17 Repos
Tools that analyze source code without executing it to find security vulnerabilities.
Distinct from Vulnerability Scanning: Distinct from Vulnerability Scanning: specifically focuses on source code analysis (SAST) rather than container image or runtime scanning.
Explore 17 awesome GitHub repositories matching security & cryptography · Static Analysis Security Testing. Refine with filters or upvote what's useful.
CodeQL is a semantic code analysis engine and vulnerability scanning tool that treats source code as data. It utilizes a static analysis query language to define complex patterns and security vulnerabilities within a code graph database. The system represents source code as a relational database, enabling the execution of structural queries and data flow analysis. This approach allows for the detection of security flaws and coding errors across large-scale repositories. The tool provides capabilities for automated code auditing, static analysis security testing, and custom vulnerability dete
Provides an automated system for detecting security flaws and coding errors across large scale source code repositories using static analysis.
gosec is a static analysis security tool designed to scan Go source code for vulnerabilities and common coding flaws. It functions as a security analyzer that inspects the abstract syntax tree to identify insecure function calls, API usage, and potential security risks. The tool distinguishes itself by mapping detected vulnerabilities to Common Weakness Enumeration identifiers for standardized reporting and integrating with external AI models to suggest code fixes for identified issues. Its capabilities cover the detection of injection vulnerabilities, hardcoded credentials, weak cryptograph
Provides a static analysis engine to scan Go source code for security vulnerabilities and coding flaws.
Gixy is a static configuration analyzer and security auditor for Nginx. It functions as an infrastructure-as-code security scanner and web server configuration linter designed to identify vulnerabilities and misconfigurations in server definitions before deployment. The tool focuses on detecting high-risk security flaws, including host header spoofing, server-side request forgery, and path traversal. It specifically audits Nginx configurations for risks such as HTTP splitting, multiline header issues, and unauthorized third-party access resulting from incorrect Referer or Origin header patter
Performs static analysis on Nginx configuration files to identify security vulnerabilities without executing the server.
Bandit is a static analysis security testing tool and vulnerability detection scanner for Python source code. It functions as a security-focused linter and static analyzer that identifies common vulnerabilities and architectural flaws without executing the program. The tool utilizes an abstract syntax tree to analyze code patterns and identifies risky function calls or insecure configurations. It employs a plugin-based rule engine to decouple scanning logic from individual security checks and supports configuration-driven filtering to exclude specific files or ignore certain warnings. The sy
Analyzes source code without execution to find security vulnerabilities through a specialized SAST approach.
Brakeman is a static analysis security tool and scanner specifically designed for Ruby on Rails source code. It identifies common security vulnerabilities, such as injection and cross-site scripting, by analyzing the application codebase without executing the application. The tool functions as a security auditor that detects mass assignment risks and template vulnerabilities. It evaluates the final output of rendered views and identifies unrestricted assignment patterns that could allow unauthorized modification of model attributes. The system provides vulnerability management through the us
Analyzes Ruby on Rails source code to identify common security vulnerabilities without executing the application.
Pyre is a high-performance static type checker and analysis tool for Python. It identifies type errors and ensures type safety without executing the program, utilizing a static type inference engine to maintain consistency across functions. The project is distinguished by an incremental type analysis engine that operates as a background daemon. This system monitors filesystem changes to re-validate only modified parts of a project, reducing the time required for repeated analysis. It also includes a static analysis security tool that uses taint analysis to track untrusted data flows and ident
Implements a taint analysis engine for identifying security vulnerabilities through static source code analysis.
This project is a framework for the autonomous discovery and remediation of security vulnerabilities using large language model agents. It functions as a security research pipeline that automates the process of reconnaissance, crash discovery, and exploitability analysis to identify reproducible software bugs. The system distinguishes itself by utilizing a containerized agent sandbox that restricts network egress and filesystem access to prevent host compromise. It employs a specialized patch generation and validation loop, which includes adversarial re-attack testing where a fresh agent atte
Scans source code without execution to identify potential security flaws and construct a threat model.
