{"id":13533051,"url":"https://github.com/ajinabraham/libsast","last_synced_at":"2025-04-05T04:14:26.137Z","repository":{"id":45808426,"uuid":"254503250","full_name":"ajinabraham/libsast","owner":"ajinabraham","description":"Generic SAST Library","archived":false,"fork":false,"pushed_at":"2024-07-09T15:33:48.000Z","size":293,"stargazers_count":124,"open_issues_count":8,"forks_count":20,"subscribers_count":7,"default_branch":"master","last_synced_at":"2024-10-29T09:44:35.772Z","etag":null,"topics":["appsec","codeanalysis","genericsast","libsast","patternmatch","regex","sast","security","semanticgrep","semgrep","static-analyzer","staticanalysis"],"latest_commit_sha":null,"homepage":"https://opensecurity.in","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"lgpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ajinabraham.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null},"funding":{"github":"ajinabraham","custom":["https://paypal.me/ajinabraham"]}},"created_at":"2020-04-09T23:56:22.000Z","updated_at":"2024-10-28T09:03:03.000Z","dependencies_parsed_at":"2024-06-18T16:58:07.040Z","dependency_job_id":"a5756aca-7f03-416f-a1a3-362187b0effa","html_url":"https://github.com/ajinabraham/libsast","commit_stats":{"total_commits":199,"total_committers":3,"mean_commits":66.33333333333333,"dds":"0.11557788944723613","last_synced_commit":"09165d63062312b6ecfef6fb96177851030c9d42"},"previous_names":[],"tags_count":23,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ajinabraham%2Flibsast","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ajinabraham%2Flibsast/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ajinabraham%2Flibsast/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ajinabraham%2Flibsast/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/ajinabraham","download_url":"https://codeload.github.com/ajinabraham/libsast/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247284953,"owners_count":20913704,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["appsec","codeanalysis","genericsast","libsast","patternmatch","regex","sast","security","semanticgrep","semgrep","static-analyzer","staticanalysis"],"created_at":"2024-08-01T07:01:16.146Z","updated_at":"2025-04-05T04:14:26.115Z","avatar_url":"https://github.com/ajinabraham.png","language":"Python","funding_links":["https://github.com/sponsors/ajinabraham","https://paypal.me/ajinabraham"],"categories":["SAST"],"sub_categories":[],"readme":"# libsast\n\nGeneric SAST for Security Engineers. Powered by regex based pattern matcher and semantic aware [semgrep](https://github.com/returntocorp/semgrep).\n\nMade with ![Love](https://cloud.githubusercontent.com/assets/4301109/16754758/82e3a63c-4813-11e6-9430-6015d98aeaab.png) in India [![Tweet](https://img.shields.io/twitter/url?url=https://github.com/ajinabraham/libsast)](https://twitter.com/intent/tweet/?text=Generic%20SAST%20for%20Security%20Engineers.%20Powered%20by%20regex%20based%20pattern%20matcher%20and%20semantic%20aware%20semgrep%20by%20%40ajinabraham%20%40OpenSecurity_IN\u0026url=https://github.com/ajinabraham/libsast)\n\n[![PyPI version](https://badge.fury.io/py/libsast.svg)](https://badge.fury.io/py/libsast)\n[![platform](https://img.shields.io/badge/platform-windows%2Fosx%2Flinux-green.svg)](https://github.com/ajinabraham/libsast)\n[![License](https://img.shields.io/:license-lgpl3+-blue.svg)](https://www.gnu.org/licenses/lgpl-3.0.en.html)\n[![python](https://img.shields.io/badge/python-3.8+-blue.svg)](https://www.python.org/downloads/)\n[![Build](https://github.com/ajinabraham/libsast/workflows/Build/badge.svg)](https://github.com/ajinabraham/libsast/actions?query=workflow%3ABuild)\n\n### Support