shaudit shadow-auditor
AI CODE VERIFICATION

Verify what your
AI just wrote.
One static binary.

A Rust CLI that audits AI-generated code. Detects hallucinated imports, hardcoded secrets, known-vulnerable dependencies, and untested invariants — one static binary, SARIF output for GitHub Code Scanning.

MIT / Apache-2.0 · Rust 2021 · v0.1.0-wip · 6 verifiers

six verifiers

  • secrets: 218 gitleaks rules + AST context + entropy — catches API keys, JWTs, OAuth client secrets.
  • cve: RustSec advisory DB + OSV.dev — scans Rust, Node, Python, Go dependencies for known CVEs.
  • hallucination: rustc error codes + crate resolver — flags AI-invented imports and function calls.
  • deadcode: cargo lints + AST walk — flags unreachable-after-return paths and uncalled functions.
  • mutation: cargo-mutants wrapper; in --deep mode, runs mutation testing automatically on AI-tagged files.
  • property: auto-generates proptest harnesses — fuzz-based invariant checks for pure functions.
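To make the secrets bullet concrete, here is an added example (not shaudit's own code) of the two ingredients it names: a fixed-shape rule in the style of a gitleaks pattern and an entropy fallback for keys with no known shape, with a comment-line guard standing in for the AST context that keeps dead or commented-out literals from being reported. The thresholds, the rule names and the sample source are assumptions; the AKIA value is the AWS documentation example id, not a real credential.

```rust
// Added example, not shaudit's own code: entropy-gated secret detection over
// string literals, with a comment guard in place of real AST context.
// Thresholds, rule names and the sample source are assumptions.
use std::collections::HashMap;

/// Shannon entropy of `s` in bits per character.
/// "aaaa" -> 0.0, "abcd" -> 2.0, 20 distinct chars -> log2(20) ~= 4.32.
pub fn shannon_entropy(s: &str) -> f64 {
    let n = s.chars().count() as f64;
    if n == 0.0 {
        return 0.0;
    }
    let mut counts: HashMap<char, usize> = HashMap::new();
    for c in s.chars() {
        *counts.entry(c).or_insert(0) += 1;
    }
    counts
        .values()
        .map(|&k| {
            let p = k as f64 / n;
            -p * p.log2()
        })
        .sum()
}

/// Double-quoted literals on one line. Assumes no escaped quotes (demo only).
fn string_literals(line: &str) -> Vec<&str> {
    line.split('"').skip(1).step_by(2).collect()
}

#[derive(Debug, PartialEq)]
pub struct SecretFinding {
    pub line: usize,
    pub rule: &'static str,
    pub entropy: f64,
}

const MIN_LEN: usize = 20; // assumed cut-off: shorter literals are rarely credentials
const MIN_ENTROPY: f64 = 3.5; // assumed cut-off, in bits per character

/// Two detectors per literal: the AWS access key id shape (as gitleaks has it)
/// and an entropy fallback that catches opaque tokens with no known prefix.
pub fn scan_source(src: &str) -> Vec<SecretFinding> {
    let mut out = Vec::new();
    for (i, raw) in src.lines().enumerate() {
        let line = raw.trim_start();
        // AST-context stand-in: a literal inside a comment is not live config.
        if line.starts_with("//") {
            continue;
        }
        for lit in string_literals(line) {
            let entropy = shannon_entropy(lit);
            let aws_shape = lit.len() == 20
                && lit.starts_with("AKIA")
                && lit.chars().all(|c| c.is_ascii_uppercase() || c.is_ascii_digit());
            if aws_shape {
                out.push(SecretFinding { line: i + 1, rule: "aws-access-key-id", entropy });
            } else if lit.len() >= MIN_LEN && entropy >= MIN_ENTROPY && !lit.contains(' ') {
                // Spaces mean prose, which is high-entropy but not a key.
                out.push(SecretFinding { line: i + 1, rule: "high-entropy-string", entropy });
            }
        }
    }
    out
}

/// Constructed sample input; the AKIA value is the AWS documentation example id.
pub const SAMPLE: &str = r#"// let old = "AKIAIOSFODNN7EXAMPLE"; // dead comment, not live config
let region = "us-east-1";
let key = "AKIAIOSFODNN7EXAMPLE";
let msg = "hello world this is a plain message";
let token = "q7Zx2LmP9kRv4TbN8wYc";
"#;

fn main() {
    for f in scan_source(SAMPLE) {
        println!("line {}: {} (entropy {:.2} bits/char)", f.line, f.rule, f.entropy);
    }
}
```

On the sample, the commented-out key on line 1 is ignored, the key on line 3 fires the shape rule, the prose on line 4 is skipped because of its spaces, and the opaque token on line 5 is caught by entropy alone. Entropy without context is the classic false-positive source (hashes, base64 test fixtures, minified assets), which is why a real verifier pairs it with the AST position of the literal rather than a comment-prefix check.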

flow

  1. Discovery: walks the repo manifests (cargo, package.json, pyproject) and discovers every package type present.
  2. Parsing: tree-sitter produces an AST per file; verifiers operate over the AST.
  3. AI provenance: eight signals score each commit and file for AI authorship; high-scoring files become mutation/property candidates.
  4. SARIF report: output conforms to SARIF, so GitHub Code Scanning displays findings inline on PR diffs.
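The final step of the flow is the SARIF log. As an added example (not shaudit's own code), the block below builds a minimal SARIF 2.1.0 document with only the standard library, carrying the fields GitHub Code Scanning needs to attach a finding to a line in a PR diff: `tool.driver.name`, a `rules` array that each result's `ruleId` resolves against, and a `physicalLocation` with a repo-relative `uri` and a `startLine`. The tool name, rule ids and sample findings are assumptions.

```rust
// Added example, not shaudit's own code: a minimal SARIF 2.1.0 writer using
// only std, with the fields GitHub Code Scanning needs to place a finding on
// a PR diff. Tool name, rule ids and the sample findings are assumptions.

pub struct Finding {
    pub rule_id: &'static str,
    pub level: &'static str, // "error" | "warning" | "note"
    pub message: String,
    pub uri: String, // path relative to the repo root, forward slashes
    pub start_line: usize,
}

/// Quote and escape a string per RFC 8259; messages often carry user text.
pub fn json_escape(s: &str) -> String {
    let mut out = String::from("\"");
    for c in s.chars() {
        match c {
            '"' => out.push_str("\\\""),
            '\\' => out.push_str("\\\\"),
            '\n' => out.push_str("\\n"),
            '\r' => out.push_str("\\r"),
            '\t' => out.push_str("\\t"),
            c if (c as u32) < 0x20 => out.push_str(&format!("\\u{:04x}", c as u32)),
            c => out.push(c),
        }
    }
    out.push('"');
    out
}

// Tiny JSON builders so the nesting below reads like the SARIF schema.
fn obj(fields: &[(&str, String)]) -> String {
    let body: Vec<String> = fields.iter().map(|(k, v)| format!("{}:{}", json_escape(k), v)).collect();
    format!("{{{}}}", body.join(","))
}

fn arr(items: &[String]) -> String {
    format!("[{}]", items.join(","))
}

/// Build the SARIF log. `rules` is deduplicated so every result's ruleId
/// resolves against tool.driver.rules, which Code Scanning uses to group alerts.
pub fn to_sarif(tool: &str, findings: &[Finding]) -> String {
    let mut rule_ids: Vec<&str> = Vec::new();
    for f in findings {
        if !rule_ids.contains(&f.rule_id) {
            rule_ids.push(f.rule_id);
        }
    }
    let rules: Vec<String> = rule_ids.iter().map(|id| obj(&[("id", json_escape(id))])).collect();
    let results: Vec<String> = findings.iter().map(|f| {
        obj(&[
            ("ruleId", json_escape(f.rule_id)),
            ("level", json_escape(f.level)),
            ("message", obj(&[("text", json_escape(&f.message))])),
            ("locations", arr(&[obj(&[("physicalLocation", obj(&[
                ("artifactLocation", obj(&[("uri", json_escape(&f.uri))])),
                ("region", obj(&[("startLine", f.start_line.to_string())])),
            ]))])])),
        ])
    }).collect();
    obj(&[
        ("$schema", json_escape("https://json.schemastore.org/sarif-2.1.0.json")),
        ("version", json_escape("2.1.0")),
        ("runs", arr(&[obj(&[
            ("tool", obj(&[("driver", obj(&[("name", json_escape(tool)), ("rules", arr(&rules))]))])),
            ("results", arr(&results)),
        ])])),
    ])
}

/// Constructed findings, shaped like what a secrets and a hallucination
/// verifier might emit; paths and line numbers are made up.
pub fn sample_findings() -> Vec<Finding> {
    vec![
        Finding { rule_id: "aws-access-key-id", level: "error", message: "AWS access key id in string literal".into(), uri: "src/config.rs".into(), start_line: 3 },
        Finding { rule_id: "hallucinated-import", level: "warning", message: "crate \"tokio_magic\" is not in Cargo.lock".into(), uri: "src/main.rs".into(), start_line: 7 },
    ]
}

fn main() {
    println!("{}", to_sarif("shaudit", &sample_findings()));
}
```

Two details matter when wiring this into CI: the `uri` must be relative to the checkout root or Code Scanning cannot map the alert onto the diff, and `level` is what GitHub surfaces as severity, so the verifier that emits a finding should set it deliberately rather than default everything to "warning". The file is uploaded with the `github/codeql-action/upload-sarif` action.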

features

  • Single static binary: cargo install gives you one file — no runtime deps, fits into any CI lane.
  • SARIF output: standard format → GitHub Code Scanning, GitLab Security and Sonar all render findings inline.
  • Self-dogfood: at the end of Week 6, shaudit reported zero findings on its own source. A real production exercise.
  • Fast + parallel: tree-sitter via Rust bindings, parallel scan. About 10K LoC typically completes in under 10 s.
  • --deep mode: mutation and property testing are expensive, so they run only on AI-provenance hits. CI cost stays low.
  • AGPL/MIT/Apache-2.0: vendored gitleaks rules are MIT; the main project is dual-licensed. Commercial-friendly.

install

Two ways — build with cargo or download the binary from GitHub Releases.

Via cargo

cargo install --git https://github.com/Lavescar-dev/shadow-auditor shaudit-cli

# or clone
git clone https://github.com/Lavescar-dev/shadow-auditor
cd shadow-auditor && cargo run -p shaudit-cli -- audit ./

Prebuilt binary

Grab the static shaudit binary for Linux/macOS/Windows from GitHub Releases, drop it into your PATH, and run it.

© 2026 Lavescar · SvelteKit + Cloudflare Pages