Dieses Projekt ist eine Cookiecutter-Vorlage für das Bootstrapping von Python-Paketen mit einem standardisierten Verzeichnislayout und Konfigurationsdateien. Es bietet ein Fundament für neue Bibliotheken durch die Generierung von Projektstrukturen, Boilerplate-Dateien und Befehlszeilen-Einstiegspunkten. Die Vorlage betont eine sichere Software-Lieferkette durch gehärtete Build-Pipelines. Sie nutzt Commit-SHA-Pinning für Actions und minimale Berechtigungssätze zum Schutz vor Angriffen, während sie ein Setup für das Erstellen und Hochladen signierter Pakete in Registries unter Verwendung sicherer Identitätsanbieter bereitstellt. Das Projekt deckt eine breite Palette an Funktionen ab, einschließlich CI-Automatisierung für Multi-Version-Tests, Linting und Typ-Prüfung. Es enthält zudem eine automatisierte Dokumentations-Pipeline, die API-Referenzen aus Docstrings extrahiert und auf Hosting-Anbietern bereitstellt. Zusätzliche Tools handhaben Abhängigkeitsmanagement, die Kompilierung von Distributionsartefakten und statische Schwachstellen-Scans.
Performs static analysis of source code to detect security vulnerabilities and flaws.
This project is a static analysis tool and linter for Ruby on Rails designed to identify architectural smells and violations of best practices. It serves as a code quality linter, architectural auditor, security scanner, and performance analyzer for Rails applications. The tool evaluates the separation of concerns between controllers, models, and view templates to reduce technical debt. It identifies suboptimal coding patterns and enforces stylistic consistency, while specifically scanning for security vulnerabilities such as unprotected mass assignment in models. The analysis surface covers
Performs static analysis on model and controller definitions to detect security vulnerabilities like unprotected mass assignment.
shhgit ist ein statisches Analyse-Sicherheitstool und ein Secret-Detection-Scanner, der entwickelt wurde, um geleakte Anmeldeinformationen, API-Token und private Schlüssel zu identifizieren. Es fungiert als Sicherheitsauditor für Versionskontrollsysteme und analysiert sowohl lokale Dateien als auch Remote-Repositorys auf Plattformen wie GitHub, GitLab und Bitbucket. Das Tool nutzt eine Erkennungs-Engine, die auf Signaturabgleich, benutzerdefinierten regulären Ausdrücken und Entropieprüfungen basiert, um sensible Daten zu lokalisieren. Es ermöglicht die Verwendung benutzerdefinierter Suchsignaturen und Abfragen, um nicht standardmäßige Secrets zu identifizieren, die möglicherweise nicht von vordefinierten Mustern abgedeckt werden. Die Scan-Oberfläche erstreckt sich auf Remote-Repository-Metadaten, wie z. B. Issue-Kommentare, und enthält Filterfunktionen, um bestimmte Dateierweiterungen oder Verzeichnispfade auszuschließen. Ergebnisse können über CSV-Dateien exportiert oder per Webhook-Benachrichtigungen übertragen werden.
Analyzes source code without executing it to find security vulnerabilities and leaked credentials.
SpotBugs ist ein statisches Analysetool und Bytecode-Analyzer für Java-Anwendungen. Es scannt kompilierte Klassendateien, um Bugs, Sicherheitslücken und Leistungsprobleme zu identifizieren, ohne den Code auszuführen. Das System fungiert sowohl als Bug-Detektor als auch als Tool für statische Anwendungssicherheitstests (SAST), um logische Fehler und API-Missbrauch aufzuspüren. Das Projekt zeichnet sich durch eine Plugin-basierte Detektor-Architektur aus, die die Integration externer Bibliotheken zur Hinzufügung benutzerdefinierter Erkennungsregeln ermöglicht. Es bietet spezialisierte Sicherheitsaudits für Schwachstellen wie SQL-Injection, Cross-Site Scripting und Path Traversal sowie ein modulares System zur Verfeinerung der Analysepräzision und Reduzierung von False Positives. Das Tool deckt ein breites Spektrum an Erkennungsbereichen ab, einschließlich Synchronisationsfehlern bei Nebenläufigkeit, Null-Pointer-Dereferenzierungen, Ressourcenlecks und Typumwandlungsfehlern. Es identifiziert zudem toten Code, Leistungsineffizienzen und Verstöße gegen Serialisierungs-Idiome. Diese Funktionen sind über eine Kommandozeilenschnittstelle, eine grafische Benutzeroberfläche und die direkte Integration in IDEs zugänglich. SpotBugs kann in Build-Pipelines integriert werden, um Qualitäts-Gates durchzusetzen und Analyseberichte in HTML- oder XML-Formaten zu generieren.
