Dotfiles-nix ast-grep-code-analysis

Use when analyzing complex codebases for security vulnerabilities, performance issues, and structural patterns - provides systematic AST-based approach using ast-grep for comprehensive code understanding beyond manual inspection

install

source · Clone the upstream repo

git clone https://github.com/not-matthias/dotfiles-nix

Claude Code · Install into ~/.claude/skills/

T=$(mktemp -d) && git clone --depth=1 https://github.com/not-matthias/dotfiles-nix "$T" && mkdir -p ~/.claude/skills && cp -r "$T/modules/home/programs/cli-agents/shared/skills/ast-grep-code-analysis" ~/.claude/skills/not-matthias-dotfiles-nix-ast-grep-code-analysis && rm -rf "$T"

manifest: modules/home/programs/cli-agents/shared/skills/ast-grep-code-analysis/SKILL.md

source content

AST-Grep Code Analysis

[!NOTE] This skill requires
ast-grep
to be installed and available in
PATH
.

Overview

AST-Grep Code Analysis uses Abstract Syntax Tree pattern matching to systematically identify code issues, replacing manual line-by-line inspection with structural pattern recognition.

Core principle: Code structure reveals more than surface reading - AST patterns expose hidden relationships, security vulnerabilities, and architectural issues that manual inspection misses.

When to Use

digraph when_to_use {
    "Need to analyze code?" [shape=diamond];
    "Complex/nested structure?" [shape=diamond];
    "Security review needed?" [shape=diamond];
    "Performance analysis?" [shape=diamond];
    "Use ast-grep patterns" [shape=box];
    "Manual review sufficient" [shape=box];

    "Need to analyze code?" -> "Complex/nested structure?" [label="yes"];
    "Complex/nested structure?" -> "Security review needed?" [label="yes"];
    "Security review needed?" -> "Performance analysis?" [label="yes"];
    "Performance analysis?" -> "Use ast-grep patterns" [label="yes"];
    "Complex/nested structure?" -> "Manual review sufficient" [label="no"];
    "Security review needed?" -> "Manual review sufficient" [label="no"];
    "Performance analysis?" -> "Manual review sufficient" [label="no"];
}

Use when:

Code has nested functions, complex control flow, or multiple abstraction layers
Security review required (authentication, authorization, data handling)
Performance analysis needed (React hooks, loops, async patterns)
Large codebase where manual inspection is impractical
Need to identify patterns across multiple files
Time pressure requires systematic approach over ad-hoc analysis

Do NOT use when:

Simple, straightforward code (< 50 lines)
Single-file utilities with obvious structure
When quick glance is sufficient for the task

Core Pattern

Before (Manual Inspection):

// Agent manually reads line by line
if (data[i].admin) {
  userObj.token = generateToken(data[i].id); // "This looks insecure"
}

After (AST Pattern Matching):

# ast-grep rule: insecure-token-generation
rule:
  pattern: |
    function $FUNC($ARGS) {
      const secret = $SECRET;
      return btoa(JSON.stringify($PAYLOAD) + '.' + $SECRET);
    }
  meta:
    severity: ERROR
    message: "Hardcoded secret in token generation"

Quick Reference

Analysis Type	AST Pattern Focus	Common Issues Found
Security	String literals in crypto functions	Hardcoded secrets, weak encryption
Performance	React hooks dependencies	Infinite re-renders, memory leaks
Structure	Function nesting depth	Complex control flow, maintainability
Data Flow	Variable assignments and usage	Unused variables, implicit dependencies

Implementation

Installation and Setup

# Confirm ast-grep is available
ast-grep --version

# Initialize configuration
ast-grep init

# Create rules directory
mkdir -p sg-rules/security sg-rules/performance sg-rules/structure

Essential Security Patterns

Hardcoded Secrets Detection:

