Share
## https://sploitus.com/exploit?id=ABE5DCD8-E050-5DBC-975A-BBB578EA2965
codescan


  Fast, configurable code security scanner written in Rust.
  Detects secrets, exploit patterns, weak crypto, and Unicode attacks across your entire codebase.



  δΈ­ζ–‡ Β·
  GitHub


---

## Features

- **Secret Detection** β€” hardcoded passwords, API keys, tokens, private keys, high-entropy strings (24+ rules)
- **Exploit Patterns** β€” SQL injection, XSS, command injection, path traversal, deserialization, prototype pollution, SSRF, and more (24 rules)
- **Cryptography Audits** β€” MD5, SHA1, DES, RC4, ECB mode, weak RSA, insecure random, missing TLS verification (11 rules)
- **Unicode Attacks** β€” Trojan Source (CVE-2021-42574) bidirectional control chars, zero-width chars, homoglyphs (3 rules)
- **Infrastructure** β€” hardcoded IPs, debug logging, plaintext HTTP URLs, security-relevant TODO comments (4 rules)
- **Custom Rules** β€” define your own rules in JSON using Rust `regex` syntax
- **Suppression** β€” inline comments (`codescan:ignore`) in any language, or config-file entries scoped by file/glob/line/rule/category/severity
- **Multiple Output Formats** β€” pretty (cargo-like), JSON (NDJSON), plain text
- **Parallel Scanning** β€” Rayon-powered parallel file processing, gitignore-aware traversal
- **Configurable** β€” TOML config file, severity overrides, rule disabling, size limits, and more

## Installation

```bash
git clone https://github.com/siiway/codescan
cd codescan
cargo install --path .
```

## Quick Start

```bash
# Scan current directory
codescan .

# Scan with exclusions
codescan --exclude "vendor/**" --exclude "node_modules/**" .

# Only report errors
codescan --severity error .

# Output as JSON
codescan --format json . > findings.jsonl

# List all rules
codescan --list-rules
```

## Example Output

```
error[SECRET001]: Hardcoded password
  --> src/db/connection.py:14:12
   |
14 |   password = "hunter2"
   |              ^^^^^^^^^
   = help: Use environment variables or a secrets manager instead

warning[CRYPTO001]: Weak hashing algorithm
  --> src/auth/hash.py:8:5
   |
 8 |   hashlib.md5(data).hexdigest()
   |   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
   = help: Use SHA-256 or better

found 1 error, 1 warning, 0 notes
```

## Configuration

Create `codescan.toml` in your project root:

```toml
[rules]
disabled = ["INFRA004"]

[rules.severity_overrides]
CRYPTO001 = "error"

[scanner]
max_file_size = 524288

[exclude]
paths = ["vendor/**", "node_modules/**", "dist/**"]
extensions = ["lock", "snap"]

[[suppress]]
file = "src/tests/fixtures/secrets.py"
rules = ["SECRET001", "SECRET002"]
reason = "Test fixture"
```

See the [full documentation](https://github.com/siiway/codescan) for all options.

## Suppression

Inline suppression works in any language:

```python
# codescan:ignore-next-line SECRET001
password = "test_only"
```

```javascript
const url = "http://internal.corp";  // codescan:ignore:INFRA004
```

```sql
-- codescan:ignore-next-line:INFRA001
INSERT INTO config VALUES ('host', '192.168.1.10');
```

Block suppression:

```python
# codescan:ignore-start SECRET001,SECRET002
TEST_PASSWORD = "test123"
TEST_API_KEY  = "sk-test-abc123"
# codescan:ignore-end
```

## Custom Rules

```json
[
  {
    "id": "ORG001",
    "category": "SECRET",
    "severity": "error",
    "pattern": "ACME_[A-Z0-9_]{16,}",
    "message": "ACME internal token pattern detected",
    "help": "Rotate and store in the secrets vault"
  }
]
```

```bash
codescan --rules-file ./rules/org-rules.json .
```

## CI Integration

```yaml
# GitHub Actions
- name: Security scan
  run: codescan --format text --fail-on error src/
```

Exit codes:
- `0` β€” no findings at or above `--fail-on` threshold
- `1` β€” one or more active (non-suppressed) findings meet the threshold

## CLI Reference

```
Usage: codescan [OPTIONS] [PATH]...

Arguments:
  [PATH]...  Paths to scan (default: .)

Options:
  -i, --input          Additional input paths
  -o, --output         Write output to file
  -e, --exclude        Exclude glob patterns
  -c, --config         Config file [default: codescan.toml]
  -f, --format       Output format: pretty|json|text [default: auto]
      --interactive    Force interactive (color) mode
      --severity      Minimum severity: error|warning|info [default: info]
      --only-rules      Comma-separated rule IDs to check
      --skip-rules      Comma-separated rule IDs to skip
  -j, --threads           Parallel threads [default: CPU count]
      --no-gitignore         Disable .gitignore support
      --hidden               Scan hidden files
      --max-filesize  Max file size [default: 1048576]
  -q, --quiet                Suppress summary line
      --fail-on       Exit 1 threshold [default: error]
      --rules-file     Custom rules JSON file(s)
      --show-suppressed      Show suppressed findings
      --list-rules           List all rules and exit
  -h, --help                 Print help
  -V, --version              Print version
```

## License

codescan is licensed under the [GNU General Public License v3.0](LICENSE).

Third-party Rust crate licenses are listed in [THIRD_PARTY_LICENSES/RUST_CRATES.md](THIRD_PARTY_LICENSES/RUST_CRATES.md).

Icon is from [microsoft/fluentui-system-icons](https://github.com/microsoft/fluentui-system-icons), licensed under MIT.