Enterprise-grade static analysis with a security-first mindset
A professional, extensible and educational static code analysis platform designed to enforce security, reliability and maintainability standards before code reaches production.
Police of Code is a modern static analysis tool built with a clear philosophy: prevent problems, not incidents.
The project is inspired by internal security tooling used in large engineering organizations and is designed to look, feel and behave like a real-world product rather than a demo or toy project.
It serves three purposes simultaneously:
- A serious security-oriented static analyzer
- An educational reference for advanced JavaScript tooling
- A high-quality portfolio project showcasing architecture, UX and engineering discipline

- Security-focused static analysis
- Modular and extensible rule engine
- Clean, deterministic analysis results
- CI/CD friendly exit codes
- Minimalistic yet expressive CLI interface
- Human-readable and machine-readable outputs
- Educational, auditable codebase
```bash
npm install police-of-docs
```

Clone the repository and install dependencies:

```bash
git clone https://github.com/0xlayout/police-of-code.git
cd police-of-code
npm install
```

The CLI can be executed locally via:

```bash
npx police-of-code
```

Analyze a directory:

```bash
police-of-code scan ./src
```

Run system diagnostics:

```bash
police-of-code doctor
```

List all available rules:

```bash
police-of-code rules
```

Generate a default configuration file:

```bash
police-of-code init
```

```
police-of-code <command> [options]
```
| Command | Description |
|---|---|
| `scan` | Analyze a file or directory |
| `doctor` | Run environment diagnostics |
| `rules` | List available analysis rules |
| `init` | Create a default configuration file |
| Option | Description | Default |
|---|---|---|
| `--mode <mode>` | Reporting tone (serious, sarcastic) | serious |
| `--format <format>` | Output format (console, json) | console |
| `--severity <level>` | Minimum reported severity | low |
| `--fail-on <level>` | Exit with error on severity | critical |
| `--json-output <file>` | Write JSON report to file | - |
```
police-of-code/
├── src/
│   ├── cli.js
│   ├── analyzer.js
│   ├── parser.js
│   ├── ruleEngine.js
│   ├── rules/
│   ├── reporter.js
│   └── personality.js
├── examples/
├── tests/
├── README.md
└── SECURITY.md
```
The architecture is intentionally layered and modular. Each component has a single responsibility and can evolve independently.
| Rule | Category | Severity |
|---|---|---|
| `hardcodedSecrets` | Security | Critical |
| `sqlInjection` | Injection | Critical |
| `emptyCatch` | Reliability | Medium |
| `longFunctions` | Maintainability | Low |
```javascript
const apiKey = "sk_test_1234567890";
```

Result:

```
CRITICAL Hardcoded secret detected
Location: badCode.js:1
```

```javascript
db.query("SELECT * FROM users WHERE id = " + userId);
```

Result:

```
CRITICAL Possible SQL injection detected
```
Police of Code produces deterministic results suitable for both humans and automation.
```
Scan completed
2 Critical violations
1 Medium violation
Exit code: 2
```
This makes the tool ideal for CI/CD pipelines.
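To make the rule-engine and exit-code flow concrete, here is a small added illustration (not the project's own code) of the same pipeline: rules with a fixed category and severity, a `--severity` filter, deterministic ordering of findings, and a `--fail-on` threshold turned into a CI exit code. The line-based regex checks, the rule shapes and the "exit 2 on threshold" mapping are assumptions for the example; the real tool works on an AST.

```javascript
// Added example (not Police of Code's own code): a minimal line-based rule engine
// showing how findings are classified, filtered by --severity, ordered
// deterministically and mapped to a CI exit code by --fail-on. The rule checks
// and the exit-code mapping are assumptions modelled on the README tables.
const SEVERITY_RANK = { low: 0, medium: 1, high: 2, critical: 3 };

// Each rule has a stable id, a category, a fixed severity and a check() that
// returns true when a single source line violates it.
const RULES = [
  { id: "hardcodedSecrets", category: "Security", severity: "critical",
    // a string literal assigned to an identifier that looks like a credential
    check: (line) => /\b\w*(key|secret|token|password)\w*\s*=\s*["'`][^"'`]+["'`]/i.test(line) },
  { id: "sqlInjection", category: "Injection", severity: "critical",
    // an SQL keyword inside a string literal that is then concatenated with a variable
    check: (line) => /["'`]\s*(SELECT|INSERT|UPDATE|DELETE)\b[^"'`]*["'`]\s*\+/i.test(line) },
  { id: "emptyCatch", category: "Reliability", severity: "medium",
    check: (line) => /catch\s*(\([^)]*\))?\s*\{\s*\}/.test(line) },
];

// Run every rule over every line; findings are sorted by line, then rule id,
// so the report is identical regardless of rule registration order.
function analyze(source, fileName, options = {}) {
  const minSeverity = SEVERITY_RANK[options.severity ?? "low"];
  const findings = [];
  source.split("\n").forEach((line, index) => {
    for (const rule of RULES) {
      if (SEVERITY_RANK[rule.severity] >= minSeverity && rule.check(line)) {
        findings.push({ rule: rule.id, severity: rule.severity, file: fileName, line: index + 1 });
      }
    }
  });
  return findings.sort((a, b) => a.line - b.line || a.rule.localeCompare(b.rule));
}

// Assumed mapping: exit 2 when any finding reaches the --fail-on threshold, else 0.
function exitCode(findings, failOn = "critical") {
  const threshold = SEVERITY_RANK[failOn];
  return findings.some((f) => SEVERITY_RANK[f.severity] >= threshold) ? 2 : 0;
}

// Constructed sample input: the README's two snippets plus an empty catch block.
const SAMPLE = [
  'const apiKey = "sk_test_1234567890";',
  'db.query("SELECT * FROM users WHERE id = " + userId);',
  'try { db.connect(); } catch (err) {}',
].join("\n");

const findings = analyze(SAMPLE, "badCode.js");
console.log(findings, "exit code:", exitCode(findings)); // 2 critical, 1 medium, exit code 2
```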
Create a configuration file:
```bash
police-of-code init
```

Example configuration:

```json
{
  "mode": "serious",
  "format": "console",
  "severity": "low",
  "failOn": "critical"
}
```

Police of Code demonstrates real-world concepts such as:
- AST parsing and traversal
- Rule engines and policy enforcement
- Severity classification models
- CLI UX and ergonomics
- Deterministic analysis design
- Secure-by-design development philosophy
Police of Code is not a replacement for professional security audits, penetration testing or runtime protection systems. It is intended as a static analysis and educational tool.
Crafted by 0xlayout