ast-grep-code-analysis
AST-Grep Code Analysis
[!NOTE] This skill requires that
as-grepis installed and configured in your development environment. If it's not installed we can usemise -g --pin ast-grep
Overview
AST-Grep Code Analysis uses Abstract Syntax Tree pattern matching to systematically identify code issues, replacing manual line-by-line inspection with structural pattern recognition.
Core principle: Code structure reveals more than surface reading - AST patterns expose hidden relationships, security vulnerabilities, and architectural issues that manual inspection misses.
When to Use
digraph when_to_use {
"Need to analyze code?" [shape=diamond];
"Complex/nested structure?" [shape=diamond];
"Security review needed?" [shape=diamond];
"Performance analysis?" [shape=diamond];
"Use ast-grep patterns" [shape=box];
"Manual review sufficient" [shape=box];
"Need to analyze code?" -> "Complex/nested structure?" [label="yes"];
"Complex/nested structure?" -> "Security review needed?" [label="yes"];
"Security review needed?" -> "Performance analysis?" [label="yes"];
"Performance analysis?" -> "Use ast-grep patterns" [label="yes"];
"Complex/nested structure?" -> "Manual review sufficient" [label="no"];
"Security review needed?" -> "Manual review sufficient" [label="no"];
"Performance analysis?" -> "Manual review sufficient" [label="no"];
}
Use when:
- Code has nested functions, complex control flow, or multiple abstraction layers
- Security review required (authentication, authorization, data handling)
- Performance analysis needed (React hooks, loops, async patterns)
- Large codebase where manual inspection is impractical
- Need to identify patterns across multiple files
- Time pressure requires systematic approach over ad-hoc analysis
Do NOT use when:
- Simple, straightforward code (< 50 lines)
- Single-file utilities with obvious structure
- When quick glance is sufficient for the task
Core Pattern
Before (Manual Inspection):
// Agent manually reads line by line
if (data[i].admin) {
userObj.token = generateToken(data[i].id); // "This looks insecure"
}
After (AST Pattern Matching):
# ast-grep rule: insecure-token-generation
rule:
pattern: |
function $FUNC($ARGS) {
const secret = $SECRET;
return btoa(JSON.stringify($PAYLOAD) + '.' + $SECRET);
}
meta:
severity: ERROR
message: "Hardcoded secret in token generation"
Quick Reference
| Analysis Type | AST Pattern Focus | Common Issues Found |
|---|---|---|
| Security | String literals in crypto functions | Hardcoded secrets, weak encryption |
| Performance | React hooks dependencies | Infinite re-renders, memory leaks |
| Structure | Function nesting depth | Complex control flow, maintainability |
| Data Flow | Variable assignments and usage | Unused variables, implicit dependencies |
Implementation
Installation and Setup
# Install ast-grep
npm install -g @ast-grep/cli
# Initialize configuration
ast-grep init
# Create rules directory
mkdir -p sg-rules/security sg-rules/performance sg-rules/structure
Essential Security Patterns
Hardcoded Secrets Detection:
# sg-rules/security/hardcoded-secrets.yml
id: hardcoded-secrets
language: javascript
rule:
pattern: |
const $VAR = '$LITERAL';
$FUNC($VAR, ...)
