Skip to content



Scan (skæn) is a free open-source security audit tool for modern DevOps teams. With an integrated multi-scanner based design, Scan can detect various kinds of security flaws in your application and infrastructure code in a single fast scan without the need for any remote server. The kind of flaws detected are:

  • Credentials Scanning to detect accidental secret leaks
  • Static Analysis Security Testing (SAST) for a range of languages and frameworks
  • Open-source dependencies audit for known CVEs
    • Many languages and package formats supported
    • OSS Risk Audit for npm
    • Dependency confusion checks for npm
  • Licence violation checks


Scan is purpose built for DevSecOps workflow integrations with nifty features such as automatic build breaker, Pull Request summary comments, GitHub Code scanning and Bitbucket Code Insights support and so on.

Sample invocation

Easy one-liner command below (Assuming this is fine for you):

sh <(curl

The above command simply invokes the below docker run command.

docker run --rm -e "WORKSPACE=${PWD}" -v $PWD:/app shiftleft/sast-scan scan --build

Java Scan

Scan is also available as an AppImage. Please download the latest version from GitHub releases or use the one-liner command below.

sh <(curl

Expanded version of the one-liner command.

chmod +x scan
./scan -t nodejs

Supported Languages & Frameworks

Full list of supported languages is as follows:

Language Scan Type (--type) Credential Scan SAST Dependency Scan License Audit Build Breaker
Salesforce Apex apex
Ansible ansible 🚧
AWS CloudFormation / CDK aws
Azure Resource Manager Templates arm
Bash bash
Go go
Java java
Kotlin kotlin
Scala scala
Groovy groovy
JSP jsp
Node.js nodejs 🚧
PL/SQL plsql
Php php
Python python
Ruby ruby ✓ (1)
Rust rust
Kubernetes kubernetes
Serverless serverless
Terraform terraform
Salesforce Visual Force vf
Apache Velocity vm
Yaml yaml 🚧

🚧 - Work-in-progress feature


(1) - For Ruby, brakeman is the only supported tool and is currently not bundled with the scan image. Once you have a suitable license for brakeman (Not free for commercial use), run the below commands before invoking scan.

sudo gem install brakeman
brakeman -q --no-exit-on-warn --no-exit-on-error -o reports/source-ruby-report.json

Scan would then take the json report source-ruby-report.json produced and use it for SARIF conversion and build breaker logic. The file should be produced in the reports directory before the invocation.

To scan AWS CDK codebase, export to cloudformation and then scan using aws type.

Start with your use case

  • Read more about secure development and best practices with scan for a range of languages
  • Configure scan and customize the default build breaker logic


Developers behind scan are available on a dedicated discord channel for questions and support. For defects, raising an issue on GitHub is best.

Last update: February 26, 2021