技术债务扫描器 - 自动化代码质量检测工具 | 并行子代理架构 | SkillsMD技术债务扫描器 - 自动化代码质量检测工具 | 并行子代理架构
techdebt by 0xdarkmatter/claude-mods
npx skills add https://github.com/0xdarkmatter/claude-mods --skill techdebt🇨🇳中文介绍
技术债务扫描器
使用并行子代理进行自动化技术债务检测。设计用于在会话结束时运行,以便在上下文尚新时发现问题。
快速开始
# 会话结束 - 扫描自上次提交以来的变更(默认)
/techdebt
# 深度扫描 - 分析整个代码库
/techdebt --deep
# 特定类别
/techdebt --duplicates # 仅重复代码
/techdebt --security # 仅安全问题
/techdebt --complexity # 仅复杂度热点
/techdebt --deadcode # 仅死代码
# 自动修复模式(交互式)
/techdebt --fix
架构
始终使用并行子代理以实现快速分析:
Main Agent (orchestrator)
│
├─> Subagent 1: Duplication Scanner
├─> Subagent 2: Security Scanner
├─> Subagent 3: Complexity Scanner
└─> Subagent 4: Dead Code Scanner
↓ All run in parallel (2-15s depending on scope)
Main Agent: Consolidate findings → Rank by severity → Generate report
优势:
- 🚀 并行执行 - 所有扫描同时运行
- 🧹 保持主上下文清洁 - 不受分析工作污染
- 💪 可扩展 - 高效处理大型代码库
- 🎯 快速 - 即使是小规模差异也能从并行化中受益
工作流程
步骤 1:确定范围
默认(无标志):
- 扫描自上次提交以来更改的文件:
git diff --name-only HEAD
🇺🇸English
Tech Debt Scanner
Automated technical debt detection using parallel subagents. Designed to run at session end to catch issues while context is fresh.
Quick Start
# Session end - scan changes since last commit (default)
/techdebt
# Deep scan - analyze entire codebase
/techdebt --deep
# Specific categories
/techdebt --duplicates # Only duplication
/techdebt --security # Only security issues
/techdebt --complexity # Only complexity hotspots
/techdebt --deadcode # Only dead code
# Auto-fix mode (interactive)
/techdebt --fix
Architecture
Always uses parallel subagents for fast analysis:
Main Agent (orchestrator)
│
├─> Subagent 1: Duplication Scanner
├─> Subagent 2: Security Scanner
├─> Subagent 3: Complexity Scanner
└─> Subagent 4: Dead Code Scanner
↓ All run in parallel (2-15s depending on scope)
Main Agent: Consolidate findings → Rank by severity → Generate report
Benefits:
- 🚀 Parallel execution - all scans run simultaneously
- 🧹 Clean main context - no pollution from analysis work
- 💪 Scalable - handles large codebases efficiently
- 🎯 Fast - even small diffs benefit from parallelization
广告位招租
在这里展示您的产品或服务
触达数万 AI 开发者,精准高效
- 扫描整个代码库
- 全面分析(中型项目约 10-15 秒)
- 在重构或准备主要发布时使用
步骤 2:生成并行子代理
同时启动 4 个子代理(如果指定了类别,则启动子集):
- 任务:使用 AST 相似性查找重复的代码块
- 工具:
ast-grep、结构搜索、令牌分析
- 输出:带有相似性分数的重复代码块列表
- 任务:检测安全漏洞和反模式
- 检查项:硬编码密钥、SQL 注入、XSS、不安全的加密
- 输出:带有严重性和修复指导的安全发现
- 任务:识别过于复杂的函数和方法
- 指标:圈复杂度、嵌套深度、函数长度
- 输出:带有重构建议的复杂度热点
- 任务:查找未使用的导入、变量和不可达代码
- 检查项:未使用的导入、死分支、孤立函数
- 输出:带有安全移除说明的死代码列表
Scan {scope} for {category} issues.
