With all the news about AI-generated code causing production issues (Amazon outage this week, NYT piece on vibe coding), I wanted to share the free toolstack I use to catch problems before they ship.
All of these run locally, no cloud services needed:
shellcheck — If you write any bash scripts (or AI generates them for you), this is non-negotiable. Catches unquoted variables, word splitting issues, POSIX compatibility problems. Install: sudo apt install shellcheck or pacman -S shellcheck
semgrep — Pattern-based static analysis. The community rulesets catch OWASP Top 10 patterns across Python, JS, Go, Java, Ruby. pip install semgrep && semgrep --config p/security-audit .
bandit (Python-specific) — Finds hardcoded passwords, eval/exec usage, insecure crypto, shell injection patterns. pip install bandit && bandit -r your_project/
trivy — Container image AND filesystem vulnerability scanning. Checks your dependencies against CVE databases. trivy fs . scans your project directory.
pre-commit — The glue that makes everything automatic:
    # .pre-commit-config.yaml
    repos:
      - repo: https://github.com/koalaman/shellcheck-precommit
        rev: <release-tag>  # placeholder: pre-commit requires a pinned tag or commit here
        hooks:
          - id: shellcheck
      - repo: https://github.com/PyCQA/bandit
        rev: <release-tag>  # placeholder: pin to a bandit release tag
        hooks:
          - id: bandit
Run pip install pre-commit && pre-commit install once, and every commit runs the checks automatically.
The key insight: AI tools generate confident-looking code that often has subtle security problems — SQL injection, hardcoded secrets, missing input validation. These tools catch most of those issues with zero ongoing effort after initial setup.
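To make that concrete, here is an added example (mine, not code from the post) of the SQL-built-by-string-formatting pattern that bandit reports as B608 and semgrep's security rules also flag, beside the parameterized fix; the in-memory users table, its two rows and the probe string are constructed for the demo.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data: a lookup for "alice" must never return the other row.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("victim", "victim@example.com")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    # Query text assembled from untrusted input: this is what bandit B608
    # (hardcoded_sql_expressions) and semgrep's SQL rules point at.
    query = f"SELECT email FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(query)]


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    # Parameterized query: the driver binds `name` as a value, never as SQL text,
    # so quote characters in the input cannot change the statement.
    return [row[0] for row in conn.execute(
        "SELECT email FROM users WHERE name = ?", (name,)
    )]


# Constructed probe string: a quote plus an always-true clause. With the
# vulnerable function it widens the WHERE clause to every row; with the safe
# function it is just a username nobody has.
PROBE = "alice' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", lookup_vulnerable(db, PROBE))  # both rows
    print("safe:      ", lookup_safe(db, PROBE))        # []
```

Running bandit -r on a file containing lookup_vulnerable is a quick way to confirm your pre-commit hook is actually wired up.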
What tools are you using for code quality/security?