01 Oct 2022
SCodeScanner is an automated tool created to find vulnerabilities in source code before it is committed to production. This helps developers quickly identify vulnerabilities and patch them at development time.
Supported Languages
SCodeScanner now also supports YAML, for Kubernetes security misconfigurations. When it finds a vulnerability, SCodeScanner writes the results to a JSON output file. SCodeScanner can scan complex RBAC policies for misconfigurations.
New and improved features
1) Support for the PHP language
2) Support for the YAML language
3) Results can be passed to bug-tracking services such as Jira, and to Slack (sending the files to a group reaches several people at once).
4) Results are produced in JSON format, which any other program can easily consume.
5) Rule-driven: if the rule you need is not present in the php or yaml directory, you only have to write a new rule.
6) Rules can describe advanced patterns.
How to run?
1) Download the repository
2) Run pip install -r requirements.txt
3) Run python scscanner.py yaml --help
- --folder: The folder where the code to scan resides. This flag is required.
- --file: Scans a single file instead of a folder; required when you want to scan one file.
- --check: Runs a false-positive removal pass after the vulnerabilities have been identified. It checks whether the flagged input is really user-controlled, then writes a new, modified JSON file with the false positives removed. Note that the tool keeps both the original and the modified file.
- --json: Writes the findings to JSON output files.
- -o: Writes the findings to a text file. The purpose of this flag is a human-readable report that is easy to read. Optional.
- --jira: Sends the output files to a JIRA instance (the connection settings must be added to config.json). Optional.
- --slack: Sends the output files to a Slack instance (the connection settings must be added to config.json). Optional.
Download
SCodeScanner is hosted on GitHub. Head to the GitHub repository for downloads, bug reports and feature requests.
Contribution
We would love your thoughts on this, and it would be great to work with the community.
Thanks!
20 Apr 2022
SCodeScanner is an automated tool created to find vulnerabilities in source code before it is committed to production. This helps developers quickly identify vulnerabilities and patch them at development time.
Supported Languages
SCodeScanner only supports PHP for now, but it will soon start supporting other languages too.
What's new?
1) Added advanced rules: the scanner detects whether a variable has passed through a function that validates user input, and matches accordingly.
$var1 = $_GET['a'];
$var2 = $_GET['b'];
echo htmlspecialchars($var1);  // ignored: the output is escaped
echo $var1;                    // matched: raw user input reaches echo
$encryptedvalue = htmlspecialchars($var2);
echo $encryptedvalue;          // ignored: the variable holds the escaped value
echo $var2;                    // matched: raw user input reaches echo
2) Added Jira integration: you can send the output file directly to a Jira instance.
3) Added Slack integration: you can send the output file to a Slack channel.
4) Added the --check flag, which double-checks the results.
Note: this flag may miss a match when one file imports variables from another file, so use it accordingly.
5) Resolved bugs
6) Edited rules
Download
SCodeScanner is hosted on GitHub. Head to the GitHub repository for downloads, bug reports and feature requests.
Contribution
We would love your thoughts on this, and it would be great to work with the community.
Thanks!
21 May 2021
SCodeScanner is an automated tool created to find vulnerabilities in source code before it is committed to production. This helps developers quickly identify vulnerabilities and patch them at development time.
Supported Languages
SCodeScanner only supports PHP for now, but it will soon start supporting other languages too.
SCodeScanner features
Features:
- Support for scanning a folder that contains multiple PHP files.
- It reports not only the file but also the line on which the vulnerable code exists, so the vulnerability can be located quickly.
- It scans not only the pre-defined PHP variables but also custom variables. Given
$test1 = $_GET["aaa"];
it scans for both $test1 and the $_GET variable in the source code.
- It scans calls in which a function wraps our variable. Given
include(htmlentities($test))
it parses this and reports that the $test variable was found inside the include function, because the wrapper might just as well have been a base64 function rather than htmlentities.
- Support for parsing whitespace.
- Outputs the results as a PHP file containing HTML anchor tags (for smooth browsing).
- It runs on your localhost, where you provide the name of the folder to scan.
- If you find a dangerous function missing, you can add it to the vulnerablefunctions Python file.
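The rule behaviour described on this page, both the April 2022 advanced rules (an escaped versus a raw $_GET variable reaching echo) and the custom-variable and include(htmlentities($test)) cases above, as a small added example that is my own code, not SCodeScanner's. It assumes $_GET and the other listed superglobals are the taint sources and, as a further assumption, lets each sink decide which wrapper functions count as sanitisers, so htmlspecialchars satisfies echo but nothing satisfies include.

```python
import re

# Assumed taint sources and sink/sanitiser pairing (illustrative; not the tool's rule files).
SOURCES = {"$_GET", "$_POST", "$_REQUEST", "$_COOKIE"}
SINK_SANITIZERS = {
    "echo": {"htmlspecialchars", "htmlentities"},  # HTML escaping is enough for an output sink
    "include": set(),  # no escaping function makes a user-controlled include path safe
}
ASSIGN = re.compile(r"^\s*(\$\w+)\s*=\s*(.+?)\s*;\s*$")
SINK = re.compile(r"^\s*(echo|include)\b\s*(.+?)\s*;\s*$")
WRAP = re.compile(r"^(\w+)\s*\((.*)\)$")  # fn(inner)
VAR = re.compile(r"\$\w+")

def unwrap(expr):
    """Split 'fn(inner)' into (fn, inner); a bare expression gives (None, expr)."""
    m = WRAP.match(expr.strip())
    return (m.group(1), m.group(2)) if m else (None, expr.strip())

def scan_php(source, filename="<constructed>"):
    """Return (file, line, sink, variable) for each tainted value reaching a sink unsanitised."""
    tainted = {}  # var -> None for raw user input, or the name of the function it was wrapped in
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        m = ASSIGN.match(line)
        if m:
            var, rhs = m.groups()
            fn, inner = unwrap(rhs)
            if any(v in SOURCES or v in tainted for v in VAR.findall(inner)):
                tainted[var] = fn  # whether the wrapper counts is decided at the sink
            continue
        m = SINK.match(line)
        if not m:
            continue
        sink, arg = m.groups()
        arg = arg[1:-1] if arg.startswith("(") and arg.endswith(")") else arg  # include(...)
        fn, inner = unwrap(arg)
        ok = SINK_SANITIZERS[sink]
        for v in VAR.findall(inner):
            if (v in SOURCES or v in tainted) and fn not in ok and tainted.get(v) not in ok:
                findings.append((filename, lineno, sink, v))
    return findings

SAMPLE = "\n".join([  # constructed from the snippets in the release notes above
    "$var1 = $_GET['a'];", "$var2 = $_GET['b'];", "echo htmlspecialchars($var1 );",
    "echo $var1;", "$encryptedvalue = htmlspecialchars($var2);", "echo $encryptedvalue;",
    "echo $var2;", '$test = $_GET["aaa"];', "include(htmlentities($test));",
])
if __name__ == "__main__":
    for f in scan_php(SAMPLE, "sample.php"):
        print("%s:%d %s(%s) receives user input unsanitised" % f)
```

The scan is line-based and single-file, so like the tool's --check flag it cannot follow a variable imported from another file.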
Download
SCodeScanner is hosted on GitHub. Head to the GitHub repository for downloads, bug reports and feature requests.
Contribution
We would love your thoughts on this, and it would be great to work with the community.
Thanks!
21 May 2021
[DEPRECATED] Sample video of how this tool produces its output. (If an error appears, please click "Open site in new window".)