← Ripplex

The four scanners

Each one runs in its own isolated process, with its own timeout and failure boundary. If one crashes, the others still post their findings.

semgrep

Security

Finds security vulnerabilities by pattern matching across your codebase.

What it catches

  • SQL injection
  • XSS (cross-site scripting)
  • Hardcoded API keys and secrets
  • Insecure dependencies
  • Dangerous function calls

Example finding

  crit  auth.ts:42
        SQL query built with string concatenation.
        fix: use a parameterised query

oxlint

Code quality

Rust-powered linter that runs 50--œ100x faster than ESLint.

What it catches

  • Unused variables and imports
  • Unreachable code
  • Bad async/await patterns
  • Type coercion bugs
  • Shadowed variables

Example finding

  warn  session.ts:14
        'authToken' is assigned but never read.
        fix: remove the assignment or use the value

jscpd

Duplicates

Finds copy-pasted code blocks across your entire codebase.

What it catches

  • Duplicated logic across files
  • Near-identical functions
  • Repeated business rules that should be extracted

"Duplicated code means bugs get fixed in one place and not the other."

Example finding

  warn  api/orders.ts:88--œ126
        38-line block also appears in api/cart.ts:44--œ82
        similarity: 94%

knip

Dead code

Finds exports, files, and functions that nobody uses.

What it catches

  • Unused exports
  • Files that are never imported
  • Functions removed from all callers but never deleted

"Dead code is future confusion. Every unused export is a question mark for the next developer."

Example finding

  info  lib/utils.ts
        export 'formatCurrency' -- 0 references found.
        fix: delete or move to a private helper
See them in action on your PR → Get early access