July 9, 2026
Sniffing out bugs and bruised egos
Show HN: Sighthound - open-source vulnerability scanner for source code
A new bug-sniffing code checker drops, and the crowd is split between hype and eye-rolls
TLDR: Sighthound is a new free tool that checks source code for security problems across several major programming languages. The community reaction is a mix of excitement over an open, flexible scanner and skepticism from people tired of noisy tools that cry wolf.
A fresh Show HN launch has people buzzing over Sighthound, a free, open-source tool that scans software projects for possible security problems before they turn into real disasters. In plain English: it combs through code, follows suspicious data trails, and spits out warnings in text, JSON, or CSV. It works across a long list of popular languages, from Python and JavaScript to Go, Java, and PHP, and the creator is pitching it as fast, rule-based, and friendly to custom checks.
But the real action is in the peanut gallery. The strongest reactions fall into two camps: "finally, a transparent alternative" versus "great, another scanner promising to save us all." Fans are cheering the open-source angle and the fact that it can inspect whole projects instead of just single files, with several commenters basically saying, "Security tools are too often black boxes, so this is refreshing." Skeptics, meanwhile, are doing the classic Hacker News side-eye, warning that scanners love to flood developers with false alarms and that real-world security bugs often hide in messy runtime behavior no static tool can fully see.
And yes, the jokes arrived right on cue. There were quips about developers running it on old side projects "for emotional damage," and wisecracks that the supported-language list reads like a buffet while C and C++ users sit outside in the rain. The vibe is half "this could actually be useful" and half "show me fewer false positives and then we’ll talk."
Key Points
- •Sighthound is an open-source static vulnerability scanner that uses Tree-sitter, AST-aware rules, and taint-flow analysis.
- •The tool supports multi-file projects, parallel execution, and result export in text, JSON, or CSV formats.
- •Supported languages include Python, JavaScript, TypeScript, Java, PHP, C#, Go, Ruby, HTML, and Django templates, while Razor and C/C++ are not currently supported.
- •Rules are written in RON and support both search-based pattern matching and taint analysis with sources, sinks, and sanitizers.
- •The project requires Rust 1.85+ and Git to build from source, and its listed limitations include missed runtime-only issues, slower scans on very large files, and taint analysis that still needs hardening across multiple files.