https://github.com/bumahkib7/rust-monorepo-analyzer
Ultra-fast Rust-native code intelligence and security analysis platform for large enterprise monorepos. Leverages tree-sitter for polyglot parsing, rayon for parallelism, and tantivy for indexing.
https://github.com/bumahkib7/rust-monorepo-analyzer
cli code-analysis dependency-analysis developer-tools monorepo rust static-analysis
Last synced: 5 months ago
JSON representation
Ultra-fast Rust-native code intelligence and security analysis platform for large enterprise monorepos. Leverages tree-sitter for polyglot parsing, rayon for parallelism, and tantivy for indexing.
- Host: GitHub
- URL: https://github.com/bumahkib7/rust-monorepo-analyzer
- Owner: bumahkib7
- License: mit
- Created: 2026-01-30T21:03:47.000Z (5 months ago)
- Default Branch: master
- Last Pushed: 2026-02-02T14:56:36.000Z (5 months ago)
- Last Synced: 2026-02-02T15:33:32.502Z (5 months ago)
- Topics: cli, code-analysis, dependency-analysis, developer-tools, monorepo, rust, static-analysis
- Language: Rust
- Size: 1.14 MB
- Stars: 1
- Watchers: 0
- Forks: 0
- Open Issues: 1
-
Metadata Files:
- Readme: README.md
- Changelog: CHANGELOG.md
- Contributing: CONTRIBUTING.md
Awesome Lists containing this project
README
# RMA - Rust Monorepo Analyzer
[](https://github.com/bumahkib7/rust-monorepo-analyzer/actions/workflows/ci.yml)
[](https://github.com/bumahkib7/rust-monorepo-analyzer/releases)
[](https://crates.io/crates/rma-cli)
[](https://ghcr.io/bumahkib7/rma)
[](https://github.com/bumahkib7/homebrew-tap)
[](https://www.rust-lang.org)
[](LICENSE)
**Ultra-fast Rust-native code intelligence and security analysis platform for large enterprise monorepos.**
RMA leverages tree-sitter for polyglot parsing, rayon for parallelism, and tantivy for blazing-fast indexing to deliver sub-minute scans on million-LOC codebases.
## Quick Install
**npm (Node.js):**
```bash
npm install -g rma-cli
```
**Homebrew (macOS/Linux):**
```bash
brew tap bumahkib7/tap
brew install rma
```
**Cargo (Rust):**
```bash
cargo install rma-cli
```
**Shell Script (Linux/macOS):**
```bash
curl -fsSL https://raw.githubusercontent.com/bumahkib7/rust-monorepo-analyzer/master/install.sh | bash
# Install specific version
VERSION=0.12.0 curl -fsSL https://raw.githubusercontent.com/bumahkib7/rust-monorepo-analyzer/master/install.sh | bash
```
**Windows PowerShell:**
```powershell
iwr -useb https://raw.githubusercontent.com/bumahkib7/rust-monorepo-analyzer/master/install.ps1 | iex
```
**Docker:**
```bash
docker run -v $(pwd):/workspace ghcr.io/bumahkib7/rma scan /workspace
```
**GitHub Actions:**
```yaml
- uses: bumahkib7/rust-monorepo-analyzer/.github/actions/rma-scan@master
with:
path: '.'
upload-sarif: true
```
**Pre-commit:**
```yaml
# .pre-commit-config.yaml
repos:
- repo: https://github.com/bumahkib7/rust-monorepo-analyzer
rev: v0.12.0
hooks:
- id: rma
```
## Supported Languages
| Language | Extensions | Security Rules | Metrics |
|----------|------------|----------------|---------|
| Rust | `.rs` | unsafe blocks, unwrap, panic | complexity, LOC |
| JavaScript | `.js`, `.jsx`, `.mjs` | XSS, injection, secrets | complexity, LOC |
| TypeScript | `.ts`, `.tsx` | XSS, injection, secrets | complexity, LOC |
| Python | `.py` | exec, shell injection, secrets | complexity, LOC |
| Go | `.go` | unsafe, SQL injection | complexity, LOC |
| Java | `.java` | injection, crypto issues | complexity, LOC |
## Features
- **Polyglot Support**: Rust, JavaScript/TypeScript, Python, Go, Java
- **Parallel Parsing**: Multi-threaded AST parsing with tree-sitter
- **Security Analysis**: Detect vulnerabilities, unsafe patterns, hardcoded secrets
- **Rich Diagnostics**: Rustc-style error output with source context and error codes
- **AI-Powered Analysis**: Optional AI-assisted vulnerability detection with `--ai` flag
- **Code Metrics**: Cyclomatic complexity, cognitive complexity, LOC
- **Fast Indexing**: Tantivy-based full-text search
- **Incremental Mode**: Only re-analyze changed files
- **Multiple Output Formats**: Text, JSON, SARIF, Compact, Markdown, GitHub
- **Real-time Watch Mode**: WebSocket-based live updates with interactive keyboard controls
- **HTTP API**: Daemon mode with WebSocket support for IDE integration
- **IDE Integrations**: VS Code, Neovim, JetBrains, and Web Dashboard
- **Doctor Command**: Health check for RMA installation (`rma doctor`)
- **Duplicate Detection**: Find copy-pasted functions across your codebase
- **WASM Plugins**: Extend with custom analysis rules
- **External Providers**: Optional integration with PMD for enhanced Java analysis
- **Shell Completions**: Bash, Zsh, Fish, PowerShell, Elvish
## Quick Start
```bash
# Scan current directory
rma scan .
