Core Lint

A YAML pattern catalogue and regex code checker that also wraps Go and PHP quality tooling behind one structured API.

doc/components/lint.md

Core Lint is a pattern catalogue, a regex-based code checker, and a multi-language QA toolkit. It loads YAML rule definitions, compiles them to regexes, and matches them against source files line by line. On top of the catalogue, it wraps Go and PHP quality tooling — complexity, coverage, and vulnerability checks — behind one structured API. It has zero framework dependencies and ships as the core-lint binary.

Quick start

Scan a tree against the catalogue, or run the full QA pipeline.

core lint
core go qa

core lint matches the catalogue against a file or directory and emits findings as text, JSON, or JSONL. core go qa runs vet, lint, and test in one pass. The binary itself is built as core-lint.

The pattern catalogue

Rules live as YAML in the catalogue and are embedded at compile time, then compiled to regexes and matched line by line. Each rule is validated on load: required fields are checked and the regex patterns are compiled. Only rules with detection: regex are actively matched; other detection types are stored but skipped.

- id: go-sec-001
  title: "..."
  severity: high            # info | low | medium | high | critical
  languages: [go]
  tags: [security]
  pattern: 'regex'          # Go regexp syntax
  exclude_pattern: 'regex'  # optional
  fix: "..."
  detection: regex

Every match is a Finding carrying the rule ID, file, line, severity, and a fix suggestion.
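
The load, validate, and match flow described above, as an added Go example; it is not Core Lint's own code. The Rule and Finding types, Load, Scan, and the demo-001/demo-002 rules are constructed for illustration, and rules are built as structs rather than parsed from YAML. It assumes that id, pattern, and severity are the required fields and that exclude_pattern suppresses a hit on the same line.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Rule mirrors the YAML fields shown above; re and ex hold the compiled patterns.
type Rule struct{ ID, Severity, Pattern, Exclude, Fix, Detection string; re, ex *regexp.Regexp }
type Finding struct{ RuleID, File, Severity, Fix string; Line int }
var severities = map[string]bool{"info": true, "low": true, "medium": true, "high": true, "critical": true}

// Load validates and compiles every rule, then keeps only those with detection: regex.
func Load(rules []Rule) (active []Rule, err error) {
	for _, r := range rules {
		if r.ID == "" || r.Pattern == "" || !severities[r.Severity] {
			err = fmt.Errorf("missing required field or unknown severity")
		} else if r.re, err = regexp.Compile(r.Pattern); err == nil && r.Exclude != "" {
			r.ex, err = regexp.Compile(r.Exclude)
		}
		if err != nil {
			return nil, fmt.Errorf("rule %q: %w", r.ID, err)
		}
		if r.Detection == "regex" { // other detection types are validated but never matched
			active = append(active, r)
		}
	}
	return active, nil
}

// Scan matches line by line. Assumption: exclude_pattern suppresses a hit on the same line.
func Scan(file, src string, rules []Rule) (out []Finding) {
	for i, line := range strings.Split(src, "\n") {
		for _, r := range rules {
			if r.re.MatchString(line) && (r.ex == nil || !r.ex.MatchString(line)) {
				out = append(out, Finding{r.ID, file, r.Severity, r.Fix, i + 1})
			}
		}
	}
	return out
}

func main() { // constructed rules and source, not taken from the Core Lint catalogue
	rules, err := Load([]Rule{
		{ID: "demo-001", Severity: "high", Pattern: `InsecureSkipVerify:\s*true`, Exclude: `^\s*//`, Fix: "verify certificates", Detection: "regex"},
		{ID: "demo-002", Severity: "low", Pattern: `TODO`, Detection: "ast"},
	})
	fmt.Println(Scan("client.go", "cfg := tls.Config{\n\tInsecureSkipVerify: true,\n}\n// InsecureSkipVerify: true", rules), err)
}
```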

Language-aware scanning

The scanner walks a directory tree and detects each file's language from its extension. It skips the directories you would not want scanned — vendor, node_modules, .git, testdata, and .core — so the catalogue only runs against your own source.

Output is available as text, JSON, or JSONL, so findings can be read by a person or piped into another tool.

The quality toolkit

Beyond the regex catalogue, Core Lint wraps the real quality tooling behind typed APIs.

  • Go. go vet, govulncheck, gocyclo, gitleaks, and git are run as subprocesses and parsed into typed structs. Cyclomatic complexity is computed natively from the Go AST, with no external tool. Coverage snapshots can be persisted and compared over time to detect regressions.
  • PHP. Pint, PHPStan and Larastan, Psalm, Rector, Infection, PHPUnit and Pest, and composer audit are wrapped into a staged pipeline: quick (audit, format, stan), then standard (adds Psalm and tests), then full (adds Rector and Infection).

Project type is detected from filesystem markers — go.mod for Go, composer.json for PHP.

Standalone by design

Core Lint has zero framework dependencies. It uses core/cli for command scaffolding only, so the resulting core-lint binary runs anywhere and holds every repository to the same catalogue.