loading
loading
Static Code Analysis
Check whether a Git repository pulls in Log4J, and list the files that use it.
overview
git-log4j inspects a GitHub repository or an entire organization and reports whether the code uses Log4J. Instead of probing a running service, it reads source straight from the repo, so it answers the exposure question at the code level: which projects declare Log4J and which files reference it.
Point it at a single repo with an owner and repo name, or hand it an organization to sweep every repository the token can read. It walks the tracked files, flags Log4J usage, and prints the matching paths so reviewers jump straight to the code that needs attention. Pair it with a GitHub token to raise rate limits and reach private repositories.
Wire git-log4j as a Static Code Analysis node that takes an organization or repository and writes a folder and a file of results. Run it across your org to triage Log4Shell exposure, then route the flagged repositories to a deeper review or a remediation tracker.
source github.com/trickest
use cases
Pass an org name and a token to scan every repository at once, then collect the list of projects that pull in Log4J for triage.
git-log4j prints the matching file paths, so reviewers go straight to the code that references the library instead of grepping repos by hand.
Point it at one owner/repo pair to confirm whether a specific project ships Log4J, gating a release or vendor assessment on the result.
Supply a GitHub token to reach private repositories, then feed the flagged set into a remediation workflow or ticketing step downstream.
reference
| Name | Type | Flag | Description |
|---|---|---|---|
| org-name | STRING | -org | Organization name to scan every repository it owns. |
| repo-name | STRING | -r | Repository name in owner/repo form to scan a single project. |
| github-token | STRING | -token | GitHub token to raise rate limits and reach private repositories. |
| repo-owner-name | STRING | -o | Owner of the repository in owner/repo form. |
Showing key inputs. git-log4j exposes 4 inputs in total.
example
# scan one public repo for Log4J usagegit-log4j -o example -r api-gateway -token "$GITHUB_TOKEN"[+] Checking github.com/example/api-gateway[+] Log4J usage found src/main/java/com/example/App.java src/main/resources/log4j2.xml[+] Checking github.com/example/billing[+] Log4J usage found lib/logger/LogConfig.java[+] Checking github.com/example/docs-site[-] No Log4J usage detectedguidance
Reach for git-log4j when you want to know which repositories use Log4J at the source level, before anything is deployed. It reads code, not a running service, so use log4j-scan or a Nuclei template to test live hosts for exploitable Log4Shell. Use git-log4j to find the codebases that need patching in the first place.
Tests a live host for exploitable Log4Shell over HTTP. git-log4j finds the source usage instead of probing a running service.
Broader Git repository scanner. git-log4j is narrowly focused on Log4J presence and the files that import it.
General pattern-based SAST across many rules. git-log4j answers one question fast: does this repo use Log4J.
faq
related
Find common security issues in Python code.
A source code scanner that reviews Ruby code for security issues.
Analyze big volumes of data in search of hardcoded secrets like keys and passwords.
Git ripper that can rip repositories even when directory browsing is turned off.
Detect hardcoded secrets like passwords, API keys, and tokens in git repos.
Inspect Go source code for security problems by scanning the Go AST.
A GitHub organization feeds git-log4j, which scans every repository and writes the projects and files that use Log4J as a queryable output.
Facts on this page come from the live Trickest tool library.