# Scan with AI-powered analysis
rma scan ./src --ai
# Scan with JSON output for CI/CD
rma scan . --output json -f results.json
# Scan with SARIF output for GitHub Code Scanning
rma scan . --output sarif -f results.sarif
# Watch mode for continuous analysis
rma watch .
# Search indexed code
rma search "TODO" --type content
# View statistics
rma stats
# Check installation health
rma doctor
# Scan only changed files in a PR
rma scan . --changed-only
```
## CLI Commands
| Command | Description |
|---------|-------------|
| `scan` | Scan a repository for security issues and metrics |
| `watch` | Watch for file changes and re-analyze in real-time |
| `search` | Search the index for files or findings |
| `stats` | Show index and analysis statistics |
| `init` | Initialize RMA configuration in current directory |
| `daemon` | Start HTTP API server for IDE integration |
| `doctor` | Check RMA installation health and configuration |
| `plugin` | Manage WASM analysis plugins |
| `config` | View and modify configuration |
| `completions` | Generate shell completions |
### Scan Options
```
rma scan [PATH] [OPTIONS]
Options:
-o, --output Output format: text, json, sarif, compact, markdown [default: text]
-f, --output-file Output file (stdout if not specified)
-s, --severity Minimum severity: info, warning, error, critical
-i, --incremental Enable incremental mode (only scan changed files)
--changed-only Only scan files changed in git (for PR workflows)
-j, --parallelism Number of parallel workers (0 = auto-detect)
-l, --languages Languages to scan (comma-separated)
--providers Analysis providers (rma,pmd,oxlint) [default: rma]
--ai Enable AI-powered vulnerability analysis
--no-progress Disable progress bars
-v, --verbose Increase verbosity (-v, -vv, -vvv)
-q, --quiet Suppress non-essential output
```
### Watch Options
```
rma watch [PATH] [OPTIONS]
Options:
-d, --debounce Debounce delay in milliseconds [default: 500]
-l, --languages Languages to watch
--clear Clear screen on each change
--no-initial-scan Skip initial directory scan (only show changes)
--errors-only Only show errors, not warnings
-q, --quiet Suppress non-essential output
```
**Interactive Keyboard Shortcuts:**
| Key | Action |
|-----|--------|
| `q` / `c` | Quit watch mode |
| `r` | Force re-scan of all files |
| `s` | Show current statistics |
| `e` | Toggle errors-only mode |
| `p` | Pause/resume watching |
| `?` | Show help |
## Output Formats
| Format | Use Case |
|--------|----------|
| `text` | Human-readable terminal output with rustc-style diagnostics |
| `json` | Machine-readable for programmatic processing |
| `sarif` | GitHub Code Scanning, Azure DevOps integration |
| `compact` | Minimal output for CI logs |
| `markdown` | Documentation and reports |
| `github` | GitHub Actions workflow commands (annotations) |
### Rich Diagnostics Output
RMA produces rustc-style diagnostic output with error codes, source context, and underline highlighting:
```
warning[RMA-Q501]: Function has 105 lines (max: 100) - consider refactoring
--> src/analyzer.rs:219:5
217 │ }
218 │
219 │ fn check(&self, parsed: &ParsedFile) -> Vec {
│ ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ function too long
... (104 more lines)
= note: rule: generic/long-function
critical[RMA-S005]: SQL query built with format! - use parameterized queries instead
--> src/database.rs:42:9
40 │ let user_input = get_input();
41 │
42 │ format!(
│ ^^^^^^^^ SQL query built from untrusted input
43 │ "SELECT * FROM users WHERE name = '{}'",
44 │ user_input
= note: rule: rust/sql-injection
```
### Error Codes
| Code Range | Category |
|------------|----------|
| RMA-S001-S999 | Security issues (unsafe, XSS, injection, etc.) |
| RMA-Q001-Q999 | Quality issues (complexity, length, style) |
| RMA-T001-T999 | Style issues (TODO, console.log, etc.) |
| RMA-J001-J999 | Java external tool findings (PMD) |
### GitHub Actions Integration
RMA provides a reusable GitHub Action for easy CI/CD integration with automatic SARIF upload to GitHub Security tab.
