LLM-agent repo audit: lint/types/security/deps/perf/a11y breakdowns + dependency intelligence #26
Labels
No milestone
No project
No assignees
1 participant
Notifications
Due date
No due date set.
Dependencies
No dependencies set
Reference
Motstandskraft/spam#26
Loading…
Reference in a new issue
No description provided.
Delete branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Goal
Expand the repo check into an LLM-agent-driven, multi-dimension code & dependency audit. For a given repo/commit, an agent runs (and reasons over) checks across several breakdowns and produces a structured, scored report — combining classic tooling output (ESLint, tsc, linters, dependency advisories) with LLM analysis, cross-referenced with the CVE/KEV/EPSS results SPAM already has.
Breakdowns (inspired by
dagmawibabi/projectlens): security, dependencies, performance, environment, documentation, types, lint, tests, accessibility, network.Includes a potential new dependency-intelligence feature: an LLM agent that, for all dependencies, does security analysis and finds dead / abandoned / unused dependencies (beyond what version-bump metadata shows).
What already exists (reuse)
CREATE_RUNjob + sandboxed K8s runner (internal/runner,internal/jobs): already clones a repo at a commit and runs a suite of checks (secret probe, etc.) in an isolated pod with SecurityContext + NetworkPolicy. This is where the agent / linters run — never in the API process.internal/llmadvisory(OpenAI-compatible, pluggable Open WebUI / vLLM, encrypted keys, streaming, caching keyed by a signals hash). Extend with new use cases per breakdown, or onerepo_audituse case with structured output.asset_risk,vuln_canonical_summary, unified vuln views.internal/dephealth(activity, deprecation, stars,ArchivedDepCount,DeprecatedDepCount,MaxMajorBehind,WorstDepHealthScore) — the "dead dependency" feature should extend this, not duplicate it.internal/manifests(lockfiles, package.json, etc.).asset_riskscoring for the security breakdown.Proposed design
Audit run
REPO_AUDIT(or extendCREATE_RUN) producing arepo_auditrecord per (repo_commit, breakdown) with a score + findings + LLM narrative.tsc --noEmit, framework linters,npm audit/equivalent, test runner if cheap), capture raw output as artifacts (likeImageScanArtifactblobs).Breakdown model
repo_audit_finding{audit_id, breakdown, severity, title, detail, file?, line?, source: tool|llm, remediation}. Breakdowns: security / dependencies / performance / environment / documentation / types / lint / tests / accessibility / network. UI shows a per-repo scorecard (one card per breakdown) + drill-in.Dependency intelligence (sub-feature, can be its own issue)
LLM agent over the full dependency graph (
manifests+dephealth):dephealth(archived/deprecated/last-release age) with LLM read of repo + advisories.Edge cases / decisions
manifests).npm auditetc. need controlled registry access.audit.completed).providerconfiggit PATs (encrypted).Tasks
repo_audit/repo_audit_findingmodels (+ migration)REPO_AUDITjob: run linters/tsc/test/audit tools in runner pod, capture artifactsllmadvisorywith structured output + evidence-citation guardrailsdephealthinto the security & dependencies breakdownsdephealth) — consider splitting into its own issueaudit.completedevent for notificationsRelates to: notifications epic; public scan API (expandable results); suppression epic (suppress audit findings).