{
  "id": 21350630,
  "url": "https://github.com/chebuya/sastsweep",
  "last_synced_at": "2025-07-12T19:31:05.312Z",
  "repository": {
    "id": 260954639,
    "uuid": "882805165",
    "full_name": "chebuya/sastsweep",
    "owner": "chebuya",
    "description": " Automatically detect potential vulnerabilities and analyze repository metrics to prioritize open source security research targets ",
    "archived": false,
    "fork": false,
    "pushed_at": "2024-11-16T23:03:10.000Z",
    "size": 9436,
    "stargazers_count": 177,
    "open_issues_count": 1,
    "forks_count": 18,
    "subscribers_count": 3,
    "default_branch": "main",
    "last_synced_at": "2024-11-17T00:23:53.696Z",
    "etag": null,
    "topics": ["cli", "owasp", "sast", "security-audit", "security-research", "security-scanner", "semgrep", "static-code-analysis", "vulnerability-research", "vulnerability-scanners"],
    "latest_commit_sha": null,
    "homepage": "",
    "language": "Go",
    "has_issues": true,
    "has_wiki": null,
    "has_pages": null,
    "mirror_url": null,
    "source_name": null,
    "license": "gpl-3.0",
    "status": null,
    "scm": "git",
    "pull_requests_enabled": true,
    "icon_url": "https://github.com/chebuya.png",
    "metadata": {
      "files": {
        "readme": "README.md",
        "changelog": null,
        "contributing": null,
        "funding": null,
        "license": "LICENSE",
        "code_of_conduct": null,
        "threat_model": null,
        "audit": null,
        "citation": null,
        "codeowners": null,
        "security": null,
        "support": null,
        "governance": null,
        "roadmap": null,
        "authors": null,
        "dei": null,
        "publiccode": null,
        "codemeta": null
      }
    },
    "created_at": "2024-11-03T19:59:25.000Z",
    "updated_at": "2024-11-16T23:03:14.000Z",
    "dependencies_parsed_at": "2024-11-03T21:36:15.873Z",
    "dependency_job_id": null,
    "html_url": "https://github.com/chebuya/sastsweep",
    "commit_stats": null,
    "previous_names": ["chebuya/sastsweep"],
    "tags_count": 4,
    "template": false,
    "template_full_name": null,
    "repository_url": "https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/chebuya%2Fsastsweep",
    "tags_url": "https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/chebuya%2Fsastsweep/tags",
    "releases_url": "https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/chebuya%2Fsastsweep/releases",
    "manifests_url": "https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/chebuya%2Fsastsweep/manifests",
    "owner_url": "https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/chebuya",
    "download_url": "https://codeload.github.com/chebuya/sastsweep/tar.gz/refs/heads/main",
    "host": {
      "name": "GitHub",
      "url": "https://github.com",
      "kind": "github",
      "repositories_count": 225834359,
      "owners_count": 17531469,
      "icon_url": "https://github.com/github.png",
      "version": null,
      "created_at": "2022-05-30T11:31:42.601Z",
      "updated_at": "2022-07-04T15:15:14.044Z",
      "host_url": "https://repos.ecosyste.ms/api/v1/hosts/GitHub",
      "repositories_url": "https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories",
      "repository_names_url": "https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names",
      "owners_url": "https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"
    }
  },
  "keywords": ["cli", "owasp", "sast", "security-audit", "security-research", "security-scanner", "semgrep", "static-code-analysis", "vulnerability-research", "vulnerability-scanners"],
  "created_at": "2024-11-22T03:00:58.100Z",
  "updated_at": "2025-07-12T19:31:05.279Z",
  "avatar_url": "https://github.com/chebuya.png",
  "language": "Go",
