### Install libsast and semgrep Source: https://github.com/ajinabraham/libsast/blob/master/README.md Installs the libsast package and a specific version of semgrep for enhanced security analysis. Ensure semgrep is installed for full functionality, especially for semantic analysis features. ```bash pip install semgrep==1.86.0 #For semgrep support pip install libsast ``` -------------------------------- ### Configure and Scan with SemanticGrep API Source: https://context7.com/ajinabraham/libsast/llms.txt This example shows how to set up and utilize the SemanticGrep class from libsast for syntax-aware code analysis. It details the configuration for semgrep rules, target file extensions, and progress display. The snippet then proceeds to scan specified paths and returns the results. ```python from libsast.core_sgrep.semantic_sgrep import SemanticGrep from pathlib import Path # Configure semantic grep options = { 'sgrep_rules': './semgrep_rules/', # Directory with semgrep YAML files 'sgrep_extensions': ['.py', '.js', '.java', '.go', '.c'], 'show_progress': True } # Scan paths paths = [Path('./src/main.py'), Path('./src/utils')] # Initialize and scan sgrep = SemanticGrep(options) results = sgrep.scan(paths) ``` -------------------------------- ### libsast CLI: Check Version Source: https://context7.com/ajinabraham/libsast/llms.txt Displays the currently installed version of the libsast tool. Essential for verifying installation and compatibility. ```bash # Check version libsast --version ``` -------------------------------- ### Python Semantic Grep Rule Example Source: https://github.com/ajinabraham/libsast/blob/master/README.md This YAML snippet defines a semantic grep rule to identify instances where a boto3 client is configured using an IP address instead of a hostname. It specifies the pattern to search for within the code and includes metadata for categorization and severity. ```yaml rules: - id: boto-client-ip patterns: - pattern-inside: boto3.client(host="...") - pattern-regex: '\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}' message: "boto client using IP address" languages: [python] severity: ERROR metadata: owasp-web: a2 owasp-mobile: m7 cwe: cwe-1048 foo: Some extra metadata ``` -------------------------------- ### Initialize and Run Scanner with Options Source: https://context7.com/ajinabraham/libsast/llms.txt This snippet demonstrates how to initialize and run the main Scanner class from libsast. It shows the configuration of various options for both pattern matching and semantic grep, including rule paths, file extensions, ignored files/paths, progress display, CPU core usage, and multiprocessing strategy. The results are then processed for both matching engines. ```python from libsast import Scanner from pathlib import Path # Configure scanner options options = { 'match_rules': './rules/pattern_matcher', # Pattern matcher YAML rules 'sgrep_rules': './rules/semantic_grep', # Semgrep YAML rules 'sgrep_extensions': {'.js', '.py', '.go'}, # File extensions for semgrep 'match_extensions': {'.json', '.xml', '.yaml', '.sh'}, # Extensions for pattern matcher 'ignore_filenames': {'bootstrap.min.js', 'jquery.min.js'}, 'ignore_extensions': {'.zip', '.exe', '.jpg'}, 'ignore_paths': {'node_modules', 'test', '__pycache__'}, 'show_progress': True, # Display progress bar 'cpu_core': 4, # Number of CPU cores to use 'multiprocessing': 'default' } # Paths to scan (files or directories) paths = ['./src', './lib', './config/settings.py'] # Initialize and run scanner scanner = Scanner(options, paths) results = scanner.scan() # Process results if 'pattern_matcher' in results: for rule_id, finding in results['pattern_matcher'].items(): print(f"Rule: {rule_id}") print(f"Severity: {finding['metadata']['severity']}") for match in finding['files']: print(f" File: {match['file_path']}") print(f" Lines: {match['match_lines']}") print(f" Code: {match['match_string']}") if 'semantic_grep' in results: for rule_id, finding in results['semantic_grep']['matches'].items(): print(f"Rule: {rule_id}") print(f"Description: {finding['metadata']['description']}") for match in finding['files']: print(f" File: {match['file_path']}") print(f" Match: {match['match_string']}") # Handle errors for error in results['semantic_grep']['errors']: print(f"Error in {error['path']}: {error['message']}") ``` -------------------------------- ### libsast Command Line Options Source: https://github.com/ajinabraham/libsast/blob/master/README.md Demonstrates the available command-line arguments for the libsast tool. These options allow users to specify scan paths, output formats, pattern files, and ignore rules for targeted security analysis. ```bash $ libsast usage: libsast [-h] [-o OUTPUT] [-p PATTERN_FILE] [-s SGREP_PATTERN_FILE] [--sgrep-file-extensions SGREP_FILE_EXTENSIONS [SGREP_FILE_EXTENSIONS ...]] [--file-extensions FILE_EXTENSIONS [FILE_EXTENSIONS ...]] [--ignore-filenames IGNORE_FILENAMES [IGNORE_FILENAMES ...]] [--ignore-extensions IGNORE_EXTENSIONS [IGNORE_EXTENSIONS ...]] [--ignore-paths IGNORE_PATHS [IGNORE_PATHS ...]] [--show-progress] [--cpu-core CPU_CORE] [-v] [path ...] positional arguments: path Path can be file(s) or directories options: -h, --help show this help message and exit -o OUTPUT, --output OUTPUT Output filename to save JSON report. -p PATTERN_FILE, --pattern-file PATTERN_FILE YAML pattern file, directory or url -s SGREP_PATTERN_FILE, --sgrep-pattern-file SGREP_PATTERN_FILE sgrep rules directory --sgrep-file-extensions SGREP_FILE_EXTENSIONS [SGREP_FILE_EXTENSIONS ...] File extensions that should be scanned with semantic grep --file-extensions FILE_EXTENSIONS [FILE_EXTENSIONS ...] File extensions that should be scanned with pattern matcher --ignore-filenames IGNORE_FILENAMES [IGNORE_FILENAMES ...] File name(s) to ignore --ignore-extensions IGNORE_EXTENSIONS [IGNORE_EXTENSIONS ...] File extension(s) to ignore in lower case --ignore-paths IGNORE_PATHS [IGNORE_PATHS ...] Path(s) to ignore --show-progress Show scan progress --cpu-core CPU_CORE No of CPU cores to use. Use all cores by default -v, --version Show libsast version ``` -------------------------------- ### Python Scanner Initialization and Scan Source: https://github.com/ajinabraham/libsast/blob/master/README.md Demonstrates how to initialize the Scanner class with various configuration options and then perform a scan on specified paths. The output is a dictionary detailing detected vulnerabilities, including file paths, match strings, positions, and metadata like CWE and OWASP categories. ```python from libsast import Scanner options = {'match_rules': '/Users/ajinabraham/Code/njsscan/njsscan/rules/pattern_matcher', 'sgrep_rules': '/Users/ajinabraham/Code/njsscan/njsscan/rules/semantic_grep', 'sgrep_extensions': {'', '.js'}, 'match_extensions': {'.hbs', '.sh', '.ejs', '.toml', '.mustache', '.tmpl', '.jade', '.json', '.ect', '.vue', '.yml', '.hdbs', '.tl', '.html', '.haml', '.dust', '.pug', '.tpl'}, 'ignore_filenames': {'bootstrap.min.js', '.DS_Store', 'bootstrap-tour.js', 'd3.min.js', 'tinymce.js', 'codemirror.js', 'tinymce.min.js', 'react-dom.production.min.js', 'react.js', 'jquery.min.js', 'react.production.min.js', 'codemirror-compressed.js', 'axios.min.js', 'angular.min.js', 'raphael-min.js', 'vue.min.js'}, 'ignore_extensions': {'.7z', '.exe', '.rar', '.zip', '.a', '.o', '.tz'}, 'ignore_paths': {'__MACOSX', 'jquery', 'fixtures', 'node_modules', 'bower_components', 'example', 'spec'}, 'show_progress': False} paths = ['../njsscan/tests/assets/dot_njsscan/'] scanner = Scanner(options, paths) scanner.scan() ``` -------------------------------- ### Initialize and Use ChoiceMatcher API in Python Source: https://context7.com/ajinabraham/libsast/llms.txt This Python code snippet demonstrates how to configure, initialize, and use the ChoiceMatcher API from the libsast library. It sets up options for rule files, code extensions, and multiprocessing, then scans specified paths. The results are then iterated to print rule IDs, descriptions, selections, and associated metadata. ```python from libsast.core_matcher.choice_matcher