Sastquatch is a powerful yet simple static analysis tool that combines the strengths of CodeQL and Semgrep with custom rules, all packaged in a Docker container for easy deployment and use.
- Utilizes CodeQL for deep, semantic code analysis
- Incorporates Semgrep for fast, pattern-based scanning
- Custom rules tailored for enhanced security checks (50+ custom rules)
- Dockerized for consistent environments and easy setup
- Lightweight and efficient compared to more complex toolsets
-
Clone this repository:
git clone https://github.com/fazledyn/sastquatch cd sastquatch/engine -
Build the Docker image:
docker build -f Dockerfile -t sastquatch:latest .
Run Sastquatch on your codebase:
docker run --rm \
-v /path/to/source:/workspace/source \
-v /path/to/result:/workspace/result \
-t sastquatch:latest \
--language LANGUAGE \
--queries QUERIESLANGUAGE can be any of the below:
pythonjavascript
QUERIES can be any of the below:
code-scanningsecurity-extendedsecurity-and-quality
This tool uses CodeQL CLI including the CodeQL engine which is hosted in a different repository and is licensed separately. If you'd like to use the CodeQL CLI to analyze closed-source code, you will need a commercial license; please contact GitHub for further help. People are responsible for using it at their own.
- Inspired by the OpenSSF Omega Analyzer
- Built with CodeQL and Semgrep