afa analyze

Analyze functions for security, performance, maintainability, and documentation issues.

Analyze every function in a target path using tree-sitter parsing and four LLM analysis agents.

Usage

afa analyze <path> [options]

Arguments

Argument  Required  Description
path      Yes       File or directory to analyze

Options

Flag        Values                     Default        Description
--provider  anthropic, openai, gemini  anthropic      LLM provider for analysis
--format    table, json, sarif         table          Output format
--depth     quick, comprehensive       comprehensive  Analysis depth

What it does

  1. Parse -- tree-sitter extracts every function from the target files (Python, TypeScript, Go, Java, Rust)
  2. Analyze -- four agents evaluate each function in parallel:
    • Security -- vulnerabilities, injection risks, unsafe patterns
    • Performance -- inefficiencies, unnecessary allocations, O(n) issues
    • Maintainability -- cyclomatic complexity, cognitive complexity, coupling
    • Documentation -- missing docstrings, parameter docs, return type docs
  3. Score -- each function gets per-category scores and an overall eligibility flag
  4. Report -- findings are aggregated and formatted

Output formats

Table (default)

Human-readable table with color-coded severity:

afa analyze src/afa/gates/
Function                  Security  Perf  Maintain  Docs  Eligible
evaluate_all              0.85      0.90  0.75      0.80  Yes
check_complexity_floor    0.95      0.95  0.90      0.85  Yes
compute_entropy           0.80      0.70  0.65      0.60  Yes

JSON

Machine-readable output for CI pipelines:

afa --format json analyze src/afa/gates/
{
  "results": [
    {
      "function": "evaluate_all",
      "file": "src/afa/gates/engine.py",
      "scores": {
        "security": 0.85,
        "performance": 0.90,
        "maintainability": 0.75,
        "documentation": 0.80
      },
      "findings": [...],
      "enhancement_eligible": true
    }
  ],
  "summary": {
    "functions_analyzed": 15,
    "llm_calls": 60,
    "enhancement_eligible": 12
  }
}

SARIF 2.1.0

Standard format for IDE integration (VS Code, GitHub Code Scanning):

afa --format sarif analyze src/ > results.sarif

Upload to GitHub Code Scanning or open in any SARIF viewer.

Provider selection

# Anthropic (default) -- claude-sonnet-4-6
afa analyze src/

# OpenAI -- gpt-5.4 with fallback to gpt-4.1
afa --provider openai analyze src/

# Google Gemini -- gemini-3-flash-preview
afa --provider gemini analyze src/

Each provider has a fallback chain for transient errors:

Provider   Primary                 Fallback chain
Anthropic  claude-sonnet-4-6       claude-opus-4-6, claude-haiku-4-5
OpenAI     gpt-5.4                 gpt-4.1, gpt-4.1-mini
Gemini     gemini-3-flash-preview  gemini-2.5-flash, gemini-2.5-flash-lite

Permanent errors (auth failures 401/403, bad requests 400, unprocessable 422) are wrapped as PermanentProviderError and re-raised immediately without cascading through the remaining providers. Transient errors (rate limit 429, server 5xx, network, timeout) still fall through to the next provider in the chain. See ADR-004 for the classification contract.
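
The classification above, shown as an added example that is not AFA's own code: a permanent status stops the chain at once, while a rate limit, server error, network failure or timeout moves on to the next entry. Only PermanentProviderError, the status classes and the model names come from this page; ProviderHTTPError, call_with_fallback, demo and the handling of unclassified statuses are assumptions.

```python
# Added illustration, not AFA source code. PermanentProviderError and the
# status classes come from the page; every other name here is hypothetical.
PERMANENT_STATUS = {400, 401, 403, 422}


class PermanentProviderError(Exception):
    """Auth failure or malformed request: another model cannot fix it."""


class ProviderHTTPError(Exception):
    """Hypothetical stand-in for an SDK error carrying an HTTP status."""

    def __init__(self, status):
        super().__init__(f"HTTP {status}")
        self.status = status


def call_with_fallback(chain, prompt):
    """Try (name, callable) pairs in order; return (name, result, attempted)."""
    attempted, last_exc = [], None
    for name, call in chain:
        attempted.append(name)
        try:
            return name, call(prompt), attempted
        except ProviderHTTPError as exc:
            if exc.status in PERMANENT_STATUS:
                # Stop here: no cascade through the remaining entries.
                raise PermanentProviderError(f"{name}: {exc}") from exc
            if exc.status != 429 and not 500 <= exc.status <= 599:
                raise  # unclassified status (assumption: surface unchanged)
            last_exc = exc  # rate limit or server error: try the next entry
        except (TimeoutError, ConnectionError) as exc:
            last_exc = exc  # network failure or timeout: try the next entry
    raise RuntimeError(f"fallback chain exhausted: {attempted}") from last_exc


def demo():
    """Constructed chain: the primary is rate limited, the first fallback answers."""
    def rate_limited(_prompt):
        raise ProviderHTTPError(429)

    chain = [("claude-sonnet-4-6", rate_limited),
             ("claude-opus-4-6", lambda p: f"analysis of {p}"),
             ("claude-haiku-4-5", lambda p: "unused")]
    return call_with_fallback(chain, "evaluate_all")


if __name__ == "__main__":
    print(demo())
```

Stopping on 401/403 means a revoked or mistyped API key surfaces as a single clear failure instead of being retried against every remaining entry in the chain.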

Configuration

Analysis behavior can be customized in .afa.yaml:

analysis:
  languages:
    - python
    - typescript
  exclude:
    - "tests/**"
    - "vendor/**"
    - "node_modules/**"
  max_function_size: 500
  protected_paths:
    - "migrations/"

See Configuration for all options.