libsast\n\n* **Donate via Paypal:** [![Donate via Paypal](https://user-images.githubusercontent.com/4301109/76471686-c43b0500-63c9-11ea-8225-2a305efb3d87.gif)](https://paypal.me/ajinabraham)\n* **Sponsor the Project:** [![Github Sponsors](https://user-images.githubusercontent.com/4301109/95517226-9e410780-098e-11eb-9ef5-7b8c7561d725.png)](https://github.com/sponsors/ajinabraham)\n\n## Install\n\n```bash\npip install semgrep==1.86.0 #For semgrep support\npip install libsast\n```\n\nPattern Matcher is cross-platform, but Semgrep supports only Mac and Linux.\n\n## Command Line Options\n\n```bash\n$ libsast\nusage: libsast [-h] [-o OUTPUT] [-p PATTERN_FILE] [-s SGREP_PATTERN_FILE]\n [--sgrep-file-extensions SGREP_FILE_EXTENSIONS [SGREP_FILE_EXTENSIONS ...]]\n [--file-extensions FILE_EXTENSIONS [FILE_EXTENSIONS ...]]\n [--ignore-filenames IGNORE_FILENAMES [IGNORE_FILENAMES ...]]\n [--ignore-extensions IGNORE_EXTENSIONS [IGNORE_EXTENSIONS ...]]\n [--ignore-paths IGNORE_PATHS [IGNORE_PATHS ...]]\n [--show-progress] [--cpu-core CPU_CORE] [-v]\n [path ...]\n\npositional arguments:\n path Path can be file(s) or directories\n\noptions:\n -h, --help show this help message and exit\n -o OUTPUT, --output OUTPUT\n Output filename to save JSON report.\n -p PATTERN_FILE, --pattern-file PATTERN_FILE\n YAML pattern file, directory or url\n -s SGREP_PATTERN_FILE, --sgrep-pattern-file SGREP_PATTERN_FILE\n sgrep rules directory\n --sgrep-file-extensions SGREP_FILE_EXTENSIONS [SGREP_FILE_EXTENSIONS ...]\n File extensions that should be scanned with semantic\n grep\n --file-extensions FILE_EXTENSIONS [FILE_EXTENSIONS ...]\n File extensions that should be scanned with pattern\n matcher\n --ignore-filenames IGNORE_FILENAMES [IGNORE_FILENAMES ...]\n File name(s) to ignore\n --ignore-extensions IGNORE_EXTENSIONS [IGNORE_EXTENSIONS ...]\n File extension(s) to ignore in lower case\n --ignore-paths IGNORE_PATHS [IGNORE_PATHS ...]\n Path(s) to ignore\n --show-progress Show scan progress\n --cpu-core CPU_CORE No of CPU cores to use. Use all cores by default\n -v, --version Show libsast version\n```\n\n\n## Example Usage\n\n```json\n$ libsast -s tests/assets/rules/semantic_grep/ -p tests/assets/rules/pattern_matcher/ tests/assets/files/\n{\n \"pattern_matcher\": {\n \"test_regex\": {\n \"files\": [\n {\n \"file_path\": \"tests/assets/files/test_matcher.test\",\n \"match_lines\": [\n 28,\n 28\n ],\n \"match_position\": [\n 1141,\n 1149\n ],\n \"match_string\": \".close()\"\n }\n ],\n \"metadata\": {}\n },\n \"test_regex_and\": {\n \"files\": [\n {\n \"file_path\": \"tests/assets/files/test_matcher.test\",\n \"match_lines\": [\n 3,\n 3\n ],\n \"match_position\": [\n 52,\n 66\n ],\n \"match_string\": \"webkit.WebView\"\n },\n {\n \"file_path\": \"tests/assets/files/test_matcher.test\",\n \"match_lines\": [\n 7,\n 7\n ],\n \"match_position\": [\n 194,\n 254\n ],\n \"match_string\": \".loadUrl(\\\"file:/\\\" + Environment.getExternalStorageDirectory(\"\n }\n ],\n \"metadata\": {}\n },\n \"test_regex_and_not\": {\n \"files\": [\n {\n \"file_path\": \"tests/assets/files/test_matcher.test\",\n \"match_lines\": [\n 42,\n 42\n ],\n \"match_position\": [\n 1415,\n 1424\n ],\n \"match_string\": \"WKWebView\"\n },\n {\n \"file_path\": \"tests/assets/files/test_matcher.test\",\n \"match_lines\": [\n 40,\n 40\n ],\n \"match_position\": [\n 1363,\n 1372\n ],\n \"match_string\": \"WKWebView\"\n }\n ],\n \"metadata\": {}\n },\n \"test_regex_and_or\": {\n \"files\": [\n {\n \"file_path\": \"tests/assets/files/test_matcher.test\",\n \"match_lines\": [\n 50,\n 50\n ],\n \"match_position\": [\n 1551,\n 1571\n ],\n \"match_string\": \"telephony.SmsManager\"\n },\n {\n \"file_path\": \"tests/assets/files/test_matcher.test\",\n \"match_lines\": [\n 58,\n 58\n ],\n \"match_position\": [\n 1973,\n 1988\n ],\n \"match_string\": \"sendTextMessage\"\n }\n ],\n \"metadata\": {}\n },\n \"test_regex_multiline_and_metadata\": {\n \"files\": [\n {\n \"file_path\": \"tests/assets/files/test_matcher.test\",\n \"match_lines\": [\n 52,\n 52\n ],\n \"match_position\": [\n 1586,\n 1684\n ],\n \"match_string\": \"public void onRequestPermissionsResult(int requestCode,String permissions[], int[] grantResults) {\"\n },\n {\n \"file_path\": \"tests/assets/files/test_matcher.test\",\n \"match_lines\": [\n 10,\n 11\n ],\n \"match_position\": [\n 297,\n 368\n ],\n \"match_string\": \"public static ForgeAccount add(Context context, ForgeAccount account) {\"\n }\n ],\n \"metadata\": {\n \"cwe\": \"CWE-1051 Initialization with Hard-Coded Network Resource Configuration Data\",\n \"description\": \"This is a rule to test regex\",\n \"foo\": \"bar\",\n \"masvs\": \"MSTG-STORAGE-3\",\n \"owasp-mobile\": \"M1: Improper Platform Usage\",\n \"owasp-web\": \"A10: Insufficient Logging \u0026 Monitoring\",\n \"severity\": \"info\"\n }\n },\n \"test_regex_or\": {\n \"files\": [\n {\n \"file_path\": \"tests/assets/files/test_matcher.test\",\n \"match_lines\": [\n 26,\n 26\n ],\n \"match_position\": [\n 1040,\n 1067\n ],\n \"match_string\": \"Context.MODE_WORLD_READABLE\"\n }\n ],\n \"metadata\": {}\n }\n },\n \"semantic_grep\": {\n \"errors\": [\n {\n \"code\": 3,\n \"level\": \"warn\",\n \"message\": \"Semgrep Core WARN - Lexical error in file tests/assets/files/test_matcher.test:40\\n\\tunrecognized symbols: !\",\n \"path\": \"tests/assets/files/test_matcher.test\",\n \"type\": \"Lexical error\"\n },\n ],\n \"matches\": {\n \"boto-client-ip\": {\n \"files\": [\n {\n \"file_path\": \"tests/assets/files/example_file.py\",\n \"match_lines\": [\n 4,\n 4\n ],\n \"match_position\": [\n 24,\n 31\n ],\n \"match_string\": \"c = boto3.client(host='8.8.8.8')\"\n }\n ],\n \"metadata\": {\n \"cwe\": \"CWE-1050 Excessive Platform Resource Consumption within a Loop\",\n \"description\": \"boto client using IP address\",\n \"owasp-web\": \"A8: Insecure Deserialization\",\n \"severity\": \"ERROR\"\n }\n }\n }\n }\n}\n```\n\n## Python API\n\n```python\n\u003e\u003e\u003e from libsast import Scanner\n\u003e\u003e\u003e options = {'match_rules': '/Users/ajinabraham/Code/njsscan/njsscan/rules/pattern_matcher', 'sgrep_rules': '/Users/ajinabraham/Code/njsscan/njsscan/rules/semantic_grep', 'sgrep_extensions': {'', '.js'}, 'match_extensions': {'.hbs', '.sh', '.ejs', '.toml', '.mustache', '.tmpl', '.jade', '.json', '.ect', '.vue', '.yml', '.hdbs', '.tl', '.html', '.haml', '.dust', '.pug', '.tpl'}, 'ignore_filenames': {'bootstrap.min.js', '.DS_Store', 'bootstrap-tour.js', 'd3.min.js', 'tinymce.js', 'codemirror.js', 'tinymce.min.js', 'react-dom.production.min.js', 'react.js', 'jquery.min.js', 'react.production.min.js', 'codemirror-compressed.js', 'axios.min.js', 'angular.min.js', 'raphael-min.js', 'vue.min.js'}, 'ignore_extensions': {'.7z', '.exe', '.rar', '.zip', '.a', '.o', '.tz'}, 'ignore_paths': {'__MACOSX', 'jquery', 'fixtures', 'node_modules', 'bower_components', 'example', 'spec'}, 'show_progress': False}\n\u003e\u003e\u003e paths = ['../njsscan/tests/assets/dot_njsscan/']\n\u003e\u003e\u003e scanner = Scanner(options, paths)\n\u003e\u003e\u003e scanner.scan()\n{'pattern_matcher': {'handlebar_mustache_template': {'files': [{'file_path': '../njsscan/tests/assets/dot_njsscan/ignore_ext.hbs', 'match_string': '{{{html}}}', 'match_position': (52, 62), 'match_lines': (1, 1)}], 'metadata': {'id': 'handlebar_mustache_template', 'description': 'The Handlebar.js/Mustache.js template has an unescaped variable. Untrusted user input passed to this variable results in Cross Site Scripting (XSS).', 'type': 'Regex', 'pattern': '{{{.