import ChoiceMatcher from pathlib import Path # Configure choice matcher options = { 'choice_rules': './choice_rules.yaml', 'choice_extensions': ['.py', '.js'], 'alternative_path': './config', # Alternative scan path for non-code rules 'show_progress': False, 'cpu_core': 2, 'multiprocessing': 'default' } # Scan paths paths = [Path('./src'), Path('./lib')] # Initialize and scan choice_matcher = ChoiceMatcher(options) findings = choice_matcher.scan(paths) # Process results for rule_id, result in findings.items(): print(f"\nRule ID: {rule_id}") print(f"Description: {result['description']}") print(f"Selection: {result['choice']}") print(f"Metadata: {result.get('meta', 'N/A')}") ``` -------------------------------- ### libsast CLI: Show Progress and CPU Cores Source: https://context7.com/ajinabraham/libsast/llms.txt Enables progress visualization during the scan and allows specifying the number of CPU cores to use. This is helpful for large projects and performance tuning. ```bash # Show progress and use specific CPU cores libsast -p ./rules/patterns.yaml \ --show-progress \ --cpu-core 4 \ ./large-project/ ``` -------------------------------- ### Configure and Scan with PatternMatcher API Source: https://context7.com/ajinabraham/libsast/llms.txt This code initializes and uses the PatternMatcher from libsast for regex-based scanning. It showcases how to configure the matcher with rule paths, target file extensions, progress display, CPU core usage, and multiprocessing strategy. The findings are then iterated and detailed information about each rule and its matches is printed. ```python from libsast.core_matcher.pattern_matcher import PatternMatcher from pathlib import Path # Configure pattern matcher options = { 'match_rules': './security_rules.yaml', 'match_extensions': ['.java', '.kt', '.swift'], 'show_progress': False, 'cpu_core': 2, 'multiprocessing': 'default' # or 'thread' or 'billiard' } # Prepare paths paths = {Path('./app/src'), Path('./app/lib')} # Initialize and scan matcher = PatternMatcher(options) findings = matcher.scan(paths) # Process findings for rule_id, result in findings.items(): metadata = result['metadata'] print(f"\nRule ID: {rule_id}") print(f"Description: {metadata['description']}") print(f"Severity: {metadata['severity']}") print(f"CWE: {metadata.get('cwe', 'N/A')}") print(f"OWASP: {metadata.get('owasp-web', 'N/A')}") # Display matches for file_match in result['files']: print(f"\n File: {file_match['file_path']}") print(f" Line: {file_match['match_lines'][0]}-{file_match['match_lines'][1]}") print(f" Position: {file_match['match_position']}") print(f" Match: {file_match['match_string'][:100]}") ``` -------------------------------- ### Testing Pattern Matcher Rules with libsast CLI Source: https://github.com/ajinabraham/libsast/blob/master/README.md This command demonstrates how to test your custom Pattern Matcher rules. It uses the libsast command-line interface to apply a specified rule file against a directory containing target files. The output will indicate any violations found based on the defined patterns and severity levels. ```bash $ libsast -p tests/assets/rules/pattern_matcher/patterns.yaml tests/assets/files/ ``` -------------------------------- ### SemanticGrep API Source: https://context7.com/ajinabraham/libsast/llms.txt A syntax-aware semantic code analyzer that leverages semgrep for deep pattern matching based on code structure. ```APIDOC ## SemanticGrep API ### Description Syntax-aware semantic code analyzer using semgrep for deep pattern matching in code structure. ### Method Instantiation and method call ### Endpoint N/A (Class based API) ### Parameters #### Initialization Parameters - **options** (dict) - Required - Configuration options for SemanticGrep. - **sgrep_rules** (str) - Path to the directory containing semgrep YAML rule files. - **sgrep_extensions** (list) - List of file extensions to be analyzed by semgrep (e.g., ['.py', '.js']). - **show_progress** (bool) - Whether to display a progress bar. #### Scan Method Parameters - **paths** (list) - Required - A list of Path objects representing files or directories to scan. ### Request Example ```python from libsast.core_sgrep.semantic_sgrep import SemanticGrep from pathlib import Path options = { 'sgrep_rules': './semgrep_rules/', 'sgrep_extensions': ['.py', '.js', '.java', '.go', '.c'], 'show_progress': True } paths = [Path('./src/main.py'), Path('./src/utils')] sgrep = SemanticGrep(options) results = sgrep.scan(paths) ``` ### Response #### Success Response (dict) - **matches** (dict) - A dictionary where keys are rule IDs and values contain match details. - **rule_id** (str) - The ID of the semgrep rule that matched. - **metadata** (dict) - Metadata associated with the rule, typically including a description. - **files** (list) - A list of file matches found for this rule. - **file_path** (str) - The path to the file where the match occurred. - **match_string** (str) - The code snippet that matched the semgrep rule. - **errors** (list) - A list of errors encountered during the semgrep scan. - **path** (str) - The path related to the error. - **message** (str) - A description of the error. #### Response Example ```json { "matches": { "SEMVER001": { "metadata": {"description": "Use of insecure version of library"}, "files": [ {"file_path": "./src/dependencies.yaml", "match_string": "library-x: 1.0.0"} ] } }, "errors": [ {"path": "./src/config.py", "message": "Syntax error: unexpected token"} ] } ``` ``` -------------------------------- ### libsast CLI: Basic Scan with Patterns Source: https://context7.com/ajinabraham/libsast/llms.txt Executes a basic scan using pattern matching rules defined in a YAML file. It targets files in the specified directory. ```bash # Basic scan with pattern matcher libsast -p ./rules/patterns.yaml ./src/ ``` -------------------------------- ### Running Semantic Grep Scan Source: https://github.com/ajinabraham/libsast/blob/master/README.md This command demonstrates how to execute a semantic grep scan using the libsast tool. It specifies the path to the rule file (sgrep.yaml) and the directory containing the code to be scanned. ```bash $ libsast -s tests/assets/rules/semantic_grep/sgrep.yaml tests/assets/files/ ``` -------------------------------- ### Define Semgrep Rules for AST-Aware Matching in YAML Source: https://context7.com/ajinabraham/libsast/llms.txt This YAML snippet defines Semgrep rules for syntax-aware pattern matching using Abstract Syntax Trees (AST). It showcases rules for detecting hardcoded IP addresses in Python, unsafe deserialization in JavaScript, and potential SQL injection risks in Python, utilizing AST context and regex patterns. ```yaml rules: # Pattern matching with AST awareness - id: hardcoded_ip_address patterns: - pattern-inside: boto3.client(host="...") - pattern-regex: '\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}' message: "Hardcoded IP address in boto3 client" languages: - python severity: ERROR metadata: cwe: cwe-1050 owasp-web: a8 description: IP addresses should use configuration # Context-aware pattern matching - id: unsafe_deserialization patterns: - pattern-inside: | require('node-serialize'); ... - pattern: | $X.unserialize(...) message: >- User controlled data in unserialize() can result in Object Injection or Remote Code Injection languages: - javascript severity: ERROR metadata: cwe: cwe-502 owasp-web: a8 # Multiple pattern conditions - id: sql_injection_risk patterns: - pattern: $CURSOR.execute($QUERY) - pattern-not: $CURSOR.execute("...") - pattern-not-inside: | $QUERY = "..." ... message: "Possible SQL injection vulnerability" languages: - python severity: ERROR metadata: cwe: cwe-89 owasp-web: a1 ``` -------------------------------- ### Python API: Scanner with Standard Mappings Source: https://context7.com/ajinabraham/libsast/llms.txt Demonstrates how to use the libsast Python Scanner API to perform scans with rules that include standard security metadata mappings (OWASP, CWE, MASVS). The rules are written to a file and then used by the Scanner. ```python from libsast