Our quest to make world-class security and bugfinding available to all developers, for free

Introducing Bento, a free and opinionated toolkit for easily adopting linters and program analysis in a codebase
by Isaac Evans, CEO and co-founder @ r2c

Why we’re building

One thing we’ve learned at r2c is that most Python or JavaScript developers have never heard of—let alone tried—the tools some devs use to find deep flaws in code: like Codenomicon, which found Heartbleed, or Zoncolan at Facebook, which finds more top-severity security issues than any human effort. Not only do these tools find severe issues, they save time by pointing out hundreds of thousands of issues before humans do.

We believe every developer deserves access to powerful tools, but most don’t know about or can’t afford them. r2c’s mission is to make those tools available to those who want to find bugs, discover security problems, and save time but don’t work for a giant company that prioritizes these problems with nearly unlimited resources.

That’s why we’re excited to release Bento! It’s a free and opinionated toolkit for easily adopting linters and program analysis in a codebase. It includes analysis we’ve written and packages fantastic community-created tools, all running offline (no code is ever shipped off your machine). Over the next few months we’ll release more novel checks and include existing tools; subscribe for updates.

Some members of our team wrote early versions of these tools at places like Facebook. r2c started by building infrastructure to make it easy to run static analysis tools at massive scale (see our paper co-published at USENIX) but our goal has always been to take the learnings from scaling analysis to benefit individual developers directly: folks helping small teams writing voter registration systems for their city, non-profits who serve communities targeted by powerful hostile actors, startups who handle sensitive data about fellow humans, or developers who just want to automate away code review.

How can I get Bento now?

Bento is in alpha, but you can try it right away:

pip3 install bento-cli

A lot of love from our small team has gone into Bento. Please try it on your Python or JavaScript projects and send us feedback!

But is this just a glorified linter?

Well yes, but actually, no; Bento is currently a union of curated AST-based lints, including new ones written by us, tuned to find bugs that matter. Our roadmap takes us far beyond AST-based linting though: finding SQL injection through taint analysis, detecting dangerous dependency upgrades, etc.

Linters have done a good job reaching developers and improving code consistency, especially style. But we want to surface issues and checks that are deep and avoid arguing about spaces vs tabs in code review. Bento ships with configurations that are tuned on real-world data and focus the findings on correctness and security. They are based on using our platform to analyze swathes of open-source repositories and seeing what checks developers turn on and off (Three Things Your Linter Shouldn’t Tell You). Our opinion is that you should forget about style and use a deterministic, zero-config formatter (Black for Python or Prettier for JavaScript).

As opposed to other tools that try to measure code-quality or concatenate linter output, we have skin in the analysis game; we’re already making some contributions back to the tools we include. We’re collaborating with a few linter authors already and we would love to offer free compute resources on our platform for measuring check quality to anyone else who might be interested (hello@r2c.dev).

Here’s what’s coming next

Our immediate focus is writing custom analysis tools to find security and other issues for users of the Flask web framework. If you or someone you know uses Flask and has ideas on what we might detect, send us a note or make an issue!

Bento core values

Our first releases are about making it easy to install, adopt, and get started before we ship everything on our roadmap.

Find bugs that matter: Bento automatically enables and configures relevant analysis based on your dependencies and frameworks, and it will never report style-related issues. You won’t painstakingly configure your tooling; we did that already!

Go fast: No one should have to dig through thousands of linter results and fix them before they can start using a tool. Bento ships with a built-in archiving feature that lets you establish a baseline without fixing all the issues at once and just look at any new problems entering the codebase.

This philosophy also applies to setup: Bento auto-configures in about 30 seconds, it’s easy to install in a Docker container, and it can even install itself as a pre-commit hook automatically.

Get better over time: Bento automatically tailors itself to your project by enabling checks that correspond to your language, framework, and dependencies. As time goes on and based on community feedback, we’ll be writing and shipping new checks that you can adopt automatically. And we want your feedback!