I saw 0github.com. I thought that it was compelling, but also it kinda shocked me that it needs to spin up a VM and run an LLM over the diff to create each view. It also totally leaves the rules of how to create the heat map grading up to the LLM as far as I could tell, so it isn't deterministic. This project does the same thing locally, without 3rd party dependencies, or using anyone else's computer all while have a clearly defined set of rules, meaning you know what you are gonna get every time you run it.
Here's a blog post with some more info in it.
chmod +x diff-heatmap.js
ln -s $(pwd)/diff-heatmap.js /usr/local/bin/diff-heatmapFor the terminal (kinda lame, tbh)
git diff | diff-heatmap
git diff main..feature-branch | diff-heatmapBeautiful HTML view (very awesome, not lame)
git diff | diff-heatmap --open
diff-heatmap https://github.com/simonw/datasette/pull/2548 --openAbsolutely most useful, side-by-side HTML view (ngl, 10/10, this is what should probably be the default)
git diff | diff-heatmap --side-by-side --open
diff-heatmap https://github.com/simonw/datasette/pull/2548 -s -oAvailable flags include,
--html Output HTML (unified view)
--open, -o Generate HTML and open in browser
--side-by-side, -s Split view with line numbers (HTML only)
--cleanup Remove all temporary HTML files
--list-rules Show all detection patterns
--help, -h Show help
When you use --open, temporary HTML files are created in /tmp/diff-heatmap-{timestamp}.html. These files persist after the program exits. Use --cleanup to remove them if you wanna,
diff-heatmap --cleanupThis program isn't super duper clever, it uses regex patterns to apply scores to the lines of a diff that are used to generate the color coding.
- Parses git diff line by line
- Scores each added line using regex patterns
- Colors output based on risk score (0.0 = safe, 1.0 = critical)
- Highlights specific dangerous patterns inline
The rules look for stuff like,
- Hardcoded secrets (API keys, tokens, passwords)
- Deserialization vulnerabilities (Java, Python, PHP)
- Buffer overflows (C/C++)
- SQL injection (all languages)
- XSS vectors (HTML, JavaScript, React)
- Command injection (shell, PHP)
- Prototype pollution (JavaScript)
- XXE attacks (XML parsers)
- SSRF patterns (HTTP clients)
- Memory safety issues (use-after-free, double-free)
- Removed focus outlines (CSS outline: none)
- Missing alt text on images
- Missing ARIA labels on inputs/buttons
- Incorrect ARIA attribute usage
- ARIA relationships without matching IDs
onClickhandlers without keyboard support- Positive
tabindexvalues (breaks tab order) - Non-semantic HTML (div/span as buttons)
- Missing labels on form elements
- Skipped heading levels
- Non-descriptive link text
- Missing iframe titles
- Disabled viewport zoom
- Auto-playing media
- Mutable global state
- Shared state in concurrent code
- Collection mutations
- Complex conditionals
- Resource leaks
Examples of this program in action,
For reviewing a pull request,
diff-heatmap https://github.com/simonw/datasette/pull/2548 -s -oFor checking work before committing,
git diff | diff-heatmapFor comapring branches to one another,
git diff main..feature | diff-heatmap --openFor auditing secrets in history,
git log -p --all | diff-heatmap | grep -C3 "secret"Run all tests,
node tests/run-all.jsRun individual tests,
node tests/test-critical-patterns.js # Security pattern detection
node tests/test-mutable-state.js # Mutable state patterns
node tests/test-new-features.js # Language detection & HTML rendering
etc...To add/modify/extend you can modify the RULES object at the top of diff-heatmap.js,
my_custom_rule: {
score: 0.85,
highlightClass: 'danger',
languages: ['python'],
patterns: [
{ regex: /dangerous_pattern/g, desc: 'Description' }
]
}