Description: ACI.dev is the open source tool-calling platform that hooks up 600+ tools into any agentic IDE or custom AI agent through direct function calling or a unified MCP server. The birthplace of VibeOps.
View aipotheosis-labs/aci on GitHub
ACI (Automated Code Investigation) is an open-source project developed by AIPotheosis Labs aimed at automating the process of identifying potential security vulnerabilities and code quality issues within software projects, specifically focusing on Go code. It's designed to be a comprehensive, customizable, and extensible static analysis tool, going beyond simple linting to provide deeper insights into code behavior and potential risks. The core philosophy revolves around defining "investigations" – sets of rules and checks – that can be applied to a codebase to uncover specific types of problems.
At its heart, ACI utilizes a custom domain-specific language (DSL) called "Investigation Definition Language" (IDL) to define these investigations. IDL allows developers to express complex code patterns and conditions that indicate potential vulnerabilities, such as insecure use of cryptographic functions, improper error handling, or potential race conditions. This DSL is a key differentiator, enabling users to create highly tailored analyses that address their specific security concerns and coding standards. The IDL is designed to be relatively easy to learn and use, even for those without extensive experience in static analysis. Investigations are then compiled into executable checks that are run against the target Go code.
The repository contains several pre-built investigations covering common security issues such as SQL injection, cross-site scripting (XSS), command injection, and insecure random number generation. These serve as a starting point for users and can be customized or extended to fit their needs. ACI isn't limited to security; investigations can also be written to enforce coding style guidelines, detect performance bottlenecks, or identify potential bugs. The project emphasizes a modular design, allowing users to add new investigations without modifying the core ACI engine.
ACI's execution pipeline involves parsing the Go code into an Abstract Syntax Tree (AST), then applying the compiled investigations to the AST. When an investigation finds a match, it reports a finding with detailed information, including the location of the problematic code, a description of the issue, and potentially suggested remediation steps. The reporting format is flexible, supporting output in various formats like JSON, text, and potentially others through extensions. The tool is designed to be integrated into CI/CD pipelines, allowing for automated security checks with every code change.
Beyond the core engine and IDL, the repository includes supporting tools and documentation. There's a command-line interface (CLI) for running investigations, managing configurations, and generating reports. The documentation provides detailed explanations of the IDL syntax, examples of investigations, and instructions on how to integrate ACI into existing workflows. The project is actively maintained and welcomes contributions from the community, with a focus on expanding the library of pre-built investigations and improving the overall usability and performance of the tool. ACI aims to empower developers to proactively identify and address security vulnerabilities in their Go applications, ultimately leading to more secure and reliable software.