modules/home/programs/cli-agents/shared/skills/ast-grep-code-analysis/SKILL.md
Use when analyzing complex codebases for security vulnerabilities, performance issues, and structural patterns - provides systematic AST-based approach using ast-grep for comprehensive code understanding beyond manual inspection
> [!NOTE]
> This skill requires `ast-grep` to be installed and available in `PATH`.
AST-Grep Code Analysis uses Abstract Syntax Tree pattern matching to systematically identify code issues, replacing manual line-by-line inspection with structural pattern recognition.
Core principle: Code structure reveals more than surface reading - AST patterns expose hidden relationships, security vulnerabilities, and architectural issues that manual inspection misses.
```dot
digraph when_to_use {
  "Need to analyze code?" [shape=diamond];
  "Complex/nested structure?" [shape=diamond];
  "Security review needed?" [shape=diamond];
  "Performance analysis?" [shape=diamond];
  "Use ast-grep patterns" [shape=box];
  "Manual review sufficient" [shape=box];
  "Need to analyze code?" -> "Complex/nested structure?" [label="yes"];
  "Complex/nested structure?" -> "Security review needed?" [label="yes"];
  "Security review needed?" -> "Performance analysis?" [label="yes"];
  "Performance analysis?" -> "Use ast-grep patterns" [label="yes"];
  "Complex/nested structure?" -> "Manual review sufficient" [label="no"];
  "Security review needed?" -> "Manual review sufficient" [label="no"];
  "Performance analysis?" -> "Manual review sufficient" [label="no"];
}
```
Use when:
Do NOT use when:
Before (Manual Inspection):

```javascript
// Agent manually reads line by line
if (data[i].admin) {
  userObj.token = generateToken(data[i].id); // "This looks insecure"
}
```
After (AST Pattern Matching):

```yaml
# ast-grep rule: insecure-token-generation
# (message and severity are top-level keys in ast-grep rule files; severity
# values are lowercase: error, warning, info, hint, off)
id: insecure-token-generation
language: javascript
rule:
  pattern: |
    function $FUNC($$$ARGS) {
      const $SECRET = $VALUE;
      return btoa(JSON.stringify($PAYLOAD) + '.' + $SECRET);
    }
# $SECRET is bound to the identifier, so the declaration and the use must
# name the same variable; $VALUE must be a string literal (a hardcoded secret)
constraints:
  VALUE:
    kind: string
severity: error
message: "Hardcoded secret concatenated into a base64 token: base64 is reversible, so the secret leaks to every token holder"
```
| Analysis Type | AST Pattern Focus | Common Issues Found |
|---------------|-------------------|---------------------|
| Security | String literals in crypto functions | Hardcoded secrets, weak encryption |
| Performance | React hooks dependencies | Infinite re-renders, memory leaks |
| Structure | Function nesting depth | Complex control flow, maintainability |
| Data Flow | Variable assignments and usage | Unused variables, implicit dependencies |
```bash
# Confirm ast-grep is available
ast-grep --version
# Scaffold a project (interactive): writes sgconfig.yml, which lists the rule directories
ast-grep new
# Create rules directories
mkdir -p sg-rules/security sg-rules/performance sg-rules/structure
```
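A project config that registers those three directories, as an added example (not part of the skill): `ast-grep scan` reads it from the working directory, and `ast-grep test` uses `testConfigs` to find rule tests. The `sg-tests` directory name is my assumption; nothing on the page fixes it.

```yaml
# sgconfig.yml (added example; directory names below are assumptions)
ruleDirs:
  - sg-rules/security
  - sg-rules/performance
  - sg-rules/structure
# rule tests: one YAML file per rule id with `valid:` and `invalid:` snippets
testConfigs:
  - testDir: sg-tests
```

With this in place `ast-grep scan` needs no `--rule` flag, and `ast-grep test` fails the run if any `valid` snippet matches or any `invalid` snippet does not.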
Hardcoded Secrets Detection:

```yaml
# sg-rules/security/hardcoded-secrets.yml
id: hardcoded-secrets
language: javascript
rule:
  # a value assigned to a name that looks like a credential; metavariables
  # are not expanded inside quotes ('$LITERAL' would only match that text),
  # so the literal-ness is enforced with a kind constraint instead
  pattern: const $VAR = $VALUE
constraints:
  VAR:
    regex: (?i)(secret|token|password|passwd|api_?key|private_?key)
  VALUE:
    any:
      - kind: string
      - kind: template_string
severity: error
message: "Potential hardcoded secret detected: load it from configuration or a secrets manager"
```
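A rule test for `hardcoded-secrets`, added here as an example and not part of the skill, so that the false-positive budget is checked rather than guessed: `ast-grep test` runs every `valid` snippet (must not match) and every `invalid` snippet (must match) through the rule with the same `id`. The snippets are constructed; the file location assumes the `sg-tests` test directory.

```yaml
# sg-tests/hardcoded-secrets-test.yml (added example; id must equal the rule id)
id: hardcoded-secrets
valid:
  # credential name, but the value comes from the environment: no literal
  - const apiKey = process.env.API_KEY
  # string literal, but the name is not credential-like
  - const retryMode = 'exponential'
  # wrapped in a lookup rather than inlined
  - const dbPassword = vault.read('db/password')
invalid:
  # constructed values; the rule fires on the literal, whatever its contents
  - const apiKey = 'AKIA-EXAMPLE-0000-0000'
  - const dbPassword = `constructed-example-password`
  - const privateKey = '-----BEGIN PRIVATE KEY-----'
```

Keep adding a `valid` line for every false positive that turns up in triage; that is the cheapest way to keep the rule from drifting back to "flag every string".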
Insecure Token Generation:

```yaml
# sg-rules/security/insecure-tokens.yml
id: insecure-token-generation
language: javascript
rule:
  # base64 of a payload glued to a secret: the output is an encoding, not a
  # MAC, so decoding any token reveals the secret and lets the holder forge one
  pattern: btoa(JSON.stringify($OBJ) + '.' + $SECRET)
severity: error
message: "Insecure token generation: base64 is reversible; sign the payload with an HMAC or use a signed JWT"
```
React Hook Dependencies:

```yaml
# sg-rules/performance/react-hook-deps.yml
id: react-hook-dependency-array
# .tsx files are parsed as tsx, not typescript; a rule tagged typescript
# never runs on them (duplicate with language: javascript for .jsx)
language: tsx
rule:
  pattern: |
    useEffect(() => {
      $$$BODY
    }, [$DEP])
severity: warning
message: "Check that this useEffect dependency is stable: a function or object created during render is a new value each time, so the effect re-runs every render (and loops if it sets state)"
note: "The pattern only sees the dependency array; whether $DEP is recreated each render is decided where it is defined (useCallback/useMemo), so each match needs a look at the definition site."
```
Missing useCallback Optimization:

```yaml
# sg-rules/performance/missing-use-callback.yml
id: missing-use-callback
language: tsx
rule:
  # an arrow function bound with const (a useCallback-wrapped one has a call
  # expression as initializer and does not match this pattern) ...
  pattern: const $FUNC = ($$$ARGS) => { $$$BODY }
  # ... declared anywhere inside a function component. stopBy: end walks up
  # to the root; without it `inside` only inspects the direct parent node
  inside:
    pattern: function $COMPONENT($$$) { $$$ }
    stopBy: end
constraints:
  # function components are capitalized; plain helpers are left alone
  COMPONENT:
    regex: ^[A-Z]
severity: info
message: "Consider wrapping this function in useCallback if it is passed as a prop or used as an effect dependency"
```
Deep Nesting Detection:

```yaml
# sg-rules/structure/deep-nesting.yml
id: deep-nesting
language: javascript
rule:
  any:
    # three if statements nested in one another. Matching on node kind with
    # stopBy: end finds the inner ifs among other statements, which a literal
    # if/if/if pattern would not (it requires each inner if to be the only
    # statement in its block). for ($INIT) is not valid JavaScript, so the
    # loop case is expressed the same way.
    - kind: if_statement
      has:
        kind: if_statement
        stopBy: end
        has:
          kind: if_statement
          stopBy: end
    - kind: for_statement
      has:
        kind: for_statement
        stopBy: end
        has:
          kind: for_statement
          stopBy: end
severity: warning
message: "Deep nesting detected - consider refactoring (note: else-if chains also count as nested if statements)"
```
```bash
# Run every rule registered in sgconfig.yml (ast-grep scan reads rule files;
# ast-grep run is for ad-hoc --pattern searches and its -r means --rewrite)
ast-grep scan
# Run the security rules only, selected by rule id
ast-grep scan --filter 'hardcoded-secrets|insecure-token-generation'
# Run one rule file without a project config
ast-grep scan --rule sg-rules/security/hardcoded-secrets.yml
# Run performance analysis on React components only
ast-grep scan --filter 'react-hook|use-callback' --globs '*.tsx' --globs '*.jsx'
# Generate a machine-readable report
ast-grep scan --json > analysis-report.json
# Interactive triage of each finding
ast-grep scan --interactive
```
| Mistake | Why It Happens | Fix |
|---------|----------------|-----|
| Too generic patterns | Trying to catch everything | Focus on specific, high-impact patterns |
| Missing context | Patterns don't consider surrounding code | Use `inside` and `has` constraints |
| False positives | Overly broad matching | Add negative constraints with `not` |
| Language-specific assumptions | JavaScript patterns applied to TypeScript | Create separate rules per language |
| No severity prioritization | All issues marked as error | Use appropriate severity levels |
Before AST Analysis:
After AST Analysis:
Example Results (condensed to one line per finding; ast-grep's default report also prints a source excerpt under each match):

```text
$ ast-grep scan
src/components/UserProfile.jsx:15: ERROR [insecure-token-generation] Insecure token generation
src/hooks/useAuth.js:8: ERROR [hardcoded-secrets] Potential hardcoded secret
src/components/UserProfile.jsx:23: WARNING [react-hook-dependency-array] Function dependency may cause re-renders
src/utils/processData.js:45: WARNING [deep-nesting] Deep nesting detected
Found 4 issues (2 errors, 2 warnings)
```
Required Background: Understanding of AST concepts, pattern matching, and code structure analysis. AST patterns reveal what manual inspection misses - systematic, comprehensive, and repeatable code analysis.