#### Quick Setup (Reusable Workflow)
```yaml
name: Security Scan
on: [push, pull_request]
jobs:
security-scan:
uses: bumahkib7/rust-monorepo-analyzer/.github/workflows/rma-scan-reusable.yml@master
permissions:
contents: read
security-events: write
with:
path: './src'
severity: 'warning'
upload-sarif: true
```
#### Composite Action (More Control)
```yaml
name: Security Scan
on: [push, pull_request]
jobs:
scan:
runs-on: ubuntu-latest
permissions:
contents: read
security-events: write
steps:
- uses: actions/checkout@v4
- name: Run RMA Security Scan
uses: bumahkib7/rust-monorepo-analyzer/.github/actions/rma-scan@master
with:
path: '.'
format: 'sarif'
severity: 'warning'
upload-sarif: 'true'
```
#### Action Inputs
| Input | Description | Default |
|-------|-------------|---------|
| `path` | Path to scan | `.` |
| `format` | Output format (text, json, sarif, compact, markdown, github) | `sarif` |
| `severity` | Minimum severity (info, warning, error, critical) | `warning` |
| `languages` | Comma-separated languages to scan | (all) |
| `ai` | Enable AI-powered analysis | `false` |
| `verbose` | Enable verbose output | `false` |
| `upload-sarif` | Upload SARIF to GitHub Security tab | `true` |
| `show-annotations` | Show GitHub annotations for findings | `true` |
| `fail-on-findings` | Fail workflow if findings detected | `false` |
| `version` | RMA version to use | `latest` |
#### Action Outputs
| Output | Description |
|--------|-------------|
| `sarif-file` | Path to generated SARIF file |
| `findings-count` | Number of security findings detected |
#### Manual SARIF Upload
```yaml
- name: Run RMA Security Scan
run: rma scan . --output sarif -f results.sarif
- name: Upload SARIF
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: results.sarif
```
## Architecture
```
rust-monorepo-analyzer/
├── crates/
│ ├── common/ # Shared types and utilities
│ ├── parser/ # Tree-sitter based polyglot parser
│ ├── analyzer/ # Security and code analysis engine
│ ├── indexer/ # Tantivy/Sled based indexing
│ ├── cli/ # Command-line interface
│ ├── daemon/ # HTTP API server (Axum)
│ ├── plugins/ # WASM plugin runtime (Wasmtime)
│ ├── lsp/ # Language Server Protocol
│ └── ai/ # AI-powered analysis
```
### Component Overview
| Crate | Purpose |
|-------|---------|
| `rma-common` | Core types: Language, Severity, Finding, Config |
| `rma-parser` | Parallel AST parsing with tree-sitter |
| `rma-analyzer` | Security rules and metrics computation |
| `rma-indexer` | Full-text search and incremental updates |
| `rma-cli` | User-facing CLI binary |
| `rma-daemon` | Axum-based HTTP API server |
| `rma-plugins` | Wasmtime-based WASM plugin system |
| `rma-lsp` | Language Server Protocol implementation |
| `rma-ai` | AI-powered vulnerability detection |
## Security Rules
### Rust
- `rust/unsafe-block` - Detects unsafe blocks requiring manual review
- `rust/unwrap-used` - Detects .unwrap() calls that may panic
- `rust/panic-used` - Detects panic! macro usage
### JavaScript/TypeScript
- `js/dynamic-code` - Detects dangerous dynamic code execution
- `js/innerHTML-xss` - Detects innerHTML usage (XSS risk)
- `js/hardcoded-secret` - Detects hardcoded credentials
### Python
- `python/exec-usage` - Detects exec/compile calls
- `python/shell-injection` - Detects shell=True patterns
- `python/hardcoded-secret` - Detects hardcoded credentials
### Go
- `go/unsafe-usage` - Detects unsafe package usage
- `go/sql-injection` - Detects SQL injection patterns
### Generic (All Languages)
- `generic/todo-fixme` - Detects TODO/FIXME comments
