Apache 2.0 core · optional AI enrichment · no token markup

The bug scanner for AI coders

BrassCoders, the scanner that catches what AI assistants structurally miss. Claude Code and Cursor emit eight suggestions per file when one actually matters — and miss the hardcoded credentials, the SQL-injection sinks, the hallucinated imports. BrassCoders catches them, ranks them, and hands a short YAML file to your AI assistant for triage.

pipx install brasscoders · macOS / Linux / Windows · Python 3.10+ · Why BrassCoders?

The wedge

Eight items in. One item out.

Most AI reviewer output is conditional, speculative, or duplicated. BrassCoders keeps only the items that survive three filters: a confidence threshold, a style-issue strip, and a per-file cap. Critical findings always survive.

BEFORE — raw AI review

Eight suggestions on a single file. One is real.

  1. Hardcoded AWS access key in handler.py:4
  2. requests.get has no timeout (could hang on slow upstream)
  3. .json() called without status check
  4. Conditional XSS if name is user-controlled
  5. list_files doesn't handle FileNotFoundError
  6. Inline TODO should be filed as a tracked issue
  7. Connection pool size is "small" for high-throughput
  8. Style: imports should follow PEP 8 ordering

Developer triage cost: read every line, classify, dismiss the speculation, find the real bug.

AFTER — BrassCoders filter

One critical finding. Real, actionable.

$ cat review.json | brasscoders filter
critical_issues:
  - severity: critical
    file_path: handler.py
    line_number: 4
    title: Possible AWS Access Key
    detected_by: SecretsScanner
filtered: 8 → 1 (87% reduction)

Developer triage cost: rotate the key, push fix, done.
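What the three-rule filter looks like in code, as an added illustration rather than BrassCoders' own implementation: the eight suggestions above are given a category and a confidence score (both invented for the example, since a raw AI review carries neither), and the threshold and per-file cap are assumed values.

```python
from collections import defaultdict

# Constructed sample: the eight suggestions from the "BEFORE" column, each given
# a category and a confidence score. Both fields are invented for this example;
# a raw AI review does not carry them.
RAW_REVIEW = [
    {"file": "handler.py", "line": 4, "severity": "critical", "category": "secret",
     "confidence": 0.98, "title": "Hardcoded AWS access key"},
    {"file": "handler.py", "line": 11, "severity": "low", "category": "bug",
     "confidence": 0.60, "title": "requests.get has no timeout"},
    {"file": "handler.py", "line": 12, "severity": "low", "category": "bug",
     "confidence": 0.55, "title": ".json() called without status check"},
    {"file": "handler.py", "line": 20, "severity": "medium", "category": "security",
     "confidence": 0.35, "title": "Conditional XSS if name is user-controlled"},
    {"file": "handler.py", "line": 27, "severity": "low", "category": "bug",
     "confidence": 0.50, "title": "list_files doesn't handle FileNotFoundError"},
    {"file": "handler.py", "line": 30, "severity": "info", "category": "style",
     "confidence": 0.90, "title": "Inline TODO should be filed as a tracked issue"},
    {"file": "handler.py", "line": 33, "severity": "low", "category": "performance",
     "confidence": 0.20, "title": "Connection pool size is small for high-throughput"},
    {"file": "handler.py", "line": 1, "severity": "info", "category": "style",
     "confidence": 0.99, "title": "Imports should follow PEP 8 ordering"},
]

# Assumed defaults; the page states the rules, not the numbers.
CONFIDENCE_THRESHOLD = 0.7
PER_FILE_CAP = 3
STYLE_CATEGORIES = frozenset({"style"})


def filter_findings(findings, threshold=CONFIDENCE_THRESHOLD, per_file_cap=PER_FILE_CAP,
                    style_categories=STYLE_CATEGORIES):
    """Keep critical findings unconditionally; strip style-only items; drop
    anything below the confidence threshold; then keep at most `per_file_cap`
    non-critical findings per file, highest confidence first."""
    kept = []
    non_critical_per_file = defaultdict(int)
    # Criticals first, then descending confidence, so the cap never costs a critical.
    ordered = sorted(findings, key=lambda f: (f["severity"] != "critical", -f["confidence"]))
    for f in ordered:
        if f["severity"] == "critical":
            kept.append(f)
            continue
        if f["category"] in style_categories or f["confidence"] < threshold:
            continue
        if non_critical_per_file[f["file"]] >= per_file_cap:
            continue
        non_critical_per_file[f["file"]] += 1
        kept.append(f)
    return sorted(kept, key=lambda f: (f["file"], f["line"]))  # file/line order for the reader


def reduction_summary(before, after) -> str:
    """The page's footer line; 87.5% is truncated, not rounded, so it reads 87%."""
    pct = int((1 - len(after) / len(before)) * 100) if before else 0
    return f"filtered: {len(before)} → {len(after)} ({pct}% reduction)"


if __name__ == "__main__":
    survivors = filter_findings(RAW_REVIEW)
    for f in survivors:
        print(f"{f['severity']:>8}  {f['file']}:{f['line']}  {f['title']}")
    print(reduction_summary(RAW_REVIEW, survivors))
```

Ordering matters: criticals are admitted before the per-file counter is touched, so a file with many confident non-critical findings can never push its one real secret over the cap.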

See the full worked example on a real codebase: benchmarks/django

Detection coverage

Not a wrapper around an LLM

BrassCoders uses battle-tested OSS detectors — the same ones security teams already trust — and layers a noise reducer on top. Findings are deterministic, reproducible, and don't depend on a prompt.

Secrets

AWS · Azure · GitHub · GitLab · Stripe · Slack · NPM · PEM · JWT · high-entropy

Powered by Yelp's detect-secrets

Code quality

Complexity · dead code · common bugs · security anti-patterns

Bandit + Pylint + Radon

PII

Credit card · SSN · IBAN · NHS · NINO · Aadhaar · PAN · NRIC · Medicare · TFN

Regex patterns + Luhn check-digit validation (card numbers)
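Why the Luhn step matters: a 13-to-19-digit regex alone fires on order IDs, timestamps and numeric hashes. The added example below (not BrassCoders' own detector) confirms each candidate with the mod-10 check and masks what it reports, so the finding is not itself a PII leak. The fixture is constructed; the three valid numbers are widely published test card numbers.

```python
import re

# Candidate: 13 to 19 digits, optionally separated by single spaces or hyphens,
# not embedded in a longer digit run. The pattern alone is noisy (order IDs,
# timestamps, hashes of digits match it), so each hit must also pass Luhn.
CARD_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed fixture, not real customer data. The first three are widely
# published test card numbers; the last two are look-alikes.
SAMPLE_TEXT = """\
card = "4111 1111 1111 1111"    # Visa test number: Luhn-valid
backup = "5555-5555-5555-4444"  # Mastercard test number: Luhn-valid
amex = "378282246310005"        # 15-digit Amex test number: Luhn-valid
order_id = 4111111111111112     # one digit off: fails Luhn, not a card
created_at = 2024010112345678   # 16 timestamp-like digits: fails Luhn
"""


def luhn_valid(digits: str) -> bool:
    """Mod-10 check digit: double every second digit from the right, fold
    two-digit results by subtracting 9, and the total must divide by 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep only the last four digits so the finding itself is not a PII leak."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_for_cards(text: str) -> dict:
    """Return Luhn-confirmed card numbers (masked, with line numbers) and the
    count of pattern hits that Luhn rejected."""
    findings, rejected = [], 0
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in CARD_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_valid(digits):
                findings.append({"line": lineno, "masked": mask(digits), "digits": len(digits)})
            else:
                rejected += 1
    return {"findings": findings, "rejected": rejected}


if __name__ == "__main__":
    result = scan_for_cards(SAMPLE_TEXT)
    for f in result["findings"]:
        print(f"line {f['line']}: {f['masked']} ({f['digits']} digits)")
    print(f"rejected {result['rejected']} Luhn-invalid look-alikes")
```

On the fixture the regex produces five candidates and Luhn keeps three; the two rejects are exactly the kind of digit run that makes pattern-only PII scanners noisy.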

AI-coder anti-patterns

String concat in loops · insert-at-zero · unbounded nesting · eval-on-input

BrassCoders-specific AST analysis
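An added example of what AST-based detection of these four patterns can look like. It is illustrative, not BrassCoders' scanner: the rule names, the nesting threshold, and the sample source it runs on are all constructed for this page.

```python
import ast

MAX_NESTING = 4  # assumed threshold; the page names the pattern, not a number

# Constructed sample of AI-assistant output, not from any real project, with one
# instance of each anti-pattern the visitor below looks for.
ANTI_PATTERN_SAMPLE = '''\
def process(items):
    report = ""
    for item in items:
        report += item + ","          # string concatenation in a loop
    return report

def reorder(items):
    out = []
    for item in items:
        out.insert(0, item)           # insert-at-zero in a loop
    return out

def run_user_expression():
    return eval(input("expr> "))      # eval on user input

def deep(a, b, c, d, e):
    if a:
        if b:
            if c:
                if d:
                    if e:             # control flow nested 5 deep
                        return 1
    return 0
'''


class AntiPatterns(ast.NodeVisitor):
    def __init__(self):
        self.findings = []        # {line, rule, message} per hit
        self._loop_depth = 0      # > 0 while inside a for/while body
        self._nesting = 0         # current if/for/while depth in this function
        self._str_names = set()   # names most recently bound to a str literal

    def _flag(self, node, rule, message):
        self.findings.append({"line": node.lineno, "rule": rule, "message": message})

    def visit_FunctionDef(self, node):
        saved = (self._loop_depth, self._nesting, self._str_names)  # state is per function
        self._loop_depth, self._nesting, self._str_names = 0, 0, set()
        self.generic_visit(node)
        self._loop_depth, self._nesting, self._str_names = saved

    def visit_Assign(self, node):
        if isinstance(node.value, ast.Constant) and isinstance(node.value.value, str):
            self._str_names.update(t.id for t in node.targets if isinstance(t, ast.Name))
        self.generic_visit(node)

    def _enter_block(self, node, is_loop):
        self._nesting += 1
        self._loop_depth += int(is_loop)
        if self._nesting == MAX_NESTING + 1:  # report once, at the first excess level
            self._flag(node, "unbounded-nesting", f"control flow nested {self._nesting} deep")
        self.generic_visit(node)
        self._loop_depth -= int(is_loop)
        self._nesting -= 1

    def visit_For(self, node): self._enter_block(node, True)
    def visit_While(self, node): self._enter_block(node, True)
    def visit_If(self, node): self._enter_block(node, False)

    def visit_AugAssign(self, node):
        # `s += ...` in a loop on a name bound to a str literal: repeated
        # concatenation; collect the parts in a list and ''.join() them once.
        if (self._loop_depth and isinstance(node.op, ast.Add)
                and isinstance(node.target, ast.Name) and node.target.id in self._str_names):
            self._flag(node, "string-concat-in-loop", f"{node.target.id} += ... builds a string in a loop")
        self.generic_visit(node)

    def visit_Call(self, node):
        func = node.func
        # eval()/exec() on anything but a literal: the argument may be attacker-controlled.
        if (isinstance(func, ast.Name) and func.id in ("eval", "exec") and node.args
                and not isinstance(node.args[0], ast.Constant)):
            self._flag(node, "eval-on-input", f"{func.id}() on a non-literal argument")
        # list.insert(0, x) in a loop shifts the whole list every time: O(n) per call.
        if (self._loop_depth and isinstance(func, ast.Attribute) and func.attr == "insert"
                and node.args and isinstance(node.args[0], ast.Constant) and node.args[0].value == 0):
            self._flag(node, "insert-at-zero", "list.insert(0, x) in a loop; use collections.deque.appendleft()")
        self.generic_visit(node)


def find_anti_patterns(source):
    """Parse one module and return its findings ordered by line."""
    visitor = AntiPatterns()
    visitor.visit(ast.parse(source))
    return sorted(visitor.findings, key=lambda f: f["line"])


if __name__ == "__main__":
    for hit in find_anti_patterns(ANTI_PATTERN_SAMPLE):
        print(f"line {hit['line']:>3}  {hit['rule']:<22} {hit['message']}")
```

Because the checks run on the syntax tree rather than on text, `eval("1 + 1")` with a literal argument is not reported and a `+=` on a counter that was never a string is not mistaken for string building; that is the precision a regex cannot give.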

Auth anti-patterns

Hardcoded secrets · weak JWT · missing rate-limiting

BrassCoders-specific regex

Phantom AI code

Imports that don't resolve · stub functions that pretend to work

AST-based; flags real bugs in AI output
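An added example of the two phantom-code checks, written for this page and not taken from BrassCoders: unresolved imports are found by asking the import system whether the top-level module exists, and stub functions by looking for bodies that contain nothing but `pass`, a bare `...`, or a literal return behind a docstring. The sample module and its two hallucinated package names are constructed.

```python
import ast
import importlib.util

# Constructed sample of AI-assistant output, not from any real project. The two
# hallucinated module names are made up for the example.
PHANTOM_SAMPLE = '''\
import os                                # resolves: not flagged
import fastjsonx_turbo                   # hallucinated package
from requests_turbo.auth import sign     # hallucinated: top-level module missing
from . import helpers                    # relative import: project-local, skipped

def validate_token(token):
    """Validates the token and returns the user id."""
    pass                                 # stub behind a confident docstring

def is_admin(user):
    return True                          # "works" for every caller

def hash_password(pw):
    ...                                  # placeholder never filled in

def real_work(xs):
    return [x * 2 for x in xs]           # a real body: not flagged
'''


def _is_stub_stmt(stmt):
    """pass, a bare `...`, or `return` / `return <literal>` such as `return True`."""
    if isinstance(stmt, ast.Pass):
        return True
    if isinstance(stmt, ast.Expr):
        return isinstance(stmt.value, ast.Constant) and stmt.value.value is Ellipsis
    if isinstance(stmt, ast.Return):
        return stmt.value is None or isinstance(stmt.value, ast.Constant)
    return False


class PhantomCode(ast.NodeVisitor):
    def __init__(self):
        self.findings = []    # {line, rule, message} per hit

    def _flag(self, node, rule, message):
        self.findings.append({"line": node.lineno, "rule": rule, "message": message})

    # find_spec() consults sys.path only, so an uninstalled first-party package is
    # reported too: cross-check hits against the project tree before calling them
    # hallucinations. Only the top-level name is checked, because find_spec() on
    # "a.b" imports "a" and raises if it is missing.
    def visit_Import(self, node):
        for alias in node.names:
            self._check_module(node, alias.name)

    def visit_ImportFrom(self, node):
        if node.level == 0 and node.module:      # level > 0 is a relative import
            self._check_module(node, node.module)

    def _check_module(self, node, dotted):
        if importlib.util.find_spec(dotted.split(".", 1)[0]) is None:
            self._flag(node, "phantom-import", f"module {dotted!r} does not resolve")

    def visit_FunctionDef(self, node):
        body = node.body
        if (isinstance(body[0], ast.Expr) and isinstance(body[0].value, ast.Constant)
                and isinstance(body[0].value.value, str)):
            body = body[1:]                      # drop the docstring
        if all(_is_stub_stmt(s) for s in body):  # all([]) is True: docstring-only counts
            self._flag(node, "stub-function", f"{node.name}() has a signature but no real body")
        self.generic_visit(node)

    visit_AsyncFunctionDef = visit_FunctionDef


def find_phantom_code(source):
    """Parse one module and return its findings ordered by line."""
    visitor = PhantomCode()
    visitor.visit(ast.parse(source))
    return sorted(visitor.findings, key=lambda f: f["line"])


if __name__ == "__main__":
    for hit in find_phantom_code(PHANTOM_SAMPLE):
        print(f"line {hit['line']:>3}  {hit['rule']:<15} {hit['message']}")
```

The `return True` case is deliberate: an authorization helper that always succeeds is the most dangerous kind of stub, because every caller "works" until someone reads the body.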

Privacy

Offline by default. No telemetry. No bundled credits.

BrassCoders scans private source code. We treat it like that.

Zero outbound calls

The only optional network surface is --check-package-hallucination, which is opt-in per scan. --offline disables it absolutely.

Redacted output

PII and secrets are masked before they hit disk, by two independent redaction layers: one at the source and one at the YAML boundary.

Owner-only files

.brass/ is 0700; YAML files inside are 0600. Atomic writes. POSIX-tight perms.
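To make the two points above concrete, here is an added example (not BrassCoders' code) of the redaction-then-write path on POSIX: layer 1 masks the matched value when the finding is recorded, layer 2 re-scans every string in the findings before serialization, and the YAML lands in a 0700 directory as a 0600 file through an atomic rename. The patterns, the sample finding, and the file name critical_issues.yaml are assumptions; the key ID is AWS's documented example value.

```python
import json
import os
import re
import tempfile
from pathlib import Path

# Constructed patterns for the example. A detector already knows the exact span
# it matched (layer 1); these let the output layer catch a copy of the value that
# a detector left in clear in a free-text field such as `title` (layer 2).
SECRET_PATTERNS = [
    re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),   # AWS access key ID shape
    re.compile(r"\b(?:\d[ -]?){12,18}\d\b"),         # card-number-like digit run
]


def mask(value: str) -> str:
    """Keep a 4-character tail so the finding stays triageable, nothing more."""
    return "*" * max(len(value) - 4, 0) + value[-4:]


def redact_text(text: str) -> str:
    for pat in SECRET_PATTERNS:
        text = pat.sub(lambda m: mask(m.group(0)), text)
    return text


def redact_tree(obj):
    """Layer 2: redact every string anywhere in the findings structure."""
    if isinstance(obj, str):
        return redact_text(obj)
    if isinstance(obj, dict):
        return {k: redact_tree(v) for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact_tree(v) for v in obj]
    return obj


def to_yaml(findings) -> str:
    """Minimal emitter for a list of flat mappings in the page's output shape.
    Strings are JSON-quoted, which is valid YAML double-quoted scalar syntax."""
    lines = ["critical_issues:"]
    for f in findings:
        for i, (k, v) in enumerate(f.items()):
            scalar = v if isinstance(v, int) and not isinstance(v, bool) else json.dumps(str(v))
            lines.append(f"{'  - ' if i == 0 else '    '}{k}: {scalar}")
    return "\n".join(lines) + "\n"


def write_owner_only(path: Path, content: str) -> None:
    """Atomic, owner-only write (POSIX). mkdir's mode is filtered by umask, so the
    directory is chmod'ed explicitly; the temp file lives in the target directory
    (same filesystem) so os.replace() is an atomic rename, and it is 0600 before a
    single byte is written. Readers see the old file or the new one, never a
    partial or world-readable one."""
    path.parent.mkdir(mode=0o700, parents=True, exist_ok=True)
    os.chmod(path.parent, 0o700)
    fd, tmp = tempfile.mkstemp(dir=path.parent, prefix=f".{path.name}.", suffix=".tmp")
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as fh:  # closes fd on every path
            os.fchmod(fh.fileno(), 0o600)                 # mkstemp already did; be explicit
            fh.write(content)
            fh.flush()
            os.fsync(fh.fileno())
        os.replace(tmp, path)
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise


# Constructed finding. Layer 1 masked `match` when the detector recorded it, but
# this detector also copied the raw key into `title`; layer 2 must catch that.
SAMPLE_FINDINGS = [{
    "severity": "critical",
    "file_path": "handler.py",
    "line_number": 4,
    "title": "Possible AWS Access Key AKIAIOSFODNN7EXAMPLE",
    "match": mask("AKIAIOSFODNN7EXAMPLE"),      # AWS's documented example key ID
    "detected_by": "SecretsScanner",
}]


def write_findings(brass_dir: Path, findings) -> Path:
    """Redact at the YAML boundary, then persist brass_dir/critical_issues.yaml
    (file name assumed for the example)."""
    out = brass_dir / "critical_issues.yaml"
    write_owner_only(out, to_yaml(redact_tree(findings)))
    return out


def perms(path: Path) -> int:
    return os.stat(path).st_mode & 0o777


def demo() -> dict:
    """Run the pipeline in a fresh temp directory and report what landed on disk."""
    out = write_findings(Path(tempfile.mkdtemp()) / ".brass", SAMPLE_FINDINGS)
    return {
        "dir_mode": perms(out.parent),
        "file_mode": perms(out),
        "content": out.read_text(encoding="utf-8"),
        "leftovers": sorted(p.name for p in out.parent.iterdir() if p != out),
    }


if __name__ == "__main__":
    result = demo()
    print(f"dir {result['dir_mode']:o}  file {result['file_mode']:o}")
    print(result["content"], end="")
```

The second layer is what makes the guarantee hold against a sloppy detector: even when a plugin echoes the raw key into its title, nothing unmasked reaches the file, and the file itself is never observable in a half-written or group-readable state.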

Upstream cost, no markup

Paid-plan enrichment runs through our gateway. We pass through our embedding provider's per-token pricing — your top-up tokens cost what they cost. Your downstream Anthropic / OpenAI / Cursor bill stays yours.

Full disclosure in our privacy policy.

Quickstart

From zero to readable AI context in three commands

# 1. Install (Python 3.10+)
$ pipx install brasscoders
# 2. Scan your project (offline; nothing leaves your machine)
$ brasscoders --offline scan
# 3. Hand the YAML to Claude Code, Cursor, or any AI assistant
$ cat .brass/ai_instructions.yaml

Full walkthrough: how to use BrassCoders

Ship a fix instead of triaging suggestions

BrassCoders is Apache 2.0-licensed and free for personal use. The $12/dev/month Paid plan adds AI-powered enrichment, advanced scanners, and priority support — subscribe whenever you're ready.