← 返回
未分类 Key

gqllint

GraphQL anti-pattern & security analyzer -- detects query depth/complexity issues, resolver N+1 problems, over/under fetching, rate limiting & auth gaps, sch...
GraphQL 反模式与安全分析器——检测查询深度/复杂度问题、解析器 N+1问题、过度/不足获取、速率限制与认证缺口、模式...
suhteevah suhteevah 来源
未分类 clawhub v1.0.1 1 版本 100000 Key: 需要
★ 0
Stars
📥 344
下载
💾 0
安装
1
版本
#latest

概述

GQLLint -- GraphQL Anti-Pattern & Security Analyzer

GQLLint scans codebases for GraphQL anti-patterns: query depth/complexity issues, resolver N+1 problems, over/under fetching, rate limiting & auth gaps, schema design issues, and client query safety problems. It uses regex-based pattern matching against 90 GraphQL-specific patterns across 6 categories, lefthook for git hook integration, and produces markdown reports with actionable remediation guidance. 100% local. Zero telemetry.

Note: GQLLint focuses on GraphQL-specific patterns (schema definitions, resolvers, client queries, server configuration). It does NOT analyze general JavaScript/TypeScript quality or REST API patterns.

Commands

Free Tier (No license required)

gqllint scan [file|directory]

One-shot GraphQL quality scan of files or directories.

How to execute:

bash "<SKILL_DIR>/scripts/dispatcher.sh" --path [target]

What it does:

  1. Accepts a file path or directory (defaults to current directory)
  2. Discovers all source files (skips .git, node_modules, binaries, images, .min.js)
  3. Runs 30 GraphQL patterns against each file (free tier limit)
  4. Calculates a GraphQL quality score (0-100) per file and overall
  5. Grades: A (90-100), B (80-89), C (70-79), D (60-69), F (<60)
  6. Outputs findings with: file, line number, check ID, severity, description, recommendation
  7. Exit code 0 if score >= 70, exit code 1 if GraphQL quality is poor
  8. Free tier limited to first 30 patterns (QD + RN categories)

Example usage scenarios:

  • "Scan my code for GraphQL issues" -> runs gqllint scan .
  • "Check this file for N+1 resolver problems" -> runs gqllint scan src/resolvers/
  • "Find query depth vulnerabilities" -> runs gqllint scan src/
  • "Audit my GraphQL schema" -> runs gqllint scan .
  • "Check for introspection leaks" -> runs gqllint scan .

Pro Tier ($19/user/month -- requires GQLLINT_LICENSE_KEY)

gqllint scan --tier pro [file|directory]

Extended scan with 60 patterns covering depth, N+1, fetching, and auth issues.

How to execute:

bash "<SKILL_DIR>/scripts/dispatcher.sh" --path [target] --tier pro

What it does:

  1. Validates Pro+ license
  2. Runs 60 GraphQL patterns (QD, RN, OF, RL categories)
  3. Detects over/under fetching and missing pagination
  4. Identifies auth gaps, rate limiting issues, and open playgrounds
  5. Full category breakdown reporting

gqllint scan --format json [directory]

Generate JSON output for CI/CD integration.

bash "<SKILL_DIR>/scripts/dispatcher.sh" --path [directory] --format json

gqllint scan --format html [directory]

Generate HTML report for browser viewing.

bash "<SKILL_DIR>/scripts/dispatcher.sh" --path [directory] --format html

gqllint scan --category RN [directory]

Filter scan to a specific check category (QD, RN, OF, RL, SD, CQ).

bash "<SKILL_DIR>/scripts/dispatcher.sh" --path [directory] --category RN

Team Tier ($39/user/month -- requires GQLLINT_LICENSE_KEY with team tier)

gqllint scan --tier team [directory]

Full scan with all 90 patterns across all 6 categories including schema design and client safety.

How to execute:

bash "<SKILL_DIR>/scripts/dispatcher.sh" --path [directory] --tier team

What it does:

  1. Validates Team+ license
  2. Runs all 90 patterns across 6 categories
  3. Includes schema design checks (input types, naming, JSON scalars, deprecation)
  4. Includes client query safety (injection, error handling, caching, codegen)
  5. Full category breakdown with per-file results

gqllint scan --verbose [directory]

Verbose output showing every matched line and pattern details.

bash "<SKILL_DIR>/scripts/dispatcher.sh" --path [directory] --verbose

gqllint status

Show license and configuration information.

bash "<SKILL_DIR>/scripts/dispatcher.sh" status

gqllint patterns

List all available detection patterns with IDs, severities, and descriptions.

