We have collection of more than 1 Million open source products ranging from Enterprise product to small libraries in all platforms. We aggregate information from all open source repositories. Search and find the best for your needs. Check out projects section.
gosec - Golang security checker
- 767
Inspects source code for security problems by scanning the Go AST. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License here.
https://github.com/securego/gosec| Tags | security security-tools security-automation static-analysis static-code-analysis |
| Implementation | Go |
| License | Apache |
| Platform | Windows MacOS Linux |
Related Projects
gokart - A static analysis tool for securing Go code
GoKart is a static analysis tool for Go that finds vulnerabilities using the SSA (single static assignment) form of Go source code. It is capable of tracing the source of variables and function arguments to determine whether input sources are safe, which reduces the number of false positives compared to other Go security scanners. For instance, a SQL query that is concatenated with a variable might traditionally be flagged as SQL injection; however, GoKart can figure out if the variable is actually a constant or constant equivalent, in which case there is no vulnerability. Static analysis is a powerful technique for finding vulnerabilities in source code. However, the approach has suffered from being noisy - that is, many static analysis tools find quite a few "vulnerabilities" that are not actually real. This has led to developer friction as users get tired of the tools "crying wolf" one time too many.
security static-code-analysis static-analysis security-toolsApplicationInspector - A source code analyzer built for surfacing features of interest and other characteristics to answer the question 'What's in the code?' quickly using static analysis with a json based rules engine
Microsoft Application Inspector is a software source code characterization tool that helps identify coding features of first or third party software components based on well-known library/API calls and is helpful in security and non-security use cases. It uses hundreds of rules and regex patterns to surface interesting characteristics of source code to aid in determining what the software is or what it does from what file operations it uses, encryption, shell operations, cloud API's, frameworks and more and has received industry attention as a new and valuable contribution to OSS on ZDNet, SecurityWeek, CSOOnline, Linux.com/news, HelpNetSecurity, Twitter and more and was first featured on Microsoft.com. Application Inspector is different from traditional static analysis tools in that it doesn't attempt to identify "good" or "bad" patterns; it simply reports what it finds against a set of over 400 rule patterns for feature detection including features that impact security such as the use of cryptography and more. This can be extremely helpful in reducing the time needed to determine what Open Source or other components do by examining the source directly rather than trusting to limited documentation or recommendations.
detection static-analysis security-scanner security-tools software-characterization application-inspectorMobile-Security-Framework-MobSF - Mobile Security Framework is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing framework capable of performing static analysis, dynamic analysis, malware analysis and web API testing
Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing framework capable of performing static, dynamic and malware analysis. It can be used for effective and fast security analysis of Android, iOS and Windows mobile applications and support both binaries (APK, IPA & APPX ) and zipped source code. MobSF can do dynamic application testing at runtime for Android apps and has Web API fuzzing capabilities powered by CapFuzz, a Web API specific security scanner. MobSF is designed to make your CI/CD or DevSecOps pipeline integration seamless. Your generous donations will keep us motivated.
static-analysis dynamic-analysis mobsf android-security mobile-security windows-mobile-security ios-security mobile-security-framework api-testing web-security malware-analysis runtime-security ci-cd devsecops apk ipajsprime - a javascript static security analysis tool
Today, more and more developers are switching to JavaScript as their first choice of language. The reason is simple JavaScript has now been started to be accepted as the mainstream programming for applications, be it on the web or on the mobile; be it on client-side, be it on the server side. JavaScript flexibility and its loose typing is friendly to developers to create rich applications at an unbelievable speed. Major advancements in the performance of JavaScript interpreters, in recent days, have almost eliminated the question of scalability and throughput from many organizations. So the point is JavaScript is now a really important and powerful language we have today and it's usage growing everyday. From client-side code in web applications it grew to server-side through Node.JS and it's now supported as proper language to write applications on major mobile operating system platforms like Windows 8 apps and the upcoming Firefox OS apps. But the problem is, many developers practice insecure coding which leads to many client side attacks, out of which DOM XSS is the most infamous. We tried to understand the root cause of this problem and figured out is that there are not enough practically usable tools that can solve real-world problems. Hence as our first attempt towards solving this problem, we want to talk about JSPrime: A JavaScript static analysis tool for the rest of us. It's a very light-weight and very easy to use point-and-click tool! The static analysis tool is based on the very popular Esprima ECMAScript parser by Aria Hidayat.
