What BrassCoders Detects

BrassCoders, the scanner that catches what AI assistants structurally miss, runs twelve detectors in one scan. This is the map: what each one finds, why it matters for AI-generated code, and where the deterministic layer hands off to your AI assistant.

BrassCoders runs 12 deterministic scanners against your code and emits the union of their findings as YAML built for AI coding assistants to read. Six are proven open-source engines it orchestrates; six are custom detectors built for the bugs AI assistants introduce that the standard tools were never calibrated for. Every finding is reproducible: the same code produces the same output, every run.

This page is the hub. Each scanner gets a short capsule below; the deep dives, the reproducible benchmark, and the per-problem research live in the linked guides. The numbers throughout come from BrassCoders's reproducible AI-coder bug benchmark (June 2026) and the research index.

BrassCoders Reports Patterns; Your AI Assistant Triages

BrassCoders is the deterministic pattern reporter, not the judge. It emits raw, reproducible matches with file, line, and evidence, and it never infers whether a given match is a real bug or a false positive. That context-aware triage is your AI assistant's job — Claude Code, Cursor, Continue. The split is the whole design: a scanner that guessed context would demote real bugs behind wrong guesses, and the bug would ship.

So the workflow is two layers. BrassCoders does the exhaustive, rule-based search no model can match for recall and reproducibility. Your assistant reads the YAML and does the judgment no rule set can do. The rest of this page is layer one: every pattern BrassCoders can find without guessing.

The Six Bundled Engines

BrassCoders bundles six widely used open-source scanners and runs them as one pass, so you get their combined coverage without managing six installs, six config files, and six version pins. The orchestration is the value here, not a reimplementation — each engine does what it does best, and BrassCoders merges the output into one ranked YAML.

Bandit (github.com/PyCQA/bandit) — the Python security linter from PyCQA. Catches SQL injection, command injection, insecure deserialization, hardcoded credentials, and SSL/TLS misconfiguration via AST rules mapped to OWASP IDs. Caught 6/12 in the benchmark, all in security and secrets.

Pylint (pylint.readthedocs.io) — the PyCQA correctness linter for naming, unused variables, type inconsistencies, and a slice of logic errors. It caught the one division-by-zero logic bug in the benchmark that the pure security tools didn't.

Pyre and Pysa (pyre-check.org) — Meta's type-checker and taint analyzer. Pysa traces untrusted input from source to sink across functions and files, catching the interprocedural injection flaws that single-file pattern matching misses. This is the engine behind cross-file taint detection.

Semgrep (semgrep.dev) — AST pattern matching with its own rule language. BrassCoders bundles the OSS ruleset (OWASP Top 10, framework anti-patterns). If your team has custom Semgrep rules, run them alongside; the outputs don't conflict.

ast-grep (ast-grep.github.io) — structural AST search across languages, for "if the code looks like this, it's probably wrong" patterns. BrassCoders uses it for the structural-correctness layer and its custom AI-pattern rules.

detect-secrets (github.com/Yelp/detect-secrets) — Yelp's entropy-plus-regex secret scanner covering ~40 credential formats. It's the base layer BrassCoders extends with its own format pack (see below).

Deep dive: The Six OSS Scanners BrassCoders Runs in One Pass. For the tool-by-tool security breakdown and the full benchmark table, see the Python scanning guide and the Static Analysis Buyer's Guide.

The Six Custom Detectors

BrassCoders adds six detectors of its own for the failure classes the standard SAST set doesn't cover — the patterns AI coding assistants reproduce because they appear in training data and look correct at a glance. This is where BrassCoders catches what the bundled engines structurally miss.

AI-pattern detector (phantom imports) — flags imports of packages that don't exist on the registry. AI assistants hallucinate plausible-looking package names; the import passes visual review and fails at runtime, or worse, an attacker has registered the hallucinated name. Deep dive: Catching Hallucinated Imports Before pip install; further context in the slopsquatting research and When AI Invents Libraries.

Performance anti-pattern scanner — catches the four AST-detectable slow patterns AI assistants introduce: O(N²) string concatenation in a loop, list.insert(0) in a loop, triple-nested loops used as a join, and unbounded while-True reads. Caught 4/4 in the benchmark where Bandit, Semgrep, and Pylint each caught 0. Deep dive: How BrassCoders Catches Slow AI-Generated Code; further context in AI-Coder Performance Bugs in the Wild.
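As an added illustration of how those four patterns can be matched on the AST (example code, not BrassCoders's own detector): a small ast.NodeVisitor that emits (rule, line, evidence) matches and, like BrassCoders, leaves triage to the reader. The method names treated as blocking reads, the string-building heuristic, and the sample input are assumptions constructed for this example.

```python
import ast

READ_METHODS = {"read", "readline", "recv"}  # assumed names for blocking read calls
def _is_str_build(n):  # heuristic: a str literal or f-string on the right of +=
    return isinstance(n, ast.JoinedStr) or (isinstance(n, ast.Constant) and isinstance(n.value, str))

def _is_insert_at_head(s):  # matches the statement form  xs.insert(0, ...)
    c = s.value if isinstance(s, ast.Expr) else None
    return (isinstance(c, ast.Call) and isinstance(c.func, ast.Attribute) and c.func.attr == "insert"
            and c.args and isinstance(c.args[0], ast.Constant) and c.args[0].value == 0)

class PerfAntiPatternVisitor(ast.NodeVisitor):
    def __init__(self):
        self.findings, self.depth = [], 0
    def _report(self, rule, node):  # (rule, line, evidence); evidence is the node's first source line
        self.findings.append((rule, node.lineno, ast.unparse(node).splitlines()[0]))
    def _loop(self, node):
        self.depth += 1
        if self.depth == 3:
            self._report("triple-nested-loop-join", node)
        for s in node.body:  # direct children only; nested loops get their own visit
            if isinstance(s, ast.AugAssign) and isinstance(s.op, ast.Add) and _is_str_build(s.value):
                self._report("string-concat-in-loop", s)
            elif _is_insert_at_head(s):
                self._report("list-insert-0-in-loop", s)
        self.generic_visit(node)
        self.depth -= 1
    visit_For = _loop
    def visit_While(self, node):
        calls = [n for n in ast.walk(node) if isinstance(n, ast.Call) and isinstance(n.func, ast.Attribute)]
        no_exit = not any(isinstance(n, ast.Break) for n in ast.walk(node))  # coarse: any break counts
        if (isinstance(node.test, ast.Constant) and node.test.value is True and no_exit
                and any(c.func.attr in READ_METHODS for c in calls)):
            self._report("unbounded-while-true-read", node)
        self._loop(node)

def scan_source(source):
    v = PerfAntiPatternVisitor()
    v.visit(ast.parse(source))
    return v.findings

SAMPLE = """def f(rows, sock, out):  # constructed input, not from any real project
    for r in rows:
        out += f"{r},"
        rows.insert(0, r)
    for a in rows:
        for b in rows:
            for c in rows: pass
    while True: chunk = sock.recv(4096)
"""
```

Running scan_source(SAMPLE) yields one match per pattern; a `while True` loop that contains a `break`, or a `+= 1` counter, produces nothing, which is the false-positive boundary the page leaves to the assistant.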

Secret-pattern scanner — extends detect-secrets with formats it doesn't ship rules for: OpenAI keys (sk-...), Anthropic keys (sk-ant-...), SendGrid, Mailgun, Twilio, DigitalOcean, and NPM publish tokens. Combined coverage is 20+ credential formats. Deep dive: How BrassCoders Catches Hardcoded Secrets in AI Code; further context in Secrets Your AI Might Leak and the secret-leakage research.
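An added example (not BrassCoders's own rules) of the two prefix-anchored formats named above, emitted the way the page describes findings: file, line, rule, and evidence that is redacted before it leaves the scanner. The token character class, minimum length, and sample lines are assumptions constructed here, not vendor specifications.

```python
import re

# Prefix-anchored patterns; the negative lookahead keeps "sk-ant-" from also matching the
# generic "sk-" rule. Body character class and length are assumptions for this example.
PATTERNS = {
    "anthropic-key": re.compile(r"\bsk-ant-[A-Za-z0-9_-]{20,}"),
    "openai-key": re.compile(r"\bsk-(?!ant-)[A-Za-z0-9_-]{20,}"),
}

def redact(token, keep=4):
    """Keep the recognisable prefix and the last few characters; mask everything else."""
    prefix = "sk-ant-" if token.startswith("sk-ant-") else "sk-"
    body = token[len(prefix):]
    return prefix + "*" * (len(body) - keep) + body[-keep:]

def scan_lines(path, lines):
    """Return findings shaped like one YAML entry each; evidence is already redacted."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        for rule, pat in PATTERNS.items():
            for m in pat.finditer(line):
                findings.append({"file": path, "line": lineno, "rule": rule,
                                 "evidence": redact(m.group(0))})
    return findings

# Constructed sample file contents; the key values are fabricated, not real credentials.
SAMPLE_LINES = [
    'OPENAI_API_KEY = "sk-' + "A" * 24 + '"',
    'client = Anthropic(api_key="sk-ant-' + "b" * 30 + '")',
    'sk_pattern = "sk-short"',  # too short to match either rule
]
```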

Privacy/PII scanner — flags personally identifiable information hardcoded in source: phone-number and SSN patterns, email addresses in test fixtures, and similar literals. PII in source is a distinct problem from PII in a database, and AI assistants generate realistic-looking fixtures freely. Deep dive: How BrassCoders Flags PII in AI-Generated Code.

Content-moderation scanner — checks for policy-relevant content in source and string literals, a safety layer for teams that need it. Like every BrassCoders detector, it reports matches; it doesn't adjudicate them.

JavaScript/TypeScript scanner — a Node.js Babel-parser layer that runs automatically on .js, .ts, .jsx, and .tsx files, covering secrets and common security patterns in JavaScript alongside the Python scan. Deep dive: Scanning AI-Generated JavaScript and TypeScript.

What the OSS Core Includes, and What Paid Adds

BrassCoders runs all 12 scanners in the free OSS core — Apache 2.0, no account, zero outbound network calls. The detection is complete at the free level; the Paid plan changes the output quality, not what gets found. Most teams should start free and upgrade when the raw output volume becomes the bottleneck — the honest decision line is in OSS Core vs Paid: When to Upgrade.

BrassCoders Paid ($12/dev/month) adds an AI-powered enrichment pass that deduplicates findings semantically and ranks them against your project's signature, taking a typical 1500+ raw findings down to roughly 300, then to a focused set of 50-80 worth a human's attention. The enrichment sends already-redacted findings plus a short project signature to the BrassCoders gateway; never raw source code. The per-token cost is passed through with no markup. See pricing, or the deep dive on what the Paid enrichment actually does.

Run the Full Stack

BrassCoders installs as one Python package and runs all 12 scanners with one command. No per-scanner configuration; no managing version compatibility across a dozen tools.

pipx install brasscoders
brasscoders --offline scan

Output lands in .brass/: ai_instructions.yaml (short, severity-ranked, built to paste into Claude Code or Cursor), detailed_analysis.yaml (every finding with file, line, scanner source, and evidence), and security_report.yaml (the security-only view). The --offline flag enforces zero network calls and exits non-zero if any are attempted — the auditable guarantee for regulated or air-gapped environments.

Frequently Asked Questions

How many scanners does BrassCoders run?

Twelve, in a single scan. Six are bundled open-source engines (Bandit, Pylint, Pyre/Pysa, Semgrep, ast-grep, detect-secrets) and six are custom BrassCoders detectors (secret-pattern, privacy/PII, AI-pattern/phantom imports, performance anti-patterns, content moderation, JavaScript/TypeScript). One CLI command runs all twelve; no per-tool config files.

Does BrassCoders decide which findings are real bugs?

No, and that is deliberate. BrassCoders is the deterministic pattern reporter: it emits the raw, reproducible findings with file, line, and evidence, and never infers whether a given match is a true bug or a false positive. The context-aware triage is your AI assistant's job. A scanner that guessed context would hide real bugs behind wrong guesses.

What does BrassCoders catch that Bandit and Semgrep miss?

The AI-specific failure classes. In BrassCoders's June 2026 benchmark, Bandit caught 6/12 and Semgrep 4/12 — both strong on security, both 0/4 on the performance anti-patterns AI assistants introduce. BrassCoders's custom performance, AI-pattern (phantom imports), and extended secret-format detectors cover the patterns the standard SAST set was never calibrated for.

Which languages does BrassCoders scan?

Python is the primary focus, where the AI-coder-specific performance and phantom-import rules apply. The JavaScript/TypeScript scanner runs automatically when .js, .ts, .jsx, or .tsx files are present, using a Node.js Babel parser for secrets and common security patterns. Requires Python 3.10+; Node.js 18+ is optional for JS/TS.

Do I need the Paid plan to use the scanners?

No. All 12 scanners run in the free, Apache 2.0 OSS core with zero outbound network calls. The Paid plan ($12/dev/month) doesn't add detection — it adds an AI-powered enrichment pass that deduplicates and ranks the findings, taking a typical 1500+ raw results down to roughly 300, then to a focused set of 50-80. Detection is identical at both levels.

How do I run all 12 scanners?

Install via pipx (pipx install brasscoders), then run brasscoders --offline scan from any project directory. Output lands in .brass/ as YAML built for AI coding assistants to read. Python 3.10+ required; no account, no API key, no telemetry for the OSS core.