+}}}|{{[ ]*\u0026[\\\\w]+.*}}', 'severity': 'ERROR', 'input_case': 'exact', 'cwe': \"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')\", 'owasp': 'A1: Injection'}}}, 'semantic_grep': {'matches': {'node_aes_ecb': {'files': [{'file_path': '../njsscan/tests/assets/dot_njsscan/lorem_scan.js', 'match_position': (16, 87), 'match_lines': (14, 14), 'match_string': \"let decipher = crypto.createDecipheriv('aes-128-ecb', Buffer.from(ENCRYPTION_KEY), iv);\"}], 'metadata': {'owasp': 'A9: Using Components with Known Vulnerabilities', 'cwe': 'CWE-327: Use of a Broken or Risky Cryptographic Algorithm', 'description': 'AES with ECB mode is deterministic in nature and not suitable for encrypting large amount of repetitive data.', 'severity': 'ERROR'}}, 'node_tls_reject': {'files': [{'file_path': '../njsscan/tests/assets/dot_njsscan/skip_dir/skip_me.js', 'match_position': (9, 58), 'match_lines': (9, 9), 'match_string': \" process.env['NODE_TLS_REJECT_UNAUTHORIZED'] = '0';\"}, {'file_path': '../njsscan/tests/assets/dot_njsscan/skip_dir/skip_me.js', 'match_position': (9, 55), 'match_lines': (18, 18), 'match_string': ' process.env.NODE_TLS_REJECT_UNAUTHORIZED = \"0\";'}], 'metadata': {'owasp': 'A6: Security Misconfiguration', 'cwe': 'CWE-295: Improper Certificate Validation', 'description': \"Setting 'NODE_TLS_REJECT_UNAUTHORIZED' to 0 will allow node server to accept self signed certificates and is not a secure behaviour.\", 'severity': 'ERROR'}}, 'node_curl_ssl_verify_disable': {'files': [{'file_path': '../njsscan/tests/assets/dot_njsscan/skip_dir/skip_me.js', 'match_position': (5, 11), 'match_lines': (45, 51), 'match_string': ' curl(url,\\n\\n {\\n\\n SSL_VERIFYPEER: 0\\n\\n },\\n\\n function (err) {\\n\\n response.end(this.body);\\n\\n })'}], 'metadata': {'owasp': 'A6: Security Misconfiguration', 'cwe': 'CWE-599: Missing Validation of OpenSSL Certificate', 'description': 'SSL Certificate verification for node-curl is disabled.', 'severity': 'ERROR'}}, 'regex_injection_dos': {'files': [{'file_path': '../njsscan/tests/assets/dot_njsscan/lorem_scan.js', 'match_position': (5, 37), 'match_lines': (25, 27), 'match_string': ' var key = req.param(\"key\");\\n\\n // Regex created from user input\\n\\n var re = new RegExp(\"\\\\\\\\b\" + key);'}], 'metadata': {'owasp': 'A1: Injection', 'cwe': 'CWE-400: Uncontrolled Resource Consumption', 'description': 'User controlled data in RegExp() can make the application vulnerable to layer 7 DoS.', 'severity': 'ERROR'}}, 'express_xss': {'files': [{'file_path': '../njsscan/tests/assets/dot_njsscan/skip.js', 'match_position': (9, 55), 'match_lines': (7, 10), 'match_string': ' var str = new Buffer(req.cookies.profile, \\'base64\\').toString();\\n\\n var obj = serialize.unserialize(str);\\n\\n if (obj.username) {\\n\\n res.send(\"Hello \" + escape(obj.username));'}], 'metadata': {'owasp': 'A1: Injection', 'cwe': \"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')\", 'description': 'Untrusted User Input in Response will result in Reflected Cross Site Scripting Vulnerability.', 'severity': 'ERROR'}}, 