Static Code Analysis Tools
Explore a collection of powerful and efficient tools in the Static Code Analysis category to enhance your productivity and security.
bandit
Bandit is a tool designed to find common security issues in Python code. To do this, Bandit processes each file, builds an AST from it, and runs the appropriate plugins against the AST nodes. Once Bandit has finished scanning all the files, it generates a report. Bandit was originally developed within the OpenStack Security Project and later rehomed to PyCQA.
dawnscanner
Dawnscanner is a source code scanner designed to review your Ruby code for security issues. Dawnscanner is able to scan plain Ruby scripts (e.g. command line applications), but all its features are unleashed when dealing with web application source code: Dawnscanner is able to scan the major MVC (Model View Controller) frameworks.
dumpsterdiver
DumpsterDiver is a tool which can analyze big volumes of data in search of hardcoded secrets like keys (e.g. AWS Access Keys, Azure Shared Keys or SSH keys) or passwords. Additionally, it allows creating simple search rules with basic conditions (e.g. report only CSV files including at least 10 email addresses). The main idea of this tool is to detect any potential secret leaks.
dvcsripper-git
Git ripper. It can rip repositories even when directory browsing is turned off.
gitleaks
Gitleaks is a SAST tool for detecting hardcoded secrets like passwords, API keys, and tokens in Git repos. Gitleaks is an easy-to-use, all-in-one solution for finding secrets, past or present, in your code. Set leaks-exit-code to 0 for outputs to be saved.
git-log4j
Git-LOG4J checks whether the Git repo is using Log4J and also prints the files that use Log4J.
gosec
Inspects source code for security problems by scanning the Go AST. The rules can be found on the tool's GitHub page. Unfortunately, the recursive scan is not yet available on this platform, but it is going to be implemented in the future.
javascript-deobfuscator
General purpose JavaScript deobfuscator
leakos
Searches for leaks in a GitHub org or in the responses of URLs.
noseyparker
Nosey Parker is a command-line program that finds secrets and sensitive information in textual data and Git history.
reposcanner
Reposcanner is a Python script that searches through the commit history of Git repositories looking for interesting strings such as API keys.
retire-js
There is a plethora of JavaScript libraries for use on the Web and in Node.js apps out there. This greatly simplifies development, but we need to stay up-to-date on security fixes. Using Components with Known Vulnerabilities is now part of the OWASP Top 10 list of security risks, and insecure libraries can pose a huge risk to your Web app. The goal of Retire.js is to help you detect the use of JS library versions with known vulnerabilities.
rex
regexFinder matches a set of regexes against a directory (or GitHub repository) and saves the matches for found secrets in JSON format.
secretfinder
SecretFinder is a Python script based on LinkFinder (a version for Burp Suite is available), written to discover sensitive data like API keys, access tokens, authorization headers, JWTs, etc. in JavaScript files. It does so by using jsbeautifier for Python in combination with a fairly large regular expression.
semgrep-scan
Lightweight static analysis for many languages. Finds bug variants with patterns that look like source code.
trufflehog
Finds credentials all over the place.