Skip to content



Scan (skæn) is a free open-source security audit tool for modern DevOps teams. With an integrated multi-scanner based design, Scan can detect various kinds of security flaws in your application and infrastructure code in a single fast scan without the need for any remote server. The kind of flaws detected are:

  • Credentials Scanning to detect accidental secret leaks
  • Static Analysis Security Testing (SAST) for a range of languages and frameworks
  • Open-source dependencies audit
  • Licence violation checks


Scan is purpose built for DevSecOps workflow integrations with nifty features such as automatic build breaker, Pull Request summary comments, GitHub Code scanning and Bitbucket Code Insights support and so on.

Sample invocation

Easy one-liner command below (Assuming this is fine for you):

sh <(curl

The above command simply invokes the below docker run command.

docker run --rm -e "WORKSPACE=${PWD}" -v $PWD:/app shiftleft/sast-scan scan --build

Java Scan

Scan is also available as an AppImage. Please download the latest version from GitHub releases or use the one-liner command below.

sh <(curl

Expanded version of the one-liner command.

chmod +x scan
./scan -t nodejs

Supported Languages & Frameworks

Full list of supported languages is as follows:

Language Scan Type (--type) Credential Scan SAST Dependency Scan License Audit Build Breaker
Salesforce Apex apex
Ansible ansible 🚧
AWS CloudFormation / CDK aws
Azure Resource Manager Templates arm
Bash bash
Go go
Java java
Kotlin kotlin
Scala scala
Groovy groovy
JSP jsp
Node.js nodejs 🚧
PL/SQL plsql
Php php
Python python
Ruby ruby
Rust rust
Kubernetes kubernetes
Serverless serverless
Terraform terraform
Salesforce Visual Force vf
Apache Velocity vm
Yaml yaml 🚧

🚧 - Work-in-progress feature

To scan AWS CDK codebase, export to cloudformation and then scan using aws type.

Start with your use case

  • Read more about secure development and best practices with scan for a range of languages
  • Configure scan and customize the default build breaker logic


Developers behind scan are available on a dedicated discord channel for questions and support. For defects, raising an issue on GitHub is best.

Last update: October 5, 2020