import Scanner # Rules with standard mappings rules_yaml = """ - id: xss_vulnerability message: Cross-site scripting vulnerability pattern: innerHTML\s*=\s* severity: error type: Regex metadata: owasp-web: a1 # Expands to "A1: Injection" owasp-mobile: m1 # Expands to "M1: Improper Platform Usage" cwe: cwe-79 # Expands to "CWE-79: Cross-site Scripting" masvs: storage-3 # Expands to "MSTG-STORAGE-3" """ # Write rules to file with open('xss_rules.yaml', 'w') as f: f.write(rules_yaml) # Scan with auto-expanded mappings options = {'match_rules': 'xss_rules.yaml', 'match_extensions': ['.js', '.html']} scanner = Scanner(options, ['./web/']) results = scanner.scan() # Access expanded metadata for rule_id, finding in results['pattern_matcher'].items(): meta = finding['metadata'] print(f"OWASP Web: {meta.get('owasp-web')}") # "A1: Injection" print(f"OWASP Mobile: {meta.get('owasp-mobile')}") # "M1: Improper Platform Usage" print(f"CWE: {meta.get('cwe')}") # Full CWE description print(f"MASVS: {meta.get('masvs')}") # MSTG mapping ``` -------------------------------- ### libsast CLI: Combined Scan Source: https://context7.com/ajinabraham/libsast/llms.txt Combines both pattern matching and semantic grep engines for a comprehensive scan. It analyzes files in the given directory using rules from both specified paths. ```bash # Combined scan with both engines libsast -p ./rules/patterns.yaml -s ./rules/semgrep/ ./src/ ``` -------------------------------- ### libsast CLI: Save Results to File Source: https://context7.com/ajinabraham/libsast/llms.txt Runs a pattern-based scan and saves the results directly to a JSON file. This is useful for automated reporting and analysis. ```bash # Save results to file libsast -p ./rules/patterns.yaml -o report.json ./src/ ``` -------------------------------- ### libsast CLI: Multiprocessing Strategy Source: https://context7.com/ajinabraham/libsast/llms.txt Allows selection of the multiprocessing strategy ('thread' or 'process') for the scan. This can impact performance depending on the system and project structure. ```bash # Use different multiprocessing strategy libsast -p ./rules/patterns.yaml \ --multiprocessing thread \ ./src/ ``` -------------------------------- ### libsast CLI: Filter by File Extensions Source: https://context7.com/ajinabraham/libsast/llms.txt Scans a project while filtering which file extensions to include and ignore. This helps in focusing the scan on specific parts of a codebase. ```bash # Filter by file extensions libsast -p ./rules/patterns.yaml \ --file-extensions .java .kt \ --ignore-extensions .jar .class \ ./android-app/ ``` -------------------------------- ### Scanner API Source: https://context7.com/ajinabraham/libsast/llms.txt The main Scanner class orchestrates both pattern matching and semantic grep scanning across specified files and directories. ```APIDOC ## Scanner API ### Description Main scanner class that orchestrates pattern matching and semantic grep scanning across multiple files and directories. ### Method Instantiation and method call ### Endpoint N/A (Class based API) ### Parameters #### Initialization Parameters - **options** (dict) - Required - Configuration options for the scanner. - **match_rules** (str) - Path to pattern matcher YAML rules. - **sgrep_rules** (str) - Path to semgrep YAML rules. - **sgrep_extensions** (set) - File extensions to be analyzed by semgrep. - **match_extensions** (set) - File extensions to be analyzed by the pattern matcher. - **ignore_filenames** (set) - Specific filenames to ignore. - **ignore_extensions** (set) - File extensions to ignore. - **ignore_paths** (set) - Directory paths to exclude from scanning. - **show_progress** (bool) - Whether to display a progress bar. - **cpu_core** (int) - Number of CPU cores to utilize. - **multiprocessing** (str) - Strategy for multiprocessing ('default', 'thread', 'billiard'). - **paths** (list) - Required - List of file or directory paths to scan. #### Scan Method Parameters - None ### Request Example ```python from libsast import Scanner