Scope: {file_list or "entire codebase"}
Language: {detected from file extensions}
Focus: {category-specific patterns}
Output format:
- File path + line number
- Issue description
- Severity (P0-P3)
- Suggested fix (if available)
Use appropriate tools:
- Duplication: ast-grep for structural similarity
- Security: pattern matching + known vulnerability patterns
- Complexity: cyclomatic complexity calculation
- Dead Code: static analysis for unused symbols
步骤 3:整合发现
- 去重 - 移除跨类别的重复发现
- 按严重性排序:
- P0(严重): 安全漏洞、阻塞性问题
- P1(高): 主要重复、高复杂度
- P2(中): 次要重复、中等复杂度
- P3(低): 死代码、风格问题
- 按文件分组 - 按受影响文件组织发现
- 计算债务分数 - 总体技术债务指标
步骤 4:生成报告
# Tech Debt Report
**Scope:** {X files changed | Entire codebase}
**Scan Time:** {duration}
**Debt Score:** {0-100, lower is better}
## Summary
| Category | Findings | P0 | P1 | P2 | P3 |
|----------|----------|----|----|----|----|
| Duplication | X | - | X | X | - |
| Security | X | X | - | - | - |
| Complexity | X | - | X | X | - |
| Dead Code | X | - | - | X | X |
## Critical Issues (P0)
### {file_path}:{line}
**Category:** {Security}
**Issue:** Hardcoded API key detected
**Impact:** Credential exposure risk
**Fix:** Move to environment variable
## High Priority (P1)
### {file_path}:{line}
**Category:** {Duplication}
**Issue:** 45-line block duplicated across 3 files
**Impact:** Maintenance burden, inconsistency risk
**Fix:** Extract to shared utility function
[... continue for all findings ...]
## Recommendations
1. Address all P0 issues before merge
2. Consider refactoring high-complexity functions
3. Remove dead code to reduce maintenance burden
## Auto-Fix Available
Run `/techdebt --fix` to interactively apply safe automated fixes.
步骤 5:自动修复模式(可选)
-
识别安全修复:
- 移除未使用的导入(安全)
- 简单的重复代码提取(需要审查)
- 格式化修复(安全)
-
交互式提示:
Fix: Remove unused import 'requests' from utils.py:5
[Y]es / [N]o / [A]ll / [Q]uit
-
应用更改:
- 使用确认的修复编辑文件
- 显示更改的 git diff
- 提示提交
- 永不自动修复安全问题(需要人工审查)
- 永不自动修复复杂度问题(需要设计决策)
- 仅在获得用户明确确认后进行自动修复
检测模式
重复代码
- 使用
ast-grep 进行结构模式匹配
- 检测结构相似度 >80% 的代码块
- 忽略细微差异(变量名、空白字符)
- 比较令牌序列以查找完全重复
- 最小阈值:连续 6 行
- 跨文件分组相似的重复项
- P1:30+ 行代码在 3+ 个位置重复
- P2:15+ 行代码在 2+ 个位置重复
- P3:6+ 行代码在 2 个位置重复
安全性
| 模式 | 严重性 | 示例 |
|---|
| 硬编码密钥 | P0 | API_KEY = "sk-..." |
| SQL 注入风险 | P0 | f"SELECT * FROM users WHERE id={user_id}" |
| 不安全的加密 | P0 | hashlib.md5(), random.random() for tokens |
| 路径遍历 | P0 | open(user_input) 无验证 |
| XSS 漏洞 | P0 | HTML 中未转义的用户输入 |
| Eval/exec 使用 | P1 | eval(user_input) |
| 弱密码 | P2 | 硬编码的默认密码 |
- Python:
pickle 使用、yaml.load() 未使用 SafeLoader
- JavaScript:
eval()、innerHTML 包含用户数据
- SQL:查询中的字符串拼接
复杂度
| 指标 | P1 阈值 | P2 阈值 |
|---|
| 圈复杂度 | >15 | >10 |
| 函数长度 | >100 行 | >50 行 |
| 嵌套深度 | >5 层 | >4 层 |
| 参数数量 | >7 | >5 |
- 为长函数提取方法
- 为多个参数引入参数对象
- 使用卫语句简化条件判断
- 分解深度嵌套的逻辑
死代码
- 未使用的导入(语言特定的 linter)
- 不可达代码(在 return/break/continue 之后)
- 未使用的变量(已写入但从未读取)
- 孤立函数(在代码库中从未调用)
- 未找到外部引用
- 不是公共 API 的一部分
- 未动态导入/调用
语言支持
- Python:
ast-grep、radon、pylint
- JavaScript/TypeScript:
ast-grep、eslint、jscpd
- Go:
gocyclo、golangci-lint
- Rust:
clippy、cargo-audit
- Java、C#、Ruby、PHP:仅基于模式的检测
- 根据文件扩展名自动检测
- 每种语言使用适当的工具
- 如果特定工具不可用,则回退到通用模式
集成模式
会话结束自动化
## Session Wrap-Up Checklist
- [ ] Run `/techdebt` to scan changes
- [ ] Address any P0 issues found
- [ ] Create tasks for P1/P2 items
- [ ] Commit clean code
预提交钩子
创建 .claude/hooks/pre-commit.sh:
#!/bin/bash
# Auto-run tech debt scan before commits
echo "🔍 Scanning for tech debt..."
