SustainaBot statically analyzes your code and reports:

- Eco Score (0-100) — energy efficiency, carbon intensity, resource waste patterns
- Econ Score (0-100) — allocative efficiency, technical debt, complexity economics
- Security-Sustainability Correlation — functions that are both high-energy AND have security weak points get elevated severity
- Concrete Fix Suggestions — inline annotations with actionable improvements

Output formats: SARIF 2.1.0 (for GitHub Security tab / IDE annotations), JSON, text.
```bash
# Build from source
cargo install --path crates/sustainabot-cli --locked

# Analyze a single file
sustainabot analyze src/main.rs

# Check a directory with eco threshold
sustainabot check ./src --eco-threshold 50

# Generate SARIF for CI integration
sustainabot report ./src --format sarif --output results.sarif

# Include security-sustainability correlation (requires --features security)
sustainabot check ./src --security --format sarif --output results.sarif

# Run with Eclexia policy evaluation
sustainabot check ./src --policy-dir policies/
```

Copy examples/sustainabot-ci.yml to .github/workflows/sustainabot.yml:
```yaml
name: Sustainability Analysis

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

permissions:
  security-events: write
  contents: read

jobs:
  sustainabot:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Install sustainabot
        run: cargo install --path . --locked

      - name: Run analysis
        run: |
          sustainabot report ./src \
            --format sarif \
            --output results.sarif \
            --eco-threshold 50

      - name: Upload SARIF
        if: always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif
          category: sustainabot
```

Results appear as inline PR annotations and in the Security tab.
SustainaBot is a Rust workspace with 6 crates:

| Crate | Purpose |
|---|---|
| `sustainabot-cli` | CLI binary (`sustainabot`) |
| `sustainabot-analysis` | tree-sitter AST parsing, pattern detection, dependency analysis, calibration |
| `sustainabot-metrics` | Core types |
| `sustainabot-sarif` | SARIF 2.1.0 output with full physical locations and fix suggestions |
| `sustainabot-eclexia` | Policy engine integration (Eclexia language or built-in fallback) |
| `sustainabot-fleet` | gitbot-fleet integration for multi-repo orchestration |
```text
Source Code
    |
    v
tree-sitter AST parsing (Rust, JavaScript, Python)
    |
    v
Function-level analysis:
  - Complexity metrics (cyclomatic, nesting depth)
  - Resource estimation (energy, carbon, memory, duration)
  - Pattern detection (7 anti-patterns with fix suggestions)
    |
    v
Optional enrichment:
  - panic-attack security scan (--security flag)
  - Eclexia policy evaluation (--policy-dir flag)
  - Dependency analysis (Cargo.toml, package.json)
    |
    v
Output: SARIF / JSON / text
```
SustainaBot detects 7 resource-waste patterns:

| Pattern | Description | Impact |
|---|---|---|
| | O(n^k) complexity from nested iteration | High energy |
| | Loops without sleep/await/yield | CPU waste |
| | String allocation per iteration | Memory waste |
| | Unnecessary deep copies in hot paths | Memory + CPU |
| | I/O without BufReader/BufWriter | Syscall overhead |
| | Single allocations >1MB | Memory pressure |
| | | Unnecessary allocation |

Each pattern produces a concrete fix suggestion that appears as a SARIF inline annotation.
When built with --features security, SustainaBot integrates with panic-attack to correlate security weak points with sustainability impact:

| Weak Point Category | Sustainability Impact |
|---|---|
| | Crash risk = all prior computation wasted (3x energy multiplier) |
| | Abort = energy/carbon sunk cost (2.5x) |
| | CPU waste, carbon spike (4x) |
| | Memory waste (2x) |
| | Ongoing waste — goroutines, handles (3.5x) |
| | Unpredictable resource usage (2x) |

Functions that are BOTH high-energy AND have security weak points get 1.5x boosted severity.
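The following is an added example, not SustainaBot's own code, that models how the numbers in the table above combine: a weak point's multiplier scales the energy a function puts at risk, and the 1.5x severity boost applies only when the function is both high-energy and carries a weak point. The type and field names, the "largest multiplier wins" rule in `sunk_energy`, the constructed sample data, and the 50 J high-energy threshold (borrowed from the `is_high_energy` Eclexia policy shown later in this README) are all assumptions made for the example.

```rust
// Added example, not SustainaBot's own code. Names, the sunk-energy rule and the
// 50 J threshold are assumptions; the multipliers and the 1.5x boost are the README's.

/// A security weak point together with the energy multiplier the table assigns to it.
#[derive(Debug, Clone)]
pub struct WeakPoint {
    pub description: &'static str,
    pub energy_multiplier: f64,
}

/// What the analysis stage knows about one function.
#[derive(Debug, Clone)]
pub struct FunctionReport {
    pub name: &'static str,
    pub energy_joules: f64,
    /// Severity the sustainability findings alone would warrant.
    pub base_severity: f64,
    pub weak_points: Vec<WeakPoint>,
}

/// High-energy threshold, taken from the `is_high_energy` policy in this README.
pub const HIGH_ENERGY_JOULES: f64 = 50.0;
/// Boost applied when a function is both high-energy and has a weak point.
pub const CORRELATION_BOOST: f64 = 1.5;

impl FunctionReport {
    pub fn is_high_energy(&self) -> bool {
        self.energy_joules > HIGH_ENERGY_JOULES
    }

    /// Energy at risk: a crash, abort or leak wastes the computation that preceded
    /// it, so the measured energy is scaled by the weak point's multiplier.
    /// Assumption: the largest multiplier wins; multipliers do not stack.
    pub fn sunk_energy(&self) -> f64 {
        let worst = self
            .weak_points
            .iter()
            .map(|w| w.energy_multiplier)
            .fold(1.0, f64::max);
        self.energy_joules * worst
    }

    /// Final severity: boosted only when BOTH conditions hold.
    pub fn severity(&self) -> f64 {
        if self.is_high_energy() && !self.weak_points.is_empty() {
            self.base_severity * CORRELATION_BOOST
        } else {
            self.base_severity
        }
    }
}

/// Rank functions by severity (descending), breaking ties by energy at risk.
pub fn rank(reports: &[FunctionReport]) -> Vec<(&'static str, f64, f64)> {
    let mut rows: Vec<_> = reports
        .iter()
        .map(|r| (r.name, r.severity(), r.sunk_energy()))
        .collect();
    rows.sort_by(|a, b| {
        b.1.partial_cmp(&a.1)
            .unwrap()
            .then(b.2.partial_cmp(&a.2).unwrap())
    });
    rows
}

/// Constructed sample data, not real analyzer output.
pub fn sample_reports() -> Vec<FunctionReport> {
    let crash = WeakPoint { description: "crash risk: all prior computation wasted", energy_multiplier: 3.0 };
    let spike = WeakPoint { description: "CPU waste, carbon spike", energy_multiplier: 4.0 };
    vec![
        // high-energy AND weak point: the only one that gets boosted
        FunctionReport { name: "hot_loop", energy_joules: 120.0, base_severity: 4.0, weak_points: vec![crash] },
        // weak point, but far below the threshold: no boost
        FunctionReport { name: "cold_parse", energy_joules: 2.0, base_severity: 4.0, weak_points: vec![spike] },
        // high-energy, but no weak point: no boost either
        FunctionReport { name: "hot_but_safe", energy_joules: 80.0, base_severity: 4.0, weak_points: vec![] },
    ]
}

fn main() {
    for (name, severity, sunk) in rank(&sample_reports()) {
        println!("{:<14} severity {:>4.1}  energy at risk {:>6.1} J", name, severity, sunk);
    }
}
```

With the sample data, `hot_loop` is the only function whose severity rises (4.0 to 6.0), while `hot_but_safe` outranks `cold_parse` purely on the energy it puts at risk; that is the behaviour the correlation is meant to surface, since a crash in a hot function wastes far more than a crash in a cheap one.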
SustainaBot evaluates .ecl policy files written in Eclexia, a resource-aware language where every function declares its own energy budget:

```
def is_high_energy(energy_joules: Float) -> Bool
  @requires: energy < 0.05J
{
  energy_joules > 50.0
}
```

Built-in policies (in policies/): energy threshold, carbon budget, memory efficiency, security-sustainability correlation.
SustainaBot runs as a gitbot-fleet member for multi-repo orchestration:

```bash
sustainabot fleet ./repo --context /path/to/context.json
```

Respects .bot_directives/sustainabot.scm for scope control and threshold overrides.
SustainaBot respects .bot_directives/*.scm files for per-repo permissions:

```scheme
;; .bot_directives/sustainabot.scm
(bot sustainabot
  (allow #t)
  (scopes (analysis policy fleet))
  (deny ()))
```
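The following is an added example, not part of the SustainaBot project: a minimal reader for the `.bot_directives/*.scm` form shown above, written so that a repo owner can check what a given directive actually permits before relying on it. Only the `bot`, `allow`, `scopes` and `deny` keys visible in the README are known; the parsing rules, the fail-closed defaults (`allow` is false unless `#t`, unknown clauses are rejected, anything after the first form is rejected) and the embedded sample input are assumptions made for the example.

```rust
// Added example, not SustainaBot's own code: a minimal reader for the `.bot_directives/*.scm`
// form shown above. Anything beyond the bot/allow/scopes/deny keys in the README is assumed.
use std::collections::VecDeque;

#[derive(Debug, Clone, PartialEq)]
pub enum Sexp {
    Atom(String),
    List(Vec<Sexp>),
}

/// Split the source into "(", ")" and atom tokens, dropping ";" comments.
fn tokenize(src: &str) -> VecDeque<String> {
    let code: Vec<&str> = src.lines().map(|l| l.split(';').next().unwrap_or("")).collect();
    let spaced = code.join(" ").replace('(', " ( ").replace(')', " ) ");
    spaced.split_whitespace().map(str::to_string).collect()
}

/// Recursive-descent parse of one s-expression from the front of the queue.
fn parse_expr(tokens: &mut VecDeque<String>) -> Result<Sexp, String> {
    match tokens.pop_front().as_deref() {
        None => Err("unexpected end of input".into()),
        Some(")") => Err("unexpected ')'".into()),
        Some("(") => {
            let mut items = Vec::new();
            while tokens.front().map(String::as_str) != Some(")") {
                tokens.front().ok_or_else(|| "unclosed list".to_string())?;
                items.push(parse_expr(tokens)?);
            }
            tokens.pop_front(); // consume the closing ")"
            Ok(Sexp::List(items))
        }
        Some(atom) => Ok(Sexp::Atom(atom.to_string())),
    }
}

#[derive(Debug, PartialEq)]
pub struct Directive {
    pub bot: String,
    pub allow: bool,
    pub scopes: Vec<String>,
    pub deny: Vec<String>,
}

/// A flat list of atoms such as `(analysis policy fleet)` or `()`.
fn atoms(e: &Sexp) -> Result<Vec<String>, String> {
    match e {
        Sexp::List(v) => v.iter().map(|x| match x {
            Sexp::Atom(a) => Ok(a.clone()),
            Sexp::List(_) => Err("expected a scope name, found a list".to_string()),
        }).collect(),
        Sexp::Atom(_) => Err("expected a list of scope names".into()),
    }
}

impl Directive {
    /// Interpret `(bot NAME (allow ..) (scopes (..)) (deny (..)))`; unknown or
    /// malformed clauses are errors and `allow` defaults to false (fail closed).
    pub fn from_sexp(e: &Sexp) -> Result<Directive, String> {
        let (bot, clauses) = match e {
            Sexp::List(v) => match v.as_slice() {
                [Sexp::Atom(k), Sexp::Atom(name), rest @ ..] if k == "bot" => (name.clone(), rest),
                _ => return Err("expected (bot NAME ...)".into()),
            },
            Sexp::Atom(_) => return Err("expected (bot NAME ...)".into()),
        };
        let mut d = Directive { bot, allow: false, scopes: vec![], deny: vec![] };
        for clause in clauses {
            let (key, val) = match clause {
                Sexp::List(c) if c.len() == 2 => (&c[0], &c[1]),
                _ => return Err(format!("malformed clause: {:?}", clause)),
            };
            match (key, val) {
                (Sexp::Atom(k), v) if k == "allow" => d.allow = matches!(v, Sexp::Atom(a) if a == "#t"),
                (Sexp::Atom(k), v) if k == "scopes" => d.scopes = atoms(v)?,
                (Sexp::Atom(k), v) if k == "deny" => d.deny = atoms(v)?,
                _ => return Err(format!("unknown clause: {:?}", clause)),
            }
        }
        Ok(d)
    }

    /// Permitted only if the bot is allowed, the scope is listed, and it is not denied.
    pub fn permits(&self, scope: &str) -> bool {
        self.allow && self.scopes.iter().any(|s| s == scope) && !self.deny.iter().any(|s| s == scope)
    }
}

/// Parse a whole directive file, rejecting anything after the first form.
pub fn load(src: &str) -> Result<Directive, String> {
    let mut tokens = tokenize(src);
    let directive = Directive::from_sexp(&parse_expr(&mut tokens)?)?;
    tokens.is_empty().then_some(directive).ok_or_else(|| "trailing tokens after the directive".into())
}

// The README's directive, embedded here as sample input.
pub const SAMPLE: &str = ";; .bot_directives/sustainabot.scm
(bot sustainabot
  (allow #t)
  (scopes (analysis policy fleet))
  (deny ()))";

fn main() {
    let d = load(SAMPLE).expect("directive parses");
    println!("{}: fleet={} publish={}", d.bot, d.permits("fleet"), d.permits("publish"));
}
```

The design choice worth noting is that `permits` answers "no" for every scope unless all three conditions hold, and a directive that omits `(allow #t)` grants nothing; a permission file read with a permissive default would silently widen a bot's reach across every repo that forgot to write one.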
```bash
# Build all crates
cargo build --workspace

# Run tests (27 tests)
cargo test --workspace

# Build with security correlation
cargo build --workspace --features sustainabot-cli/security

# Clippy
cargo clippy --workspace

# Self-analysis (dogfooding)
cargo run -p sustainabot-cli -- self-analyze
```

SustainaBot analyzes itself:
```text
$ sustainabot self-analyze
SustainaBot Self-Analysis (Dogfooding!)
==========================================
Analyzing sustainabot's own resource usage...

Function: analyze_source
  Location: crates/sustainabot-analysis/src/analyzer.rs:45:4
  Resources:
    Energy: 0.50 J
    Carbon: 0.0020 gCO2e
    Memory: 1024 bytes
  Health Index:
    Eco: 75.0/100
    Overall: 80.0/100

Meta-Analysis:
  This analyzer used minimal resources to analyze itself.
  Eclexia-inspired design: explicit resource tracking from day 1.
```

Supported languages:

- Rust (`.rs`) — full pattern detection
- JavaScript (`.js`) — full pattern detection
- Python (`.py`) — basic pattern detection
```text
sustainabot/
+-- crates/
|   +-- sustainabot-cli/        # CLI binary
|   +-- sustainabot-analysis/   # AST analysis engine
|   +-- sustainabot-metrics/    # Core types
|   +-- sustainabot-sarif/      # SARIF 2.1.0 output
|   +-- sustainabot-eclexia/    # Policy engine
|   +-- sustainabot-fleet/      # Fleet integration
+-- policies/                   # Eclexia policy files (.ecl)
+-- examples/                   # CI workflow templates
+-- .bot_directives/            # Bot permission directives
+-- .machine_readable/          # SCM checkpoint files
+-- Cargo.toml                  # Workspace configuration
```

Licensed under PMPL-1.0-or-later (Palimpsest License). See LICENSE for full details.

Part of the hyperpolymath ecosystem.