The critic your code needs.

Free, fast, offline code security scanner. AI-powered analysis catches what regex misses. Zero dependencies, MIT license.

pip install critik · 11 check types · 138 tests · 0 dependencies · MIT license
~/my-project
$ critik scan .

CRITICAL secrets src/config.py:14
  Hardcoded AWS secret key: AKIA...EXAMPLE

HIGH injection src/db.py:42
  SQL injection via f-string in execute()

MEDIUM config settings.py:8
  DEBUG=True in production config

───────────────────────────────────────
2 critical · 1 medium · 3 findings in 0.4s

$ critik scan . --ai

AI reviewing 3 findings with Llama 3.3...
CONFIRMED secrets:14 (confidence: 0.97)
  "Real AWS key — rotate immediately and use env vars."
FALSE POS injection:42 (confidence: 0.91)
  "Parameterized query using SQLAlchemy ORM, not raw SQL."
CONFIRMED config:8 (confidence: 0.85)
  "DEBUG should be read from environment variable."

What it catches

11 check types across secrets, injection, auth, config, and framework-specific patterns.

Hardcoded Secrets (16 patterns)
  AWS keys, API tokens, private keys, database URLs, encryption keys

SQL & Command Injection (6 patterns)
  f-strings in execute(), eval/exec, os.system, subprocess with shell=True

Missing Authentication (2 checks)
  Unprotected FastAPI and Express routes without auth decorators or middleware

Insecure Config (6 patterns)
  DEBUG=True, CORS wildcards, insecure cookies, weak crypto algorithms

.env Exposure (3 checks)
  Real secrets in .env files, missing .gitignore entries for sensitive files

Framework-Specific (8 checks)
  Supabase RLS, Firebase rules, Next.js server actions, NextAuth, Prisma, Stripe
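To show what the "SQL & Command Injection" patterns above look like as an AST check rather than a regex, here is an added example (not Critik's own code) that flags f-strings passed to execute(), eval/exec, os.system, and subprocess calls with shell=True. The sample module and the finding messages are constructed for this illustration.

```python
import ast
from typing import List, Tuple

# Constructed sample module: three calls the page lists as injection
# patterns, plus two safe calls that must not be flagged.
SAMPLE = '''
import os, subprocess
def lookup(cur, name):
    cur.execute(f"SELECT * FROM users WHERE name = '{name}'")    # flagged
    cur.execute("SELECT * FROM users WHERE name = %s", (name,))  # safe
def run(cmd):
    os.system("ls " + cmd)                                       # flagged
    subprocess.run(cmd, shell=True)                              # flagged
    subprocess.run(["ls", cmd])                                  # safe
'''

def _callee(node: ast.Call) -> str:
    """Dotted name of the called function, e.g. 'subprocess.run'."""
    f = node.func
    if isinstance(f, ast.Attribute):
        base = f.value.id if isinstance(f.value, ast.Name) else "?"
        return f"{base}.{f.attr}"
    return f.id if isinstance(f, ast.Name) else "?"

def find_injection(source: str) -> List[Tuple[int, str]]:
    """Return (line, message) pairs for the injection patterns found."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = _callee(node)
        first = node.args[0] if node.args else None
        # An f-string is an ast.JoinedStr; a plain literal is ast.Constant.
        if name.endswith(".execute") and isinstance(first, ast.JoinedStr):
            findings.append((node.lineno, "SQL injection via f-string in execute()"))
        elif name in ("eval", "exec"):
            findings.append((node.lineno, f"Dynamic code execution via {name}()"))
        elif name == "os.system":
            findings.append((node.lineno, "Command injection via os.system()"))
        elif name.startswith("subprocess.") and any(
            kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True
            for kw in node.keywords
        ):
            findings.append((node.lineno, f"Command injection via {name}(shell=True)"))
    return findings

if __name__ == "__main__":
    for line, msg in find_injection(SAMPLE):
        print(f"HIGH injection sample.py:{line}  {msg}")
```

Because the check works on the parsed tree, a parameterized execute() call with a literal query string is never reported, which is the false positive the regex approach tends to produce.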

Running in 30 seconds

No accounts, no cloud, no config files. Install and scan.

1. Install
   pip install critik — zero dependencies, Python 3.10+

2. Scan
   critik scan . — scans your project, shows findings with severity + location

3. Fix
   critik scan . --format fix — generates LLM-ready fix prompts for each finding

+ AI Review (optional)
   critik scan . --ai — Groq/Llama 3.3 reviews each finding and filters false positives with explanations. Requires a free Groq API key.

More than regex

A real scanner with IDE integration, CI/CD support, and custom rules.

VS Code & Cursor Extension

Inline diagnostics, hover cards, quick fix actions. Scans on save.

GitHub Action

SARIF output for GitHub Code Scanning. Auto-scan every push.

Pre-commit Hook

critik hook install — block commits with critical findings.

Custom YAML Rules

Write your own rules in YAML. Share rule packs with your team.

Watch Mode

critik watch . — continuous scanning as you code.

Baseline Support

Save current findings, only see new ones. No noise from known issues.

How Critik stacks up

Free doesn't mean weak.

                  Critik                  Snyk             Semgrep           Bandit
Price             Free                    $25-98/dev/mo    Free-$40/mo       Free
Offline           Yes                     No               Yes               Yes
AI analysis       Built-in                Add-on           No                No
Multi-language    Python, JS/TS, configs  20+ languages    20+ languages     Python only
Framework checks  6 frameworks            Generic          Community rules   None
Fix prompts       Free                    Paid             No                No
Custom rules      YAML                    Platform         YAML              Python plugins
IDE extension     VS Code / Cursor        VS Code          VS Code           No
Dependencies      Zero                    Node.js runtime  Python + OCaml    Zero

Your code deserves a critic.

Free, fast, offline. One command to find what you missed.

pip install critik && critik scan .