'generic_path_traversal': {'files': [{'file_path': '../njsscan/tests/assets/dot_njsscan/lorem_scan.js', 'match_position': (5, 35), 'match_lines': (36, 37), 'match_string': \" var filePath = path.join(__dirname, '/' + req.query.load);\\n\\n fileSystem.readFile(filePath); // ignore: generic_path_traversal\"}, {'file_path': '../njsscan/tests/assets/dot_njsscan/lorem_scan.js', 'match_position': (5, 35), 'match_lines': (42, 43), 'match_string': \" var filePath = path.join(__dirname, '/' + req.query.load);\\n\\n fileSystem.readFile(filePath); // detect this\"}], 'metadata': {'owasp': 'A5: Broken Access Control', 'cwe': 'CWE-23: Relative Path Traversal', 'description': 'Untrusted user input in readFile()/readFileSync() can endup in Directory Traversal Attacks.', 'severity': 'ERROR'}}, 'express_open_redirect': {'files': [{'file_path': '../njsscan/tests/assets/dot_njsscan/lorem_scan.js', 'match_position': (5, 26), 'match_lines': (49, 51), 'match_string': ' var target = req.param(\"target\");\\n\\n // BAD: sanitization doesn\\'t apply here\\n\\n res.redirect(target); //ignore: express_open_redirect'}], 'metadata': {'owasp': 'A1: Injection', 'cwe': \"CWE-601: URL Redirection to Untrusted Site ('Open Redirect')\", 'description': 'Untrusted user input in redirect() can result in Open Redirect vulnerability.', 'severity': 'ERROR'}}, 'node_deserialize': {'files': [{'file_path': '../njsscan/tests/assets/dot_njsscan/skip.js', 'match_position': (19, 45), 'match_lines': (8, 8), 'match_string': ' var obj = serialize.unserialize(str);'}], 'metadata': {'owasp': 'A8: Insecure Deserialization', 'cwe': 'CWE-502: Deserialization of Untrusted Data', 'description': \"User controlled data in 'unserialize()' or 'deserialize()' function can result in Object Injection or Remote Code Injection.\", 'severity': 'ERROR'}}}, 'errors': [{'type': 'SourceParseError', 'code': 3, 'short_msg': 'parse error', 'long_msg': 'Could not parse .njsscan as javascript', 'level': 'warn', 'spans': [{'start': {'line': 2, 'col': 20}, 'end': {'line': 2, 'col': 21}, 'source_hash': 'c60298be568bfb1325d92cbb3c0bc1450a25b85bb2e4000bdc3267c05f1c8c73', 'file': '.njsscan', 'context_start': None, 'context_end': None}], 'help': 'If the code appears to be valid, this may be a semgrep bug.'}, {'type': 'SourceParseError', 'code': 3, 'short_msg': 'parse error', 'long_msg': 'Could not parse no_ext_scan as javascript', 'level': 'warn', 'spans': [{'start': {'line': 1, 'col': 3}, 'end': {'line': 1, 'col': 5}, 'source_hash': 'f002e2a715be216987dd1b134e7b9fa6eef28e3caa82dead0109c4cdc489e089', 'file': 'no_ext_scan', 'context_start': None, 'context_end': None}], 'help': 'If the code appears to be valid, this may be a semgrep bug.'}]}}\n```\n\n## Write you own Static Analysis tool\n\nWith libsast, you can write your own static analysis tools. libsast provides two matching engines:\n\n1. **Pattern Matcher**\n2. **Semantic Grep**\n\n### Pattern Matcher\n\nCurrently Pattern Matcher supports any language.\n\nUse [Regex 101](https://regex101.com/r/nGbAay/1) to write simple Python Regex rule patterns.\n\nA sample rule looks like\n\n```yaml\n- id: test_regex_or\n message: This is a rule to test regex_or\n input_case: exact\n pattern:\n - MODE_WORLD_READABLE|Context\\.MODE_WORLD_READABLE\n - openFileOutput\\(\\s*\".+\"\\s*,\\s*1\\s*\\)\n severity: error\n type: RegexOr\n metadata:\n owasp-web: a1\n reference: http://foo.bar\n foo: Some extra metadata\n```\nA rule consist of \n\n* `id` : A unique id for the rule.\n* `message`: A description for the rule.