from pathlib import Path options = { 'match_rules': './rules/pattern_matcher', 'sgrep_rules': './rules/semantic_grep', 'sgrep_extensions': {'.js', '.py', '.go'}, 'match_extensions': {'.json', '.xml', '.yaml', '.sh'}, 'ignore_filenames': {'bootstrap.min.js', 'jquery.min.js'}, 'ignore_extensions': {'.zip', '.exe', '.jpg'}, 'ignore_paths': {'node_modules', 'test', '__pycache__'}, 'show_progress': True, 'cpu_core': 4, 'multiprocessing': 'default' } paths = ['./src', './lib', './config/settings.py'] scanner = Scanner(options, paths) results = scanner.scan() ``` ### Response #### Success Response (dict) - **pattern_matcher** (dict) - Results from the pattern matcher. - **rule_id** (str) - ID of the matched rule. - **metadata** (dict) - Metadata about the rule (e.g., severity). - **files** (list) - List of files where the rule matched. - **file_path** (str) - Path to the file. - **match_lines** (list) - Lines where the match occurred. - **match_string** (str) - The matched code snippet. - **semantic_grep** (dict) - Results from semantic grep. - **matches** (dict) - Dictionary of matches found by semgrep rules. - **rule_id** (str) - ID of the semgrep rule. - **metadata** (dict) - Metadata about the rule (e.g., description). - **files** (list) - List of files where the rule matched. - **file_path** (str) - Path to the file. - **match_string** (str) - The matched code snippet. - **errors** (list) - List of errors encountered during semantic grep scanning. - **path** (str) - Path where the error occurred. - **message** (str) - Error message. #### Response Example ```json { "pattern_matcher": { "RULE001": { "metadata": {"severity": "high"}, "files": [ {"file_path": "./src/main.py", "match_lines": [10, 11], "match_string": "..." } ] } }, "semantic_grep": { "matches": { "SEMGREP001": { "metadata": {"description": "Insecure deserialization"}, "files": [ {"file_path": "./src/utils.py", "match_string": "pickle.load(f)"} ] } }, "errors": [ {"path": "./src/malformed.js", "message": "Parse error"} ] } } ``` ``` -------------------------------- ### PatternMatcher API Source: https://context7.com/ajinabraham/libsast/llms.txt A regex-based pattern matcher designed for flexible security rule definition and scanning across various file types. ```APIDOC ## PatternMatcher API ### Description Regex-based pattern matcher that supports multiple matching strategies for flexible security rule definition. ### Method Instantiation and method call ### Endpoint N/A (Class based API) ### Parameters #### Initialization Parameters - **options** (dict) - Required - Configuration options for the pattern matcher. - **match_rules** (str) - Path to the YAML file containing pattern matching rules. - **match_extensions** (list) - List of file extensions to scan (e.g., ['.java', '.kt']). - **show_progress** (bool) - Whether to display a progress bar. - **cpu_core** (int) - Number of CPU cores to utilize. - **multiprocessing** (str) - Multiprocessing strategy ('default', 'thread', 'billiard'). #### Scan Method Parameters - **paths** (set) - Required - A set of Path objects representing files or directories to scan. ### Request Example ```python from libsast.core_matcher.pattern_matcher import PatternMatcher from pathlib import Path options = { 'match_rules': './security_rules.yaml', 'match_extensions': ['.java', '.kt', '.swift'], 'show_progress': False, 'cpu_core': 2, 'multiprocessing': 'default' } paths = {Path('./app/src'), Path('./app/lib')} matcher = PatternMatcher(options) findings = matcher.scan(paths) ``` ### Response #### Success Response (dict) - **rule_id** (str) - The ID of the matched rule. - **metadata** (dict) - Metadata associated with the rule (e.g., description, severity). - **files** (list) - A list of file matches found for this rule. - **file_path** (str) - The path to the file where the match occurred. - **match_lines** (list) - A list containing the start and end line numbers of the match. - **match_position** (list) - The start and end column position of the match within the line. - **match_string** (str) - The