Zod Audit

Audit reports missing Zod schemas but safeParse is actually used

Search for .safeParse() usage: rg 'safeParse' --type ts. Zod validation might be in separate files. Check imports: rg 'from "zod"' -l. Update audit config to recognize custom validators.

Command fails to detect unvalidated API endpoints in Next.js

Audit scans route handlers in app/ and pages/api/. Check file naming: API routes need route.ts or .ts in pages/api/. Run: /zod-audit validation app/ --framework=nextjs for targeted scan.

False positives flagging validated environment variables

Environment validation requires explicit schema exports. Use t3-env or zod-env pattern. Ensure schema file imports process.env. Add to .claudeaudit.yml: ignore: ['env.schema.ts'] if already validated.

Duplication detector misses near-duplicates across modules

Use --duplication flag with lower threshold: /zod-audit duplication --similarity=70. Check abstract syntax tree (AST) analysis enabled. Manual review needed; current tools detect ~60% of duplicates.

Security audit overwhelms with low-priority TypeScript issues

Filter by severity: /zod-audit security --severity=critical. Focus on OWASP Top 10: XSS, SQL injection, auth bypass. Use --format=json | jq '.issues[] | select(.priority=="CRITICAL")' for critical only.

Zod audit fails to detect schemas or reports incorrect coverage

Verify Zod schemas are properly imported and used. Check schema file locations are included in scan. Review audit configuration for correct patterns. Ensure Zod version is compatible.

Audit reports too many false positives for missing validations

Configure audit to exclude intentional unvalidated paths. Review audit rules for overly strict patterns. Use --exclude flag for known exceptions. Adjust validation requirements.

Schema audit is slow or times out on large codebases

Run audit on specific directories with --scope flag. Exclude node_modules and build directories. Use --cache flag if available. Run audit incrementally by module.