claude skill techdebt --quiet
if [ $? -eq 1 ]; then
echo "❌ P0 issues detected. Fix before committing."
exit 1
fi
echo "✅ No critical issues found"
CI/CD 集成
# .github/workflows/techdebt.yml
name: Tech Debt Check
on: [pull_request]
jobs:
scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Run tech debt scan
run: claude skill techdebt --deep --ci
高级用法
基线跟踪
# 初始基线
/techdebt --deep --save-baseline
# 与基线比较
/techdebt --compare-baseline
# 输出:"Debt increased by 15% since baseline"
基线存储在 .claude/techdebt-baseline.json:
{
"timestamp": "2026-02-03T10:00:00Z",
"commit": "a28f0fb",
"score": 42,
"findings": {
"duplication": 8,
"security": 0,
"complexity": 12,
"deadcode": 5
}
}
自定义模式
在 .claude/techdebt-rules.json 中添加项目特定模式:
{
"security": [
{
"pattern": "TODO.*security",
"severity": "P0",
"message": "Security TODO must be resolved"
}
],
"complexity": {
"cyclomatic_threshold": 12,
"function_length_threshold": 80
}
}
报告格式
/techdebt --format=json # JSON 输出用于工具集成
/techdebt --format=markdown # Markdown 报告(默认)
/techdebt --format=sarif # SARIF 用于 IDE 集成
故障排除
- 解决方案:仅对较小模块使用
--deep,或增加超时时间
- 考虑:将大型代码库分解为较小的扫描块
- 解决方案:在
.claude/techdebt-rules.json 中调整阈值
- 考虑:使用
--ignore-patterns 标志排除测试文件
- 解决方案:通过
npm install -g @ast-grep/cli 安装工具,或跳过该类别
- 回退方案:即使没有专用工具,基于模式的检测仍然有效
最佳实践
- 在每次会话结束时运行 - 在上下文尚新时发现债务
- 立即处理 P0 问题 - 不要提交严重问题
- 为 P1/P2 问题创建任务 - 在待办事项中跟踪技术债务
- 使用基线跟踪趋势 - 监控债务随时间的积累
- 在 CI/CD 中自动化 - 防止债务合并
- 教育团队 - 分享发现,讨论重构策略
参考
Workflow
Step 1: Determine Scope
- Scan files changed since last commit:
git diff --name-only HEAD
- Fast session-end workflow (~2-3 seconds)
- Perfect for "wrap up" scenarios
- Scan entire codebase
- Comprehensive analysis (~10-15 seconds for medium projects)
- Use when refactoring or preparing major releases
Specific category (e.g.,--duplicates):
- Run only specified scanner
- Fastest option for targeted analysis
Step 2: Spawn Parallel Subagents
Launch 4 subagents simultaneously (or subset if category specified):
Subagent 1: Duplication Scanner
- Task: Find duplicated code blocks using AST similarity
- Tools:
ast-grep, structural search, token analysis
- Output: List of duplicate code blocks with similarity scores
Subagent 2: Security Scanner
- Task: Detect security vulnerabilities and anti-patterns
- Checks: Hardcoded secrets, SQL injection, XSS, insecure crypto
- Output: Security findings with severity and remediation guidance
Subagent 3: Complexity Scanner
- Task: Identify overly complex functions and methods
- Metrics: Cyclomatic complexity, nested depth, function length
- Output: Complexity hotspots with refactoring suggestions
Subagent 4: Dead Code Scanner
- Task: Find unused imports, variables, and unreachable code
- Checks: Unused imports, dead branches, orphaned functions
- Output: Dead code list with safe removal instructions
Subagent instructions template:
Scan {scope} for {category} issues.
