deslop 0.1.0

A static analyzer that spots low-context and AI-assisted code patterns across naming, concurrency, security, performance, and test quality.

deslop

deslop is a Rust-based static analyzer for Go repositories that focuses on signals commonly associated with low-context AI-generated code. It currently scans a repository, parses Go files with tree-sitter-go, extracts structural fingerprints for each function, builds a lightweight local package index, runs early heuristic checks, and can benchmark the pipeline against real Go repositories.

Overview

The current implementation is optimized around a fast full-repository pass:

  • walk the target tree with .gitignore awareness
  • skip common generated-code inputs and vendor/ paths
  • parse Go files with tree-sitter-go
  • fingerprint functions and methods with lightweight structural metrics
  • flag generic naming, overlong naming, weak typing, comment-style slop, weak crypto usage, hardcoded secret literals, dynamically constructed SQL queries, conservative missing-context cases, missing derived-context cancellation, looped sleep and select-default busy waiting, looped JSON marshaling, looped string concatenation, goroutine fan-out inside loops, looping goroutines without shutdown paths, mutex pressure signals, allocation churn, fmt or reflect hot-path calls, full-memory read patterns, looped database query-shape issues, mixed receiver styles, suspicious struct tags, and low-signal test bodies
  • use a local package index to catch some unresolved repository-local calls
  • benchmark discovery, parse, index, heuristic, and total runtime stages
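
The security-related patterns in the list above (weak crypto usage, hardcoded secret literals, dynamically constructed SQL queries) look like this in Go, each beside a form that avoids it. This is an added example, not code from deslop or its test fixtures; the function names, the SERVICE_TOKEN variable, the sample values and the choice of MD5 as the weak primitive are assumptions, and the page does not show how deslop reports each line.

```go
package main

import (
	"crypto/md5"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"os"
	"strings"
)

// Pattern: secret literal in source (constructed value, not a real credential).
const hardcodedToken = "example-token-0000"

// Preferred: read the secret at runtime and fail closed when it is unset.
func tokenFromEnv() (string, error) {
	if v := os.Getenv("SERVICE_TOKEN"); v != "" { // hypothetical variable name
		return v, nil
	}
	return "", errors.New("SERVICE_TOKEN is not set")
}

// Pattern: statement text assembled from input, so input can alter the statement.
func queryConcat(name string) string {
	return "SELECT id FROM users WHERE name = '" + name + "'"
}

// Preferred: constant statement text; the value travels as a bound argument,
// e.g. db.QueryContext(ctx, q, args...).
func queryBound(name string) (string, []interface{}) {
	return "SELECT id FROM users WHERE name = ?", []interface{}{name}
}

// Pattern: MD5 as a digest (assumed here as the weak primitive).
func digestWeak(b []byte) string { s := md5.Sum(b); return hex.EncodeToString(s[:]) }

// Preferred: SHA-256.
func digestStrong(b []byte) string { s := sha256.Sum256(b); return hex.EncodeToString(s[:]) }

func main() {
	name := "O'Brien" // constructed input containing a quote
	fmt.Println(strings.Count(queryConcat(name), "'")) // odd count: quoting is broken
	q, args := queryBound(name)
	fmt.Println(q, args) // statement text is unchanged by the input
	fmt.Println(len(digestWeak(nil)), len(digestStrong(nil)))
	_, err := tokenFromEnv()
	fmt.Println(len(hardcodedToken) > 0, err)
}
```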

Commands

Run a scan against a target path:

cargo run -- scan /path/to/go-repo

By default, scan output prints the scan summary plus the standard finding set. Detail-only diagnostics such as full_dataset_load are held back unless you pass --details.

Run the same scan with JSON output:

cargo run -- scan --json /path/to/go-repo

Show full per-function fingerprint details and detail-only findings in either text or JSON output:

cargo run -- scan --details /path/to/go-repo
cargo run -- scan --json --details /path/to/go-repo

Write scan output directly to a file:

cargo run -- scan /path/to/go-repo > results.txt
cargo run -- scan --json /path/to/go-repo > results.txt

Run a scan without .gitignore filtering:

cargo run -- scan --no-ignore /path/to/go-repo

Benchmark the current pipeline against a real local Go repository:

cargo run -- bench /path/to/go-repo

Benchmark with explicit repeats and warmups:

cargo run -- bench --warmups 2 --repeats 5 /path/to/go-repo

Benchmark with JSON output:

cargo run -- bench --json /path/to/go-repo

Development

Run the test suite:

cargo test

Build release executables for your current platform or cross-compile for other supported platforms:

cargo build --release
cargo build --release --target x86_64-pc-windows-gnu
cargo build --release --target x86_64-apple-darwin
cargo build --release --target x86_64-unknown-linux-gnu

If you are cross-compiling, make sure the matching Rust target is installed first. Adjust the target triple to match the architecture you want to ship:

rustup target add x86_64-pc-windows-gnu x86_64-apple-darwin x86_64-unknown-linux-gnu

The native release binary is written to target/release/. Cross-compiled binaries are written under target/<target-triple>/release/ and are named deslop on Unix-like systems and deslop.exe on Windows.

For a detailed architecture and roadmap guide, see guides/implementation-guide.md. For a detector-oriented overview, see guides/features-and-detections.md.