agrawalsmart7/scodescanner
SCodeScanner

SCodeScanner stands for Source Code Scanner: a tool with which the user can scan source code for critical vulnerabilities. The main objective of this scanner is to find vulnerabilities inside the source code before the code gets published to production.

Website for new releases and announcements - https://scodescanner.info/

Features

  1. Supports the PHP language
  2. Supports the YAML language
  3. Passes results to bug-tracking services like Jira and to Slack (sending a file to a group reaches multiple people at once).
  4. Gives results in JSON format, which can easily be consumed by any other program.
  5. Works with rules. If the rule you need is not already present in the php/yaml directory, you only need to write a new one.
  6. Rules can scan for advanced patterns.

How to run?

  • Download the repository
  • Run pip3 install -r requirements.txt
  • Run python3 scscanner.py --help
  • Run with a supported language, e.g. python3 scscanner.py php --help

Why Should I use SCodeScanner?

SCodeScanner is a fully open-source, command-line-based Python tool for identifying vulnerabilities in code. It is designed to be easy to use and provides a number of features that set it apart from other tools, including:

  • Fewer false positives: SCodeScanner includes flags that help to eliminate false positives and only report on vulnerabilities that are confirmed to exist.

  • Custom semgrep rules: SCodeScanner works with semgrep but creates its own rules, which helps to avoid false positives and time-consuming scans.

  • Command-line Python-based tool: SCodeScanner is a command-line-based Python tool that is easy to use for people of all technical backgrounds. While many open-source tools for identifying vulnerabilities are GUI-based, SCodeScanner's command-line interface makes it simple to run from the terminal.

  • Fast scanning: SCodeScanner's rules are designed to check for multiple vulnerabilities at once, which results in fewer files for the rules to process and a faster scanning process overall.

  • Visibility: SCodeScanner supports Jira and Slack integrations, which give visibility into the identified results by sending the output file to Slack groups or by creating a Jira issue.

  • Ability to track user input variables: SCodeScanner can identify instances where user input variables are defined in one file but used insecurely in another file.

  • Easy-to-read JSON output: SCodeScanner provides results in a JSON format that is easy to read and can be used for further analysis.
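The cross-file tracking described above, as an added illustration of the idea rather than the project's own code: a small Python analyzer (its file names, sample PHP content, source/sink lists and output keys are all constructed for this example) records variables assigned from a PHP superglobal in any file, then flags uses of those variables inside a dangerous sink in a different file. The real tool's rules are far richer; this shows only the minimal data flow that makes a finding "cross-file".

```python
import json
import re
from pathlib import Path
from tempfile import TemporaryDirectory

# Constructed sample PHP files (not taken from the project): user input is
# read in config.php and consumed by a command-execution sink in page.php;
# safe.php calls the same sink with a constant and must not be reported.
SAMPLE_FILES = {
    "config.php": "<?php\n$name = $_GET['name'];\n$title = 'Hello';\n",
    "page.php": "<?php\ninclude 'config.php';\necho $title;\nsystem('ls ' . $name);\n",
    "safe.php": "<?php\n$count = 3;\nsystem('ls ' . $count);\n",
}

# Sinks worth flagging when they receive attacker-controlled data.
SINKS = ("system", "exec", "shell_exec", "passthru", "eval")

# "$var = $_GET[...] ... ;" style assignments directly from a superglobal.
ASSIGN_RE = re.compile(
    r"(\$[A-Za-z_]\w*)\s*=\s*(\$_(?:GET|POST|REQUEST|COOKIE)\b[^;]*);"
)
# "sink( ...args... );" with the argument text captured for variable lookup.
SINK_RE = re.compile(r"\b(" + "|".join(SINKS) + r")\s*\(([^;]*)\)\s*;")
VAR_RE = re.compile(r"\$[A-Za-z_]\w*")


def find_sources(files):
    """Map each variable assigned from a superglobal to (file, line) of that assignment."""
    sources = {}
    for fname, text in files.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            m = ASSIGN_RE.search(line)
            if m:
                sources[m.group(1)] = (fname, lineno)
    return sources


def find_cross_file_taint(files):
    """Report sink calls whose arguments reference a variable sourced from user input."""
    sources = find_sources(files)
    findings = []
    for fname, text in files.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            m = SINK_RE.search(line)
            if not m:
                continue
            for var in VAR_RE.findall(m.group(2)):
                if var in sources:
                    src_file, src_line = sources[var]
                    findings.append({
                        "sink": m.group(1),
                        "variable": var,
                        "sink_file": fname,
                        "sink_line": lineno,
                        "source_file": src_file,
                        "source_line": src_line,
                    })
    return findings


def scan_folder(folder):
    """Read every *.php file in a folder and run the cross-file check over them."""
    files = {p.name: p.read_text() for p in Path(folder).glob("*.php")}
    return find_cross_file_taint(files)


if __name__ == "__main__":
    # Write the constructed files to a temporary folder and print findings as JSON,
    # mirroring the "folder in, JSON out" shape of a source-code scanner.
    with TemporaryDirectory() as tmp:
        for name, body in SAMPLE_FILES.items():
            Path(tmp, name).write_text(body)
        print(json.dumps(scan_folder(tmp), indent=2))
```

The single finding links `system(...)` on line 4 of page.php back to the `$_GET` assignment on line 2 of config.php, while safe.php produces nothing because `$count` never came from user input. A production rule engine would also need to follow reassignments, function parameters and sanitizers, which is exactly where false positives come from and why a separate verification pass is useful.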

Achievements

SCodeScanner received 5 CVEs for finding vulnerabilities in multiple CMS plugins.

  • CVE-2022-1465
  • CVE-2022-1474
  • CVE-2022-1527
  • CVE-2022-1532
  • CVE-2022-1604

Flags/Switches

  • --folder: The flag takes the folder where the actual code resides. This is a required flag.

  • --file: If we want to scan a single file, this flag is required.

  • --check: This flag runs the false-positive removal after identifying the vulnerabilities. It basically checks whether the user input is real or not. The flag also creates a new, modified JSON file after removing all the false positives. Note that the tool keeps both the original and the modified versions of the files.

  • --json: Responsible for writing the JSON files as output.

  • -o: This flag will create a text file with the output findings. The purpose of this flag is to make a human readable file that is easy to read. The flag is optional.

  • --jira: Responsible for sending output files to the Jira instance. (Configuration needs to be added inside the config.json file.) The flag is optional.

  • --slack: Responsible for sending output files to Slack. (Configuration needs to be added inside the config.json file.) The flag is optional.

References/Tutorials

Special Thanks

Todolist

Some cool features are coming.

Feedback/Improvements

I would love to hear your feedback on this tool. Open an issue if you find any problems, and open a PR if you have something to contribute.

Contact

Utkarsh Agrawal
Website
