Metadata-Version: 2.4
Name: hackmenot
Version: 2.1.1
Summary: AI-Era Code Security Scanner - catches vulnerabilities AI coding assistants introduce
Project-URL: Homepage, https://github.com/b0rd3aux/hackmenot
Project-URL: Repository, https://github.com/b0rd3aux/hackmenot
Project-URL: Documentation, https://github.com/b0rd3aux/hackmenot/tree/main/docs
Project-URL: Issues, https://github.com/b0rd3aux/hackmenot/issues
Author: b0rd3aux
License-Expression: Apache-2.0
License-File: LICENSE
Keywords: ai,claude,code-analysis,copilot,cursor,sast,scanner,security,vulnerability
Classifier: Development Status :: 4 - Beta
Classifier: Environment :: Console
Classifier: Intended Audience :: Developers
Classifier: License :: OSI Approved :: Apache Software License
Classifier: Programming Language :: Python :: 3.10
Classifier: Programming Language :: Python :: 3.11
Classifier: Programming Language :: Python :: 3.12
Classifier: Topic :: Security
Classifier: Topic :: Software Development :: Quality Assurance
Classifier: Topic :: Software Development :: Testing
Requires-Python: >=3.10
Requires-Dist: python-hcl2>=4.3.0
Requires-Dist: pyyaml>=6.0
Requires-Dist: rich>=13.0.0
Requires-Dist: tqdm>=4.66.0
Requires-Dist: tree-sitter-go>=0.21.0
Requires-Dist: tree-sitter-java>=0.23.5
Requires-Dist: tree-sitter-javascript>=0.23.0
Requires-Dist: tree-sitter-rust>=0.23.0
Requires-Dist: tree-sitter>=0.23.0
Requires-Dist: typer>=0.9.0
Provides-Extra: dev
Requires-Dist: mypy>=1.8.0; extra == 'dev'
Requires-Dist: pre-commit>=3.6.0; extra == 'dev'
Requires-Dist: pytest-cov>=4.0.0; extra == 'dev'
Requires-Dist: pytest>=8.0.0; extra == 'dev'
Requires-Dist: ruff>=0.1.0; extra == 'dev'
Description-Content-Type: text/markdown

<div align="center">

# 🛡️ hackmenot

**AI-Era Code Security Scanner**

*Catches the vulnerabilities AI coding assistants introduce—and fixes them.*

[![PyPI](https://img.shields.io/pypi/v/hackmenot?color=blue)](https://pypi.org/project/hackmenot/)
[![Docker](https://img.shields.io/badge/docker-ghcr.io-blue)](https://github.com/b0rd3aux/hackmenot/pkgs/container/hackmenot)
[![Tests](https://img.shields.io/github/actions/workflow/status/b0rd3aux/hackmenot/hackmenot.yml?label=tests)](https://github.com/b0rd3aux/hackmenot/actions)
[![License](https://img.shields.io/badge/license-Apache%202.0-blue)](LICENSE)
[![Python](https://img.shields.io/badge/python-3.10+-blue)](https://www.python.org/downloads/)

![100+ Security Rules](https://img.shields.io/badge/rules-120+-green)
![6 Languages](https://img.shields.io/badge/languages-Python%20%7C%20JS%20%7C%20Go%20%7C%20Rust%20%7C%20Java%20%7C%20Terraform-orange)
![Enterprise Scale](https://img.shields.io/badge/scans-10k%20files%20%3C10s-purple)
![Parallel Scanning](https://img.shields.io/badge/parallel-enterprise%20scale-blueviolet)

<img src="assets/hero-scan.gif" alt="hackmenot in action" width="700">

</div>

---

## The Problem

**Over 50% of AI-generated code contains security vulnerabilities.** Copilot, Cursor, and Claude Code are transforming how we write software—but they're also introducing patterns that traditional SAST tools weren't built to catch.

hackmenot is purpose-built for the AI era: it detects these vulnerabilities, provides **auto-fix suggestions**, and explains **why AI makes these mistakes** so you learn as you secure.

---

## Quick Start

Get scanning in 30 seconds:

```bash
# Install via pip
pip install hackmenot

# Or with Docker
docker pull ghcr.io/b0rd3aux/hackmenot:latest

# Scan your code
hackmenot scan .

# Scan with auto-fix
hackmenot scan . --fix

# Scan dependencies for hallucinated packages
hackmenot deps .
```

That's it. No config files, no setup, no API keys.

---

## Features

### Scan & Detect

120+ security rules purpose-built for AI-generated code patterns across Python, JavaScript/TypeScript, Go, Rust, Java, and Terraform.

<img src="assets/hero-scan.gif" alt="hackmenot scanning code" width="700">

### Auto-Fix

Don't just find problems—fix them. Interactive mode lets you review and apply fixes one by one.

```bash
hackmenot scan . --fix-interactive
```

<img src="assets/fix-interactive.gif" alt="Auto-fix in action" width="700">

### Dependency Scanning

Detect hallucinated packages (dependencies that don't exist), typosquats, and known CVEs, using [Google's OSV](https://osv.dev) database for the vulnerability lookups.

```bash
hackmenot deps . --check-vulns
```

<img src="assets/deps-scan.gif" alt="Dependency scanning" width="700">
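An added illustration of the typosquat and non-existent-package checks described above, not hackmenot's own code: the `KNOWN` set is a constructed stand-in for the registry lookup, the requirements file is constructed, and the edit-distance threshold of 1 is an assumed heuristic.

```python
import re

# Constructed stand-in for a registry lookup: names that resolved when queried.
# Not hackmenot's data; a real check asks the package index instead.
KNOWN = {"requests", "pyyaml", "rich", "typer", "python-hcl2", "tqdm", "tree-sitter"}

# Constructed requirements: one correct, one typosquat, one that does not exist, two case/separator variants.
REQUIREMENTS = """\
requests==2.31.0
requets>=2.0
pyyaml_parser
PyYAML>=6.0
Tree_Sitter>=0.23.0
"""

def normalize(name: str) -> str:
    """PEP 503 normalisation as PyPI applies it: lowercase, runs of '-', '_' and '.' become one '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()

def edit_distance(a: str, b: str) -> int:
    """Damerau-Levenshtein with adjacent transposition, so 'requets' and 'reqeusts' both cost 1 vs 'requests'."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def check_requirements(text: str, known: set[str]) -> dict[str, str]:
    """Map each normalised requirement name to 'ok', 'typosquat:<target>' or 'unknown' (verify against the registry)."""
    known_norm = {normalize(k) for k in known}
    verdicts = {}
    for line in text.splitlines():
        line = line.split("#")[0].strip()          # drop comments and blank lines
        if not line:
            continue
        name = normalize(re.split(r"[<>=!~\[;\s]", line, maxsplit=1)[0])  # strip version specifier
        if name in known_norm:
            verdicts[name] = "ok"
            continue
        near = [k for k in known_norm if edit_distance(name, k) <= 1]  # threshold is an assumed heuristic
        verdicts[name] = f"typosquat:{near[0]}" if near else "unknown"
    return verdicts
```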

### 🎯 Security Graph Visualization (v2.1)

Visualize your application's attack surface with interactive security graphs. Trace data flows from entry points to security sinks, identify vulnerable paths, and understand your security posture at a glance.

```bash
# Generate security graph
hackmenot graph . -o security.dot
dot -Tpng security.dot -o security.png

# Or use the interactive HTML viewer
hackmenot graph . --interactive -o security.html
```

<img src="assets/security-graph-preview.png" alt="Security graph visualization" width="700">

**Features:**
- 🔍 **Attack Surface Mapping** - Identify all entry points (API endpoints, CLI commands, webhooks)
- 🌊 **Data Flow Analysis** - Trace untrusted data from sources to sinks
- 📊 **Risk Scoring** - Calculate exploit likelihood (0-100) based on authentication, sink type, and sanitization
- 🎨 **Interactive Visualization** - Search, filter, and explore your security graph in the browser
- 🎯 **Exploit Chain Detection** - Find compound vulnerabilities through single entry points

[Try the interactive demo →](assets/security-graph-demo.html)
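The path tracing, risk scoring and exploit-chain detection listed above, as an added example that is not hackmenot's implementation: the graph, the sink severities and the scoring weights (+40 for an unauthenticated entry point, halved when a sanitizer sits on the path) are constructed for the illustration.

```python
from dataclasses import dataclass, field
from itertools import product

@dataclass
class SecurityGraph:
    """Constructed model: edges are data flows between functions; not hackmenot's own graph format."""
    edges: dict[str, list[str]]          # a -> [b, ...]: untrusted data flows from a into b
    entry_points: dict[str, bool]        # handler -> requires authentication?
    sinks: dict[str, int]                # sink -> base severity of the sink type (0-60, assumed)
    sanitizers: set[str] = field(default_factory=set)

    def paths(self, src: str, dst: str, seen: tuple = ()):
        if src == dst:                   # simple paths only; 'seen' blocks cycles
            yield [src]
            return
        for nxt in self.edges.get(src, []):
            if nxt not in seen:
                yield from ([src] + p for p in self.paths(nxt, dst, seen + (src,)))

    def score(self, path: list[str]) -> int:
        """0-100 likelihood: sink severity, +40 if the entry point is unauthenticated,
        halved if a sanitizer is on the path. Weights are assumed for the illustration."""
        risk = self.sinks[path[-1]] + (0 if self.entry_points[path[0]] else 40)
        return min(risk // 2 if self.sanitizers & set(path) else risk, 100)

    def vulnerable_paths(self) -> list[tuple[int, list[str]]]:
        found = [(self.score(p), p) for e, s in product(self.entry_points, self.sinks) for p in self.paths(e, s)]
        return sorted(found, key=lambda t: -t[0])

    def exploit_chains(self) -> dict[str, set[str]]:
        """Entry points from which more than one distinct sink is reachable."""
        reach = {e: {p[-1] for _, p in self.vulnerable_paths() if p[0] == e} for e in self.entry_points}
        return {e: s for e, s in reach.items() if len(s) > 1}

    def to_dot(self) -> str:
        out = ["digraph security {"]    # Graphviz source: entry points double circles, sinks filled boxes
        out += [f'  "{n}" [shape=doublecircle];' for n in self.entry_points]
        out += [f'  "{n}" [shape=box, style=filled, fillcolor=salmon];' for n in self.sinks]
        out += [f'  "{a}" -> "{b}";' for a, bs in self.edges.items() for b in bs]
        return "\n".join(out + ["}"])

# Constructed sample: an unauthenticated search handler and an authenticated upload handler.
GRAPH = SecurityGraph(
    edges={"GET /search": ["build_query"], "build_query": ["db.execute"],
           "POST /upload": ["sanitize_path", "parse_meta"], "sanitize_path": ["open"],
           "parse_meta": ["subprocess.run", "open"]},
    entry_points={"GET /search": False, "POST /upload": True},
    sinks={"db.execute": 50, "subprocess.run": 60, "open": 30},
    sanitizers={"sanitize_path"},
)
```

Piping `GRAPH.to_dot()` into `dot -Tpng` renders the same kind of picture the `hackmenot graph` command produces.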

### CI/CD & GitHub Security

Native GitHub Action with SARIF support. Findings appear directly in GitHub's Security tab.

```yaml
- uses: hackmenot/hackmenot@v1
  with:
    sarif-upload: 'true'
```

### ⚡ Enterprise-Scale Performance (v2.0)

Parallel scanning architecture built for large codebases:

- **10k files in <10 seconds** on 8-core machines
- **Memory-efficient**: <2GB for 50k file scans
- **No extra dependencies for parallelism**: pure Python multiprocessing

```bash
# Parallel scanning (default in v2.0)
hackmenot scan .

# Control worker count
hackmenot scan . --workers 16

# Sequential mode (v1.x behavior)
hackmenot scan . --no-parallel
```

**Performance Targets:**
- Small repos (100 files): <1s
- Medium repos (1k files): <3s
- Large repos (10k files): <10s
- Enterprise (50k files): <60s

---

## What It Catches

| Category | Examples | Languages |
|----------|----------|-----------|
| **Injection** | SQL injection, command injection, XSS, path traversal | All |
| **Authentication** | Missing auth decorators, weak sessions, hardcoded credentials | Python, JS, Java |
| **Cryptography** | Weak algorithms, hardcoded keys, insecure random | All |
| **Unsafe Operations** | Unsafe blocks, raw pointers, transmute, reflection | Rust, Java |
| **Deserialization** | Insecure object deserialization, XXE attacks | Java, Rust |
| **Data Exposure** | Logging secrets, verbose errors, debug mode in prod | All |
| **Infrastructure** | Open security groups, missing encryption, public S3 buckets | Terraform |
| **Dependencies** | Hallucinated packages, typosquats, CVEs via [OSV](https://osv.dev) | Python, JS |
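How rules for three of the categories above (SQL injection, command injection, weak cryptography) can be expressed over Python's `ast`, as an added example: this is not hackmenot's rule engine, the sample source is constructed, and the rule names are hypothetical.

```python
import ast
from dataclasses import dataclass

# Constructed sample in the style an assistant might emit; line 4 is the safe form of line 3.
SAMPLE = '''\
import hashlib, subprocess
def get_user(cursor, name):
    cursor.execute(f"SELECT * FROM users WHERE name = '{name}'")
    cursor.execute("SELECT * FROM users WHERE name = %s", (name,))
def run(cmd):
    subprocess.run("ls " + cmd, shell=True)
def digest(data):
    return hashlib.md5(data).hexdigest()
'''

@dataclass(frozen=True)
class Finding:
    rule: str       # hypothetical rule id
    line: int
    fix: str

def _dotted(node: ast.AST) -> str:
    """Dotted name of a call target, e.g. 'cursor.execute' or 'hashlib.md5'."""
    if isinstance(node, ast.Attribute):
        return f"{_dotted(node.value)}.{node.attr}"
    return node.id if isinstance(node, ast.Name) else ""

def _is_dynamic(node: ast.AST) -> bool:
    """True when data is mixed into the string: f-string, '+' or '%' formatting, str.format()."""
    return (isinstance(node, ast.JoinedStr)
            or (isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)))
            or (isinstance(node, ast.Call) and _dotted(node.func).endswith(".format")))

def _shell_true(call: ast.Call) -> bool:
    return any(k.arg == "shell" and isinstance(k.value, ast.Constant) and k.value.value is True
               for k in call.keywords)

def scan_source(src: str) -> list[Finding]:
    findings = []
    for node in ast.walk(ast.parse(src)):
        if not isinstance(node, ast.Call):
            continue
        name, arg0 = _dotted(node.func), (node.args[0] if node.args else None)
        if name.endswith(".execute") and arg0 is not None and _is_dynamic(arg0):
            findings.append(Finding("sql-injection", node.lineno, "bind parameters instead of formatting"))
        if name.startswith("subprocess.") and _shell_true(node) and arg0 is not None and not isinstance(arg0, ast.Constant):
            findings.append(Finding("command-injection", node.lineno, "pass an argv list and drop shell=True"))
        if name in ("hashlib.md5", "hashlib.sha1"):
            findings.append(Finding("weak-hash", node.lineno, "use hashlib.sha256 or stronger"))
    return sorted(findings, key=lambda f: f.line)
```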

---

## Installation

**pip (recommended)**
```bash
pip install hackmenot
```

**Docker**
```bash
# Pull image
docker pull ghcr.io/b0rd3aux/hackmenot:latest

# Scan current directory
docker run --rm -v "$(pwd)":/workspace ghcr.io/b0rd3aux/hackmenot scan .
```

**From source**
```bash
pip install git+https://github.com/b0rd3aux/hackmenot.git@v1.0.0
```

Requires Python 3.10+

## Usage

```bash
# Basic scan
hackmenot scan .

# Scan specific path
hackmenot scan src/

# Set minimum severity (critical, high, medium, low)
hackmenot scan . --severity medium

# Fail CI on high+ findings
hackmenot scan . --fail-on high

# Output as JSON or SARIF
hackmenot scan . --format json
hackmenot scan . --format sarif

# Auto-fix all issues
hackmenot scan . --fix

# Interactive fix mode
hackmenot scan . --fix-interactive

# Preview fixes without applying
hackmenot scan . --fix --dry-run --diff

# Scan only changed files (great for CI)
hackmenot scan . --changed-since origin/main

# Dependency scanning
hackmenot deps .
hackmenot deps . --check-vulns

# Security graph visualization
hackmenot graph . -o security.dot
hackmenot graph . --interactive -o security.html
```

---

## Documentation

| Guide | Description |
|-------|-------------|
| [Getting Started](docs/getting-started.md) | First-time setup and basic usage |
| [CLI Reference](docs/cli-reference.md) | All commands and options |
| [Rules Reference](docs/rules-reference.md) | Complete list of 100+ security rules |
| [Configuration](docs/configuration.md) | `.hackmenot.yml` options |
| [CI Integration](docs/ci-integration.md) | GitHub Actions, GitLab, Jenkins, and more |
| [Custom Rules](docs/custom-rules.md) | Write your own security rules |
| [Contributing](docs/contributing.md) | How to contribute |

## Support

If hackmenot is useful to you, consider supporting its development:

[![Sponsor on Patreon](https://img.shields.io/badge/Patreon-Support-orange?logo=patreon)](https://patreon.com/b0rd3aux)

---

## Contributing

Contributions are welcome! See [Contributing Guide](docs/contributing.md) for details.

## License

Apache 2.0 - see [LICENSE](LICENSE) for details.
