CodeVista: Code Analysis & Security Scanner — 80+ Languages, Zero Dependencies
March 27, 2026 · 9 min read
Why Build Another Code Analysis Tool?
Existing tools like SonarQube require a server, a database, and a subscription. Pylint only handles Python. CodeClimate needs a CI pipeline. I wanted a single command that gives you a comprehensive analysis of any codebase, outputs a beautiful HTML report, and works locally with zero setup.
CodeVista is that tool. Written in pure Python with zero runtime dependencies, it analyzes 80+ languages and produces an interactive HTML report in seconds.
Features That Don't Exist Anywhere Else
CodeDNA Fingerprinter — Every codebase has a unique "DNA" based on its language distribution, complexity patterns, naming conventions, comment density, and dependency topology. CodeVista generates a SHA-based fingerprint and even an ASCII barcode. You can compare two codebases and see their similarity percentage. This is useful for detecting code clones or verifying that two projects are genuinely different.
Architectural Decay Detector — This feature uses git history to track how your code degrades over time. It calculates debt velocity, identifies the files degrading fastest, and predicts what your code quality will look like 12 weeks from now using linear regression. It even suggests when and what to refactor.
38 Language-Specific Lint Rules — Instead of just generic checks, CodeVista has rules tailored to each language: PEP 8 for Python, Airbnb for JavaScript, gofmt for Go, clippy-lite for Rust, and Google style for Java. Each rule has an ID, severity level, and specific regex or function-based detection.
Security Scanning
CodeVista detects 30+ security patterns including hardcoded API keys (Stripe, AWS, GitHub, Google), SQL injection patterns, XSS vulnerabilities, exposed credentials, and suspicious TODO/FIXME comments that mention secrets. It outputs results in SARIF format for GitHub Code Scanning integration.
The HTML Report
Run codevista analyze ./your-project/ and it generates a single self-contained HTML file. The report includes interactive charts for complexity distribution, language breakdown, and dependency graphs. It's designed to be shared — just send the HTML file to your team.
117 Tests, All Passing
Every module is tested: the analyzer, security scanner, code smell detector, trend analyzer, team metrics, export module, and the new decay detector and DNA fingerprinter. The project has 117 tests with zero failures.
Try It
pip install codevista
codevista analyze ./your-project/Sample Output
Here's what a typical CodeVista run looks like:
$ codevista analyze ./my-project/
📁 23 files analyzed
📝 14,046 lines of code
🧩 1 languages detected
⚡ 466 functions
🔒 52 security issues
📦 0 dependencies
🏥 Health score: 15/100
⏱️ Completed in 4.03s
✅ Report generated: codevista_report.htmlThe HTML report includes interactive charts for complexity distribution, a file-by-file breakdown, security findings with severity levels, and actionable recommendations.
Architecture
┌─────────────┐ ┌──────────────┐ ┌──────────────┐
│ CLI Entry │───▶│ Analyzer │───▶│ Report Gen │
│ (cli.py) │ │ (analyzer.py)│ │ (report.py) │
└─────────────┘ └──────┬───────┘ └──────────────┘
│
┌───────────┼───────────┐
▼ ▼ ▼
┌──────────┐ ┌────────┐ ┌──────────┐
│ Security │ │ Smells │ │ Decay │
│ Scanner │ │ Detect │ │ Detector │
└──────────┘ └────────┘ └──────────┘
│ │ │
└───────────┼───────────┘
▼
┌──────────────┐
│ HTML Report │
│ (single .html)│
└──────────────┘How CodeDNA Works
The CodeDNA fingerprinter generates a unique signature for any codebase by analyzing multiple dimensions: language distribution (percentage breakdown), complexity distribution (function complexity histogram), naming convention ratios (camelCase vs snake_case vs PascalCase), comment density, function size distribution, file size distribution, and dependency topology. Each dimension is hashed independently and combined into a final SHA-256 fingerprint. Two codebases with similar DNA fingerprints likely share common patterns or origins.
Decay Detection: The Math
The architectural decay detector uses linear regression on git history data. For each week, it calculates aggregate code quality metrics (complexity, coupling, duplication). It then fits a line: y = mx + b where y is quality score and x is time. A negative slope (m) indicates decay. The detector extrapolates this line 12 weeks into the future to predict quality scores, and identifies inflection points where the slope changed significantly.
Comparison: CodeVista vs Others
| Feature | CodeVista | SonarQube | Pylint |
|---|---|---|---|
| Languages | 80+ | 30+ | 1 |
| Setup Required | None | Server + DB | pip install |
| Zero Dependencies | ✅ | ❌ | ✅ |
| CodeDNA Fingerprint | ✅ | ❌ | ❌ |
| Decay Prediction | ✅ | ❌ | ❌ |
| Cost | Free | $150+/yr | Free |
What's Next
Future plans include: GitHub Action integration for automated analysis on PRs, VS Code extension for in-editor feedback, historical trend dashboards, and team collaboration features with code ownership tracking.