bash "<SKILL_DIR>/scripts/dispatcher.sh" patterns

Check Categories

GQLLint detects 90 GraphQL anti-patterns across 6 categories:

| Category | Code | Patterns | Description | Severity Range |

|----------|------|----------|-------------|----------------|

| Query Depth & Complexity | QD | 15 | Unbounded depth, no complexity limit, introspection leak, recursive fragments | low -- critical |

| Resolver N+1 | RN | 15 | Database calls in loops, no DataLoader, sequential awaits, missing batching | low -- critical |

| Over/Under Fetching | OF | 15 | SELECT *, no pagination, eager loading, missing projections, full object returns | low -- critical |

| Rate Limiting & Auth | RL | 15 | No auth on mutations, open playground, missing rate limit, no CORS, no persisted queries | low -- critical |

| Schema Design | SD | 15 | Raw scalars in mutations, no input types, JSON scalar, naming issues, no deprecation | low -- high |

| Client Query Safety | CQ | 15 | String concatenation, template injection, no error handling, missing variables, no codegen | low -- critical |

Tier-Based Pattern Access

| Tier | Patterns | Categories |

|------|----------|------------|

| Free | 30 | QD, RN |

| Pro | 60 | QD, RN, OF, RL |

| Team | 90 | QD, RN, OF, RL, SD, CQ |

| Enterprise | 90 | QD, RN, OF, RL, SD, CQ + priority support |

Scoring

GQLLint uses a deductive scoring system starting at 100 (perfect):

| Severity | Point Deduction | Description |

|----------|-----------------|-------------|

| Critical | -25 per finding | Severe risk (query injection, N+1 loops, introspection leak, unauth mutations) |

| High | -15 per finding | Significant problem (no depth limit, no pagination, open playground, resolver waterfalls) |

| Medium | -8 per finding | Moderate concern (schema design gaps, missing rate limits, over-fetching) |

| Low | -3 per finding | Informational / best practice suggestion |

Grading Scale

| Grade | Score Range | Meaning |

|-------|-------------|---------|

| A | 90-100 | Excellent GraphQL quality |

| B | 80-89 | Good GraphQL with minor issues |

| C | 70-79 | Acceptable but needs improvement |

| D | 60-69 | Poor GraphQL quality |

| F | Below 60 | Critical GraphQL problems |

  • Pass threshold: 70 (Grade C or better)
  • Exit code 0 = pass (score >= 70)
  • Exit code 1 = fail (score < 70)

Configuration

Users can configure GQLLint in ~/.openclaw/openclaw.json:

{
  "skills": {
    "entries": {
      "gqllint": {
        "enabled": true,
        "apiKey": "YOUR_LICENSE_KEY_HERE",
        "config": {
          "severityThreshold": "medium",
          "ignorePatterns": ["**/test/**", "**/fixtures/**", "**/*.test.*"],
          "ignoreChecks": [],
          "reportFormat": "text"
        }
      }
    }
  }
}

Important Notes

  • Free tier works immediately with no configuration
  • All scanning happens locally -- no code is sent to external servers
  • License validation is offline -- no phone-home or network calls
  • Pattern matching only -- no AST parsing, no external dependencies beyond bash
  • Supports scanning all file types in a single pass
  • Git hooks use lefthook which must be installed (see install metadata above)
  • Exit codes: 0 = pass (score >= 70), 1 = fail (for CI/CD integration)
  • Output formats: text (default), json, html

Error Handling

  • If lefthook is not installed and user tries hooks, prompt to install it
  • If license key is invalid or expired, show clear message with link to https://gqllint.pages.dev/renew
  • If a file is binary, skip it automatically with no warning
  • If no scannable files found in target, report clean scan with info message
  • If an invalid category is specified with --category, show available categories

When to Use GQLLint

The user might say things like:

  • "Scan my code for GraphQL issues"
  • "Check my resolvers for N+1 problems"
  • "Find query depth vulnerabilities"
  • "Detect over-fetching in my GraphQL API"
  • "Are there any auth gaps in my GraphQL schema?"
  • "Check if introspection is enabled in production"
  • "Audit my GraphQL schema design"
  • "Find security issues in my GraphQL setup"
  • "Check for query injection vulnerabilities"
  • "Scan for missing pagination on list fields"
  • "Run a GraphQL quality audit"
  • "Generate a GraphQL health report"
  • "Check if my resolvers use DataLoader"
  • "Find N+1 database query patterns"
  • "Check my client code for unsafe GraphQL patterns"

版本历史

共 1 个版本

  • v1.0.1 当前
    2026-05-07 17:40 安全 安全

安全检测

腾讯云安全 (Keen)

安全,无风险
查看报告

腾讯云安全 (Sanbu)

安全,无风险
查看报告

🔗 相关推荐

dev-programming

Mcporter

steipete
使用 mcporter CLI 直接列出、配置、认证及调用 MCP 服务器/工具(支持 HTTP 或 stdio),涵盖临时服务器、配置编辑及 CLI/类型生成功能。
★ 198 📥 68,186
it-ops-security

DepGuard

suhteevah
使用原生包管理器审计扫描项目依赖的漏洞和许可证合规性,并生成安全或合规报告。
★ 0 📥 1,260
dev-programming

Github

steipete
使用 `gh` CLI 与 GitHub 交互,通过 `gh issue`、`gh pr`、`gh run` 和 `gh api` 管理议题、PR、CI 运行及高级查询。
★ 686 📥 330,844