Scope: {file_list or "entire codebase"}
Language: {detected from file extensions}
Focus: {category-specific patterns}
Output format:
- File path + line number
- Issue description
- Severity (P0-P3)
- Suggested fix (if available)
Use appropriate tools:
- Duplication: ast-grep for structural similarity
- Security: pattern matching + known vulnerability patterns
- Complexity: cyclomatic complexity calculation
- Dead Code: static analysis for unused symbols
Step 3: Consolidate Findings
Main agent collects results from all subagents and:
- Deduplicate - Remove duplicate findings across categories
- Rank by severity:
- P0 (Critical): Security vulnerabilities, blocking issues
- P1 (High): Major duplication, high complexity
- P2 (Medium): Minor duplication, moderate complexity
- P3 (Low): Dead code, style issues
- Group by file - Organize findings by affected file
- Calculate debt score - Overall technical debt metric
Step 4: Generate Report
Create actionable report with:
# Tech Debt Report
**Scope:** {X files changed | Entire codebase}
**Scan Time:** {duration}
**Debt Score:** {0-100, lower is better}
## Summary
| Category | Findings | P0 | P1 | P2 | P3 |
|----------|----------|----|----|----|----|
| Duplication | X | - | X | X | - |
| Security | X | X | - | - | - |
| Complexity | X | - | X | X | - |
| Dead Code | X | - | - | X | X |
## Critical Issues (P0)
### {file_path}:{line}
**Category:** {Security}
**Issue:** Hardcoded API key detected
**Impact:** Credential exposure risk
**Fix:** Move to environment variable
## High Priority (P1)
### {file_path}:{line}
**Category:** {Duplication}
**Issue:** 45-line block duplicated across 3 files
**Impact:** Maintenance burden, inconsistency risk
**Fix:** Extract to shared utility function
[... continue for all findings ...]
## Recommendations
1. Address all P0 issues before merge
2. Consider refactoring high-complexity functions
3. Remove dead code to reduce maintenance burden
## Auto-Fix Available
Run `/techdebt --fix` to interactively apply safe automated fixes.
Step 5: Auto-Fix Mode (Optional)
-
Identify safe fixes:
- Dead import removal (safe)
- Simple duplication extraction (review required)
- Formatting fixes (safe)
-
Interactive prompts:
Fix: Remove unused import 'requests' from utils.py:5
[Y]es / [N]o / [A]ll / [Q]uit
-
Apply changes:
- Edit files with confirmed fixes
- Show git diff of changes
- Prompt for commit
- Never auto-fix security issues (require manual review)
- Never auto-fix complexity (requires design decisions)
- Only auto-fix with explicit user confirmation
Detection Patterns
Duplication
AST Similarity Detection:
- Use
ast-grep for structural pattern matching
- Detect code blocks with >80% structural similarity
- Ignore trivial differences (variable names, whitespace)
- Compare token sequences for exact duplicates
- Minimum threshold: 6 consecutive lines
- Group similar duplicates across files
- P1: 30+ lines duplicated in 3+ locations
- P2: 15+ lines duplicated in 2+ locations
- P3: 6+ lines duplicated in 2 locations
Security
| Pattern | Severity | Example |
|---|
| Hardcoded secrets | P0 | API_KEY = "sk-..." |
| SQL injection risk | P0 | f"SELECT * FROM users WHERE id={user_id}" |
| Insecure crypto | P0 | hashlib.md5(), random.random() for tokens |
| Path traversal | P0 | open(user_input) without validation |
| XSS vulnerability | P0 | Unescaped user input in HTML |
| Eval/exec usage | P1 | eval(user_input) |
| Weak passwords | P2 | Hardcoded default passwords |
Language-specific checks:
- Python:
pickle usage, yaml.load() without SafeLoader
