Professional static code analysis with authority
```bash
npm install police-of-code
```
Enterprise-grade static analysis with a security-first mindset.
A professional, extensible and educational static code analysis platform designed to enforce security,
reliability and maintainability standards before code reaches production.
Live Website | GitHub Repository
Install from source:
```bash
git clone https://github.com/0xlayout/police-of-code.git
cd police-of-code
npm install
```
The CLI can be executed locally via:
```bash
npx police-of-code
```
---
Quick Start
Analyze a directory:
```bash
police-of-code scan ./src
```
Run system diagnostics:
```bash
police-of-code doctor
```
List all available rules:
```bash
police-of-code rules
```
Generate a default configuration file:
```bash
police-of-code init
```
---
CLI Overview
```text
police-of-code <command> [options]
```
Commands
| Command | Description |
|-------|------------|
| scan | Analyze a file or directory |
| doctor | Run environment diagnostics |
| rules | List available analysis rules |
| init | Create a default configuration file |
---
Options
| Option | Description | Default |
|--------|-------------|---------|
| --mode <mode> | Reporting tone (serious, sarcastic) | serious |
| --format <format> | Output format (console, json) | console |
| --severity <level> | Minimum severity included in the report | low |
| --fail-on <level> | Severity at which the scan exits with a non-zero code | critical |
| --json-output <file> | Write the JSON report to a file | - |
---
Architecture
```text
police-of-code/
├── src/
│   ├── cli.js
│   ├── analyzer.js
│   ├── parser.js
│   ├── ruleEngine.js
│   ├── rules/
│   ├── reporter.js
│   └── personality.js
├── examples/
├── tests/
├── README.md
└── SECURITY.md
```
The architecture is intentionally layered and modular. Each component has a single responsibility and can evolve independently.
---
Built-in Rules
| Rule | Category | Severity |
|----|--------|----------|
| hardcodedSecrets | Security | Critical |
| sqlInjection | Injection | Critical |
| emptyCatch | Reliability | Medium |
| longFunctions | Maintainability | Low |
---
Example: hardcodedSecrets
```js
const apiKey = "sk_test_1234567890";
```
Result:
```text
CRITICAL Hardcoded secret detected
Location: badCode.js:1
```
---
Example: sqlInjection
```js
db.query("SELECT * FROM users WHERE id = " + userId);
```
Result:
```text
CRITICAL Possible SQL injection detected
```
---
Output Model
Police of Code produces deterministic results suitable for both humans and automation.
```text
Scan completed
2 Critical violations
1 Medium violation
Exit code: 2
```
A non-zero exit code fails the pipeline step, so `--fail-on` is the setting to tune when wiring the tool into CI/CD; `--format json` together with `--json-output` gives later stages a machine-readable report to consume.
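To make the rule examples and the exit-code model above concrete, here is an added, self-contained illustration written for this page. It is not police-of-code's own rule engine or API: the rule objects, the `scanSource` and `exitCodeFor` functions, the `SEVERITY_RANK` table, the regular expressions, the report shape and the "exit 2 when anything at or above `--fail-on` is found" mapping are all assumptions of the example, and the sample source is constructed.

```javascript
// Added illustration, not police-of-code's own rule engine or API.
// It mimics three README rules (hardcodedSecrets, sqlInjection, emptyCatch)
// as line-based detectors, applies the --severity filter, and turns the
// findings into an exit code the way a --fail-on gate would.
// All names, patterns, the report shape and the exit-code mapping are
// assumptions made for this example.
const SEVERITY_RANK = { low: 1, medium: 2, high: 3, critical: 4 };

// hardcodedSecrets: a secret-looking key name assigned a string literal, or a
// literal that starts with a well-known token prefix (assumed list).
const hardcodedSecrets = {
  id: "hardcodedSecrets",
  severity: "critical",
  message: "Hardcoded secret detected",
  test: (line) =>
    /\b(?:api[_-]?key|secret|token|password)\s*[:=]\s*["'][^"']{8,}["']/i.test(line) ||
    /["'](?:sk_(?:test|live)_|AKIA)[A-Za-z0-9]{8,}["']/.test(line),
};

// sqlInjection: an SQL statement literal concatenated with a variable, or a
// template literal interpolating one. Parameterised queries are not flagged.
const sqlInjection = {
  id: "sqlInjection",
  severity: "critical",
  message: "Possible SQL injection detected",
  test: (line) =>
    /["'`]\s*(?:SELECT|INSERT|UPDATE|DELETE)\b[^"'`]*["'`]\s*\+\s*[A-Za-z_$]/i.test(line) ||
    /`[^`]*\b(?:SELECT|INSERT|UPDATE|DELETE)\b[^`]*\$\{[^}]+\}[^`]*`/i.test(line),
};

// emptyCatch: a catch clause whose block contains nothing.
const emptyCatch = {
  id: "emptyCatch",
  severity: "medium",
  message: "Empty catch block",
  test: (line) => /\bcatch\s*(?:\([^)]*\))?\s*\{\s*\}/.test(line),
};

const RULES = [hardcodedSecrets, sqlInjection, emptyCatch];

// Run every rule over every line, keep findings at or above minSeverity
// (the --severity option), and sort so the report is deterministic.
function scanSource(fileName, source, minSeverity = "low") {
  const findings = [];
  source.split(/\r?\n/).forEach((line, i) => {
    for (const rule of RULES) {
      if (rule.test(line) && SEVERITY_RANK[rule.severity] >= SEVERITY_RANK[minSeverity]) {
        findings.push({ rule: rule.id, severity: rule.severity, message: rule.message, file: fileName, line: i + 1 });
      }
    }
  });
  return findings.sort((a, b) => a.line - b.line || a.rule.localeCompare(b.rule));
}

// --fail-on gate: exit 2 when any finding is at or above the threshold, else 0.
// The value 2 mirrors the README's sample output; "at or above" is an assumption.
function exitCodeFor(findings, failOn = "critical") {
  const gate = SEVERITY_RANK[failOn];
  return findings.some((f) => SEVERITY_RANK[f.severity] >= gate) ? 2 : 0;
}

// Constructed sample input for the example (not a file from the project).
const SAMPLE = [
  'const apiKey = "sk_test_1234567890";',
  'db.query("SELECT * FROM users WHERE id = " + userId);',
  'try { JSON.parse(body); } catch (e) {}',
  'db.query("SELECT * FROM users WHERE id = ?", [userId]); // parameterised: not flagged',
].join("\n");

const report = scanSource("badCode.js", SAMPLE);
for (const f of report) console.log(`${f.severity.toUpperCase()} ${f.message} (${f.file}:${f.line})`);
console.log(`Exit code: ${exitCodeFor(report, "critical")}`);
```

Two things worth noting when reading this against the real tool. First, line-based regular expressions are deliberately simple: a query assembled across several lines, or a secret built from fragments, slips past them, which is why a production engine parses the source (the `parser.js` layer in the architecture above) instead of matching text. Second, the gate and the filter are independent: `--severity` decides what is printed, `--fail-on` decides whether the pipeline fails, so a report can show medium findings while still exiting 0.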
---
Configuration
Create a configuration file:
```bash
police-of-code init
```
Example configuration:
```json
{
  "mode": "serious",
  "format": "console",
  "severity": "low",
  "failOn": "critical"
}
```
The keys mirror the CLI options (`--mode`, `--format`, `--severity`, `--fail-on`).