by Isaac Evans, CEO and co-founder @ r2c
This post was originally published on the Bento blog in late December 2019.
We believe every developer deserves access to powerful tools, but most don’t know about or can’t afford them. r2c’s mission is to make those tools available to those who want to find bugs, discover security problems, and save time but don’t work for a giant company that prioritizes these problems with nearly unlimited resources.
That’s why we’re excited to release Bento! It’s a free and opinionated toolkit for easily adopting linters and program analysis in a codebase. It includes analysis we’ve written and packages fantastic community-created tools, all running offline (no code is ever shipped off your machine). Over the next few months we’ll release more novel checks and include existing tools; subscribe for updates.
Some members of our team wrote early versions of these tools at places like Facebook. r2c started by building infrastructure to make it easy to run static analysis tools at massive scale (see our paper co-published at USENIX) but our goal has always been to take the learnings from scaling analysis to benefit individual developers directly: folks helping small teams writing voter registration systems for their city, non-profits who serve communities targeted by powerful hostile actors, startups who handle sensitive data about fellow humans, or developers who just want to automate away code review.
Bento is in alpha, but you can try it right away:
pip3 install bento-cli
Here’s a short demo:
Well yes, but actually, no. Bento is currently a union of curated AST-based lints, including new ones written by us, tuned to find bugs that matter. Our roadmap takes us far beyond AST-based linting though: finding SQL injection through taint analysis, detecting dangerous dependency upgrades, etc.
As opposed to other tools that try to measure code-quality or concatenate linter output, we have skin in the analysis game; we’re already making some contributions back to the tools we include. We’re collaborating with a few linter authors already and we would love to offer free compute resources on our platform for measuring check quality to anyone else who might be interested (firstname.lastname@example.org).
Our immediate focus is writing custom analysis tools to find security and other issues for users of the Flask web framework. If you or someone you know uses Flask and has ideas on what we might detect, send us a note or make an issue!
Our first releases are about making it easy to install, adopt, and get started before we ship everything on our roadmap.
Find bugs that matter
Bento automatically enables and configures relevant analysis based on your dependencies and frameworks, and it will never report style-related issues. You won’t have to painstakingly configure your tooling; we did that already!
No one should have to dig through thousands of linter results and fix them before they can start using a tool. Bento ships with a built-in archiving feature that lets you establish a baseline without fixing all the issues at once and just look at any new problems entering the codebase.
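As an added illustration of the baselining idea above (my own sketch, not Bento's archive implementation; its on-disk format and the exact finding shape it consumes are assumptions here), the key design point is that a baseline should key findings on what was flagged, not on line numbers, so that edits elsewhere in a file do not resurface every archived issue as "new":

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    """One linter result (constructed sample shape, not Bento's real schema)."""
    tool: str
    check_id: str
    path: str
    line: int
    source: str   # the offending source line as reported by the tool
    message: str


def fingerprint(f: Finding) -> str:
    """Identity that survives unrelated edits: tool, check, file and the
    whitespace-normalized flagged line. The line number is deliberately left
    out so that inserting code above a known issue does not make it 'new'."""
    normalized = " ".join(f.source.split())
    material = "\n".join([f.tool, f.check_id, f.path, normalized])
    return hashlib.sha256(material.encode("utf-8")).hexdigest()


def archive(findings):
    """Build a baseline: the set of fingerprints for everything reported now."""
    return {fingerprint(f) for f in findings}


def new_findings(findings, baseline):
    """Keep only findings whose fingerprint is absent from the baseline."""
    return [f for f in findings if fingerprint(f) not in baseline]


# Constructed sample: a first run over a small Flask app (flake8/bandit-style IDs).
FIRST_RUN = [
    Finding("bandit", "B201", "app.py", 12, "app.run(debug=True)", "debug=True in Flask app"),
    Finding("flake8", "F401", "app.py", 1, "import os", "'os' imported but unused"),
]

# Constructed sample: a later run after a route was added above line 12 (the old
# debug=True finding moved to line 20) and one genuinely new issue appeared.
SECOND_RUN = [
    Finding("flake8", "F401", "app.py", 1, "import os", "'os' imported but unused"),
    Finding("bandit", "B201", "app.py", 20, "app.run(debug=True)", "debug=True in Flask app"),
    Finding("bandit", "B105", "app.py", 8, "app.secret_key = 'dev'", "possible hardcoded secret"),
]


def demo():
    """Archive the first run, then report only what is new in the second."""
    return new_findings(SECOND_RUN, archive(FIRST_RUN))
```

Two identical flagged lines in the same file collapse to one fingerprint under this scheme; a production baseline would add some surrounding-context hash to tell them apart.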
This philosophy also applies to setup: Bento auto-configures in about 30 seconds; it’s easy to install in a Docker container, and it can even install itself as a pre-commit hook automatically.
Get better over time
Bento automatically tailors itself to your project by enabling checks that correspond to your language, framework, and dependencies. As time goes on and based on community feedback, we’ll be writing and shipping new checks that you can adopt automatically. And we want your feedback!