Code Hardcode Audit

When to Use This Skill

Use this skill when the user mentions:

• "hardcoded values", "hardcodes", "magic numbers"
• "constant detection", "find constants"
• "duplicate constants", "DRY violations"
• "code audit", "hardcode audit"
• "PLR2004", "semgrep", "jscpd", "gitleaks", "ast-grep", "SSoT violations"
• "secret scanning", "leaked secrets", "API keys", "bandit", "trufflehog", "whispers"
• "passwords in code", "credential leaks", "entropy detection"
• "config file secrets", "hardcoded credentials"

Quick Start

# Preflight — verify all tools installed and configured
uv run --python 3.13 --script scripts/preflight.py -- .

# Full audit (all 9 tools, preflight + both outputs)
uv run --python 3.13 --script scripts/audit_hardcodes.py -- src/

# Individual tools (all respect .gitignore):

# Python credential detection (passwords, tokens, API keys in variable names)
uv run --python 3.13 --script scripts/run_bandit.py -- src/

# Entropy-based secret detection (catches secrets regex can't)
uv run --python 3.13 --script scripts/run_trufflehog.py -- src/

# Config file secrets (YAML, JSON, Dockerfile, .env, .properties)
uv run --python 3.13 --script scripts/run_whispers.py -- src/

# AST-based hardcode detection (numeric args, URLs, paths, sleep)
uv run --python 3.13 --script scripts/run_ast_grep.py -- src/

# Python magic numbers only (fastest)
uv run --python 3.13 --script scripts/run_ruff_plr.py -- src/

# Pattern-based detection (URLs, ports, paths, sleep, circuit breaker)
uv run --python 3.13 --script scripts/run_semgrep.py -- src/

# Env-var coverage audit (BaseSettings cross-reference)
uv run --python 3.13 --script scripts/audit_env_coverage.py -- src/

# Copy-paste detection
uv run --python 3.13 --script scripts/run_jscpd.py -- src/

# Regex-based secret scanning (API keys, tokens, passwords)
uv run --python 3.13 --script scripts/run_gitleaks.py -- src/

Tool Overview

Tool	Detection Focus	Language Support	Speed
Preflight	Tool availability + config validation	N/A	Instant
Bandit	Hardcoded passwords, tokens in Python (B105-7)	Python	Fast
TruffleHog	Entropy-based secret + API verification	Any (file-based)	Medium
Whispers	Config file secrets (YAML, JSON, Docker, .env)	Config files	Medium
ast-grep	Hardcoded literals in args, sleep, URLs, paths	Multi-language	Fast
Ruff PLR2004	Magic value comparisons	Python	Fast
Semgrep	URLs, ports, paths, credentials, retry config	Multi-language	Medium
Env-coverage	BaseSettings cross-reference, coverage gaps	Python	Fast
jscpd	Duplicate code blocks	Multi-language	Slow
gitleaks	Regex-based secrets, API keys, passwords	Any (file-based)	Fast

Output Formats

JSON (--output json)

{
  "summary": {
    "total_findings": 42,
    "by_tool": { "ruff": 15, "semgrep": 20, "jscpd": 7 },
    "by_severity": { "high": 5, "medium": 25, "low": 12 }
  },
  "findings": [
    {
      "id": "MAGIC-001",
      "tool": "ruff",
      "rule": "PLR2004",
      "file": "src/config.py",
      "line": 42,
      "column": 8,
      "message": "Magic value used in comparison: 8123",
      "severity": "medium",
      "suggested_fix": "Extract to named constant"
    }
  ],
  "refactoring_plan": [
    {
      "priority": 1,
      "action": "Create constants/ports.py",
      "finding_ids": ["MAGIC-001", "MAGIC-003"]
    }
  ]
}

Compiler-like Text (--output text)

src/config.py:42:8: PLR2004 Magic value used in comparison: 8123 [ruff]
src/probe.py:15:1: hardcoded-url Hardcoded URL detected [semgrep]
src/client.py:20-35: Clone detected (16 lines, 95% similarity) [jscpd]

Summary: 42 findings (ruff: 15, semgrep: 20, jscpd: 7)

CLI Options

--output {json,text,both}  Output format (default: both)
--tools {all,ast-grep,ruff,semgrep,jscpd,gitleaks,env-coverage,bandit,trufflehog,whispers}  Tools to run
--severity {all,high,medium,low}  Filter by severity (default: all)
--exclude PATTERN  Glob pattern to exclude (repeatable)
--no-parallel  Disable parallel execution
--skip-preflight  Skip tool availability check

References

• Tool Comparison - Detailed tool capabilities
• Output Schema - JSON schema specification
• Troubleshooting - Common issues and fixes

Related

• ADR-0046: Semantic Constants Abstraction
• ADR-0047: Code Hardcode Audit Skill
• code-clone-assistant - PMD CPD-based clone detection (DRY focus)

---

Troubleshooting

Issue	Cause	Solution
Ruff PLR2004 zero output	PLR2004 globally suppressed	Run preflight: uv run --python 3.13 --script scripts/preflight.py -- .
Ruff PLR2004 not found	Ruff not installed or old	uv tool install ruff or upgrade
ast-grep not found	Binary not installed	cargo install ast-grep or brew install ast-grep
Semgrep timeout	Large codebase scan	Use --exclude to limit scope
jscpd memory error	Too many files	Increase Node heap: NODE_OPTIONS=--max-old-space-size=4096
gitleaks false positives	Test data flagged	Add patterns to .gitleaks.toml allowlist
Env-coverage misses	Not using BaseSettings	Only detects pydantic BaseSettings; other config patterns skipped
No findings in output	Wrong directory specified	Verify path exists and contains source files
JSON parse error	Tool output malformed	Run tool individually with --output text
Missing tool in PATH	Tool not installed globally	Run preflight first, then install missing tools
Bandit false positives	password = '' in init	Filter B105 by confidence: --confidence HIGH
TruffleHog timeout	Scanning .venv/node_modules	All tools respect .gitignore; ensure large dirs are gitignored
TruffleHog regex error	Glob patterns in .gitignore	Complex globs (**/*.rs.bk) are auto-skipped; only simple names used
Whispers slow scan	Large directories	Exclude via .gitignore; whispers config auto-generated from it
Whispers zero findings	No config files in scope	Whispers targets YAML/JSON/Docker/INI; use on project root, not src/
Severity filter empty	No findings at that level	Use --severity all to see all findings