Skip to content

Introduction

scan-logo

Warning

Scan is now in maintenance mode. If you've just come across this project, then probably best to look at any alternatives. Read more here.

Scan (skæn) is an open-source security audit tool for modern DevOps teams. With an integrated multi-scanner based design, Scan can detect various kinds of security flaws in your application and infrastructure code in a single fast scan without the need for any remote server. The kind of flaws detected are:

  • Credentials Scanning to detect accidental secret leaks
  • Static Analysis Security Testing (SAST) for a range of languages and frameworks
  • Open-source dependencies audit for known CVEs
    • Many languages and package formats supported
    • OSS Risk Audit for npm
    • Dependency confusion checks for npm
  • Licence violation checks
  • Container image scanning for application CVEs (New)

Workflow

Scan is purpose built for DevSecOps workflow integrations with nifty features such as automatic build breaker, Pull Request summary comments, GitHub Code scanning and Bitbucket Code Insights support and so on.

Sample invocation

Easy one-liner command below for some casual testing (Assuming this is fine for you):

sh <(curl https://slscan.sh)

The above command simply invokes the below docker run command.

docker run --rm -e "WORKSPACE=${PWD}" -v $PWD:/app shiftleft/sast-scan scan --build

MD5 hashes for the scripts

MD5 Script URL
ad68b19ab0f01175df90b145451b1a1d slscan.sh https://slscan.sh
3e90e3250f4e8a15c2b808fb00171cab install https://slscan.sh/install
9a10d9115d7b096db7921231f9fedc47 credscan https://slscan.sh/credscan

For arm64 based CPU such as Apple M1 use the :arm tag.

docker run --rm -e "WORKSPACE=${PWD}" -v $PWD:/app shiftleft/sast-scan:arm scan --build

Java Scan

Scan is also available as an AppImage. Please download the latest version from GitHub releases or use the one-liner command below.

sh <(curl https://slscan.sh/install)

Expanded version of the one-liner command.

wget https://github.com/ShiftLeftSecurity/sast-scan/releases/download/v1.9.27/scan
chmod +x scan
./scan -t nodejs

Supported Languages & Frameworks

Full list of supported languages is as follows:

Language Scan Type (--type) Credential Scan SAST Dependency Scan License Audit Build Breaker
Salesforce Apex apex
Ansible ansible 🚧
AWS CloudFormation / CDK aws
Azure Resource Manager Templates arm
Bash bash
Dockerfile dockerfile
Go go
Java java
Kotlin kotlin
Scala scala
Groovy groovy
JSP jsp
Node.js nodejs 🚧
PL/SQL plsql
Php php
Python python
Ruby ruby ✓ (1)
Rust rust
Helm Charts yaml
Kubernetes kubernetes
Serverless serverless
Terraform terraform
Salesforce Visual Force vf
Apache Velocity vm
Yaml yaml 🚧
Container Image docker 🚧

🚧 - Work-in-progress feature

Note

(1) - For Ruby, brakeman is the only supported tool and is currently not bundled with the scan image. Once you have a suitable license for brakeman (Not free for commercial use), run the below commands before invoking scan.

sudo gem install brakeman
brakeman -q --no-exit-on-warn --no-exit-on-error -o reports/source-ruby-report.json

Scan would then take the json report source-ruby-report.json produced and use it for SARIF conversion and build breaker logic. The file should be produced in the reports directory before the invocation.

To scan AWS CDK codebase, export to cloudformation and then scan using aws type.

Start with your use case

  • Read more about secure development and best practices with scan for a range of languages
  • Configure scan and customize the default build breaker logic

Support

Developers behind scan are available on a dedicated discord channel for questions and support. For defects, raising an issue on GitHub is best.


Last update: October 26, 2021