meta:
severity: ERROR
message: "Potential hardcoded secret detected"
Insecure Token Generation:
# sg-rules/security/insecure-tokens.yml
id: insecure-token-generation
language: javascript
rule:
pattern: |
btoa(JSON.stringify($OBJ) + '.' + $SECRET)
meta:
severity: ERROR
message: "Insecure token generation using base64"
Performance Pattern Detection
React Hook Dependencies:
# sg-rules/performance/react-hook-deps.yml
id: react-hook-dependency-array
language: typescript
rule:
pattern: |
useEffect(() => {
$BODY
}, [$FUNC])
meta:
severity: WARNING
message: "Function dependency in useEffect may cause infinite re-renders"
Missing useCallback Optimization:
# sg-rules/performance/missing-use-callback.yml
id: missing-use-callback
language: typescript
rule:
pattern: |
const $FUNC = ($ARGS) => {
$BODY
};
inside:
kind: function_declaration
has:
kind: arrow_function
meta:
severity: INFO
message: "Consider wrapping function in useCallback for optimization"
Structural Analysis Patterns
Deep Nesting Detection:
# sg-rules/structure/deep-nesting.yml
id: deep-nesting
language: javascript
rule:
any:
- pattern: |
if ($COND1) {
if ($COND2) {
if ($COND3) {
$BODY
}
}
}
- pattern: |
for ($INIT) {
for ($INIT2) {
for ($INIT3) {
$BODY
}
}
}
meta:
severity: WARNING
message: "Deep nesting detected - consider refactoring"
Running Analysis
# Run all security rules
ast-grep run -r sg-rules/security/
# Run performance analysis on React components
ast-grep run -r sg-rules/performance/ --include="*.tsx,*.jsx"
# Generate comprehensive report
ast-grep run -r sg-rules/ --format=json > analysis-report.json
# Interactive analysis
ast-grep run -r sg-rules/ --interactive
Common Mistakes
| Mistake | Why It Happens | Fix |
|---|---|---|
| Too generic patterns | Trying to catch everything | Focus on specific, high-impact patterns |
| Missing context | Patterns don't consider surrounding code | Use inside and has constraints |
| False positives | Overly broad matching | Add negative constraints with not |
| Language-specific assumptions | JavaScript patterns applied to TypeScript | Create separate rules per language |
| No severity prioritization | All issues marked as error | Use appropriate severity levels |
Real-World Impact
Before AST Analysis:
- Manual code review: 2-3 hours for medium codebase
- Missed security vulnerabilities: 40-60%
- Inconsistent analysis between reviewers
- No systematic approach to pattern detection
After AST Analysis:
- Automated pattern detection: 5-10 minutes
- Security vulnerability detection: 90%+
- Consistent, repeatable analysis
- Comprehensive coverage of known anti-patterns
Example Results:
$ ast-grep run -r sg-rules/
src/components/UserProfile.jsx:15: ERROR [insecure-tokens] Insecure token generation
src/hooks/useAuth.js:8: ERROR [hardcoded-secrets] Potential hardcoded secret
src/components/UserProfile.jsx:23: WARNING [react-hook-deps] Function dependency may cause re-renders
src/utils/processData.js:45: WARNING [deep-nesting] Deep nesting detected
Found 4 issues (2 errors, 2 warnings)
Integration Workflow
- Setup: Create rule sets for security, performance, structure
- Baseline: Run analysis on existing codebase to establish patterns
- Iterate: Refine rules based on false positives/negatives
- Automate: Integrate into CI/CD pipeline for continuous analysis
- Monitor: Track issue reduction over time
Required Background: Understanding of AST concepts, pattern matching, and code structure analysis. AST patterns reveal what manual inspection misses - systematic, comprehensive, and repeatable code analysis.
More from zenobi-us/dotfiles
leaflet-mapping
Use when creating interactive maps in Obsidian using LeafletJS plugin - covers real-world maps, image maps, markers from notes, overlays, GeoJSON, GPX tracks, and common issues with bounds/zoom levels
73skill-hunter
Find and download skills. Use when you need to discover existing skills from GitHub repositories and store them in the correct local skills category. Results in discovered skills being downloaded into the users dotfile repo.
68using-superpowers
Use when starting any conversation - establishes mandatory workflows for finding and using skills, including using Skill tool before announcing usage, following brainstorming before coding, and creating TodoWrite todos for checklists
67deep-researcher
Use when delegating research tasks requiring verified information from multiple authoritative sources - crawls and fact-checks beyond surface-level findings, providing evidence of verification process with confidence levels for each claim
66chrome-debug
Use when debugging web applications in chrome via the remote debugging protocol. Provides capabilities for inspecting DOM, executing JS, taking screenshots, and automating browser interactions.
64projectmanagement
Skills for managing projects, tracking progress, and suggesting next actions.
64