{"id":13601803,"url":"https://github.com/dpnishant/raptor","last_synced_at":"2025-04-06T16:12:20.860Z","repository":{"id":26084794,"uuid":"29528764","full_name":"dpnishant/raptor","owner":"dpnishant","description":"Web-based Source Code Vulnerability Scanner","archived":false,"fork":false,"pushed_at":"2017-10-08T19:17:50.000Z","size":7079,"stargazers_count":356,"open_issues_count":2,"forks_count":130,"subscribers_count":35,"default_branch":"master","last_synced_at":"2025-03-30T14:11:16.798Z","etag":null,"topics":["actionscript","android","code-review","ios","java","javascript","nodejs","php","ruby","scanner","security-audit","security-tools","source-code","vulnerability-scanners"],"latest_commit_sha":null,"homepage":"http://dpnishant.github.io/raptor","language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/dpnishant.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2015-01-20T12:29:23.000Z","updated_at":"2025-03-01T21:46:09.000Z","dependencies_parsed_at":"2022-08-07T11:16:23.427Z","dependency_job_id":null,"html_url":"https://github.com/dpnishant/raptor","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dpnishant%2Fraptor","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dpnishant%2Fraptor/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dpnishant%2Fraptor/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dpnishant%2Fraptor/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/ow
ners/dpnishant","download_url":"https://codeload.github.com/dpnishant/raptor/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247509232,"owners_count":20950232,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["actionscript","android","code-review","ios","java","javascript","nodejs","php","ruby","scanner","security-audit","security-tools","source-code","vulnerability-scanners"],"created_at":"2024-08-01T18:01:08.168Z","updated_at":"2025-04-06T16:12:20.836Z","avatar_url":"https://github.com/dpnishant.png","language":"JavaScript","funding_links":[],"categories":["JavaScript","android"],"sub_categories":[],"readme":"![Raptor](https://raw.githubusercontent.com/dpnishant/raptor/master/screenshots/raptor_logo.png?raw=true \"Raptor Logo\")\n \n \n Raptor is a web-based (web-serivce + UI) github centric source-vulnerability scanner i.e. it scans a repository with just the github repo url. You can setup webhooks to ensure automated scans every-time you commit or merge a pull request. The scan is done asynchonously and the results are available only to the user who initiated the scan.\n\nSome of the features of the Raptor:\n  - Plug-in architecture (plug and play external tools and generate unified reports)\n  - Web-service can be leveraged for custom automation (without the need of the UI) \n  - Easy to create/edit/delete signatures for new vulnerabilities and/or programming languages.\n\n\u003e This tool is an attempt to help the community and start-up companies to \n\u003e emphasize on secure-coding. 
This tool may or may not match the features/quality of commercial alternatives, nothing is guaranteed and you have been warned. This tool is targeted to be used by security code-reviewers and/or developers with secure-coding experience to find vulnerability entry-points during code-audits or peer reviews. Please DO NOT trust the tool's output blindly.\n\u003e This is best-used if you plug Raptor into your CI/CD pipeline.\n\n### Version\n0.1 beta\n\n### Tech\n\nIntegrated Plugins:\n\nNote: Most of the following tools/modules/libs have been modified heavily to be able to integrate well in the framework.\n\n* :zap: [Mozilla ScanJS](https://github.com/mozilla/scanjs) - for JavaScript (Client-Side, Node.JS etc. and upcomming support for Chrome Extensions \u0026 Firefox Plugins)\n* :zap: [Brakeman](http://brakemanscanner.org/) - for Ruby On Rails\n* :zap: [RIPS](http://rips-scanner.sourceforge.net/) - for PHP\n* :zap: [Manitree](https://github.com/antitree/manitree/) - for AndroidManifest.xml insecurities\n\nAvailable Rulepacks:\n* :zap: ActionScript - supports Flash/Flex (ActionScript 2.0 \u0026 3.0) source/sinks\n* :zap: [FindSecurityBugs](http://h3xstream.github.io/find-sec-bugs/)  (rules Only) - for Java (J2EE, JSP, Android, Scala, Groovy etc.)\n* :zap: [gitrob](https://github.com/michenriksen/gitrob) - for Sensitive Date Exposure (files containing credentials, configuration, backup, private settings etc.)\n\n### Installation (Tested on a Ubuntu 14.04 x64 LAMP instance)\n\nInstallation Video: [YouTube Install](https://www.youtube.com/v/0KneQwJiUFk?start=0\u0026end=537)\n\n```sh\n$ wget https://github.com/dpnishant/raptor/archive/master.zip -O raptor.zip\n```\n\n```sh\n$ unzip raptor.zip\n$ cd raptor-master\n$ sudo sh install.sh\n```\n\n### Usage\n##### Scanner\nInstallation Video: [YouTube Usage](https://www.youtube.com/v/0KneQwJiUFk?start=550)\n```sh\ncd raptor-master\nsudo sh start.sh #starts the backend web-service\n```\nNow point your browser to [Raptor Home 
(http://localhost/raptor/)](http://localhost/raptor/)\n\n###### Login\nLogin with the username as registered on the corresponding github server you are connected to and *any* password (but remember the username to view scan history)\n\nFor example: \n\nIf you are registered as `foobar` on https://github.com, then use the same username when scanning repos on https://github.com. However if are registered as `foobar_corp` on your personal/corporate github (say https://github.corp.company.com) then use the same username if you intend to scan repos on https://github.corp.company.com\n\nHowever, as of now password can be anything, since we have *NOT* implemented a database in the development version.\n\n##### Rules Editor\nYou can use the bundled light-weight, GUI client-side rules editor for adding any new/custom rule(s) for your specific requirements(s) or any other plain-text editor as the rulepack files are just simple JSON structures. Use your browser to open rules located in 'backend/rules'. When you are done, save your new/modified rules file in same directory i.e. 'backend/rules'. All you need to do now is a minor edit, here: [Init Script](https://github.com/dpnishant/raptor/blob/master/backend/raptor/init.py#L12). Append your new rulepack filename to this array without the '.rulepack' extension and restart the backend server. You are all set! :thumbsup:\n\nYou can access it here: [Rules Editor (http://localhost/raptor/editrules.php)](http://localhost/raptor/editrules.php)\n\n\n### Adding Rules\n#### ignore_list.rulepack\nAdd a filename or directory name pattern to exclude from getting scanned. This is useful to ignore any known files like ```jquery.min.js``` etc. or say the entire ```/test/``` directory. For example in the sample content below, jquery means *jquery* and is case-sensitive, hence be careful. 
In the ```plugins``` section, ```name``` of the plugin is the name of the rulepack file without the \".rulepack\" extension as available under the [rules/](https://github.com/dpnishant/raptor/tree/master/backend/rules) directory. The ```issue``` field is the ID of the issue mentioned in each rule of the rulepack files: [Example #1](https://github.com/dpnishant/raptor/blob/master/backend/rules/common.rulepack#L17), [Example #2](https://github.com/dpnishant/raptor/blob/master/backend/rules/fsb_injection.rulepack#L9). The ```match_type``` field value can be either ```regex``` or ```start``` or ```end```. The ```value``` field is the exact string to be matched in case the ```match_type``` is ```start``` or ```end```. In case the ```match_type``` field is  ```regex``` the ```value``` should contain the raw RegEx pattern which needs to be Base64 encoded to avoid any JSON syntax escaping related issues. ```regex``` is a Regular Expression based matching, ```start``` will match the at the beginning of the snippet and ```end``` will match at the end of the snippet.\n\nThe way it works is when the scanner has finished scanning for issues, it will iterate through all the issues found and remove those that match the patterns (based on the type of match) of each plugin mentioned in the ```ignore_list.rulepack``` file.\n\n(sample contents below)\n```\n{\n  \"files\": [\n    \"/.\",\n    \"bootstrap\",\n    \"jquery\",\n    \"uglify\",\n    \"knockout\",\n    \"angular\",\n    \"backbone\",\n    \"ember\",\n    \"yui\",\n    \"mocha\",\n    \"express\",\n    \"yql\",\n    \"dataTables\"\n  ],\n  \"directories\": [\n    \"/node_modules/\",\n    \"/test/\"\n  ],\n  \"plugins\": [\n    {\n      \"name\": \"common\",                \u003c----- Name of the Plugin\n      \"issue\": \"HARD_CRED1\",           \u003c----- ID of the issue\n      \"patterns\": [\n        {\n          \"match_type\": \"start\",       \u003c----- Match type can be either \"regex\", \"start\" or \"end\"\n      
    \"value\": \"foreach\"           \u003c----- The actual string to match. Base64 Encode this pattern if match_type is \"regex\"\n        },\n        {\n          \"match_type\": \"start\",\n          \"value\": \"for\"       \n        },\n        {\n          \"match_type\": \"start\",\n          \"value\": \"elseif\"\n        }\n      ]\n    }\n  ]\n}\n``` \n#### your_rule_name.rulepack\nYou may either create an entirely new rulepack and add it to the scanner or you may write your own scanner plugin and add it to the framework.\nA sample rulepack file is a very simple JSON structure.\n``` \n{\n  \"plugin_type\": \"plugin_name\",   \u003c-- Give it a name (any string)\n  \"file_types\": [\n    \".java\",                      \u003c-- Add as many file extensions, you would want the scanner to pick while scanning\n    \".js\"\n  ],\n  \"rules\": [\n    {\n      \"id\": \"HARD_CRED1\",        \u003c-- A unique IssueID, be creative.\n      \"severity\": \"High\",        \u003c-- This can be High, Medium or Low. This would accordingly show up in the graphs in UI.\n      \"title\": \"Title of the Issue\",   \u003c-- The title of the issue.\n      \"description\": \"This text here shall be reflected in the UI as description of the issue.\",        \u003c-- The description of the issue, this is optional.\n      \"remediation\": \"The text here shall be reflected in the UI as the steps to remediate the issue\",  \u003c-- The remediation of the issue, this is optional.\n      \"link\": \"Any URL that has more resources about the issue.\",  \u003c-- URL of the issue. 
This is optional\n      \"example_insecure\": \"Put the insecure version of the code snippet for learning purpose.\",   \u003c-- This is optional\n      \"example_secure\": \"Put the secure version of the code snippet for learning purpose.\",       \u003c-- This is optional\n      \"platform_version\": \"all\",    \u003c-- Leave it like that\n      \"enabled\": \"true\",            \u003c-- This value enables or disables the rule during the scan. It can be either \"true\" or \"false\".\n      \"logic\": \"Explain the logic behind this rule for future updation or customization\",     \u003c-- This is optional\n      \"signature\": \"base64encode(regexp)\"    \u003c-- Write the Regular Expression of your pattern and then base64encode it to put it here.\n    }\n  ]\n}\n```\n\nIf you want more control or add more intelligence to your scanner rather than a simple RegExp search, you may write a quick scanner plugin like [this one](https://github.com/dpnishant/raptor/blob/master/backend/raptor/gitrob.py) and integrate the script [here](https://github.com/dpnishant/raptor/blob/master/backend/raptor/init.py#L52-L62) and append the script name [here](https://github.com/dpnishant/raptor/blob/master/backend/raptor/init.py#L13). That's it. 
That's pretty straight forward for anyone with basic Python scripting skills.\n\n##### Public/Private GitHub instance\nYou can use Raptor to scan your organization's private as well as public instances of GitHub by specifying the right server endpoints at [here](https://github.com/dpnishant/raptor/blob/master/start.sh#L9-L33) and [here](https://github.com/dpnishant/raptor/blob/master/frontend/session.php#L10-L11).\n\n### Screenshots\n#### Login\n![Login](https://raw.githubusercontent.com/dpnishant/raptor/master/screenshots/login.png?raw=true \"Raptor Login\")\n\n#### Github Scan \n![Github Scan](https://raw.githubusercontent.com/dpnishant/raptor/master/screenshots/scan.png?raw=true \"Raptor Github Scan\")\n\n#### Zip Scan\n![Zip Scan](https://raw.githubusercontent.com/dpnishant/raptor/master/screenshots/zipscan.png?raw=true \"Raptor Github Scan\")\n\n#### Scan Started\n![Scan Started](https://raw.githubusercontent.com/dpnishant/raptor/master/screenshots/scan_start.png?raw=true \"Raptor Scan Start\")\n\n#### Scan in progress\n![Scan in progress](https://raw.githubusercontent.com/dpnishant/raptor/master/screenshots/progress.png?raw=true \"Raptor Scan in Progress\")\n\n#### Report Statistics\n![Report Statistics](https://raw.githubusercontent.com/dpnishant/raptor/master/screenshots/stats.png?raw=true \"Raptor Github Scan Stats\")\n\n#### Issue Details\n![Login](https://raw.githubusercontent.com/dpnishant/raptor/master/screenshots/issues.png?raw=true \"Raptor Report Issues\")\n\n#### Export Report\n![Export Report](https://raw.githubusercontent.com/dpnishant/raptor/master/screenshots/export.png?raw=true \"Raptor Report Export\")\n\n#### Scan History\n![Scan History](https://raw.githubusercontent.com/dpnishant/raptor/master/screenshots/history.png?raw=true \"Raptor Github Scan\")\n\n#### Rules Editor\n![Rules Editor](https://raw.githubusercontent.com/dpnishant/raptor/master/screenshots/rules1.png?raw=true \"Raptor Rules Editor #1\")\n\n#### Server Error\n![Server 
Error](https://raw.githubusercontent.com/dpnishant/raptor/master/screenshots/error.png?raw=true \"Raptor Server Error\")\n\n### Development\n\nWant to contribute? Great! \nGet in touch with me if you have an idea or else feel free to fork and improve. :blush:\n\n### Contributors\n\n - [Anant Shrivastava](https://twitter.com/anantshri) ([Commits](https://github.com/dpnishant/raptor/commits?author=anantshri))\n\nLicense\n----\n\nGNU GPL v2.0\n\nKnown Bugs (\u0026 Workarounds)\n----\n\n\u003e[Ubuntu Kylin Installation](https://github.com/dpnishant/raptor/issues/6)\n\n**Free Software, Hell Yeah!**\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdpnishant%2Fraptor","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdpnishant%2Fraptor","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdpnishant%2Fraptor/lists"}
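The following is an added example and not code from the Raptor project: a small Python re-implementation of how the `your_rule_name.rulepack` and `ignore_list.rulepack` formats described above fit together, so you can watch a rule fire and an ignore entry suppress it before editing the real files under `backend/rules`. It follows the documented layout (Base64-encoded `signature`, string-valued `enabled`, `files`/`directories` patterns, and `plugins` patterns with `match_type` of `regex`, `start` or `end` applied after the scan). The rulepack contents, the sample source tree, all function names, the substring interpretation of `files`/`directories` patterns, and the reading of "snippet" as the stripped source line that matched are assumptions made for this example, not facts about Raptor's own backend.

```python
import base64
import os
import re


def encode_signature(pattern):
    """Rulepacks store regexes Base64-encoded to sidestep JSON escaping."""
    return base64.b64encode(pattern.encode()).decode()


def decode_signature(value):
    return base64.b64decode(value).decode()


# Constructed rulepack in the your_rule_name.rulepack layout ("enabled" is a string).
COMMON_RULEPACK = {
    "plugin_type": "common",
    "file_types": [".java", ".js"],
    "rules": [
        {"id": "HARD_CRED1", "severity": "High", "title": "Hard-coded credential", "enabled": "true",
         "signature": encode_signature(r'''(?i)(password|passwd|secret|api_key)\s*=\s*["'][^"']{4,}['"]''')},
        {"id": "EVAL1", "severity": "Medium", "title": "Dynamic code execution", "enabled": "false",
         "signature": encode_signature(r"\beval\s*\(")},  # disabled: must never fire
    ],
}

# Constructed ignore_list.rulepack; the "regex" value is Base64-encoded like a signature.
IGNORE_LIST = {
    "files": ["jquery", "bootstrap"],
    "directories": ["/node_modules/", "/test/"],
    "plugins": [{"name": "common", "issue": "HARD_CRED1", "patterns": [
        {"match_type": "start", "value": "for"},
        {"match_type": "end", "value": "// test fixture"},
        {"match_type": "regex", "value": encode_signature(r"^\s*(//|#)")},
    ]}],
}

# Constructed source tree (path -> contents) exercising every branch of the logic.
SAMPLE_FILES = {
    "src/main/java/App.java": (
        'public class App {\n'
        '    String password = "hunter2";\n'                # line 2: real finding
        '    // password = "old-value"\n'                   # line 3: dropped by the regex pattern
        '    void loop() {\n'
        '        for (String secret = "abcdef"; ; ) { }\n'  # line 5: dropped by the "start" pattern
        '    }\n}\n'),
    "src/test/java/AppTest.java": 'String password = "test-only";\n',  # skipped: /test/
    "web/jquery.min.js": "var api_key='deadbeef';\n",                   # skipped: jquery
    "web/app.js": ('eval(userInput);\n'                                 # EVAL1 is disabled
                   'var apiKey = api_key = "0123456789"; // test fixture\n'),  # dropped by "end"
}


def load_rules(rulepack):
    """Compile the signatures of enabled rules only."""
    return [(rule, re.compile(decode_signature(rule["signature"])))
            for rule in rulepack["rules"] if rule.get("enabled", "true") == "true"]


def is_ignored_path(path, ignore_list):
    """files: case-sensitive substrings of the file name; directories: substrings of
    the slash-delimited directory part (an assumption about Raptor's own matching)."""
    name = os.path.basename(path)
    dirs = "/" + os.path.dirname(path).replace(os.sep, "/") + "/"
    return any(p in name for p in ignore_list["files"]) or any(d in dirs for d in ignore_list["directories"])


def scan(files, rulepack, ignore_list):
    """Raw scan: every enabled rule against every line of every eligible file."""
    rules, issues = load_rules(rulepack), []
    for path, text in sorted(files.items()):
        if is_ignored_path(path, ignore_list) or not path.endswith(tuple(rulepack["file_types"])):
            continue
        for lineno, line in enumerate(text.splitlines(), 1):
            for rule, regex in rules:
                if regex.search(line):
                    issues.append({"plugin": rulepack["plugin_type"], "issue": rule["id"],
                                   "severity": rule["severity"], "file": path,
                                   "line": lineno, "snippet": line.strip()})
    return issues


def snippet_matches(snippet, pattern):
    kind, value = pattern["match_type"], pattern["value"]
    if kind == "start":
        return snippet.startswith(value)
    if kind == "end":
        return snippet.endswith(value)
    if kind == "regex":
        return re.search(decode_signature(value), snippet) is not None
    raise ValueError("unknown match_type: %r" % kind)


def apply_ignore_list(issues, ignore_list):
    """Post-scan pass: drop issues whose snippet matches a pattern for that plugin/issue."""
    return [issue for issue in issues if not any(
        entry["name"] == issue["plugin"] and entry["issue"] == issue["issue"]
        and any(snippet_matches(issue["snippet"], p) for p in entry["patterns"])
        for entry in ignore_list["plugins"])]


def run_example():
    raw = scan(SAMPLE_FILES, COMMON_RULEPACK, IGNORE_LIST)
    return raw, apply_ignore_list(raw, IGNORE_LIST)


if __name__ == "__main__":
    for issue in run_example()[1]:
        print("%(file)s:%(line)d %(issue)s [%(severity)s] %(snippet)s" % issue)
```

Run it directly to print the one finding that survives (the hard-coded `password` in `App.java`); the other three raw matches are removed by the ignore list and the `/test/` and `jquery` files are never scanned. Two practical points follow from the format: generate the `signature` value with `encode_signature` and paste it into the rulepack rather than hand-escaping the regex, and remember that `start`/`end` are plain string comparisons on the snippet, so the `"for"` entry from the page's sample also suppresses lines beginning with `format(` or `forward`; use a `regex` pattern anchored with `\b` when that matters.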