- Static Code Analyzer, analyzes your code, to find anomalies. Currently only limited to "Insecure Functions" in your code!
- It doesn't stop there - as a precautionary measure, it provides you with safer function as an alternative - like instead of using
strcpy()which is vulnerable to Buffer Overflow, it provides you with safer function as an alternative likelstrcy(), which is not vulnerable to Buffer Overflow, that you can implement on your code, to make it secure
- Secode is powered by a stringent and comprehensive ruleset, that can detect vulnerabilities pretty easily, which will be updated regularly, as more vulnerabilities and exploits emerge
- Secode enforces the concept of "Secure Coding" and "Secure Software Development Life Cycle (Secure SDLC)" which is now gaining much needed traction during the development process of any software
Your Code Report provides you information about -
- Hit count of vulnerable functions (total count)
- Vulnerability at hand
- CWE Number associated with it
- A brief description about the vulnerability
- Risk level of your code (graded from 1 - 5, on the severity basis)
- Secure alternative(s) that you must use which are totally safe from exploits
Refer to the installation file for an in-depth walkthrough on how to install the tool, on your Linux distribution
- More technically, Secode uses lexical scanning/analysis to find tokens (such as function names) that suggest likely vulnerabilities, estimates their level of risk (e.g., by the text of function calls), and reports the results
- Secode does not use or have access to information about control flow, data flow, or data types
- Thus, secode will necessarily produce many false positives for vulnerabilities and fail to report many vulnerabilities
- On the other hand, secode can find vulnerabilities in programs that cannot be built or cannot be linked
- Secode also doesn't get as confused by macro definitions and other oddities that more sophisticated tools have trouble with.
- Dockerize it to provide support across all platforms
- Extending Scanning functionalities within the tool to:
- Web Technologies like HTML, CSS, Js and PHP
- App Development languages like Java and Kotlin
- GitHub Actions workflows Integration.
We love contributions! For more information on contributing, please see the file here.
Secode is released under the GNU GPL license version 2 or later (GPL-2.0+). Please see this file for license information.