Hey HN! We’re Jai and Sanket, co-founders of DeepSource (YC W20). We're open-sourcing Globstar (https://github.com/DeepSourceCorp/globstar), a static analysis toolkit that lets you easily write and run custom code quality and security checkers in YAML [1] or Go [2].
After 5+ years of building AST-based static analyzers that process millions of lines of code daily at DeepSource, we kept hearing a common request from customers: "How do we write custom checks specific to our codebase?" AppSec and DevOps teams have a lot of learned anti-patterns and security rules they want to enforce across their orgs, and being able to do that without being a static analysis expert, came up as an important want.
We initially built an internal framework using tree-sitter [3] for our proprietary infrastructure-as-code analyzers, which enabled us to rapidly create new checkers. We realized that making the framework open-source could solve this problem for everyone.
Our key insight was that writing checkers isn't the hard part anymore. Modern AI assistants like ChatGPT and Claude are excellent at generating tree-sitter queries with very high accuracy. We realized that the tree-sitters' gnarly s-expression syntax isn’t a problem anymore (since the AI will be doing all the generation anyway), and we can instead focus on building a fast, flexible, and reliable checker runtime around it.
So instead of creating yet another DSL, we use tree-sitter's native query syntax. Yes, the expressions look more complex than simplified DSLs, but they give you direct access to your code's actual AST structure – which means your rules work exactly as you'd expect them to. When you need to debug a rule, you're working with the actual structure of your code, not an abstraction that might hide important details.
We've also designed Globstar to have a gradual learning curve: The YAML interface works well for simple checkers, and the Go Interface can handle complex scenarios when you need features like cross-file analysis, scope resolution, data flow analysis, and context awareness. The Go API gives you direct access to tree-sitter bindings, so you can write arbitrarily complex checkers on day one.
Key features:
- Written in Go with native tree-sitter bindings, distributed as a single binary
- MIT-licensed
- Write all your checkers in a “.globstar” folder in your repo, in YAML or Go, and just run “globstar check” without any build steps
- Multi-language support through tree-sitter (20+ languages today)
We have a long way to go and a very exciting roadmap for Globstar, and we’d love to hear your feedback!
[1] https://globstar.dev/guides/writing-yaml-checker
[2] https://globstar.dev/guides/writing-go-checker
[3] https://tree-sitter.github.io/tree-sitter/
Comments URL: https://news.ycombinator.com/item?id=43207942
Points: 9
# Comments: 0
Connectez-vous pour ajouter un commentaire
Autres messages de ce groupe
Article URL: https://www.cbc.ca/radio/asithappens/tooth-in-eye-surgery-canada-1.7470626
Comments URL
Article URL: https://arxiv.org/abs/2502.18864
Comments URL: https://news.ycombinator.c
Article URL: https://github.com/salesforce/Merlion
Comments URL: https://news.yco
