Show HN: CodeQL-Like Analyzer for Go

39 points by quasilyte, over 5 years ago

3 comments

jerf, over 5 years ago
"ruleguard parses gorules (e.g. rules.go) during the start to load the rule set. Loaded rules are then used to check the specified targets (Go files, packages). The rules.go file itself is never compiled, nor executed."

I understand why it's doing this (in terms of being able to use the ast parser), but it's a bit weird. I'm "writing in Go", but I (assume I) can't use loops, conditionals, actually run code, etc. That's a weird affordance [1].

I'd suggest looking at the data structures coming out of the parse of the file, and considering whether or not you can offer a JSON/YAML (de)serialization of that instead, and whether or not that might be an acceptable enough format. We still get "tooling" that can deal with it, but JSON/YAML files don't contain the promise of being Go code, so the affordances line up with expectations better. (That's cleanly true of JSON. YAML nominally has some extensions that make that a bit less clear. Then again, you may find it helpful to let the extensions do their thing; I haven't checked but go-yaml says it supports map merging [3], which may give you a nice little bit of abstraction for the users that costs you zero to implement.)

In the complete other direction, I also would be fine with mynegation's suggestion of actually running it, and letting it be defined by a data structure the code returns. Then I do really have full Go power, and the affordances match capabilities again.

(I think I may actually have a slight preference for the JSON/YAML case; it just *feels* more like something that can be integrated into CI better, even though there's nothing technically stopping you from executing Go code. Still, it's definitely easy both technically and conceptually to say "I'm running this executable with this input configuration file across my code", whereas "I'm going to compile this specially for the CI process" is just... cognitively larger.)

[1]: https://en.wikipedia.org/wiki/Affordance#As_perceived_action_possibilities

[2]: https://github.com/go-yaml/yaml

[3]: https://yaml.org/type/merge.html
quasilyte, over 5 years ago
Features:

* Custom linting rules without re-compilation.

* Diagnostics are written in a declarative way.

* Quickfix action support.

* Powerful match filtering features, like expression type pattern matching.

Uses gogrep for AST pattern matching.
mynegation, over 5 years ago
I like the idea of using the language (golang) itself to write the rules, instead of DSL or specialized language like Datalog. But why go for a restricted ad hoc interpretation instead of just executing this code as a plugin?