  "readme": "\n\n<p align=\"center\">\n  sastsweep is a tool designed for identifying vulnerabilities in open source codebases at scale. It can gather and filter on key repository metrics such as popularity and project size, enabling targeted vulnerability research. It automatically detects potential vulnerabilities using semgrep and provides a streamlined HTML report, allowing researchers to quickly drill down to the affected portion of the codebase.\n  <br>\n</p>\n\n<p align=\"center\">\n<a href=\"https://opensource.org/license/agpl-v3\"><img src=\"https://img.shields.io/badge/license-GPLv3-blue\"></a>\n<a href=\"https://goreportcard.com/badge/github.com/chebuya/sastsweep?style=flat-square\"><img src=\"https://goreportcard.com/badge/github.com/chebuya/sastsweep?style=flat-square\"></a>\n<a href=\"https://github.com/chebuya/SASTsweep/releases\"><img src=\"https://img.shields.io/github/release/chebuya/SASTsweep\"></a>\n<a href=\"https://x.com/_chebuya\"><img src=\"https://img.shields.io/twitter/follow/_chebuya.svg?logo=twitter\"></a>\n<a href=\"https://img.shields.io/github/stars/chebuya/SASTsweep\"><img src=\"https://img.shields.io/github/stars/chebuya/SASTsweep\"></a>\n</p>\n\n\n<p align=\"center\">\n  <a href=\"#examples\">Examples</a> •\n  <a href=\"#installation\">Installation</a> •\n  <a href=\"#usage\">Usage</a>\n</p>\n\n<video src=\"https://github.com/user-attachments/assets/bda95efd-07ee-46f3-82f0-b37e229ac352\" autoplay muted loop playsinline style=\"max-width: 100%;\"></video>\n\n\n# Examples\n\nOne-liner to scrape every HackerOne open source target and run semgrep on it\n```sh\nbbscope h1 -b -u '<HACKERONE_USERNAME>' -t '<HACKERONE_TOKEN>' -o tdu | grep -E 'https?://github.com/[A-Za-z0-9-]{1,}/[A-Za-z0-9-]{1,}' -o  | sastsweep -threads 10 -desc -stars -files\n```\n\nScrape Flask applications from GitHub search using [github-search.py](github-search.py) and filter on repositories with 500-3000 stars.  Display the number of stars, the repository description, and number of files.\n```sh\npython3 github-search.py --token '<GITHUB TOKEN>' --query '\"import Flask\" AND \".route(\"' | sastsweep -stars -desc -files -filter-stars 500-3000\n```\n\nScan a single repository, display the number of stars, number of security issues, and date of the last commit\n```sh\nsastsweep -repo https://github.com/chebuya/SASTsweep -stars -security-issues -last-commit\n```\n\nScan a list of targets, display the star count, language composition, number of forks and number of contributors.  Filter on repositories with a last commit date after 2024/01/01, less than 5000 stars, and 0 security issues\n```sh\nsastsweep -repos targets.txt -stars -lang -forks -contributors -filter-last-commit 2024/01/01- -filter-stars -5000 -filter-security-issues 0\n```\n\n\nRun with the p/python config\n```\nsastsweep -config-path sastsweep.conf ...\n```\n\nsastsweep.conf\n```\nFLAGS=--config p/python\n```\n\n# Installation\nLinux is currently the only supported and tested platform <br>\n`sastsweep` requires go >= 1.23 to install successfully. Run the following command to install `sastsweep`\n```sh\ngo install github.com/chebuya/sastsweep/cmd/sastsweep@latest\n```\n\n# Usage\n\n```sh\nsastsweep -h\n```\n\nThis will display help for the tool. Here are all the switches it supports.\n\n```console\nUsage of ./sastsweep:\n  -branch\n    \tDisplay the default branch of a repository\n  -commits\n    \tDisplay the number of commits to the repository\n  -config-path string\n    \tPath to semgrep.conf file\n  -contributors\n    \tDisplay the number of contributors in a repository\n  -debug\n    \tEnable debug messages\n  -desc\n    \tDisplay repo description\n  -files\n    \tDisplay number of files in repo\n  -filter-commits string\n    \tFilter the number of commits to the repository (500-700, -300, 500-, 3000)\n  -filter-contributors string\n    \tFilter the number of contributors in a repository (500-700, -300, 500-, 