actual code snippet that matched the rule. #### Response Example ```json { "RULE001": { "metadata": { "description": "Potential SQL injection vulnerability", "severity": "high", "cwe": "CWE-89", "owasp-web": "A03: Injection" }, "files": [ { "file_path": "./app/src/database.java", "match_lines": [42, 45], "match_position": [10, 50], "match_string": "String query = \"SELECT * FROM users WHERE id = \" + userId;" } ] } } ``` ``` -------------------------------- ### libsast CLI: Scan with Semantic Grep Source: https://context7.com/ajinabraham/libsast/llms.txt Performs a scan using semantic grep, focusing on specific file extensions. This allows for more precise code analysis. ```bash # Scan with semantic grep libsast -s ./rules/semgrep/ --sgrep-file-extensions .py .js ./src/ ``` -------------------------------- ### Python Security Scan Pipeline with libsast Source: https://context7.com/ajinabraham/libsast/llms.txt This Python script integrates the libsast library to perform a security scan on a given target path. It configures scan options, initializes the scanner, runs the analysis, processes and summarizes the results, and optionally saves a detailed report. The script exits with an error code if security errors are detected. ```python #!/usr/bin/env python3 import json import sys from pathlib import Path from libsast import Scanner def run_security_scan(target_path, output_file=None): """Run comprehensive security scan on target path.""" # Configuration options = { 'match_rules': './rules/pattern_matcher/', 'sgrep_rules': './rules/semantic_grep/', 'sgrep_extensions': ['.py', '.js', '.java', '.go', '.c'], 'match_extensions': ['.xml', '.json', '.yaml', '.sh', '.properties'], 'ignore_filenames': [ 'jquery.min.js', 'bootstrap.min.js', 'react.production.min.js', 'vue.min.js' ], 'ignore_extensions': ['.jpg', '.png', '.gif', '.zip', '.jar'], 'ignore_paths': [ 'node_modules', 'bower_components', '__pycache__', 'test', 'tests', 'spec', '.git', 'build', 'dist' ], 'show_progress': True, 'cpu_core': 4, 'multiprocessing': 'default' } # Initialize scanner scanner = Scanner(options, [target_path]) # Run scan print(f"Scanning {target_path}...") results = scanner.scan() # Process and report results total_issues = 0 severity_counts = {'error': 0, 'warning': 0, 'info': 0} # Pattern matcher results if 'pattern_matcher' in results: for rule_id, finding in results['pattern_matcher'].items(): severity = finding['metadata']['severity'].lower() severity_counts[severity] = severity_counts.get(severity, 0) + len(finding['files']) total_issues += len(finding['files']) # Semantic grep results if 'semantic_grep' in results: for rule_id, finding in results['semantic_grep']['matches'].items(): severity = finding['metadata']['severity'].lower() severity_counts[severity] = severity_counts.get(severity, 0) + len(finding['files']) total_issues += len(finding['files']) # Print summary print("\n" + "="*50) print(f"Security Scan Results") print("="*50) print(f"Total Issues: {total_issues}") print(f"Errors: {severity_counts.get('error', 0)}") print(f"Warnings: {severity_counts.get('warning', 0)}") print(f"Info: {severity_counts.get('info', 0)}") # Save to file if output_file: with open(output_file, 'w') as f: json.dump(results, f, indent=2, sort_keys=True) print(f"\nFull report saved to: {output_file}") # Exit with error code if critical issues found if severity_counts.get('error', 0) > 0: print("\n⚠️ Critical security issues found!") return 1 return 0 if __name__ == '__main__': if len(sys.argv) < 2: print("Usage: python security_scan.py [output.json]") sys.exit(1) target = sys.argv[1] output = sys.argv[2] if len(sys.argv) > 2 else None exit_code = run_security_scan(target, output) sys.exit(exit_code) ``` -------------------------------- ### Define Regex Pattern Matching Rules in YAML Source: https://context7.com/ajinabraham/libsast/llms.txt This YAML snippet demonstrates various regex-based pattern matching strategies for defining security rules. It includes simple Regex, compound strategies like