\n* `input_case`: It can be `exact`, `upper` or `lower`. Data will be converted to lower case/upper case/as it is before comparing with the regex.\n* `pattern`: List of patterns depends on `type`.\n* `severity`: It can be `error`, `warning` or `info`.\n* `type`: Pattern Matcher supports `Regex`, `RegexAnd`, `RegexOr`, `RegexAndOr`, `RegexAndNot`.\n* `metadata` (optional): Define your own custom fields that you can use as metadata along with standard mappings. \n\n```bash\n1. Regex - if regex1 in input\n2. RegexAnd - if regex1 in input and regex2 in input\n3. RegexOr - if regex1 in input or regex2 in input\n4. RegexAndOr - if regex1 in input and (regex2 in input or regex3 in input)\n5. RegexAndNot - if regex1 in input and not regex2 in input\n```\nExample: [Pattern Matcher Rule](https://github.com/ajinabraham/libsast/blob/master/tests/assets/rules/pattern_matcher/patterns.yaml)\n\nTest your pattern matcher rules\n\n`$ libsast -p tests/assets/rules/pattern_matcher/patterns.yaml tests/assets/files/`\n\n#### Inbuilt Standard Mapping Support\n\nMetadata fields also support [libsast standard mapping](https://github.com/ajinabraham/libsast/tree/master/libsast/standards).\n\nFor example, the metadata field `owasp-web: a1` will get expanded at runtime as `owasp-web: 'A1: Injection'`. \n\n*Currently Supports*\n\n* [OWASP Web Top 10](https://github.com/ajinabraham/libsast/blob/master/libsast/standards/owasp_web_top10_2017.yaml)\n* [OWASP Mobile Top 10](https://github.com/ajinabraham/libsast/blob/master/libsast/standards/owasp_mobile_top10_2016.yaml)\n* [OWASP MASVS](https://github.com/ajinabraham/libsast/blob/master/libsast/standards/owasp_masvs.yaml)\n* [CWE](https://github.com/ajinabraham/libsast/blob/master/libsast/standards/cwe.yaml)\n\n### Semantic Grep\n\nSemantic Grep uses [semgrep](https://github.com/returntocorp/semgrep), a fast and syntax-aware semantic code pattern search for many languages: like grep but for code.\n\nCurrently it supports Python, Java, JavaScript, Go and C.\n\nUse [semgrep.dev](https://semgrep.dev/vAb) to write semantic grep rule patterns.\n\nA sample rule for Python code looks like\n\n```yaml\nrules:\n - id: boto-client-ip\n patterns:\n - pattern-inside: boto3.client(host=\"...\")\n - pattern-regex: '\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}'\n message: \"boto client using IP address\"\n languages: [python]\n severity: ERROR\n metadata:\n owasp-web: a2\n owasp-mobile: m7\n cwe: cwe-1048\n foo: Some extra metadata\n```\n\nSee semgrep documentation [here](https://semgrep.dev/docs/writing-rules/rule-syntax/).\n\nExample: [Semantic Grep Rule](https://github.com/ajinabraham/libsast/blob/master/tests/assets/rules/semantic_grep/sgrep.yaml)\n\nTest your semgrep rules\n\n`$ libsast -s tests/assets/rules/semantic_grep/sgrep.yaml tests/assets/files/`\n\n## Realworld Implementations\n\n* [njsscan](https://github.com/ajinabraham/njsscan) SAST is built with libsast pattern matcher and semantic grep.\n* [nodejsscan](https://github.com/ajinabraham/nodejsscan) nodejsscan is a static security code scanner for Node.js applications.\n* [MobSF](https://mobsf.github.io/Mobile-Security-Framework-MobSF/) Static Code Analyzer for Android and iOS mobile applications.\n* [mobsfscan](https://github.com/MobSF/mobsfscan) mobsfscan is a static security code scanner for Mobile applications built for Android (Java, Kotlin) \u0026 iOS (Swift, Objective C).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fajinabraham%2Flibsast","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fajinabraham%2Flibsast","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fajinabraham%2Flibsast/lists"}