# sg-rules/security/hardcoded-secrets.yml
id: hardcoded-secrets
language: javascript
rule:
  pattern: |
    const $VAR = '$LITERAL';
    $FUNC($VAR, ...)
  meta:
    severity: ERROR
    message: "Potential hardcoded secret detected"

Insecure Token Generation:

# sg-rules/security/insecure-tokens.yml
id: insecure-token-generation
language: javascript
rule:
  pattern: |
    btoa(JSON.stringify($OBJ) + '.' + $SECRET)
  meta:
    severity: ERROR
    message: "Insecure token generation using base64"

Performance Pattern Detection

React Hook Dependencies:

# sg-rules/performance/react-hook-deps.yml
id: react-hook-dependency-array
language: typescript
rule:
  pattern: |
    useEffect(() => {
      $BODY
    }, [$FUNC])
  meta:
    severity: WARNING
    message: "Function dependency in useEffect may cause infinite re-renders"

Missing useCallback Optimization:

# sg-rules/performance/missing-use-callback.yml
id: missing-use-callback
language: typescript
rule:
  pattern: |
    const $FUNC = ($ARGS) => {
      $BODY
    };
  inside:
    kind: function_declaration
    has:
      kind: arrow_function
  meta:
    severity: INFO
    message: "Consider wrapping function in useCallback for optimization"

Structural Analysis Patterns

Deep Nesting Detection:

# sg-rules/structure/deep-nesting.yml
id: deep-nesting
language: javascript
rule:
  any:
    - pattern: |
        if ($COND1) {
          if ($COND2) {
            if ($COND3) {
              $BODY
            }
          }
        }
    - pattern: |
        for ($INIT) {
          for ($INIT2) {
            for ($INIT3) {
              $BODY
            }
          }
        }
  meta:
    severity: WARNING
    message: "Deep nesting detected - consider refactoring"

Running Analysis

# Run all security rules
ast-grep run -r sg-rules/security/

# Run performance analysis on React components
ast-grep run -r sg-rules/performance/ --include="*.tsx,*.jsx"

# Generate comprehensive report
ast-grep run -r sg-rules/ --format=json > analysis-report.json

# Interactive analysis
ast-grep run -r sg-rules/ --interactive

Common Mistakes

Mistake	Why It Happens	Fix
Too generic patterns	Trying to catch everything	Focus on specific, high-impact patterns
Missing context	Patterns don't consider surrounding code	Use `inside` and `has` constraints
False positives	Overly broad matching	Add negative constraints with `not`
Language-specific assumptions	JavaScript patterns applied to TypeScript	Create separate rules per language
No severity prioritization	All issues marked as error	Use appropriate severity levels

Real-World Impact

Before AST Analysis:

Manual code review: 2-3 hours for medium codebase
Missed security vulnerabilities: 40-60%
Inconsistent analysis between reviewers
No systematic approach to pattern detection

After AST Analysis:

Automated pattern detection: 5-10 minutes
Security vulnerability detection: 90%+
Consistent, repeatable analysis
Comprehensive coverage of known anti-patterns

Example Results:

$ ast-grep run -r sg-rules/
src/components/UserProfile.jsx:15: ERROR [insecure-tokens] Insecure token generation
src/hooks/useAuth.js:8: ERROR [hardcoded-secrets] Potential hardcoded secret
src/components/UserProfile.jsx:23: WARNING [react-hook-deps] Function dependency may cause re-renders
src/utils/processData.js:45: WARNING [deep-nesting] Deep nesting detected

Found 4 issues (2 errors, 2 warnings)

Integration Workflow

Setup: Create rule sets for security, performance, structure
Baseline: Run analysis on existing codebase to establish patterns
Iterate: Refine rules based on false positives/negatives
Automate: Integrate into CI/CD pipeline for continuous analysis
Monitor: Track issue reduction over time

Required Background: Understanding of AST concepts, pattern matching, and code structure analysis. AST patterns reveal what manual inspection misses - systematic, comprehensive, and repeatable code analysis.