The problem: AI assistants optimize for "code that works," not "code that's secure." They routinely generate SQL injection via
f-strings, hardcode API keys, use os.system() with user input, and pick weak crypto like MD5.
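As an added illustration (this is not hackmenot's code and not its rule format), here is a minimal Python `ast`-based checker for exactly those four pattern classes, run over a constructed sample; the rule ids, secret-length threshold and name heuristics are assumptions of the example:

```python
import ast
import re
# Constructed sample in the style of AI-generated code (not from hackmenot).
SAMPLE = '''
import os, hashlib
API_KEY = "sk-live-0123456789abcdef0123456789abcdef"
def lookup(conn, user):
    return conn.execute(f"SELECT * FROM users WHERE name = '{user}'").fetchall()
def ping(host):
    os.system("ping -c 1 " + host)
def digest(data):
    return hashlib.md5(data).hexdigest()
'''
SQL_START = re.compile(r"^\s*(SELECT|INSERT|UPDATE|DELETE)\b", re.I)
SECRET_NAME = re.compile(r"KEY|SECRET|TOKEN|PASSWORD", re.I)

def callee(node):
    """Dotted name like 'os.system' when the call target is module.attr, else ''."""
    f = node.func
    ok = isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name)
    return f"{f.value.id}.{f.attr}" if ok else ""

def is_sql_fstring(arg):
    """True for an f-string whose literal head is a SQL verb and that interpolates values."""
    if not (isinstance(arg, ast.JoinedStr) and arg.values):
        return False
    head = arg.values[0]
    return (isinstance(head, ast.Constant) and SQL_START.match(str(head.value)) is not None
            and any(isinstance(v, ast.FormattedValue) for v in arg.values))

def scan_source(src):
    """Return sorted (line, rule_id) findings for the four pattern classes in the post."""
    findings = []
    for node in ast.walk(ast.parse(src)):
        if isinstance(node, ast.Assign) and isinstance(node.value, ast.Constant):
            val = node.value.value
            if isinstance(val, str) and len(val) >= 16 and any(
                    isinstance(t, ast.Name) and SECRET_NAME.search(t.id) for t in node.targets):
                findings.append((node.lineno, "hardcoded-secret"))
        elif isinstance(node, ast.Call):
            name = callee(node)
            # Shell call with a non-literal argument: caller-controlled data may reach the shell
            if name in ("os.system", "os.popen") and not all(
                    isinstance(a, ast.Constant) for a in node.args):
                findings.append((node.lineno, "shell-command"))
            elif name in ("hashlib.md5", "hashlib.sha1"):
                findings.append((node.lineno, "weak-hash"))
            if any(is_sql_fstring(a) for a in node.args):
                findings.append((node.lineno, "sql-fstring"))
    return sorted(findings)
```

Running `scan_source(SAMPLE)` reports one finding per sample line that carries a pattern; a shell call with only a literal argument or an f-string that is not SQL is left alone.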
What hackmenot does:
- 100+ rules purpose-built for AI code patterns
- Python, JavaScript, Go, Terraform
- Auto-fix mode (hackmenot scan . --fix)
- Detects hallucinated packages (dependencies AI made up that don't exist)
- Sub-second scans with caching
- GitHub Action with SARIF support
Install: pip install hackmenot
It's Apache 2.0, no API keys needed, works offline.
Would love feedback on the rules coverage and any patterns I'm missing. Happy to answer questions!