The Six OSS Scanners BrassCoders Runs in One Pass

BrassCoders bundles Bandit, Pylint, Pyre/Pysa, Semgrep, ast-grep, and detect-secrets into one scan: one install, one ranked YAML, no six-tool config.

Copper Sun Brass Team · 4 min read

The standard way to scan Python is to install Bandit, Pylint, and Semgrep separately, wire up three config files, reconcile three output formats, and remember to keep all three on compatible versions. BrassCoders runs that stack — six engines, not three — as a single command with one ranked output. It doesn’t reimplement any of them. It orchestrates the real tools and adds the AI-coder detectors they were never built for.

Six Engines, One Scan

BrassCoders bundles six open-source scanners and runs them in a single pass: Bandit, Pylint, Pyre/Pysa, Semgrep, ast-grep, and detect-secrets. Each one does what it does best, and BrassCoders merges their findings into one ranked YAML, tagging every result with the engine that produced it.

  • Bandit (github.com/PyCQA/bandit): the PyCQA Python security linter. SQL and command injection, insecure deserialization, hardcoded credentials, weak crypto, mapped to OWASP IDs.
  • Pylint (pylint.readthedocs.io): the PyCQA correctness linter for naming, unused variables, type inconsistencies, and a slice of logic errors.
  • Pyre and Pysa (pyre-check.org): Meta’s type-checker and taint analyzer. Pysa traces untrusted input from source to sink across functions and files — the engine behind cross-file taint.
  • Semgrep (semgrep.dev): AST pattern matching with its own rule language. BrassCoders bundles the OSS ruleset covering the OWASP Top 10 and framework anti-patterns.
  • ast-grep (ast-grep.github.io): fast tree-sitter structural search, for “if the code looks like this, it’s probably wrong” patterns across languages.
  • detect-secrets (github.com/Yelp/detect-secrets): Yelp’s entropy-plus-regex secret scanner, the base layer BrassCoders extends with its own credential formats.

Orchestration, Not Reimplementation

BrassCoders runs the real upstream tools, not a rewrite of them. When Bandit flags a subprocess call with shell=True, that’s Bandit’s own rule firing; when Pysa traces a taint flow across three files, that’s Meta’s engine doing the walk. The findings are theirs, and a reimplementation that drifted from upstream would be a liability, not a feature.

What BrassCoders owns is the layer around them. It runs the six together, deduplicates findings that more than one engine reports, ranks the combined set by severity, and writes one YAML built for an AI assistant to read. The orchestration is the product; the detection is the open-source ecosystem’s, kept current with it.

What the Combined Pass Saves You

BrassCoders turns six installs into one. A single pipx install brasscoders brings the whole stack, version-matched, with no per-tool configuration files to maintain and no compatibility matrix to babysit across upgrades.

The bigger saving is the output. Run the six tools by hand and you get six formats — Bandit’s JSON, Semgrep’s SARIF, detect-secrets’ baseline file, and so on — that someone has to merge, dedupe, and prioritize before a reviewer can act. BrassCoders does that merge and emits one severity-ranked file. The reviewer sees a single ordered list, and every line names the engine behind it, so a surprising finding is one tag away from its source.
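The merge step described above (normalize each engine's output, collapse findings that hit the same location, rank by severity, tag each line with its engine) is easy to see in miniature. The following is an added illustration, not BrassCoders's own code: it reads two constructed reports shaped like Bandit's and Semgrep's JSON output (field names trimmed to the ones the merge needs), deduplicates by file and line, keeps the most severe report as primary while recording which other engines agreed, and emits one ranked YAML list. The severity mapping for Semgrep levels and the `also_reported_by` key are assumptions made for this example.

```python
"""Merge findings from several scanners into one severity-ranked YAML.

Added example, not BrassCoders's code. The two input documents below are
constructed to mimic the shape of Bandit's and Semgrep's JSON reports.
"""
import json
from dataclasses import dataclass

# Normalised severity scale used for ranking (assumption for this example).
SEVERITY_RANK = {"HIGH": 3, "MEDIUM": 2, "LOW": 1}
# Semgrep reports ERROR/WARNING/INFO; map them onto the shared scale.
SEMGREP_SEVERITY = {"ERROR": "HIGH", "WARNING": "MEDIUM", "INFO": "LOW"}


@dataclass(frozen=True)
class Finding:
    engine: str
    path: str
    line: int
    rule: str
    severity: str  # HIGH / MEDIUM / LOW after normalisation
    message: str


# Constructed Bandit-style report (results[].filename / line_number / test_id ...).
BANDIT_JSON = json.dumps({"results": [
    {"filename": "app/db.py", "line_number": 42, "test_id": "B608",
     "issue_severity": "MEDIUM",
     "issue_text": "Possible SQL injection vector through string-based query construction."},
    {"filename": "app/util.py", "line_number": 7, "test_id": "B602",
     "issue_severity": "HIGH",
     "issue_text": "subprocess call with shell=True identified, security issue."},
]})

# Constructed Semgrep-style report (results[].path / start.line / check_id / extra ...).
SEMGREP_JSON = json.dumps({"results": [
    {"path": "app/db.py", "start": {"line": 42},
     "check_id": "python.lang.security.audit.formatted-sql-query",
     "extra": {"severity": "ERROR", "message": "Detected possible formatted SQL query."}},
    {"path": "app/views.py", "start": {"line": 15},
     "check_id": "python.django.security.audit.xss",
     "extra": {"severity": "WARNING", "message": "Unescaped user input rendered in template."}},
]})


def parse_bandit(text: str) -> list[Finding]:
    """Turn a Bandit JSON report into normalised Findings tagged 'bandit'."""
    return [Finding("bandit", r["filename"], r["line_number"], r["test_id"],
                    r["issue_severity"].upper(), r["issue_text"])
            for r in json.loads(text)["results"]]


def parse_semgrep(text: str) -> list[Finding]:
    """Turn a Semgrep JSON report into normalised Findings tagged 'semgrep'."""
    return [Finding("semgrep", r["path"], r["start"]["line"], r["check_id"],
                    SEMGREP_SEVERITY.get(r["extra"]["severity"].upper(), "LOW"),
                    r["extra"]["message"])
            for r in json.loads(text)["results"]]


def merge(findings: list[Finding]) -> list[dict]:
    """Collapse findings at the same file:line, keep the most severe as primary,
    record every other engine that agreed, and rank the result by severity."""
    by_location: dict[tuple[str, int], list[Finding]] = {}
    for f in findings:
        by_location.setdefault((f.path, f.line), []).append(f)
    merged = []
    for group in by_location.values():
        group.sort(key=lambda f: (-SEVERITY_RANK[f.severity], f.engine))
        primary = group[0]
        merged.append({
            "severity": primary.severity,
            "engine": primary.engine,
            "path": primary.path,
            "line": primary.line,
            "rule": primary.rule,
            "message": primary.message,
            "also_reported_by": sorted({f.engine for f in group[1:]} - {primary.engine}),
        })
    # Highest severity first; path and line make the order deterministic.
    merged.sort(key=lambda m: (-SEVERITY_RANK[m["severity"]], m["path"], m["line"]))
    return merged


def to_yaml(merged: list[dict]) -> str:
    """Emit the ranked list as YAML without a YAML library.
    json.dumps produces double-quoted scalars and flow sequences, which YAML accepts."""
    lines = ["findings:"]
    for m in merged:
        lines.append(f"  - severity: {m['severity']}")
        for key in ("engine", "path", "line", "rule", "message", "also_reported_by"):
            lines.append(f"    {key}: {json.dumps(m[key])}")
    return "\n".join(lines) + "\n"


def run() -> list[dict]:
    """Parse both constructed reports and return the merged, ranked findings."""
    return merge(parse_bandit(BANDIT_JSON) + parse_semgrep(SEMGREP_JSON))


if __name__ == "__main__":
    print(to_yaml(run()))
```

On the constructed input, the SQL-injection finding that both engines raise at app/db.py:42 becomes a single HIGH entry whose primary engine is Semgrep with Bandit listed under `also_reported_by`, so a reviewer sees one line per location and can still trace it back to each source. The shell=True call and the XSS finding follow in severity order.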

Where the Bundle Ends and the Custom Layer Begins

These six cover security, correctness, and secrets in human-written and AI-generated code alike — and they stop where the AI-coder failure classes begin. In BrassCoders’s June 2026 benchmark, Bandit caught 6 of 12 planted bugs and Semgrep caught 4, both strong inside their scope and both blind to the four performance anti-patterns AI assistants reproduce. The standard set was calibrated on human bugs.

That gap is the reason BrassCoders adds six detectors of its own on top of the bundle: phantom imports, performance anti-patterns, an extended secret-format pack, PII, content moderation, and JavaScript/TypeScript. The honest read on the bundled engines is in Why Bandit Misses AI-Coder Bugs and Semgrep vs BrassCoders; the tool-by-tool security breakdown is in the Python scanning guide.

Run It

One install runs the bundle and the custom detectors together:

pipx install brasscoders
brasscoders --offline scan

Findings land in .brass/ tagged by scanner, so you always know whether Bandit, Pysa, or a BrassCoders detector flagged a given line. For the full map of every detector in the pass, see what BrassCoders detects.

Frequently Asked Questions

Which open-source scanners does BrassCoders bundle?

Six: Bandit (Python security), Pylint (correctness and lint), Pyre/Pysa (Meta's type-checker and taint analyzer), Semgrep (multi-language pattern matching), ast-grep (structural AST search), and detect-secrets (Yelp's entropy-plus-regex secret scanner). BrassCoders runs all six in one scan and merges their output into one ranked YAML.

Does BrassCoders reimplement these tools?

No. It orchestrates the real upstream tools, so you get Bandit's actual rules, Semgrep's actual OSS ruleset, and Pysa's actual taint engine. BrassCoders's value is running them together, deduplicating and ranking the combined output, and adding the AI-coder-specific detectors the standard set lacks.

Why not just run the six tools myself?

You can. The cost is six installs, six config files, six version pins, and six output formats to reconcile. BrassCoders is one install and one command that produces a single severity-ranked YAML. If you keep custom Semgrep rules, run them alongside — the outputs don't conflict.

Do I lose anything by running them through BrassCoders?

The detection is the tools' own, and each finding is tagged with the engine that produced it, so any result traces back to its source. You gain the merge, the ranking, and the custom AI-coder detectors. You don't get a reimplementation that could drift from upstream.

How do I run the bundled stack?

Install with pipx install brasscoders, then run brasscoders --offline scan. All six engines plus the six custom BrassCoders detectors run in one pass; findings land in .brass/ tagged by scanner. Python 3.10+ is required; Node.js 18+ is optional for the JavaScript/TypeScript layer.