AI models generate code that looks right but isn't. BOLO ("Be On the Lookout") scans it before it ships.
```text
$ naab-lang scan.naab ./src --profile enterprise
✗ src/auth.py:12 [no_secrets] Hardcoded API key detected
✗ src/db.py:8 [no_sql_injection] String formatting in SQL query
✗ src/utils.py:45 [oversimplification] validate_input() contains only 'pass'
3 violations — fix before merging
```
50+ checks · Hardcoded secrets · Hallucinated APIs · Stub functions shipped as real code · Empty catch blocks · SQL injection · SARIF output for GitHub Code Scanning · Part of the NAAb ecosystem
Every block uses the right language for the job:
| Task | Language | Why |
|---|---|---|
| Pattern matching (50+ regex) | C++ | std::regex compiles once, scans at native speed. 50x faster than Python re. |
| Report generation (SARIF/HTML) | Python | json.dumps for SARIF, f-strings + html.escape for HTML, xml.etree for JUnit. |
| Enforcement gates (7 gates) | Python | Gates RUN Python tools (pytest, flake8, bandit). You need Python to run Python tools. |
| AI governance (4 validators) | Python | AI/ML ecosystem is Python-native. YAML configs, model metadata, SHAP/LIME. |
| File discovery | Shell | find is universal, portable, and fast enough for file listing. |
| CLI orchestration | NAAb | Clean argument parsing, profile management, colored output, flow control. |
Zero standalone .py files. Zero standalone .cpp files. Everything lives in 5 NAAb scripts.
See NAAb BOLO detecting security vulnerabilities and LLM-generated issues in real code:
Example authentication code with 4 security issues:
Enterprise profile scan detects all violations with detailed help:
BOLO detected:
- ✗ Hardcoded secrets - API key and password in source
- ✗ SQL injection - String concatenation in queries
- ✗ LLM stub function - validate_input() only contains pass
- ✗ Code injection - Unsafe function() in Python block

Files scanned: 2 | Violations: 4 | Execution time: 3.01ms
Shows how to fix the issues:
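The checks named in the scan output above (hardcoded secrets, string formatting in SQL queries, a function whose body is only `pass`) can be expressed compactly with a regex pass plus an `ast` walk. The following is an added illustration written for this README and is not BOLO's own engine (which the page says is C++ `std::regex`); the rule names, the `Finding` type, the `scan()` function and the `SAMPLE_SOURCE` module it scans are all constructed for the example.

```python
import ast
import re
from dataclasses import dataclass

# Constructed sample input: a small Python module containing the defect kinds the README lists,
# plus one parameterized query and one real function that must NOT be flagged.
SAMPLE_SOURCE = '''\
import sqlite3

API_KEY = "sk_live_51ABCDEFexampleexampleexample"
password = "hunter2"

def find_user(conn, username):
    cur = conn.cursor()
    cur.execute("SELECT * FROM users WHERE name = '%s'" % username)
    cur.execute(f"SELECT * FROM users WHERE name = '{username}'")
    cur.execute("SELECT * FROM users WHERE name = ?", (username,))
    return cur.fetchone()

def validate_input(value):
    pass

def real_function(value):
    return value.strip()
'''


@dataclass
class Finding:
    rule: str      # hypothetical rule id, mirroring the README's bracketed names
    line: int
    message: str


# Credential-looking assignment: a sensitive name, '=', then a quoted literal of 4+ chars.
SECRET_RE = re.compile(r'(?i)\b(api_key|secret|password|token)\b\s*=\s*["\'][^"\']{4,}["\']')
SQL_KEYWORDS = ("SELECT", "INSERT", "UPDATE", "DELETE")


def check_secrets(source):
    """Line-oriented regex check, the style a 'no_secrets' rule typically uses."""
    return [Finding("no_secrets", n, "Hardcoded credential in source")
            for n, line in enumerate(source.splitlines(), start=1) if SECRET_RE.search(line)]


def _is_dynamic(node):
    """True if the expression builds a string at runtime: f-string, % or + operator, or .format()."""
    if isinstance(node, ast.JoinedStr):
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Mod, ast.Add)):
        return True
    return (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format")


def _looks_like_sql(node):
    """True if any string literal inside the expression carries an SQL keyword."""
    return any(isinstance(sub, ast.Constant) and isinstance(sub.value, str)
               and any(k in sub.value.upper() for k in SQL_KEYWORDS)
               for sub in ast.walk(node))


def check_sql_injection(tree):
    """Flag cursor.execute()/executemany() whose first argument is a runtime-built SQL string."""
    findings = []
    for node in ast.walk(tree):
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr in ("execute", "executemany") and node.args):
            query = node.args[0]
            if _is_dynamic(query) and _looks_like_sql(query):
                findings.append(Finding("no_sql_injection", node.lineno, "String formatting in SQL query"))
    return findings


def check_stubs(tree):
    """Flag functions whose body (ignoring a docstring) is exactly one 'pass' statement."""
    findings = []
    for node in ast.walk(tree):
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            body = node.body
            if (body and isinstance(body[0], ast.Expr) and isinstance(body[0].value, ast.Constant)
                    and isinstance(body[0].value.value, str)):
                body = body[1:]  # skip docstring
            if len(body) == 1 and isinstance(body[0], ast.Pass):
                findings.append(Finding("oversimplification", node.lineno,
                                        f"{node.name}() contains only 'pass'"))
    return findings


def scan(source):
    """Run all three checks and return findings ordered by line number."""
    tree = ast.parse(source)
    findings = check_secrets(source) + check_sql_injection(tree) + check_stubs(tree)
    return sorted(findings, key=lambda f: f.line)


def format_findings(findings, path):
    return [f"✗ {path}:{f.line} [{f.rule}] {f.message}" for f in findings]


if __name__ == "__main__":
    found = scan(SAMPLE_SOURCE)
    for line in format_findings(found, "src/sample.py"):
        print(line)
    print(f"{len(found)} violations - fix before merging")
```

The parameterized `execute(..., (username,))` call on line 10 of the sample is deliberately left unflagged: the rule keys on how the query string is built, not on the presence of `execute`, which is what keeps a check like this from drowning reviewers in false positives.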
Try the demo yourself:

```bash
cd demos
./bolo-demo.sh
```

See DEMO_GUIDE.md for recording instructions.
```bash
# Clone with NAAb submodule
git clone --recursive https://github.com/b-macker/naab-bolo.git
cd naab-bolo

# Build NAAb
bash build.sh

# Scan your code
./naab/build/naab-lang scan.naab /path/to/project --profile enterprise

# Generate SARIF report
./naab/build/naab-lang report.naab /path/to/project --format sarif --output report.sarif

# Run enforcement pipeline
./naab/build/naab-lang enforce.naab /path/to/project --stage ci

# AI governance check
./naab/build/naab-lang ai-check.naab /path/to/ml-project
```

| Command | Script | Description |
|---|---|---|
| scan | scan.naab | Static analysis — 50+ checks via C++ governance engine |
| report | report.naab | Generate reports — SARIF 2.1.0, HTML, JSON, CSV, JUnit XML |
| enforce | enforce.naab | Enforcement pipeline — 7 gates, 17 validators, stage-based |
| ai-check | ai-check.naab | AI governance — model attestation, rate limiting, explainability |
| profiles | bolo.naab | List available governance profiles |
| Profile | Focus | Checks |
|---|---|---|
| enterprise | Everything | All 50+ checks: LLM + security + AI + quality |
| llm | AI code quality | Oversimplification, hallucinated APIs, placeholders, apologetic language |
| security | Vulnerabilities | Secrets, injection, escalation, traversal, exfiltration |
| ai-governance | ML compliance | Model attestation, rate limiting, explainability, governance config |
| standard | Balanced | Core secrets + LLM anti-drift + shell injection |
```bash
# SARIF 2.1.0 — for GitHub Code Scanning / VS Code
naab-lang report.naab ./src --format sarif --output report.sarif

# HTML — rich visual report with severity badges
naab-lang report.naab ./src --format html --output report.html

# JSON — structured data for tooling integration
naab-lang report.naab ./src --format json --output report.json

# CSV — spreadsheet-friendly
naab-lang report.naab ./src --format csv --output report.csv

# JUnit XML — CI test result integration
naab-lang report.naab ./src --format junit --output report.xml
```

```bash
# Pre-commit: fast checks only (compilation + lint)
naab-lang enforce.naab ./src --stage pre-commit

# CI: standard pipeline (6 gates + validators)
naab-lang enforce.naab ./src --stage ci

# PR merge: full validation (all 7 gates + all 17 validators)
naab-lang enforce.naab ./src --stage pr-merge
```

```yaml
- uses: b-macker/naab-bolo@v1
  with:
    path: ./src
    profile: enterprise
    format: sarif
```

5 NAAb scripts, 4 languages, 50+ checks, 6 test suites
```text
bolo.naab ──── NAAb + Shell ──── CLI orchestration + file discovery
scan.naab ──── NAAb + Shell + C++ (via bolo stdlib) ──── Pattern matching engine
report.naab ── NAAb + Python ──── SARIF/HTML/JSON/CSV/JUnit generation
enforce.naab ─ NAAb + Python ──── 7 gates + 17 validators
ai-check.naab  NAAb + Python ──── 4 AI governance validators
```
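The report.naab row above and the language table earlier describe the report layer as plain Python: `json.dumps` for SARIF 2.1.0 and `xml.etree` for JUnit. As an added example that is not report.naab's own code, here is the minimal shape of both outputs from a list of findings. The `FINDINGS` list is constructed to mirror the three lines of the README's sample scan; the tool name, version string, severity mapping and function names are assumptions for the illustration.

```python
import json
import xml.etree.ElementTree as ET

# Constructed sample findings, shaped like the three lines in the README's scan output.
FINDINGS = [
    {"rule": "no_secrets", "severity": "error", "path": "src/auth.py", "line": 12,
     "message": "Hardcoded API key detected"},
    {"rule": "no_sql_injection", "severity": "error", "path": "src/db.py", "line": 8,
     "message": "String formatting in SQL query"},
    {"rule": "oversimplification", "severity": "warning", "path": "src/utils.py", "line": 45,
     "message": "validate_input() contains only 'pass'"},
]

# Assumed mapping from the scanner's severities onto SARIF result levels
# ("error", "warning", "note"), which is what GitHub Code Scanning displays.
SARIF_LEVEL = {"error": "error", "warning": "warning", "info": "note"}


def to_sarif(findings, tool_name="naab-bolo", tool_version="0.0.0-example"):
    """Build a SARIF 2.1.0 log: one run, one tool driver with a rules table, one result per finding."""
    rule_ids = sorted({f["rule"] for f in findings})
    rules = [{"id": rid, "shortDescription": {"text": rid.replace("_", " ")}} for rid in rule_ids]
    results = []
    for f in findings:
        results.append({
            "ruleId": f["rule"],
            "ruleIndex": rule_ids.index(f["rule"]),   # index into driver.rules, as SARIF expects
            "level": SARIF_LEVEL.get(f["severity"], "warning"),
            "message": {"text": f["message"]},
            "locations": [{
                "physicalLocation": {
                    "artifactLocation": {"uri": f["path"]},
                    "region": {"startLine": f["line"]},
                }
            }],
        })
    return {
        "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
        "version": "2.1.0",
        "runs": [{
            "tool": {"driver": {"name": tool_name, "version": tool_version, "rules": rules}},
            "results": results,
        }],
    }


def build_junit(findings, suite_name="naab-bolo"):
    """One <testcase> per finding, each carrying a <failure>, so CI dashboards list every violation."""
    suite = ET.Element("testsuite", name=suite_name,
                       tests=str(len(findings)), failures=str(len(findings)))
    for f in findings:
        case = ET.SubElement(suite, "testcase", classname=f["path"], name=f"{f['rule']}:{f['line']}")
        failure = ET.SubElement(case, "failure", message=f["message"], type=f["rule"])
        failure.text = f"{f['path']}:{f['line']} [{f['rule']}] {f['message']}"
    return suite


def to_junit(findings, suite_name="naab-bolo"):
    """Serialize the JUnit tree to an XML string."""
    return ET.tostring(build_junit(findings, suite_name), encoding="unicode")


if __name__ == "__main__":
    print(json.dumps(to_sarif(FINDINGS), indent=2))
    print(to_junit(FINDINGS))
```

The SARIF `level` field is what turns a finding into a blocking annotation on a pull request, so the severity mapping is the one place where a report generator makes a policy decision rather than a formatting one; keep it explicit and reviewable rather than buried in a default.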
```bash
# Run all 6 test suites
bash tests/run-all-tests.sh

# Run individual suites
./naab/build/naab-lang tests/test-profiles.naab
./naab/build/naab-lang tests/test-scan.naab
./naab/build/naab-lang tests/test-report.naab
./naab/build/naab-lang tests/test-enforce.naab
./naab/build/naab-lang tests/test-ai.naab
./naab/build/naab-lang tests/test-integration.naab
```

NAAb BOLO is part of the NAAb ecosystem:
- NAAb Language — Core polyglot scripting language with governance
- NAAb BOLO (this project) — Code governance & AI validation
- NAAb Pivot — Code evolution & optimization (3-60x speedups)
- NAAb Passage — Data gateway & PII protection (zero leakage)
Contributions are welcome! See CONTRIBUTING.md for build instructions and guidelines.
- Additional governance checks
- New enforcement validators
- IDE integrations
- Documentation improvements
MIT License - see LICENSE for details.
Brandon Mackert - @b-macker
NAAb BOLO — Governance without the gatekeeping.