- `generic/long-function` - Detects functions over 100 lines
- `generic/high-complexity` - Detects high cyclomatic complexity
- `generic/hardcoded-secret` - Detects API keys and passwords
- `generic/duplicate-function` - Detects copy-pasted functions (10+ lines)
- `generic/insecure-crypto` - Detects MD5, SHA-1, DES, RC4, ECB usage
## HTTP API (Daemon Mode)
Start the daemon:
```bash
rma daemon --host 127.0.0.1 --port 9876
```
### Endpoints
| Method | Endpoint | Description |
|--------|----------|-------------|
| GET | `/health` | Health check |
| POST | `/api/v1/scan` | Scan a directory |
| POST | `/api/v1/analyze` | Analyze a single file |
| GET | `/api/v1/search` | Search indexed files |
| GET | `/api/v1/stats` | Get daemon statistics |
| POST | `/api/v1/index` | Trigger re-indexing |
| WS | `/ws/watch` | WebSocket for real-time updates |
### Example Request
```bash
curl -X POST http://localhost:9876/api/v1/scan \
-H "Content-Type: application/json" \
-d '{"path": "/path/to/repo", "languages": ["rust", "python"]}'
```
### WebSocket Real-time Updates
Connect to `/ws/watch` for real-time file change notifications and analysis results:
```javascript
const ws = new WebSocket('ws://localhost:9876/ws/watch');
ws.onmessage = (event) => {
const msg = JSON.parse(event.data);
switch (msg.type) {
case 'FileChanged':
console.log(`File changed: ${msg.data.path}`);
break;
case 'AnalysisComplete':
console.log(`Analysis: ${msg.data.findings.length} findings`);
break;
}
};
// Start watching a directory
ws.send(JSON.stringify({ command: 'Watch', data: { path: '/path/to/repo' } }));
```
## IDE Integrations
RMA provides official integrations for popular editors and IDEs.
### VS Code Extension
```bash
# Install from VSIX
code --install-extension editors/vscode-rma/rma-vscode-*.vsix
```
Features:
- Real-time diagnostics as you type
- Problem panel integration
- Quick fixes and code actions
- Status bar with finding count
### Neovim Plugin
```lua
-- Using lazy.nvim
{
dir = "editors/neovim-rma",
config = function()
require("rma").setup({
daemon_url = "http://localhost:9876",
auto_start_daemon = true,
})
end,
}
```
### JetBrains Plugin
Install from `editors/jetbrains-rma/` - supports IntelliJ IDEA, WebStorm, PyCharm, GoLand, and CLion.
### Web Dashboard
For browser-based real-time monitoring:
```bash
# Start the daemon
rma daemon
# Open the dashboard
open editors/web-dashboard/index.html
```
The web dashboard connects via WebSocket and shows live analysis results as you edit files.
## Plugin System
RMA supports WASM plugins for custom analysis rules:
```bash
# List installed plugins
rma plugin list
# Install a plugin
rma plugin install ./my-plugin.wasm
# Test a plugin
rma plugin test my-plugin --file src/main.rs
# Remove a plugin
rma plugin remove my-plugin
```
## External Providers
RMA supports optional integration with external static analysis tools for enhanced language-specific coverage.
### PMD for Java
[PMD](https://pmd.github.io/) provides comprehensive Java static analysis with hundreds of rules for security, best practices, and code style.
**Enable PMD:**
```bash
# Use PMD alongside RMA's native rules
rma scan . --providers rma,pmd
# Configure PMD in rma.toml (see Configuration section)
```
**Requirements:**
- PMD 6.x or 7.x installed and available in PATH
- Or specify custom path in `rma.toml`
**PMD Rulesets:**
RMA uses PMD's security, error-prone, and best practices rulesets by default. You can customize which rulesets to use in the configuration.
