Show HN: Hackmenot – Security scanner for AI-generated code
1 points
6 hours ago
| 0 comments
| github.com
| HN
Hey HN! I built hackmenot because I kept seeing the same security vulnerabilities in AI-generated code.

The problem: AI assistants optimize for "code that works," not "code that's secure." They routinely generate SQL injection via f-strings, hardcode API keys, use os.system() with user input, and pick weak crypto like MD5.

What hackmenot does:

- 100+ rules purpose-built for AI code patterns
- Python, JavaScript, Go, Terraform
- Auto-fix mode (hackmenot scan . --fix)
- Detects hallucinated packages (dependencies AI made up that don't exist)
- Sub-second scans with caching
- GitHub Action with SARIF support

Install: pip install hackmenot

It's Apache 2.0, no API keys needed, works offline.

Would love feedback on the rules coverage and any patterns I'm missing. Happy to answer questions!
No one has commented on this post.
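The four patterns the post names (SQL built with f-strings, hardcoded API keys, os.system() on non-literal input, MD5) can each be matched on Python's AST. Below is an added example of how rules of that kind work, written for this page; it is not hackmenot's code and says nothing about how that project's rules are implemented. The rule IDs, the `Finding` type, the secret-name regex and the sample source it scans are all constructed here, and the key string in the sample is a placeholder, not a real credential.

```python
import ast
import re
from dataclasses import dataclass

# Assumptions for this example (not hackmenot's): rule IDs, the name pattern
# used to spot credential variables, the weak-hash set and the shell sinks.
SECRET_NAME = re.compile(r"(api_?key|secret|token|passw(or)?d)", re.IGNORECASE)
WEAK_HASHES = {"md5", "sha1"}
SHELL_SINKS = {"os.system", "os.popen"}


@dataclass(frozen=True)
class Finding:
    rule: str
    line: int
    message: str


def _dotted_name(node):
    """Flatten an attribute chain such as hashlib.md5 to 'hashlib.md5'; None otherwise."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def _is_str_literal(node):
    return isinstance(node, ast.Constant) and isinstance(node.value, str)


def _is_formatted_string(node):
    """True for f"..", ".." + x, ".." % x and "..".format(x): strings assembled at runtime."""
    if isinstance(node, ast.JoinedStr):
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True
    return (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format" and _is_str_literal(node.func.value))


class _Rules(ast.NodeVisitor):
    def __init__(self):
        self.findings = []

    def _report(self, rule, node, message):
        self.findings.append(Finding(rule, node.lineno, message))

    def visit_Assign(self, node):
        # Hardcoded credential: a secret-looking name assigned a string literal.
        for target in node.targets:
            if (isinstance(target, ast.Name) and SECRET_NAME.search(target.id)
                    and _is_str_literal(node.value) and len(node.value.value) >= 8):
                self._report("HARDCODED_SECRET", node,
                             f"{target.id} is a string literal; read it from the environment or a secret store")
        self.generic_visit(node)

    def visit_Call(self, node):
        name = _dotted_name(node.func)
        first = node.args[0] if node.args else None
        # SQL injection: a query assembled by string formatting handed straight to execute().
        if (isinstance(node.func, ast.Attribute) and node.func.attr in ("execute", "executemany")
                and _is_formatted_string(first)):
            self._report("SQL_INJECTION", node, "query built with string formatting; use a parameterised query")
        # Shell injection: os.system()/os.popen() with anything but a fixed literal command.
        if name in SHELL_SINKS and first is not None and not _is_str_literal(first):
            self._report("SHELL_INJECTION", node, f"{name} called with a non-literal command; use subprocess with an argument list")
        # Weak hash: hashlib.md5()/sha1() directly, or selected by name via hashlib.new().
        if name and name.startswith("hashlib.") and name.split(".")[-1] in WEAK_HASHES:
            self._report("WEAK_HASH", node, f"{name} is not collision resistant; use sha256 or stronger")
        elif name == "hashlib.new" and _is_str_literal(first) and first.value.lower() in WEAK_HASHES:
            self._report("WEAK_HASH", node, f"hashlib.new({first.value!r}) selects a weak hash")
        self.generic_visit(node)


def scan_source(source: str):
    """Parse Python source and return findings ordered by line."""
    rules = _Rules()
    rules.visit(ast.parse(source))
    return sorted(rules.findings, key=lambda f: (f.line, f.rule))


# Constructed sample for this example; each risky line is followed by a safe counterpart.
SAMPLE = '''\
import os, hashlib, sqlite3
API_KEY = "EXAMPLE-NOT-A-REAL-KEY-0123"
def lookup(db, user):
    cur = db.cursor()
    cur.execute(f"SELECT * FROM users WHERE name = '{user}'")
    cur.execute("SELECT * FROM users WHERE name = ?", (user,))
    return cur.fetchall()
def archive(path):
    os.system("tar czf backup.tgz " + path)
    os.system("ls -l /var/backups")
def digest(data):
    return hashlib.md5(data).hexdigest()
def ok_digest(data):
    return hashlib.sha256(data).hexdigest()
'''

if __name__ == "__main__":
    for f in scan_source(SAMPLE):
        print(f"line {f.line}: {f.rule}: {f.message}")
```

Run as a script it reports lines 2, 5, 9 and 12 of the sample and stays quiet on the parameterised query, the literal command and sha256. Two caveats worth keeping in mind when evaluating any scanner of this kind: the SQL rule above only sees formatting at the call site, so a query built into a variable and passed to execute() later is missed without dataflow tracking, and the hash rule flags every md5()/sha1() call even when it is a non-security checksum (for example with usedforsecurity=False), so triage is still needed.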