HefestoAI Auditor
Static code analysis for security, quality, and complexity. Supports 17 languages.
Privacy: All analysis runs locally. No code is transmitted to external services. No network calls are made during analysis.
Permissions: This tool reads source files in the specified directory (read-only). It does not modify your code.
Install
```bash
pip install hefesto-ai
```
Quick Start
```bash
hefesto analyze /path/to/project --severity HIGH
```
Severity Levels
```bash
hefesto analyze /path/to/project --severity CRITICAL   # CRITICAL only
hefesto analyze /path/to/project --severity HIGH       # HIGH + CRITICAL
hefesto analyze /path/to/project --severity MEDIUM     # MEDIUM + HIGH + CRITICAL
hefesto analyze /path/to/project --severity LOW        # everything
```
Output Formats
```bash
hefesto analyze /path/to/project --output text                         # terminal (default)
hefesto analyze /path/to/project --output json                         # structured JSON
hefesto analyze /path/to/project --output html --save-html report.html # HTML report
hefesto analyze /path/to/project --quiet                               # summary only
```
Status and Version
```bash
hefesto status
hefesto --version
```
What It Detects
Security Vulnerabilities
- SQL injection and command injection
- Hardcoded secrets (API keys, passwords, tokens)
- Insecure configurations (Dockerfiles, Terraform, YAML)
- Path traversal and XSS risks
Semantic Drift (AI Code Integrity)
- Logic alterations that preserve syntax but change intent
- Architectural degradation from AI-generated code
- Hidden duplicates and inconsistencies in monorepos
Code Quality
- Cyclomatic complexity >10 (HIGH) or >20 (CRITICAL)
- Deep nesting (>4 levels)
- Long functions (>50 lines)
- Code smells and anti-patterns
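To make the Code Quality thresholds above concrete, here is an added example (not HefestoAI's own implementation) that computes cyclomatic complexity, nesting depth and function length with Python's `ast` module and maps them onto the page's thresholds and issue-type names. Which AST nodes count as a decision point or a nesting level is an assumption made here, and the sample functions are constructed for the demonstration; the tool's real definitions may differ.

```python
"""Added illustration of the Code Quality thresholds listed above.

This is not HefestoAI's implementation: which AST nodes count as a
decision point or a nesting level is an assumption made here, and the
sample functions are constructed for the demonstration.
"""
import ast
import textwrap

# Thresholds as stated on the page.
COMPLEXITY_HIGH = 10        # >10 -> HIGH_COMPLEXITY
COMPLEXITY_CRITICAL = 20    # >20 -> VERY_HIGH_COMPLEXITY
MAX_NESTING = 4             # >4 levels -> DEEP_NESTING
MAX_FUNCTION_LINES = 50     # >50 lines -> LONG_FUNCTION

# Assumed metric definitions (McCabe-style): each of these adds one
# decision path; each `and`/`or` operand beyond the first adds one more.
BRANCH_NODES = (ast.If, ast.IfExp, ast.For, ast.AsyncFor, ast.While,
                ast.ExceptHandler, ast.comprehension)
# Statements that open a new indentation level for nesting depth.
NESTING_NODES = (ast.If, ast.For, ast.AsyncFor, ast.While, ast.With,
                 ast.AsyncWith, ast.Try)


def cyclomatic_complexity(fn):
    count = 1
    for node in ast.walk(fn):
        if isinstance(node, BRANCH_NODES):
            count += 1
        elif isinstance(node, ast.BoolOp):
            count += len(node.values) - 1
    return count


def max_nesting(node, depth=0):
    """Deepest block nesting below `node`; an `elif` (an If that is the
    `orelse` of another If) does not add a level."""
    deepest = depth
    for field, value in ast.iter_fields(node):
        for child in (value if isinstance(value, list) else [value]):
            if not isinstance(child, ast.AST):
                continue
            is_elif = (field == "orelse" and isinstance(node, ast.If)
                       and isinstance(child, ast.If))
            nested = isinstance(child, NESTING_NODES) and not is_elif
            deepest = max(deepest, max_nesting(child, depth + 1 if nested else depth))
    return deepest


def function_metrics(source):
    """Map each function name to (complexity, nesting, line count)."""
    tree = ast.parse(textwrap.dedent(source))
    metrics = {}
    for fn in ast.walk(tree):
        if isinstance(fn, (ast.FunctionDef, ast.AsyncFunctionDef)):
            metrics[fn.name] = (cyclomatic_complexity(fn), max_nesting(fn),
                                fn.end_lineno - fn.lineno + 1)
    return metrics


def report_issues(source):
    """Return (function, issue type, severity) tuples using the page's
    thresholds and issue-type names."""
    findings = []
    for name, (cc, nesting, lines) in function_metrics(source).items():
        if cc > COMPLEXITY_CRITICAL:
            findings.append((name, "VERY_HIGH_COMPLEXITY", "CRITICAL"))
        elif cc > COMPLEXITY_HIGH:
            findings.append((name, "HIGH_COMPLEXITY", "HIGH"))
        if nesting > MAX_NESTING:
            findings.append((name, "DEEP_NESTING", "HIGH"))
        if lines > MAX_FUNCTION_LINES:
            findings.append((name, "LONG_FUNCTION", "MEDIUM"))
    return findings


# Constructed sample: one deeply nested loop, one long elif chain with
# boolean operators, and one trivial function that should stay clean.
SAMPLE = '''
def tangled(items):
    total = 0
    for item in items:
        if item.enabled:
            for child in item.children:
                if child.ok:
                    while child.pending:
                        child.pending -= 1
                        total += 1
    return total

def dispatch(code, a, b, c):
    if code == 1 and a:
        return "a"
    elif code == 2 or b:
        return "b"
    elif code == 3:
        return "c"
    elif code == 4:
        return "d"
    elif code == 5:
        return "e"
    elif code == 6:
        return "f"
    elif code == 7:
        return "g"
    elif code == 8 and c:
        return "h"
    return "z"

def simple(x):
    return x + 1
'''

if __name__ == "__main__":
    for name, metrics in function_metrics(SAMPLE).items():
        print(name, "complexity/nesting/lines =", metrics)
    for finding in report_issues(SAMPLE):
        print(*finding)
```

Running the block flags `tangled` for DEEP_NESTING (five nested blocks) and `dispatch` for HIGH_COMPLEXITY (eight branches plus three boolean operators give a complexity of 12), while `simple` produces nothing; the `elif` handling matters, because a naive "every If is a level" rule would also report the flat dispatch chain as deeply nested.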
DevOps Issues
- Dockerfile: missing USER, no HEALTHCHECK, running as root
- Shell: missing `set -euo pipefail`, unquoted variables
- Terraform: missing tags, hardcoded values
What It Does NOT Detect
- Runtime network attacks (DDoS, port scanning)
- Active intrusions (rootkits, privilege escalation)
- Network traffic monitoring
- For these, use SIEM/IDS/IPS or GCP Security Command Center
Supported Languages (17)
Code: Python, TypeScript, JavaScript, Java, Go, Rust, C#
DevOps/Config: Dockerfile, Jenkins/Groovy, JSON, Makefile, PowerShell, Shell, SQL, Terraform, TOML, YAML
Interpreting Results
```text
file.py:42:10
  Issue: Hardcoded database password detected
  Function: connect_db
  Type: HARDCODED_SECRET
  Severity: CRITICAL
  Suggestion: Move credentials to environment variables or a secret manager
```
Issue Types
| Type | Severity | Action |
|---|---|---|
| `VERY_HIGH_COMPLEXITY` | CRITICAL | Fix immediately |
| `HIGH_COMPLEXITY` | HIGH | Fix in current sprint |
| `DEEP_NESTING` | HIGH | Refactor nesting levels |
| `SQL_INJECTION_RISK` | HIGH | Parameterize queries |
| `HARDCODED_SECRET` | CRITICAL | Remove and rotate |
| `LONG_FUNCTION` | MEDIUM | Split function |
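The report excerpt and the HARDCODED_SECRET row above describe a literal credential inside `connect_db` and the fix (move it to an environment variable or a secret manager). The following added example, which is not HefestoAI's rule, shows a minimal AST-based check of that kind run over a constructed copy of the vulnerable function, the hardened form of the same function, and a small loader that fails when the variable is absent. The name pattern, the sample source and the helper names `find_hardcoded_secrets` and `load_db_password` are assumptions made for the illustration.

```python
"""Added example: a minimal HARDCODED_SECRET check and the remediation
the report excerpt suggests (credentials from the environment).

Not HefestoAI's own rule: the name pattern, the sample source and the
helper names (find_hardcoded_secrets, load_db_password) are constructed
for illustration.
"""
import ast
import os
import re
import textwrap

# Variable or keyword-argument names that suggest a credential.
SECRET_NAME = re.compile(r"passw(or)?d|secret|token|api_?key", re.IGNORECASE)

# Constructed sample mirroring the report excerpt: a literal database
# password assigned inside connect_db (line 3 of the snippet).
VULNERABLE = textwrap.dedent('''\
    def connect_db():
        host = "db.internal"
        password = "hunter2"
        return make_connection(host, password)
    ''')

# Hardened form: the secret is read from the environment at call time,
# so the source contains nothing to leak or rotate.
HARDENED = textwrap.dedent('''\
    import os

    def connect_db():
        host = "db.internal"
        password = os.environ["DB_PASSWORD"]
        return make_connection(host, password)
    ''')


def _is_str_literal(node):
    return isinstance(node, ast.Constant) and isinstance(node.value, str)


class _SecretVisitor(ast.NodeVisitor):
    """Flags string literals assigned to, or passed as keyword arguments
    under, secret-looking names, recording the enclosing function."""

    def __init__(self):
        self.scope = ["<module>"]
        self.findings = []

    def visit_FunctionDef(self, node):
        self.scope.append(node.name)
        self.generic_visit(node)
        self.scope.pop()

    visit_AsyncFunctionDef = visit_FunctionDef

    def visit_Assign(self, node):
        if _is_str_literal(node.value):
            for target in node.targets:
                if isinstance(target, ast.Name) and SECRET_NAME.search(target.id):
                    self.findings.append((self.scope[-1], target.id, node.lineno))
        self.generic_visit(node)

    def visit_keyword(self, node):
        if node.arg and SECRET_NAME.search(node.arg) and _is_str_literal(node.value):
            self.findings.append((self.scope[-1], node.arg, node.value.lineno))
        self.generic_visit(node)


def find_hardcoded_secrets(source):
    """Return (function, name, line) for each suspected hardcoded secret."""
    visitor = _SecretVisitor()
    visitor.visit(ast.parse(source))
    return visitor.findings


def load_db_password(env=None):
    """Remediation helper: take the credential from the environment and
    fail loudly when it is absent instead of falling back to a literal."""
    env = os.environ if env is None else env
    value = env.get("DB_PASSWORD")
    if not value:
        raise RuntimeError("DB_PASSWORD is not set; configure it via the "
                           "environment or a secret manager")
    return value


if __name__ == "__main__":
    for fn, name, line in find_hardcoded_secrets(VULNERABLE):
        print(f"sample.py:{line}  HARDCODED_SECRET in {fn}: {name}")
    print("hardened findings:", find_hardcoded_secrets(HARDENED))
```

The check keys on the variable name rather than the value, which is why the hardened version passes: `password` is still assigned, but to an environment lookup rather than a string literal. A real scanner also matches high-entropy strings and known key formats regardless of name, and a finding of this type still requires rotating the exposed credential, since removing it from the source does not revoke it.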
CI/CD Integration
```bash
# Fail the build on HIGH or CRITICAL issues
hefesto analyze /path/to/project --fail-on HIGH

# Pre-push git hook
hefesto install-hook

# Limit output
hefesto analyze /path/to/project --max-issues 10

# Exclude specific issue types
hefesto analyze /path/to/project --exclude-types VERY_HIGH_COMPLEXITY,LONG_FUNCTION
```
Licensing
| Tier | Price | Key Features |
|---|---|---|
| FREE | $0/mo | Static analysis, 17 languages, pre-push hooks |
| PRO | $8/mo | ML semantic analysis, REST API, BigQuery integration, custom rules |
| OMEGA | $19/mo | IRIS monitoring, auto-correlation, real-time alerts, team dashboard |
All paid tiers include a 14-day free trial.
See pricing and subscribe at hefestoai.narapallc.com.
To activate a license, see the setup guide at hefestoai.narapallc.com/setup.
About
Created by Narapa LLC (Miami, FL) — Arturo Velasquez (@artvepa)
Skill name: hefestoai-auditor