### Available Providers
| Provider | Languages | Description |
|----------|-----------|-------------|
| `rma` | All | Built-in Rust-native rules (always enabled) |
| `pmd` | Java | PMD static analysis for Java |
| `oxlint` | JS/TS | Oxlint for JavaScript/TypeScript |
| `gosec` | Go | Gosec for Go security analysis |
### Gosec for Go
[Gosec](https://github.com/securego/gosec) is the Go Security Checker that inspects Go source code for security problems.
**Install Gosec:**
```bash
go install github.com/securego/gosec/v2/cmd/gosec@latest
```
**Enable Gosec:**
```bash
# Use gosec alongside RMA's native rules
rma scan . --providers rma,gosec
```
**Gosec Rules:**
Gosec detects common Go security issues including:
- G101-G110: Hardcoded credentials, bind to all interfaces
- G201-G204: SQL injection, command injection
- G301-G307: File permissions, file traversal
- G401-G505: Weak crypto, insecure TLS
## Configuration
Initialize configuration:
```bash
rma init
```
This creates `rma.toml`:
```toml
# Config format version (required)
config_version = 1
[scan]
include = ["src/**", "lib/**"]
exclude = ["node_modules/**", "target/**", "dist/**"]
max_file_size = 10485760
[rules]
enable = ["*"]
disable = ["js/console-log"]
[rulesets]
security = ["js/xss-sink", "js/timer-string-eval", "rust/unsafe-block"]
maintainability = ["generic/long-function", "generic/high-complexity"]
[profiles]
default = "balanced"
[profiles.strict]
max_function_lines = 50
max_complexity = 10
[allow]
unsafe_rust_paths = ["src/ffi/**"]
[baseline]
file = ".rma/baseline.json"
mode = "all" # or "new-only"
# Optional: External providers configuration
# [providers]
# enabled = ["rma", "pmd"] # Providers to use
#
# [providers.pmd]
# pmd_path = "/usr/local/bin/pmd" # Path to PMD installation
# rulesets = ["category/java/security.xml", "category/java/bestpractices.xml"]
# timeout_ms = 120000 # 2 minute timeout
# min_priority = 3 # 1-5, lower is more severe
```
### Inline Suppression
Suppress specific findings with comments:
```javascript
// rma-ignore-next-line js/xss-sink reason="content is sanitized"
element.textContent = processedContent;
// rma-ignore generic/long-function reason="complex algorithm"
function processData() { /* ... */ }
```
```python
# rma-ignore-next-line python/hardcoded-secret reason="test fixture"
TEST_API_KEY = "test-key-12345"
```
```
### Environment Variables
| Variable | Description |
|----------|-------------|
| `RMA_CONFIG` | Path to config file |
| `RMA_LOG` | Log level (trace, debug, info, warn, error) |
| `OPENAI_API_KEY` | API key for AI-powered analysis |
| `RMA_NO_COLOR` | Disable colored output |
## Shell Completions
Generate completions for your shell:
```bash
# Bash
rma completions bash > ~/.local/share/bash-completion/completions/rma
# Zsh
rma completions zsh > ~/.zfunc/_rma
# Fish
rma completions fish > ~/.config/fish/completions/rma.fish
# PowerShell
rma completions powershell > $PROFILE.CurrentUserAllHosts
```
## Development
```bash
# Build all crates
make build
# Run tests
make test
# Run lints
make lint
# Format code
make fmt
# Full CI check
make ci
# Scan RMA's own codebase
make self-scan
# Build documentation
make docs
```
## Benchmarks
```bash
# Run benchmarks
make bench
# Compare with Semgrep
hyperfine 'rma scan /path/to/repo' 'semgrep --config auto /path/to/repo'
```
## Roadmap
- [x] Multi-language tree-sitter parsing
- [x] Parallel analysis with rayon
- [x] SARIF output for CI/CD
- [x] Watch mode with interactive controls
- [x] HTTP API daemon with WebSocket support
- [x] WASM plugin system
- [x] AI-powered analysis
- [x] One-command installation
- [x] GitHub Actions integration
- [x] VS Code extension
- [x] Neovim plugin
- [x] JetBrains plugin
- [x] Web Dashboard
- [x] Doctor command
- [x] Duplicate function detection
- [ ] LSP integration
- [ ] Cloud SaaS deployment
## License
Licensed under either of:
- Apache License, Version 2.0 ([LICENSE-APACHE](LICENSE-APACHE))
- MIT License ([LICENSE-MIT](LICENSE-MIT))
at your option.
## Contributing
Contributions welcome! Please read [CONTRIBUTING.md](CONTRIBUTING.md) first.