{"id":20224796,"url":"https://github.com/htrgouvea/zarn","last_synced_at":"2025-10-14T14:37:51.056Z","repository":{"id":106780882,"uuid":"569731185","full_name":"htrgouvea/zarn","owner":"htrgouvea","description":"A lightweight static security analysis tool for modern Perl Apps","archived":false,"fork":false,"pushed_at":"2025-08-18T21:58:34.000Z","size":199,"stargazers_count":50,"open_issues_count":9,"forks_count":12,"subscribers_count":5,"default_branch":"main","last_synced_at":"2025-08-18T23:42:17.858Z","etag":null,"topics":["sast","security","static-analysis","static-code-analysis"],"latest_commit_sha":null,"homepage":"https://heitorgouvea.me/2023/03/19/static-security-analysis-tool-perl","language":"Perl","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/htrgouvea.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":".github/CONTRIBUTING.md","funding":".github/FUNDING.yml","license":"LICENSE.md","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null},"funding":{"github":["htrgouvea"]}},"created_at":"2022-11-23T13:42:38.000Z","updated_at":"2025-08-18T21:58:31.000Z","dependencies_parsed_at":"2024-01-19T13:26:55.524Z","dependency_job_id":"2790d6b2-0423-43f0-ac49-89855ce09566","html_url":"https://github.com/htrgouvea/zarn","commit_stats":null,"previous_names":[],"tags_count":2,"template":false,"template_full_name":null,"purl":"pkg:github/htrgouvea/zarn","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/htrgouvea%2Fzarn","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/htrgouvea%2Fzarn/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/htrgouvea%2
Fzarn/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/htrgouvea%2Fzarn/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/htrgouvea","download_url":"https://codeload.github.com/htrgouvea/zarn/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/htrgouvea%2Fzarn/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":279019135,"owners_count":26086681,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-10-14T02:00:06.444Z","response_time":60,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["sast","security","static-analysis","static-code-analysis"],"created_at":"2024-11-14T07:09:08.095Z","updated_at":"2025-10-14T14:37:51.050Z","avatar_url":"https://github.com/htrgouvea.png","language":"Perl","funding_links":["https://github.com/sponsors/htrgouvea"],"categories":["Programming Languages"],"sub_categories":[],"readme":"\u003cp align=\"center\"\u003e\n  \u003cp align=\"center\"\u003e\u003cb\u003eZARN\u003c/b\u003e\u003c/p\u003e\n  \u003cp align=\"center\"\u003eA lightweight static code security analysis for Modern Perl Applications\u003c/p\u003e\n  \u003cp align=\"center\"\u003e\n    \u003ca href=\"/LICENSE.md\"\u003e\n      \u003cimg src=\"https://img.shields.io/badge/license-MIT-blue.svg\"\u003e\n    \u003c/a\u003e\n     \u003ca 
href=\"https://github.com/htrgouvea/zarn/releases\"\u003e\n      \u003cimg src=\"https://img.shields.io/badge/version-0.1.1-blue.svg\"\u003e\n    \u003c/a\u003e\n    \u003cbr/\u003e\n    \u003cimg src=\"https://github.com/htrgouvea/zarn/actions/workflows/linter.yml/badge.svg\"\u003e\n    \u003cimg src=\"https://github.com/htrgouvea/zarn/actions/workflows/zarn.yml/badge.svg\"\u003e\n    \u003cimg src=\"https://github.com/htrgouvea/zarn/actions/workflows/security-gate.yml/badge.svg\"\u003e\n    \u003cimg src=\"https://github.com/htrgouvea/zarn/actions/workflows/test-on-ubuntu.yml/badge.svg\"\u003e\n  \u003c/p\u003e\n\u003c/p\u003e\n\n---\n\n### Summary\n\nPerforming [static analysis](https://en.wikipedia.org/wiki/Static_program_analysis), Zarn is able to identify possible vulnerabilities: for this purpose, each file is parsed using [AST analysis](https://en.wikipedia.org/wiki/Abstract_syntax_tree) to recognize tokens that present risks, and then a [taint tracking](https://en.wikipedia.org/wiki/Taint_checking) process is run to confirm whether the finding is exploitable, that is, whether a malicious agent is able to reach the method in question.\n\nCurrently, Zarn does single-file context analysis, which means that it is not able to identify vulnerabilities that are not directly related to the file being analyzed. 