RegexAnd, RegexOr, RegexAndNot, and RegexAndOr, each with specific matching requirements. These rules are typically used for static analysis to detect code patterns. ```yaml # Regex: Simple pattern matching - id: hardcoded_password message: Hardcoded password detected input_case: exact # Options: exact, lower, upper pattern: password\s*=\s*["'][^"']{8,}["'] severity: error # Options: error, warning, info type: Regex metadata: cwe: cwe-798 owasp-web: a2 custom_field: custom_value # RegexAnd: All patterns must match - id: webview_external_storage message: WebView loading from external storage input_case: exact pattern: - webkit\.WebView - \.loadUrl\(.*getExternalStorageDirectory(\) severity: error type: RegexAnd # RegexOr: Any pattern can match - id: insecure_file_mode message: Insecure file mode detected input_case: exact pattern: - MODE_WORLD_READABLE|Context\.MODE_WORLD_READABLE - openFileOutput\(\s*".+"\s*,\s*1\s*\) severity: error type: RegexOr # RegexAndNot: First pattern present, second pattern absent - id: webview_without_security message: WebView without JavaScript disabled input_case: exact pattern: - WKWebView # Must be present - \.javaScriptEnabled=false # Must NOT be present severity: warning type: RegexAndNot # RegexAndOr: First pattern AND (any of second patterns) - id: sms_api_usage message: SMS sending functionality detected input_case: exact pattern: - telephony.SmsManager - - sendMultipartTextMessage - sendTextMessage - vnd.android-dir/mms-sms severity: warning type: RegexAndOr ``` -------------------------------- ### libsast CLI: Ignore Files and Paths Source: https://context7.com/ajinabraham/libsast/llms.txt Configures the scan to ignore specific filenames and entire directory paths. This is crucial for excluding test files, build artifacts, or dependency directories. ```bash # Ignore specific files and paths libsast -p ./rules/patterns.yaml \ --ignore-filenames test.js spec.js \ --ignore-paths node_modules test build \ ./project/ ``` -------------------------------- ### Process Scan Results with Python Source: https://context7.com/ajinabraham/libsast/llms.txt This Python code snippet iterates through scan results, printing details for each rule, finding, and match. It handles both successful matches and Semgrep errors, displaying file paths, line/column information, and extracted code snippets. It's designed to parse the 'results' dictionary generated by a scanning tool. ```python for rule_id, finding in results['matches'].items(): metadata = finding['metadata'] print(f"\nRule: {rule_id}") print(f"Description: {metadata['description']}") print(f"Severity: {metadata['severity']}") for match in finding['files']: print(f" File: {match['file_path']}") print(f" Lines: {match['match_lines'][0]}-{match['match_lines'][1]}") print(f" Columns: {match['match_position'][0]}-{match['match_position'][1]}") print(f" Code:\n{match['match_string']}") # Handle semgrep errors if results['errors']: print("\nSemgrep Errors:") for error in results['errors']: print(f" Type: {error['type']}") print(f" File: {error.get('path', 'N/A')}") print(f" Message: {error.get('message', error.get('long_msg', 'Unknown error'))}") ``` -------------------------------- ### Pattern Matcher Rule Definition in YAML Source: https://github.com/ajinabraham/libsast/blob/master/README.md This YAML structure defines a rule for the libsast Pattern Matcher. It includes an ID, message, input case sensitivity, pattern to match, severity level, rule type, and optional metadata for enhanced analysis and reporting. The 'type' field dictates how the 'pattern' list is evaluated against the input. ```yaml - id: test_regex_or message: This is a rule to test regex_or input_case: exact pattern: - MODE_WORLD_READABLE|Context.MODE_WORLD_READABLE - openFileOutput(\s*".+"\s*,\s*1\s*) severity: error type: RegexOr metadata: owasp-web: a1 reference: http://foo.bar foo: Some extra metadata ``` === COMPLETE CONTENT === This response contains all available snippets from this library. No additional content exists. Do not make further requests.