loading
loading
Static Code Analysis
A source code scanner that reviews Ruby code for security issues.
overview
dawnscanner reads Ruby source and reports security problems before the code ships. It works on plain Ruby scripts and unlocks its full check set on web applications, where it understands the major MVC frameworks such as Rails, Sinatra, and Padrino. Pointed at a project directory, it walks the code and matches it against its rule set.
Its checks span several angles. It maps findings to the OWASP Top 10, cross-references known CVEs against the gems in Gemfile.lock, and applies code-quality and code-style rules. Each category has its own toggle, so a run can focus on dependency CVEs alone or on OWASP risks without the style noise.
On Trickest, dawnscanner is a Static Code Analysis node that takes a target directory and writes a file and a folder of results. Run it in a pipeline that fetches a repository, so static findings land in the same triage path as your dynamic scanner output.
use cases
Point dawnscanner at a Rails or Sinatra project directory and it reviews the source against its security rule set for the major MVC frameworks.
Run the dependencies-only mode with -d so it cross-references Gemfile.lock against CVE bulletins and flags vulnerable gems.
Disable code-style and code-quality checks to keep a run on the OWASP and CVE findings that matter for a security review.
Route dawnscanner results into the same table and triage flow as scanner output for one view of risk across code and runtime.
reference
| Name | Type | Flag | Description |
|---|---|---|---|
| target-dir | FOLDER | · | Target directory of Ruby source to scan. |
| dependencies | BOOLEAN | -d | Scan only for vulnerabilities affecting the gems pinned in Gemfile.lock. |
| disable-cve-bulletins | BOOLEAN | --disable-cve-bulletins | Disable all CVE security checks. |
| disable-owasp-top-10 | BOOLEAN | --disable-owasp-top-10 | Disable all OWASP Top 10 checks. |
| disable-owasp-ror-cheatsheet | BOOLEAN | --disable-owasp-ror-cheatsheet | Disable all OWASP Ruby on Rails cheatsheet checks. |
| disable-code-style | BOOLEAN | --disable-code-style | Disable all code style checks. |
Showing key inputs. dawnscanner exposes 7 inputs in total.
| Name | Type | Flag | Description |
|---|---|---|---|
| target-dir | FOLDER | · | Target directory of Ruby source to scan. |
| dependencies | BOOLEAN | -d | Scan only for vulnerabilities affecting the gems pinned in Gemfile.lock. |
| disable-code-style | BOOLEAN | --disable-code-style | Disable all code style checks. |
| disable-owasp-top-10 | BOOLEAN | --disable-owasp-top-10 | Disable all OWASP Top 10 checks. |
| disable-cve-bulletins | BOOLEAN | --disable-cve-bulletins | Disable all CVE security checks. |
| disable-code-quality-checks | BOOLEAN | --disable-code-quality | Disable all code quality checks. |
| disable-owasp-ror-cheatsheet | BOOLEAN | --disable-owasp-ror-cheatsheet | Disable all OWASP Ruby on Rails cheatsheet checks. |
example
# review a Rails app for security, drop the style and quality noisedawn --disable-code-style --disable-code-quality ./example-rails-app[*] dawn v2.2.1 is starting up[$] dawn: scanning ./example-rails-app[$] dawn: rails mvc web framework detected[$] dawn: 246 security checks applied - 3 vulnerabilities found[!] dawn: CVE-2022-32224 possible RCE via serialized columns in Active Record (critical)[!] dawn: CVE-2023-22795 ReDoS based DoS in Action Dispatch routing (high)[!] dawn: CVE-2024-26143 XSS in Action Controller translation helpers (medium)[$] dawn: 3 findings mapped to OWASP Top 10 and CVE bulletins[$] dawn: scan completed in 1.87 secondsguidance
Use dawnscanner when the target is Ruby source, especially a Rails or Sinatra app, and you want security, CVE, and OWASP checks in one pass. For multi-language static analysis, semgrep covers more ground; dawnscanner is the Ruby-aware specialist.
Pattern-based static analysis across many languages. Broader than dawnscanner's Ruby focus.
Python security linter. The Python-side equivalent of dawnscanner's per-language depth.
Go security scanner. Another language-specific static analyzer for a polyglot pipeline.
faq
related
Find common security issues in Python code.
Analyze big volumes of data in search of hardcoded secrets like keys and passwords.
Git ripper that can rip repositories even when directory browsing is turned off.
Check whether a Git repository pulls in Log4J, and list the files that use it.
Detect hardcoded secrets like passwords, API keys, and tokens in git repos.
Inspect Go source code for security problems by scanning the Go AST.
Ruby source feeds dawnscanner, which reviews it against OWASP, CVE, and quality checks and writes the security findings as a queryable output.
Facts on this page come from the live Trickest tool library.