But in the future, we plan to implement a [call graph](https://en.wikipedia.org/wiki/Call_graph) analysis to identify vulnerabilities that are not directly related to the file being analyzed.\n\nYou can read the full publication about Zarn at: [a lightweight static security analysis tool for modern Perl Apps.](https://heitorgouvea.me/2023/03/19/static-security-analysis-tool-perl)\n\n---\n\n### Download and install\n\n```bash\n# Download\n$ git clone https://github.com/htrgouvea/zarn \u0026\u0026 cd zarn\n    \n# Install libs dependencies\n$ sudo cpanm --installdeps .\n```\n---\n\n### Example of use\n\n```bash\n$ perl zarn.pl --rules rules/quick-wins.yml --source ../nozaki --sarif report.sarif\n\n[warn] - FILE:../nozaki/lib/Functions/Helper.pm          Potential: Timing Attack.\n[vuln] - FILE:../nozaki/lib/Engine/Orchestrator.pm       Potential: Path Traversal.\n[vuln] - FILE:../nozaki/lib/Engine/Orchestrator.pm       Potential: Path Traversal.\n[warn] - FILE:../nozaki/lib/Engine/FuzzerThread.pm       Potential: Timing Attack.\n```\n---\n\n### Rules example\n\n```yaml\nrules:\n  - id: '0001'\n    type: presence\n    category: info\n    name: Debug module enabled\n    message: Debug modules can expose sensitive information and potentially create security vulnerabilities.\n    sample:\n      - Dumper\n  - id: '0002'\n    type: presence\n    category: vuln\n    name: Code Injection\n    message: Occur when untrusted data is executed as code, allowing attackers to run arbitrary commands on the server.\n    sample:\n      - system\n      - eval\n      - exec\n      - qx\n  - id: '0003'\n    type: presence\n    category: vuln\n    name: Path Traversal\n    message: Occur when user input is not properly sanitized, allowing attackers to access files and directories outside of the intended directory structure.\n    sample:\n      - open\n  - id: '0004'\n    type: presence\n    category: vuln\n    name: Weak Criptography Algorithm\n    message: Weak algorithms like MD5 are 
susceptible to various attacks and should be avoided in favor of stronger alternatives to ensure the security of sensitive data.\n    sample:\n      - md5\n  - id: '0005'\n    type: presence\n    category: vuln\n    name: Weak Random Value Generator\n    message: Weak random value generators can lead to predictable values, which can be exploited by attackers to bypass security controls.\n    sample:\n      - rand\n  - id: '0006'\n    type: absence\n    category: warning\n    name: Error Suppression\n    message: Suppressing errors can make it difficult to identify and troubleshoot issues, potentially leading to security vulnerabilities.\n    sample:\n      - strict\n      - warnings\n```\n\n---\n\n### Github Actions\n\n```yaml\nname: ZARN SAST\n\non:\n  push:\n    branches: [ \"main\" ]\n  pull_request:\n    branches: [ \"main\" ]\n  schedule:\n    - cron: \"28 23 * * 1\"\n\njobs:\n  zarn:\n    name: Security Static Analysis with ZARN\n    runs-on: ubuntu-20.04\n    steps:\n    - name: Checkout code\n      uses: actions/checkout@v4\n      \n    - name: Perform Static Analysis\n      uses: htrgouvea/zarn@0.0.9\n\n    - name: Send result to Github Security\n      uses: github/codeql-action/upload-sarif@v3\n      with:\n        sarif_file: result.sarif\n```\n\n---\n\n### Contribution\n\nYour contributions and suggestions are heartily ♥ welcome. 
See the [contribution guidelines](/.github/CONTRIBUTING.md). Please report bugs via the [issues page](https://github.com/htrgouvea/zarn/issues) and, for security issues, see the [security policy](/SECURITY.md). (✿ ◕‿◕) This project follows this [style guide](https://github.com/htrgouvea/perl-style-guide).\n\n---\n\n### License\n\nThis work is licensed under the [MIT License](/LICENSE.md).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fhtrgouvea%2Fzarn","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fhtrgouvea%2Fzarn","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fhtrgouvea%2Fzarn/lists"}