Functions as a security scanner that identifies vulnerabilities like SQL injection and XSS through static analysis.
This project is a set of git pre-commit hooks designed to automate the formatting, linting, and validation of Terraform configurations. It functions as an infrastructure as code linter, security scanner, cost estimator, and documentation generator to ensure code quality before commits are finalized. The tool distinguishes itself by providing specialized capabilities for infrastructure workflows, such as scanning templates for security vulnerabilities and hardcoded secrets, calculating projected cloud spending against budgets, and automatically extracting module definitions to populate readme
Analyzes infrastructure configuration files without executing them to detect security vulnerabilities and syntax errors.
Remix is a comprehensive blockchain development environment and Ethereum smart contract IDE. It provides a complete workspace for writing, compiling, deploying, and debugging smart contracts across simulated and public blockchain networks. The project distinguishes itself as a specialized toolchain for EVM debugging and analysis, offering opcode-level transaction stepping and state memory analysis. It also includes a dedicated zero-knowledge proof toolchain for compiling ZK circuits and generating cryptographic proofs, alongside an AI-powered coding assistant for code generation and explanati
Performs static analysis on source code to detect security vulnerabilities and deviations from best practices.
WordPress Coding Standards is a collection of rules for the PHP CodeSniffer engine designed to enforce consistent coding conventions and best practices within PHP projects. It functions as a specialized static analysis tool that scans source code to identify style violations, security vulnerabilities, and potential bugs before execution. By integrating into development workflows, it ensures that code adheres to official project conventions, maintaining readability and consistency across large-scale plugin and theme development. The project distinguishes itself through deep domain-specific val
Identifies potential vulnerabilities by validating input sanitization and output escaping patterns against established security best practices.
Bearer is a static analysis security testing tool and privacy compliance auditor. It identifies security vulnerabilities, hard-coded secrets, and privacy risks in source code through static analysis and data flow tracing. The tool distinguishes itself by tracking the movement of sensitive data through code to identify leaks and by mapping personal and health-related information flows to generate evidence for privacy impact assessments. It also provides differential scanning for pull requests and uses fingerprint-based suppression to exclude known false positives from reports. The platform co
Provides a static analysis security testing tool to identify injection flaws and common vulnerabilities based on OWASP and CWE.
nodejsscan is a static analysis security tool and vulnerability detection engine designed to scan Node.js source code for security flaws and common coding vulnerabilities. It functions as a static application security testing tool that analyzes code without executing the program. The tool operates as a security linter that can be integrated into continuous integration pipelines to block insecure code from merging into main branches. It automates the auditing process through rule-based detection and pattern-based static analysis. The project provides capabilities for vulnerability alert autom
Provides a security engine that analyzes source code without execution to detect potential breaches.
Der automatisierte Security-Helper ist ein CLI-Tool, das darauf ausgelegt ist, mehrere Sicherheitsanalyse-Tools in einem einheitlichen, konfigurationsgesteuerten Workflow zu orchestrieren. Er fungiert als zentrale Engine, die statische Anwendungssicherheits-Tests (SAST) und Infrastruktur-Scans ausführt und die diversen Ergebnisse in einem standardisierten, maschinenlesbaren Format aggregiert, um eine konsistente Schwachstellenerkennung über den gesamten Entwicklungszyklus hinweg zu gewährleisten. Das Tool zeichnet sich durch eine modulare Plugin-Architektur aus, die die Integration eigener oder proprietärer Scanner ermöglicht, sowie durch eine externe Intelligence-Schicht, die Ergebnisse zur automatisierten Remediation-Analyse an KI-Dienste überträgt. Durch die Unterstützung standardisierter Reporting-Formate wie SARIF ermöglicht es eine konsistente Überprüfung und Nachverfolgung von Sicherheitsbefunden über verschiedene Reporting-Plattformen und Monitoring-Systeme hinweg. Über die Kern-Orchestrierung hinaus erleichtert das Framework die automatisierte Compliance-Prüfung und die Durchsetzung von Sicherheitsrichtlinien. Es lässt sich direkt in lokale Entwicklungsumgebungen und CI/CD-Pipelines integrieren, sodass Teams spezifische Scan-Parameter, Schweregrad-Schwellenwerte und Dateiausschlüsse definieren können, um die Sicherheitsanalyse präzise auf die Projektanforderungen zuzuschneiden.
Identifies potential vulnerabilities within source code and infrastructure configurations using automated static analysis.