-html report.html # HTML report
hefesto analyze /path/to/project --quiet # Summary only
Status and Version
hefesto status
hefesto --version
What It Detects
Security Vulnerabilities
- SQL injection and command injection
- Hardcoded secrets (API keys, passwords, tokens)
- Insecure configurations (Dockerfiles, Terraform, YAML)
- Path traversal and XSS risks
Semantic Drift (AI Code Integrity)
- Logic alterations that preserve syntax but change intent
- Architectural degradation from AI-generated code
- Hidden duplicates and inconsistencies in monorepos
Code Quality
- Cyclomatic complexity >10 (HIGH) or >20 (CRITICAL)
- Deep nesting (>4 levels)
- Long functions (>50 lines)
- Code smells and anti-patterns
DevOps Issues
- Dockerfile: missing USER, no HEALTHCHECK, running as root
- Shell: missing
set -euo pipefail, unquoted variables - Terraform: missing tags, hardcoded values
What It Does NOT Detect
- Runtime network attacks (DDoS, port scanning)
- Active intrusions (rootkits, privilege escalation)
- Network traffic monitoring
- For these, use SIEM/IDS/IPS or GCP Security Command Center
Supported Languages (17)
Code: Python, TypeScript, JavaScript, Java, Go, Rust, C#
DevOps/Config: Dockerfile, Jenkins/Groovy, JSON, Makefile, PowerShell, Shell, SQL, Terraform, TOML, YAML
Interpreting Results
file.py:42:10
Issue: Hardcoded database password detected
Function: connect_db
Type: HARDCODED_SECRET
Severity: CRITICAL
Suggestion: Move credentials to environment variables or a secrets manager
Issue Types
| Type | Severity | Action |
|---|---|---|
VERY_HIGH_COMPLEXITY |
CRITICAL | Fix immediately |
HIGH_COMPLEXITY |
HIGH | Fix in current sprint |
DEEP_NESTING |
HIGH | Refactor nesting levels |
SQL_INJECTION_RISK |
HIGH | Parameterize queries |
HARDCODED_SECRET |
CRITICAL | Remove and rotate |
LONG_FUNCTION |
MEDIUM | Split function |
CI/CD Integration
# Fail build on HIGH or CRITICAL issues
hefesto analyze /path/to/project --fail-on HIGH
# Pre-push git hook
hefesto install-hook
# Limit output
hefesto analyze /path/to/project --max-issues 10
# Exclude specific issue types
hefesto analyze /path/to/project --exclude-types VERY_HIGH_COMPLEXITY,LONG_FUNCTION
Licensing
| Tier | Price | Key Features |
|---|---|---|
| FREE | $0/mo | Static analysis, 17 languages, pre-push hooks |
| PRO | $8/mo | ML semantic analysis, REST API, BigQuery integration, custom rules |
| OMEGA | $19/mo | IRIS monitoring, auto-correlation, real-time alerts, team dashboard |
All paid tiers include a 14-day free trial.
See pricing and subscribe at hefestoai.narapallc.com.
To activate a license, see the setup guide at hefestoai.narapallc.com/setup.
About
Created by Narapa LLC (Miami, FL) — Arturo Velasquez (@artvepa)
- GitHub: github.com/artvepa80/Agents-Hefesto
- Support: [email protected]