{"id":13531803,"url":"https://github.com/thesp0nge/dawnscanner","last_synced_at":"2025-05-15T00:06:42.374Z","repository":{"id":7846603,"uuid":"9218376","full_name":"thesp0nge/dawnscanner","owner":"thesp0nge","description":"Dawn is a static analysis security scanner for ruby written web applications. It supports Sinatra, Padrino and Ruby on Rails frameworks.","archived":false,"fork":false,"pushed_at":"2024-03-02T19:07:31.000Z","size":1958,"stargazers_count":741,"open_issues_count":24,"forks_count":86,"subscribers_count":31,"default_branch":"main","last_synced_at":"2025-04-21T09:51:18.390Z","etag":null,"topics":["codereview","cybersecurity","hanami","padrino","rails","ruby","security","security-audit","sinatra","vulnerabilities"],"latest_commit_sha":null,"homepage":"","language":"Ruby","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/thesp0nge.png","metadata":{"files":{"readme":"README.md","changelog":"Changelog.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE.txt","code_of_conduct":"code_of_conduct.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2013-04-04T13:06:48.000Z","updated_at":"2025-03-25T04:47:05.000Z","dependencies_parsed_at":"2023-07-12T16:25:52.362Z","dependency_job_id":"eff84c52-2711-4025-ad78-e6332cfe5b70","html_url":"https://github.com/thesp0nge/dawnscanner","commit_stats":{"total_commits":908,"total_committers":22,"mean_commits":41.27272727272727,"dds":0.08700440528634357,"last_synced_commit":"d6150bea36a5636937a56fadb57cb8bc13d4e56d"},"previous_names":["codesake/codesake-dawn"],"tags_count":53,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/thesp0nge%2Fdawnscan
ner","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/thesp0nge%2Fdawnscanner/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/thesp0nge%2Fdawnscanner/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/thesp0nge%2Fdawnscanner/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/thesp0nge","download_url":"https://codeload.github.com/thesp0nge/dawnscanner/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":254249198,"owners_count":22039029,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["codereview","cybersecurity","hanami","padrino","rails","ruby","security","security-audit","sinatra","vulnerabilities"],"created_at":"2024-08-01T07:01:05.865Z","updated_at":"2025-05-15T00:06:42.295Z","avatar_url":"https://github.com/thesp0nge.png","language":"Ruby","funding_links":[],"categories":["\u003ca id=\"8f92ead9997a4b68d06a9acf9b01ef63\"\u003e\u003c/a\u003eScanner\u0026\u0026Security Scanning\u0026\u0026App Scanning\u0026\u0026Vulnerability Scanning","Tools","Ruby (88)","Ruby","\u003ca id=\"132036452bfacf61471e3ea0b7bf7a55\"\u003e\u003c/a\u003eTools","cybersecurity","Programming Languages","Static Code Analysis","Gems"],"sub_categories":["\u003ca id=\"de63a029bda6a7e429af272f291bb769\"\u003e\u003c/a\u003eUncategorized-Scanner","Static Analysis","Static Code Analysis"],"readme":"# Dawnscanner - The rising security scanner for Ruby web applications\n\ndawn is a source code scanner designed to review your web applications for\nsecurity issues.\n\nThe tool is able to scan 
web applications written in Ruby, and it supports all\nmajor MVC (Model View Controller) frameworks out of the box:\n\n* [Ruby on Rails](http://rubyonrails.org)\n* [Sinatra](http://www.sinatrarb.com)\n* [Padrino](http://www.padrinorb.com)\n\n---\n\n[![Gem Version](https://badge.fury.io/rb/dawnscanner.png)](http://badge.fury.io/rb/dawnscanner)\n[![Build Status](https://travis-ci.org/thesp0nge/dawnscanner.png?branch=master)](https://travis-ci.org/thesp0nge/dawnscanner)\n[![Coverage Status](https://coveralls.io/repos/thesp0nge/dawnscanner/badge.png)](https://coveralls.io/r/thesp0nge/dawnscanner)\n[![Code Triagers Badge](https://www.codetriage.com/thesp0nge/dawnscanner/badges/users.svg)](https://www.codetriage.com/thesp0nge/dawnscanner)\n[![Inline docs](http://inch-ci.org/github/thesp0nge/dawnscanner.png?branch=master)](http://inch-ci.org/github/thesp0nge/dawnscanner)\n[![Gitter](https://badges.gitter.im/thesp0nge/dawnscanner.svg)](https://gitter.im/thesp0nge/dawnscanner?utm_source=badge\u0026utm_medium=badge\u0026utm_campaign=pr-badge)\n\n---\n\ndawn version 2.0 has 680+ security checks loaded in its knowledge base,\nwhich is updated weekly from the [National Vulnerability\nDatabase](https://nvd.nist.gov/) maintained by NIST.\n\n## A brief \"how it works\"\n\nWhen you run dawn on your code, it parses your project's Gemfile.lock\nto find the gems in use, and it tries to detect the Ruby interpreter version\nyou are running or have declared in your preferred Ruby version manager\n(RVM, rbenv, ...).\n\nThen the tool tries to detect the MVC framework your web application uses and\napplies the matching security checks. 
There are checks designed to match Rails\napplications and checks that apply to any Ruby code.\n\ndawn can also understand the code in your views and backtrack\nsinks to spot cross-site scripting and SQL injections introduced by the code\nyou actually wrote **(in the project roadmap, this is the code most of the future\ndevelopment effort will be focused on).**\n\nThe result of a dawn security scan is a list of vulnerabilities with\nmitigation actions to follow in order to build a stronger web\napplication.\n\n## Installation\n\nYou can install the latest dawn version, fetching it from\n[Rubygems](https://rubygems.org), by typing:\n\n```\n$ gem install dawnscanner\n```\n\nAfter that, you need to download the [knowledge\nbase](https://github.com/thesp0nge/dawnscanner_knowledge_base/releases) from\nGitHub and unpack the archive into the ```$HOME/dawnscanner/kb``` directory.\n\nA typical kb directory layout is similar to this:\n\n```\n$ ll ~/dawnscanner/kb\ntotal 56K\ndrwxr-xr-x 2 thesp0nge users  28K 29 mar 18.27 bulletin\ndrwxr-xr-x 2 thesp0nge users   72  7 lug  2021 generic_check\n-rw-r--r-- 1 thesp0nge users   65 29 mar 17.06 kb.yaml\n-rw-r--r-- 1 thesp0nge users   74 29 mar 17.06 kb.yaml.sig\ndrwxr-xr-x 2 thesp0nge users 4,0K  7 lug  2021 owasp_ror_cheatsheet\n```\n\nThe knowledge base is structured this way:\n* bulletin is the folder where all CVEs downloaded from NIST are stored.\n* generic_check is the folder with all custom checks for your code.\n* owasp_ror_cheatsheet holds the OWASP Ruby on Rails cheatsheet\n  recommendations.\n\n## Usage\n\nStarting from version 2.0, the tool uses subcommands to start specific tasks,\neach of them with its own help message.\n\n### Scanning a project\n\nThe scan subcommand tells dawn to scan the specified target for security\nissues.\n\n```\n$ dawn scan target\n```\n\nAt the moment results are available in text format only, and they are stored in\na directory named with the scan timestamp, 
under\n$HOME/dawnscanner/results/target, where target is the name of the application\nbeing analyzed.\n\n### Querying the knowledge base\n\nIt is possible, with the kb subcommand, to query the knowledge base.\n\n```\ndawn kb find                        # Searches the knowledge base for a given vulnerability\ndawn kb help [COMMAND]              # Describe subcommands or one specific subcommand\ndawn kb lint                        # Checks knowledge base content for correctness\ndawn kb list gem_name[gem_version]  # List all security issues affecting a gem passed as argument (the version string is optional).\ndawn kb status                      # Checks the status of the knowledge base\ndawn kb unpack                      # Unpacks security checks in KB library path\n```\n\n## Useful links\n\nTwitter profile:  [@dawnscanner](https://twitter.com/dawnscanner)\nGitHub repository:   [https://github.com/thesp0nge/dawnscanner](https://github.com/thesp0nge/dawnscanner)\n\n\n## Support us\n\nFeedback is great and we really love to hear your voice.\n\nIf you're a proud dawn user, if you find it useful, if you integrated\nit in your release process and if you want to openly support the project, you\ncan put your reference here. Just open an\n[issue](https://github.com/thesp0nge/dawnscanner/issues/new) with a statement saying\nhow you feel about the tool, and your company logo if any.\n\nThank you.\n\n## Thanks to\n\n[saten](https://github.com/saten): first issue posted about a typo in the README\n\n[presidentbeef](https://github.com/presidentbeef): for his outstanding work that inspired me to create dawn and for double-checking the comparison matrix. 
Issue #2 is yours :)\n\n[marinerJB](https://github.com/marinerJB): for misc bug reports and further ideas\n\n[Matteo](https://github.com/matteocollina): for ideas on API and their usage with [github.com](https://github.com) hooks\n\n\n## LICENSE\n\nCopyright (c) 2013-2023 Paolo Perego \u003cpaolo@armoredcode.com\u003e\n\nMIT License\n\nPermission is hereby granted, free of charge, to any person obtaining\na copy of this software and associated documentation files (the\n\"Software\"), to deal in the Software without restriction, including\nwithout limitation the rights to use, copy, modify, merge, publish,\ndistribute, sublicense, and/or sell copies of the Software, and to\npermit persons to whom the Software is furnished to do so, subject to\nthe following conditions:\n\nThe above copyright notice and this permission notice shall be\nincluded in all copies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND,\nEXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF\nMERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND\nNONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE\nLIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION\nOF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION\nWITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fthesp0nge%2Fdawnscanner","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fthesp0nge%2Fdawnscanner","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fthesp0nge%2Fdawnscanner/lists"}
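The README above describes the first step of a dawn scan (parsing the project's Gemfile.lock for the gems and the Ruby interpreter version in use, then matching the gems against the knowledge-base bulletins) and the `dawn kb list gem_name[gem_version]` query. The Ruby below is an added example that models that step in a self-contained way; it is not dawnscanner's own code and does not use its real bulletin format. The lockfile, the gem names, the `EXAMPLE-*` identifiers and the `{id, gem, affected, title}` bulletin shape are all constructed for illustration.

```ruby
# Added example (not dawnscanner's code): model the Gemfile.lock parsing and
# knowledge-base matching that the README describes. Bulletin shape, gem names
# and EXAMPLE-* identifiers are constructed for illustration only.
require 'rubygems' # Gem::Version / Gem::Requirement; loaded by default in modern Ruby

# Constructed sample Gemfile.lock with fictional gems (no real advisories).
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      acme_auth (1.4.2)
        widget_render (>= 0.8)
      widget_render (0.9.0)
      plain_util (2.1.0)

  PLATFORMS
    ruby

  DEPENDENCIES
    acme_auth
    plain_util

  RUBY VERSION
     ruby 3.2.2p53

  BUNDLED WITH
     2.4.10
LOCK

# Constructed bulletins in an assumed shape: a gem name, a list of
# Gem::Requirement strings describing the affected versions, and an id.
SAMPLE_BULLETINS = [
  { id: 'EXAMPLE-0001', gem: 'acme_auth',     affected: ['< 1.5.0'],             title: 'session fixation (constructed)' },
  { id: 'EXAMPLE-0002', gem: 'widget_render', affected: ['>= 0.9.0', '< 1.0.0'], title: 'stored XSS in view helper (constructed)' },
  { id: 'EXAMPLE-0003', gem: 'plain_util',    affected: ['< 2.0.0'],             title: 'path traversal (constructed)' },
].freeze

# Parse the "specs:" block of a Gemfile.lock into { name => Gem::Version }.
# Installed gems sit at exactly four spaces of indentation as "name (version)";
# their transitive dependencies are indented further and carry requirements
# rather than pinned versions, so they are skipped on purpose.
def parse_lockfile_specs(text)
  specs = {}
  in_specs = false
  text.each_line do |raw|
    line = raw.chomp
    if line =~ /\A\s+specs:\z/
      in_specs = true
      next
    end
    in_specs = false if in_specs && line.strip.empty?
    next unless in_specs
    if (m = line.match(/\A {4}(\S+) \(([^)]+)\)\z/))
      specs[m[1]] = Gem::Version.new(m[2])
    end
  end
  specs
end

# Pull the interpreter version from the "RUBY VERSION" block, if present.
def parse_ruby_version(text)
  m = text.match(/^RUBY VERSION\s*\n\s*ruby (\d+\.\d+\.\d+)/)
  m && m[1]
end

# Scan step: every bulletin whose gem is locked at an affected version.
def find_affected(specs, bulletins)
  bulletins.select do |b|
    version = specs[b[:gem]]
    version && Gem::Requirement.new(*b[:affected]).satisfied_by?(version)
  end
end

# Query step, in the spirit of "dawn kb list gem_name[gem_version]":
# without a version, every bulletin for the gem; with one, only those matching it.
def issues_for_gem(bulletins, name, version = nil)
  bulletins.select do |b|
    next false unless b[:gem] == name
    version.nil? || Gem::Requirement.new(*b[:affected]).satisfied_by?(Gem::Version.new(version))
  end
end

if $PROGRAM_NAME == __FILE__
  specs = parse_lockfile_specs(SAMPLE_LOCKFILE)
  puts "ruby #{parse_ruby_version(SAMPLE_LOCKFILE)}, #{specs.size} gems locked"
  find_affected(specs, SAMPLE_BULLETINS).each do |b|
    puts "#{b[:id]}: #{b[:gem]} #{specs[b[:gem]]} is affected (#{b[:title]})"
  end
end
```

Two details matter for a real scanner and are reflected here: only the four-space `specs:` entries carry pinned versions (the deeper-indented lines are dependency requirements, and treating them as versions would produce false positives), and version matching must go through `Gem::Requirement` rather than string comparison so that `0.9.0 < 0.10.0` and pre-release suffixes compare correctly.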