Show HN: Sighthound - 开源源代码漏洞扫描器
Show HN: Sighthound - open-source vulnerability scanner for source code

原始链接: https://github.com/Corgea/Sighthound

Sighthound 是一款具备 AST 感知能力的安全性扫描工具,旨在通过模式匹配和污点分析来识别源代码中的漏洞。它支持多种主流编程语言,包括 Python、JavaScript、TypeScript、Java、PHP、C#、Go、Ruby 以及各种基于 HTML 的模板,并提供文本、JSON 和 CSV 等灵活的输出格式。 主要功能包括: * **多模式分析:** 同时支持广泛的模式搜索和精确的从源到汇(source-to-sink)的污点追踪。 * **高性能:** 针对多文件项目进行了优化,具备并行执行能力。 * **可扩展性:** 利用内置规则包,并支持通过 RON 文件定义自定义规则。 * **集成性:** 使用 Rust 构建,具备容器兼容性,并包含一套用于 CI/CD 流水线的稳健开发命令。 虽然 Sighthound 在静态分析方面表现出色,但可能会遗漏特定于运行时的漏洞。用户需注意,尽管支持多文件污点分析,但该功能目前仍在持续强化中。关于安装,用户可以通过 Cargo 从源码构建,或利用 Docker 导出本地二进制文件。详细用法可通过 `sighthound --help` 命令查看。

抱歉。
相关文章

原文
  • Scans source code for security issues using AST-aware rules.
  • Supports pattern mode and taint mode (source to sink tracking).
  • Handles multi-file projects and parallel execution.
  • Outputs findings as text, JSON, or CSV.
  • Loads embedded rule packs by file extension, with optional file-based custom rules.
Language Extensions Parser Bundled Rules
Python .py, .pyw, .pyi, .pyx Yes Yes
JavaScript .js, .mjs, .cjs, .jsx, .vue, .svelte Yes Yes
TypeScript / TSX .ts, .tsx, .mts, .cts Yes Yes (JS rules)
Java .java Yes Yes
PHP .php, .phtml Yes Yes
C# .cs, .csx Yes Yes
Go .go Yes Yes
Ruby .rb Yes Yes
HTML .html, .htm, .twig, .ejs, .hbs, ... Yes Yes
Django templates .html (Django syntax) Yes Yes (HTML rules)

Not currently supported: Razor (.cshtml), C/C++ (.c, .h).

Prerequisites:

Build from source:

git clone https://github.com/Corgea/Sighthound.git
cd Sighthound
cargo build --release

Binary path: target/release/sighthound

Linux-container-compatible release export:

DOCKER_BUILDKIT=1 docker build \
  --target export \
  --output type=local,dest=./sighthound_release \
  .

Or run ./build_all_platforms.sh.

# Auto-detect languages and run embedded rules
cargo run --bin sighthound -- /path/to/project

# Explicit language + custom rules path
cargo run --bin sighthound -- /path/to/project python rules/python

# Taint-only scan and JSON output
cargo run --bin sighthound -- --taint-analysis --output-format json /path/to/project > findings.json

CLI shape:

sighthound [OPTIONS] <ROOT_DIR> [LANGUAGE] [RULES_PATH]

Run sighthound --help for the full option list.

Rules are written in RON and support both:

  • mode: "search" for pattern matching
  • mode: "taint" for source/sink/sanitizer analysis

Start here:

Core commands:

make check        # fix + format + lint + test + suppression report
make pre-commit   # staged Rust files (hook)
make pre-push     # push gate checks
make ci           # strict CI pipeline

Additional quality gates:

make complexity
make audit
make acceptance
cargo harness coverage --min=0
cargo harness crap --max=30
  • Runtime-only vulnerabilities in dynamic code paths may be missed.
  • Very large files can increase scan time.
  • Multi-file taint is supported but still an area to harden further.
联系我们 contact @ memedata.com