I maintain open-source projects and got tired of reviewing "Agentic Slop"—PRs that contain hallucinated dependencies, unsafe memory pointers, and structural clones generated by AI tools. Existing scanners like CodeQL are too heavy to run locally on my 8GB laptop.
I built The Janitor. It is a deterministic, zero-copy static analyzer written in Rust.
The architecture relies on Tree-Sitter for polyglot parsing, memmap2 and rkyv for zero-copy registry access, and MinHash/LSH for duplicate detection. It does not use LLMs to guess intent.
The Benchmarks:
• Scans the Godot Engine (3.5M LOC) in 33 seconds using 58MB of peak RAM.
• In my recent gauntlet test, it caught GitHub's own copilot-swe-agent hallucinating a fake RCE vulnerability in the microsoft/vscode repository (PR #298806) by cross-referencing the PR text against the file-extension diff.
• It detects "Zombie Dependencies" (packages added to Cargo.toml/package.json but never imported in the source).
The CLI is free and BSL-licensed. I also built a SaaS wrapper that issues NIST FIPS 204 (ML-DSA-65) post-quantum cryptographic bonds for clean merges.
Happy to answer questions on the architecture or the memory mapping.
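As an added illustration (not the Janitor's own code) of the "Zombie Dependency" check described above, here is a minimal std-only Rust version: it reads the `[dependencies]` table of a Cargo.toml and reports crates that no source file references as a whole identifier. The manifest and source text are constructed samples, and the crate names in them are hypothetical.

```rust
use std::collections::BTreeSet;

/// Collect crate names declared under `[dependencies]` in a Cargo.toml.
/// Assumption: a simple line-based manifest, one `name = ...` entry per line
/// (dotted sub-tables such as `[dependencies.foo]` are not handled here).
fn declared_deps(cargo_toml: &str) -> BTreeSet<String> {
    let mut in_deps = false;
    let mut deps = BTreeSet::new();
    for raw in cargo_toml.lines() {
        let line = raw.trim();
        if line.starts_with('[') {
            in_deps = line == "[dependencies]";
            continue;
        }
        if in_deps && !line.is_empty() && !line.starts_with('#') {
            if let Some((name, _)) = line.split_once('=') {
                deps.insert(name.trim().trim_matches('"').to_string());
            }
        }
    }
    deps
}

/// Cargo exposes a crate named `my-crate` to source code as `my_crate`.
fn crate_ident(name: &str) -> String {
    name.replace('-', "_")
}

/// A crate counts as used if its identifier appears as a whole token
/// (`use serde::…`, `serde::…`, `extern crate serde`). A local variable that
/// happens to share the crate's name would also count; a real scanner would
/// walk the parse tree instead of tokens.
fn is_referenced(source: &str, ident: &str) -> bool {
    source
        .split(|c: char| !(c.is_alphanumeric() || c == '_'))
        .any(|tok| tok == ident)
}

/// Declared dependencies that no source file references.
fn zombie_deps(cargo_toml: &str, sources: &[&str]) -> Vec<String> {
    declared_deps(cargo_toml)
        .into_iter()
        .filter(|dep| !sources.iter().any(|s| is_referenced(s, &crate_ident(dep))))
        .collect()
}

fn main() {
    // Constructed sample manifest and source; crate names are hypothetical.
    let manifest = "[package]\nname = \"demo\"\n\n[dependencies]\nserde = \"1\"\nrand-core = \"0.6\"\nserde-json-extra = \"0.1\"\n";
    let src = "use serde::Serialize;\nfn seed() -> u64 { rand_core::OsRng.next_u64() }\n";
    println!("zombie dependencies: {:?}", zombie_deps(manifest, &[src]));
}
```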