3000)\n  -filter-files string\n    \tFilter number of files in repo (500-700, -300, 500-, 3000)\n  -filter-first-commit string\n    \tFilter the date of the first commit to the repository (yyyy/mm/dd-yyyy/mm/dd, -yyyy/mm/dd, yyyy/mm/dd-, yyyy/mm/dd)\n  -filter-forks string\n    \tFilter the number of forks of repository (500-700, -300, 500-, 3000)\n  -filter-issues string\n    \tFilter the number of issues in a repository (500-700, -300, 500-, 3000)\n  -filter-last-commit string\n    \tFilter the date of the last commit to the repository (yyyy/mm/dd-yyyy/mm/dd, -yyyy/mm/dd, yyyy/mm/dd-, yyyy/mm/dd)\n  -filter-last-release string\n    \tFilter the date of the latest release (yyyy/mm/dd-yyyy/mm/dd, -yyyy/mm/dd, yyyy/mm/dd-, yyyy/mm/dd)\n  -filter-pull-requests string\n    \tFilter the number of pull requests in a repository (500-700, -300, 500-, 3000)\n  -filter-security-issues string\n    \tFilter the number of security issues in the repository (500-700, -300, 500-, 3000)\n  -filter-stars string\n    \tFilter repos stars in output (500-700, -300, 500-, 3000)\n  -filter-watchers string\n    \tFilter the number of watchers in a repository (500-700, -300, 500-, 3000)\n  -fireprox string\n    \tUse fireprox for reasons... relates to rate limiting on a certain platform (ex: https://abcdefghi.execute-api.us-east-1.amazonaws.com/fireprox/)\n  -first-commit\n    \tDisplay the date of the first commit to the repository\n  -forks\n    \tDisplay the number of forks of repository\n  -full-desc\n    \tDisplay the full repo description\n  -github1s\n    \tGenerate links for the web-based vscode browser at github1s.com rather than github.com\n  -issues\n    \tDisplay the number of issues in a repository\n  -lang\n    \tDisplay GitHub repo language\n  -last-commit\n    \tDisplay the date of the last commit to the repository\n  -last-release\n    \tDisplay the date of the latest release\n  -no-emoji\n    \tDisable this if you are a boring person (or use a weird terminal)\n  -no-semgrep\n    \tDo not perform a semgrep scan on the repos\n  -out-dir string\n    \tDirectory to clone repositories to\n  -pull-requests\n    \tDisplay the number of pull requests in a repository\n  -raw-links\n    \tPrint raw links for semgrep report rather than hyperlink with name, good if you want to save output\n  -repo string\n    \tGitHub repository to scan\n  -repo-link\n    \tDisplay the link associated with the repository\n  -repos string\n    \tFile of GitHub repositories to scan\n  -save-repo\n    \tSave the cloned repository\n  -security-issues\n    \tDisplay the number of security issues in the repository\n  -semgrep-path string\n    \tCustom path to the semgrep binary\n  -stars\n    \tDisplay repos stars in output\n  -threads int\n    \tNumber of threads to start (default 3)\n  -topics\n    \tDisplay GitHub repo topics\n  -watchers\n    \tDisplay the number of watchers in a repository\n```\n\n# Roadmap\n- Write more docs\n- Cross-platform support\n- More matchers/filters\n- More testing\n- Write to output/database\n- CodeQL, trufflehog support\n\n\n# Acknowledgements\nThanks to everyone at <a href=\"https://github.com/semgrep/semgrep\">@semgrep/semgrep</a>; this tool would be impossible without it <br>\nInspired by <a href=\"https://github.com/projectdiscovery/httpx\">@projectdiscovery/httpx</a> 🩷 <br>\n\n--------\n\n<div align=\"center\">\n  \n`sastsweep` is made with 💙 by [@_chebuya](https://x.com/_chebuya) and distributed under the [GPL-3.0 license](LICENSE.md).\n\n</div>\n",
  "funding_links": [],
  "categories": ["Go"],
  "sub_categories": [],
  "project_url": "https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fchebuya%2Fsastsweep",
  "html_url": "https://awesome.ecosyste.ms/projects/github.com%2Fchebuya%2Fsastsweep",
  "lists_url": "https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fchebuya%2Fsastsweep/lists"
}