static-analysis security-tools security-scannerhorusec - Horusec is an open source tool that improves identification of vulnerabilities in your project with just one command
Horusec is an open source tool that performs a static code analysis to identify security flaws during the development process. Currently, the languages for analysis are C#, Java, Kotlin, Python, Ruby, Golang, Terraform, Javascript, Typescript, Kubernetes, PHP, C, HTML, JSON, Dart, Elixir, Shell, Nginx. The tool has options to search for key leaks and security flaws in all your project's files, as well as in Git history. Horusec can be used by the developer through the CLI and by the DevSecOps team on CI /CD mats. Check out our Documentation, you will see the complete list of tools and languages Horusec performs analysis.
kotlin cli security analysis ci cd terraform scanner static-analysis netcore vulnerabilities hacktoberfest sast security-flaws security-development sast-analysisStaCoAn - StaCoAn is a crossplatform tool which aids developers, bugbounty hunters and ethical hackers performing static code analysis on mobile applications
StaCoAn is a crossplatform tool which aids developers, bugbounty hunters and ethical hackers performing static code analysis on mobile applications*. This tool was created with a big focus on usability and graphical guidance in the user interface.
bugbounty security security-tools mobile-security static-code-analysisbrakeman - A static analysis security vulnerability scanner for Ruby on Rails applications
Brakeman is an open source static analysis tool which checks Ruby on Rails applications for security vulnerabilities. Check out Brakeman Pro if you are looking for a commercially-supported version with a GUI and advanced features.
rails security static-analysis vulnerabilities brakeman security-vulnerability security-tools security-auditScumblr - Web framework that allows performing periodic syncs of data sources and performing analysis on the identified results
We're starting to change directions with our security automation approach and are actively looking for a maintainer for the Scumblr project. We're going to leave Scumblr code online but are not planning on adding any new features or addressing open issues and pull requests. If you are interested in maintaining this project, please reach out to me (sbehrens@netflix.com). Scumblr is a web application that allows performing periodic syncs of data sources (such as Github repositories and URLs) and performing analysis (such as static analysis, dynamic checks, and metadata collection) on the identified results. Scumblr helps you streamline proactive security through an intelligent automation framework to help you identify, track, and resolve security issues faster.
securityNodeJsScan - NodeJsScan is a static security code scanner for Node.js applications.
Static security code scanner (SAST) for Node.js applications. The command line interface (CLI) allows you to integrate NodeJsScan with DevSecOps CI/CD pipelines. The results are in JSON format. When you use CLI the results are never stored with NodeJsScan backend.
nodejs static-analysis security security-scanner sast devsecops code-analysis code-review node node-securitycheckov - Prevent cloud misconfigurations during build-time for Terraform, Cloudformation, Kubernetes, Serverless framework and other infrastructure-as-code-languages with Checkov by Bridgecrew
Checkov is a static code analysis tool for infrastructure-as-code. It scans cloud infrastructure provisioned using Terraform, Terraform plan, Cloudformation, Kubernetes, Dockerfile, Serverless or ARM Templates and detects security and compliance misconfigurations using graph-based scanning.
kubernetes aws devops cloudformation azure terraform static-analysis gcp infrastructure-as-code scans compliance helm-charts aws-security devsecops azure-security policy-as-code gcp-security kubernetes-security terraform-securityHaboMalHunter - HaboMalHunter is a sub-project of Habo Malware Analysis System (https://habo
HaboMalHunter is a sub-project of Habo Malware Analysis System (https://habo.qq.com), which can be used for automated malware analysis and security assessment on the Linux system. The tool help security analyst extracting the static and dynamic features from malware effectively and efficiently. The generated report provides significant information about process, file I/O, network and system calls. The tool can be used for the static and dynamic analysis of ELF files on the Linux x86/x64 platform.
malware-analysis dynamic-analysis security static-analysis elfpyt - A Static Analysis Tool for Detecting Security Vulnerabilities in Python Web Applications
For a look at recent changes, please see the changelog. Soon you will find a README.rst in every directory in the pyt/ folder, start here.
pyt control-flow-graph static-analysis python3 security static-code-analysis program-analysis fixed-point fixed-point-analysis dataflow dataflow-analysis taint taint-analysis abstract-syntax-tree abstract-syntax flasksobelow - Security-focused static analysis for the Phoenix Framework
Sobelow is a security-focused static analysis tool for the Phoenix framework. For security researchers, it is a useful tool for getting a quick view of points-of-interest. For project maintainers, it can be used to prevent the introduction of a number of common vulnerabilities. Potential vulnerabilities are flagged in different colors according to confidence in their insecurity. High confidence is red, medium confidence is yellow, and low confidence is green.
static-analysis phoenix-framework security elixirdagda - a tool to perform static analysis of known vulnerabilities, trojans, viruses, malware & other malicious threats in docker images/containers and to monitor the docker daemon and running docker containers for detecting anomalous activities
Dagda is a tool to perform static analysis of known vulnerabilities, trojans, viruses, malware & other malicious threats in docker images/containers and to monitor the docker daemon and running docker containers for detecting anomalous activities. In order to fulfill its mission, first the known vulnerabilities as CVEs (Common Vulnerabilities and Exposures), BIDs (Bugtraq IDs), RHSAs (Red Hat Security Advisories) and RHBAs (Red Hat Bug Advisories), and the known exploits from Offensive Security database are imported into a MongoDB to facilitate the search of these vulnerabilities and exploits when your analysis are in progress.
docker security static-analysis vulnerabilities detecting-anomalous-activities malware-detectionbandit - Bandit is a tool designed to find common security issues in Python code.