- JavaScript:
eval(), innerHTML with user data
- SQL: String concatenation in queries
Complexity
| Metric | P1 Threshold | P2 Threshold |
|---|
| Cyclomatic Complexity | >15 | >10 |
| Function Length | >100 lines | >50 lines |
| Nested Depth | >5 levels | >4 levels |
| Number of Parameters | >7 | >5 |
- Extract method for long functions
- Introduce parameter object for many parameters
- Simplify conditionals with guard clauses
- Break up deeply nested logic
Dead Code
- Unused imports (language-specific linters)
- Unreachable code (after return/break/continue)
- Unused variables (written but never read)
- Orphaned functions (never called in codebase)
- No external references found
- Not part of public API
- Not dynamically imported/called
Language Support
- Python:
ast-grep, radon, pylint
- JavaScript/TypeScript:
ast-grep, eslint, jscpd
- Go:
gocyclo, golangci-lint
- Rust:
clippy, cargo-audit
- Java, C#, Ruby, PHP: Pattern-based detection only
- Auto-detect from file extensions
- Use appropriate tools per language
- Fallback to universal patterns if specific tools unavailable
Integration Patterns
Session End Automation
## Session Wrap-Up Checklist
- [ ] Run `/techdebt` to scan changes
- [ ] Address any P0 issues found
- [ ] Create tasks for P1/P2 items
- [ ] Commit clean code
Pre-Commit Hook
Create .claude/hooks/pre-commit.sh:
#!/bin/bash
# Auto-run tech debt scan before commits
echo "🔍 Scanning for tech debt..."
claude skill techdebt --quiet
if [ $? -eq 1 ]; then
echo "❌ P0 issues detected. Fix before committing."
exit 1
fi
echo "✅ No critical issues found"
CI/CD Integration
Run deep scan on pull requests:
# .github/workflows/techdebt.yml
name: Tech Debt Check
on: [pull_request]
jobs:
scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Run tech debt scan
run: claude skill techdebt --deep --ci
Advanced Usage
Baseline Tracking
# Initial baseline
/techdebt --deep --save-baseline
# Compare against baseline
/techdebt --compare-baseline
# Output: "Debt increased by 15% since baseline"
Baseline stored in .claude/techdebt-baseline.json:
{
"timestamp": "2026-02-03T10:00:00Z",
"commit": "a28f0fb",
"score": 42,
"findings": {
"duplication": 8,
"security": 0,
"complexity": 12,
"deadcode": 5
}
}
Custom Patterns
Add project-specific patterns in .claude/techdebt-rules.json:
{
"security": [
{
"pattern": "TODO.*security",
"severity": "P0",
"message": "Security TODO must be resolved"
}
],
"complexity": {
"cyclomatic_threshold": 12,
"function_length_threshold": 80
}
}
Report Formats
/techdebt --format=json # JSON output for tooling
/techdebt --format=markdown # Markdown report (default)
/techdebt --format=sarif # SARIF for IDE integration
Troubleshooting
- Solution: Use
--deep only on smaller modules, or increase timeout
- Consider: Break large codebases into smaller scan chunks
Issue: Too many false positives
- Solution: Adjust thresholds in
.claude/techdebt-rules.json
- Consider: Use
--ignore-patterns flag to exclude test files
Issue: Missing dependencies (ast-grep, etc.)
- Solution: Install tools via
npm install -g @ast-grep/cli or skip category
- Fallback: Pattern-based detection still works without specialized tools
Best Practices
- Run at every session end - Catch debt while context is fresh
- Address P0 immediately - Don't commit critical issues
- Create tasks for P1/P2 - Track technical debt in backlog
- Use baselines for trends - Monitor debt accumulation over time
- Automate in CI/CD - Prevent debt from merging
- Educate team - Share findings, discuss refactoring strategies
References
AI新闻播客制作技能:实时新闻转对话式播客脚本与音频生成
