HackerNews中文版HackerNews CN
GitHubTwitter

展示HN:Autofix Bot – 混合静态分析与人工智能代码审查代理

9作者: sanketsaurav大约 2 个月前原帖
大家好,HN!我们是来自DeepSource的Jai和Sanket(YC W20),今天我们推出了Autofix Bot,这是一款结合静态分析和人工智能的混合型代理,专为与AI编码代理协同使用而设计。 AI编码代理使得代码生成几乎变得免费,但它们将瓶颈转移到了代码审查上。仅依靠静态分析和固定检查器的方式已经不够。仅使用大型语言模型(LLM)进行审查存在几个局限性:运行结果的不确定性、安全问题的召回率低、在大规模使用时成本高昂,以及容易“分心”。 在过去的六年里,我们一直在构建一个确定性的、仅基于静态分析的代码审查产品。今年早些时候,我们从头开始思考这个问题,意识到静态分析可以解决LLM审查的一些关键盲点。在过去六个月中,我们构建了一个新的“混合”代理循环,结合静态分析和前沿的AI代理,以便在发现和修复代码质量及安全问题方面超越仅使用静态分析和仅使用LLM的工具。今天,我们将其公开发布。 以下是混合架构的工作原理: - 静态检查:5000多个确定性检查器(代码质量、安全性、性能)建立了一个高精度的基线。子代理抑制特定上下文的误报。 - AI审查:代理使用静态发现作为锚点来审查代码。可以访问抽象语法树(AST)、数据流图、控制流图、导入图等工具,而不仅仅是使用grep和常规的shell命令。 - 修复:子代理生成修复方案。静态工具验证所有编辑,然后再输出干净的git补丁。 静态分析解决了LLM的一些关键问题:运行结果的不确定性、安全问题的低召回率(LLM容易被风格分散注意力)以及成本(静态分析缩小了提示大小和工具调用)。 在OpenSSF CVE基准测试中(200多个真实的JS/TS漏洞),我们的准确率为81.2%,F1值为80.0%;相比之下,Cursor Bugbot的准确率为74.5%,F1值为77.42%;Claude Code的准确率为71.5%,F1值为62.99%;CodeRabbit的准确率为59.4%,F1值为36.19%;Semgrep CE的准确率为56.9%,F1值为38.26%。在秘密检测方面,我们的F1值为92.8%;相比之下,Gitleaks为75.6%,detect-secrets为64.1%,TruffleHog为41.2%。我们使用了我们的开源分类模型来实现这一点。 完整的方法论以及我们如何评估每个工具的详细信息,请访问: [https://autofix.bot/benchmarks](https://autofix.bot/benchmarks) 您可以通过我们的终端用户界面(TUI)在任何代码库上互动使用Autofix Bot,或者作为Claude Code的插件,或在任何兼容的AI客户端(如OpenAI Codex)上使用我们的MCP。我们特别为AI编码代理优先的工作流程构建,因此您可以要求您的代理在每个检查点自主运行Autofix Bot。 今天就来试试吧:[https://autofix.bot](https://autofix.bot)。我们期待您的反馈! --- [1] [https://github.com/ossf-cve-benchmark/ossf-cve-benchmark](https://github.com/ossf-cve-benchmark/ossf-cve-benchmark) [2] [https://huggingface.co/deepsource/Narada-3.2-3B-v1](https://huggingface.co/deepsource/Narada-3.2-3B-v1) [3] [https://autofix.bot/manual/#terminal-ui](https://autofix.bot/manual/#terminal-ui)
查看原文
Hi there, HN! We’re Jai and Sanket from DeepSource (YC W20), and today we’re launching Autofix Bot, a hybrid static analysis + AI agent purpose-built for in-the-loop use with AI coding agents.<p>AI coding agents have made code generation nearly free, and they’ve shifted the bottleneck to code review. Static-only analysis with a fixed set of checkers isn’t enough. LLM-only review has several limitations: non-deterministic across runs, low recall on security issues, expensive at scale, and a tendency to get ‘distracted’.<p>We spent the last 6 years building a deterministic, static-analysis-only code review product. Earlier this year, we started thinking about this problem from the ground up and realized that static analysis solves key blind spots of LLM-only reviews. Over the past six months, we built a new ‘hybrid’ agent loop that uses static analysis and frontier AI agents together to outperform both static-only and LLM-only tools in finding and fixing code quality and security issues. Today, we’re opening it up publicly.<p>Here’s how the hybrid architecture works:<p>- Static pass: 5,000+ deterministic checkers (code quality, security, performance) establish a high-precision baseline. A sub-agent suppresses context-specific false positives.<p>- AI review: The agent reviews code with static findings as anchors. Has access to AST, data-flow graphs, control-flow, import graphs as tools, not just grep and usual shell commands.<p>- Remediation: Sub-agents generate fixes. Static harness validates all edits before emitting a clean git patch.<p>Static solves key LLM problems: non-determinism across runs, low recall on security issues (LLMs get distracted by style), and cost (static narrowing reduces prompt size and tool calls).<p>On the OpenSSF CVE Benchmark [1] (200+ real JS&#x2F;TS vulnerabilities), we hit 81.2% accuracy and 80.0% F1; vs Cursor Bugbot (74.5% accuracy, 77.42% F1), Claude Code (71.5% accuracy, 62.99% F1), CodeRabbit (59.4% accuracy, 36.19% F1), and Semgrep CE (56.9% accuracy, 38.26% F1). On secrets detection, 92.8% F1; vs Gitleaks (75.6%), detect-secrets (64.1%), and TruffleHog (41.2%). We use our open-source classification model for this. [2]<p>Full methodology and how we evaluated each tool: <a href="https:&#x2F;&#x2F;autofix.bot&#x2F;benchmarks" rel="nofollow">https:&#x2F;&#x2F;autofix.bot&#x2F;benchmarks</a><p>You can use Autofix Bot interactively on any repository using our TUI, as a plugin in Claude Code, or with our MCP on any compatible AI client (like OpenAI Codex).[3] We’re specifically building for AI coding agent-first workflows, so you can ask your agent to run Autofix Bot on every checkpoint autonomously.<p>Give us a shot today: <a href="https:&#x2F;&#x2F;autofix.bot" rel="nofollow">https:&#x2F;&#x2F;autofix.bot</a>. We’d love to hear any feedback!<p>---<p>[1] <a href="https:&#x2F;&#x2F;github.com&#x2F;ossf-cve-benchmark&#x2F;ossf-cve-benchmark" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;ossf-cve-benchmark&#x2F;ossf-cve-benchmark</a><p>[2] <a href="https:&#x2F;&#x2F;huggingface.co&#x2F;deepsource&#x2F;Narada-3.2-3B-v1" rel="nofollow">https:&#x2F;&#x2F;huggingface.co&#x2F;deepsource&#x2F;Narada-3.2-3B-v1</a><p>[3] <a href="https:&#x2F;&#x2F;autofix.bot&#x2F;manual&#x2F;#terminal-ui" rel="nofollow">https:&#x2F;&#x2F;autofix.bot&#x2F;manual&#x2F;#terminal-ui</a>