Bandit is a tool designed to find common security issues in Python code. To do this Bandit processes each file, builds an AST from it, and runs appropriate plugins against the AST nodes. Once Bandit has finished scanning all the files it generates a report. Bandit was originally developed within the OpenStack Security Project and later rehomed to PyCQA.
linter bandit security-tools security-scanner security static-code-analysisfwanalyzer - a tool to analyze filesystem images for security
FwAnalyzer is a tool to analyze (ext2/3/4), FAT/VFat, SquashFS, UBIFS filesystem images, cpio archives, and directory content using a set of configurable rules. FwAnalyzer relies on e2tools for ext filesystems, mtools for FAT filesystems, squashfs-tools for SquashFS filesystems, and ubi_reader for UBIFS filesystems. cpio for cpio archives. SELinux/Capability support for ext2/3/4 images requires a patched version of e2tools. SELinux/Capability support for SquashFS images requires a patched version of squashfs-tools. The main idea of FwAnalyzer is to provide a tool for rapid analysis of filesystem images as part of a firmware security Q&A check suite. FwAnalyzer takes a configuration file that defines various rules for files and directories and runs the configured checks against a given filesystem image. The output of FwAnalyzer is a report, which contains the list of files that violate any of the rules specified in the configuration. The report further contains meta information about the filesystem image and, if configured, information extracted from files within the analyzed filesystem. The report is formatted using JSON so it can be easily integrated as a step in a larger analysis.
android security-audit filesystem embedded-linux security-automation security-tools firmware-tools liunx firmware-analysis filesystem-images filesystem-securitytfsec - 🔒🌍 Security scanner for your Terraform code
tfsec uses static analysis of your terraform templates to spot potential security issues. Now with terraform v0.12+ support. You can also grab the binary for your system from the releases page.
aws security ci azure terraform scanner static-analysis infrastructure-as-code compliance google-cloud-platform hacktoberfestbap - Binary Analysis Platform
The Carnegie Mellon University Binary Analysis Platform (CMU BAP) is a reverse engineering and program analysis platform that works with binary code and doesn't require the source code. BAP supports multiple architectures: ARM, x86, x86-64, PowerPC, and MIPS. BAP disassembles and lifts binary code into the RISC-like BAP Instruction Language (BIL). Program analysis is performed using the BIL representation and is architecture independent in a sense that it will work equally well for all supported architectures. The platform comes with a set of tools, libraries, and plugins. The documentation and tutorial are also available. The main purpose of BAP is to provide a toolkit for implementing automated program analysis. BAP is written in OCaml and it is the preferred language to write analysis, we have bindings to C, Python and Rust. The Primus Framework also provide a Lisp-like DSL for writing program analysis tools. BAP is developed in CMU, Cylab and is sponsored by various grants from the United States Department of Defense, Siemens AG, and the Korea government, see sponsors for more information.
binary-analysis reverse-engineering program-analysis static-analysis dynamic-analysis program-verification instruction-semantics taint-analysis disassembler lifter ocaml arm x86 security forensics emulator bap control-flow-analysis powerpc mipsSemgrep - Lightweight static analysis for many languages
Semgrep is a command-line tool for offline static analysis. Use pre-built or custom rules to enforce code and security standards in your codebase. Semgrep combines the convenient and iterative style of grep with the powerful features of an Abstract Syntax Tree (AST) matcher and limited dataflow. Easily find function calls, class or method definitions, and more without having to understand ASTs or wrestle with regexes.
static-analysis code-analysis static-code-analysis code-standardsEthlint - (Formerly Solium) Linter to identify and fix style & security issues in Solidity
Solium analyzes your Solidity code for style & security issues and fixes them. To know which lint rules Solium applies for you, see Style rules and Security rules.
ethereum solidity smart-contracts soliumplugin soliumconfig security lint static-analysis abstract-syntax-tree solium blockchain code-quality dapp developer-tools
We have large collection of open source products. Follow the tags from
Tag Cloud >>
Open source products are scattered around the web. Please provide information
about the open source projects you own / you use.
Add Projects.
