
(Work in progress) Simple static analysis tool based on CodeQL, Semgrep


fazledyn/sastquatch


Sastquatch

Sastquatch is a powerful yet simple static analysis tool that combines the strengths of CodeQL and Semgrep with custom rules, all packaged in a Docker container for easy deployment and use.

Features

  • Utilizes CodeQL for deep, semantic code analysis
  • Incorporates Semgrep for fast, pattern-based scanning
  • Custom rules tailored for enhanced security checks (50+ custom rules)
  • Dockerized for consistent environments and easy setup
  • Lightweight and efficient compared to more complex toolsets

Getting Started

Installing Sastquatch Engine

  1. Clone this repository:

    git clone https://github.com/fazledyn/sastquatch
    cd sastquatch/engine
  2. Build the Docker image:

    docker build -f Dockerfile -t sastquatch:latest .

Usage

Run Sastquatch on your codebase:

docker run --rm \
    -v /path/to/source:/workspace/source \
    -v /path/to/result:/workspace/result \
    -t sastquatch:latest \
    --language LANGUAGE \
    --queries QUERIES

LANGUAGE can be any of the below:

  • python
  • javascript

QUERIES can be any of the below:

  • code-scanning
  • security-extended
  • security-and-quality
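The following wrapper is an added example, not part of the sastquatch project: it validates LANGUAGE and QUERIES against the two lists above, rejects relative host paths (Docker bind mounts require absolute ones), and then issues the same docker run command shown in the Usage section. The image tag and the SASTQUATCH_IMAGE override are assumptions based on the build step.

```shell
#!/bin/sh
# Added wrapper around the README's `docker run` invocation (not part of the
# sastquatch project). It checks LANGUAGE and QUERIES against the lists the
# README documents and rejects relative paths, which bind mounts cannot take.

# Assumed: image tag from the build step, overridable via SASTQUATCH_IMAGE.
SASTQUATCH_IMAGE="${SASTQUATCH_IMAGE:-sastquatch:latest}"

# sq_in_list NEEDLE ITEM...: succeeds if NEEDLE equals one of the ITEMs.
sq_in_list() {
    needle="$1"; shift
    for item in "$@"; do
        [ "$item" = "$needle" ] && return 0
    done
    return 1
}

# sq_check_args SRC RESULT LANGUAGE QUERIES: validate without running anything.
sq_check_args() {
    case "$1" in /*) ;; *) echo "source path must be absolute: $1" >&2; return 2 ;; esac
    case "$2" in /*) ;; *) echo "result path must be absolute: $2" >&2; return 2 ;; esac
    sq_in_list "$3" python javascript \
        || { echo "unsupported LANGUAGE: $3 (python|javascript)" >&2; return 3; }
    sq_in_list "$4" code-scanning security-extended security-and-quality \
        || { echo "unsupported QUERIES: $4" >&2; return 4; }
}

# sq_build_cmd SRC RESULT LANGUAGE QUERIES: print the exact command that would run.
sq_build_cmd() {
    sq_check_args "$@" || return $?
    printf 'docker run --rm -v %s:/workspace/source -v %s:/workspace/result -t %s --language %s --queries %s\n' \
        "$1" "$2" "$SASTQUATCH_IMAGE" "$3" "$4"
}

# sq_run SRC RESULT LANGUAGE QUERIES: validate, then run the scan.
sq_run() {
    sq_check_args "$@" || return $?
    # Create the result directory up front so it is owned by the invoking user
    # rather than created by the Docker daemon.
    mkdir -p "$2"
    docker run --rm \
        -v "$1:/workspace/source" \
        -v "$2:/workspace/result" \
        -t "$SASTQUATCH_IMAGE" \
        --language "$3" \
        --queries "$4"
}
```

Source it and call `sq_run /abs/path/to/source /abs/path/to/result python security-extended`; `sq_build_cmd` with the same arguments prints the command without running it.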

License

This tool uses the CodeQL CLI, including the CodeQL engine, which is hosted in a different repository and is licensed separately. If you'd like to use the CodeQL CLI to analyze closed-source code, you will need a commercial license; please contact GitHub for further help. Users are responsible for using it at their own risk.

Acknowledgments