{"id":44841602,"url":"https://github.com/turenlabs/batou","last_synced_at":"2026-02-23T18:13:20.928Z","repository":{"id":338883878,"uuid":"1159542762","full_name":"turenlabs/batou","owner":"turenlabs","description":"Runtime SAST For Claude Code","archived":false,"fork":false,"pushed_at":"2026-02-17T02:49:05.000Z","size":2989,"stargazers_count":2,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-02-17T05:01:17.796Z","etag":null,"topics":["claude-code","hooks","sast","security-tools"],"latest_commit_sha":null,"homepage":"https://turen.io","language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/turenlabs.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":"audit_report.md","citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-02-16T21:18:20.000Z","updated_at":"2026-02-17T02:48:25.000Z","dependencies_parsed_at":null,"dependency_job_id":"0bd68bd0-51f4-43ff-b50e-6a4774a9b643","html_url":"https://github.com/turenlabs/batou","commit_stats":null,"previous_names":["turenlabs/batou"],"tags_count":4,"template":false,"template_full_name":null,"purl":"pkg:github/turenlabs/batou","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/turenlabs%2Fbatou","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/turenlabs%2Fbatou/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/turenlabs%2Fbatou/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/turenlabs%2Fbatou/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/turenlabs","download_url":"https://codeload.github.com/turenlabs/batou/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/turenlabs%2Fbatou/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29750145,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-23T07:44:07.782Z","status":"ssl_error","status_checked_at":"2026-02-23T07:44:07.432Z","response_time":90,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["claude-code","hooks","sast","security-tools"],"created_at":"2026-02-17T03:43:28.795Z","updated_at":"2026-02-23T18:13:20.922Z","avatar_url":"https://github.com/turenlabs.png","language":"C","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Batou - Runtime SAST For Claude Code\n\n\u003cimg width=\"512\" height=\"512\" alt=\"logo_2\" src=\"https://github.com/user-attachments/assets/a3157fb7-68cb-40af-878f-02dc54f62df9\" /\u003e\n\nA security scanner that catches vulnerabilities in real-time as AI writes code. Built as a [Claude Code hook](https://docs.anthropic.com/en/docs/claude-code/hooks), Batou analyzes every file write across 17 languages using regex, AST, taint analysis, and interprocedural call graph tracking.\n\nHigh-confidence findings (confirmed by multiple layers) block the write. Lower-confidence findings produce hints — Claude sees the advice without being interrupted by false positives.\n\n## How It Works\n\n```\nClaude writes code → Batou intercepts → 4-layer scan → Confidence scoring → Block / Hint\n```\n\n| Layer | What | How |\n|-------|------|-----|\n| 1. Regex | 684 pattern rules across 45 categories | Fast pattern matching for known vulnerability signatures |\n| 2. AST | Tree-sitter parsing for 15 languages | Suppresses false positives in comments, structural analysis |\n| 3. Taint | Source-to-sink dataflow (1,123 catalog entries) | Tracks user input through variables to dangerous functions |\n| 4. Call Graph | Interprocedural analysis across files | Persistent cross-function taint tracking within a session |\n\nParsed trees and taint flows are shared across layers — each file is parsed once.\n\n**Blocking threshold:** `Severity \u003e= Critical AND ConfidenceScore \u003e= 0.7`\n\n| Scenario | Score | Result |\n|----------|-------|--------|\n| Regex-only Critical | 0.3–0.5 | Hint only |\n| AST-confirmed | 0.7 | Blocked |\n| Taint-confirmed | ~0.85–0.95 | Blocked |\n| Multiple layers agree | up to 1.0 | Blocked |\n\n## Installation\n\n```bash\n# Quick install\ncurl -fsSL https://raw.githubusercontent.com/turenlabs/batou/main/install.sh | bash\n\n# Install + configure hooks for a project\ncurl -fsSL https://raw.githubusercontent.com/turenlabs/batou/main/install.sh | bash -s -- --setup /path/to/project\n\n# Or install globally\ncurl -fsSL https://raw.githubusercontent.com/turenlabs/batou/main/install.sh | bash -s -- --global\n\n# Build from source (requires Go 1.21+, CGo, gcc/clang)\ngit clone https://github.com/turenlabs/batou.git \u0026\u0026 cd batou \u0026\u0026 make build \u0026\u0026 make install\n```\n\n## What It Detects\n\n**684 rules, 45 categories, 17 languages**\n\nInjection, XSS, path traversal, crypto weaknesses, hardcoded secrets, SSRF, auth issues, XXE, deserialization, CORS, SSTI, JWT flaws, session issues, file upload, race conditions, log injection, input validation, memory safety, and framework-specific misconfigs (Spring, Express, Django, Flask, Rails, Laravel, React, Tauri).\n\n**Languages:** Go, Python, JavaScript/TypeScript, Java, PHP, Ruby, C, C++, Kotlin, Swift, Rust, C#, Perl, Lua, Groovy, Zig\n\n## False Positive Suppression\n\nSuppress findings with inline directives when you know the code is safe:\n\n```go\n// batou:ignore BATOU-INJ-001 -- query uses parameterized input\ndb.Query(\"SELECT * FROM users WHERE id = \" + id)\n```\n\n```python\n# batou:ignore secrets -- test fixture, not a real credential\npassword = \"test-password-for-ci\"\n```\n\nBlock suppression for multiple lines:\n\n```go\n// batou:ignore-start injection\nrows := db.Query(dynamicSQL)\nprocess(rows)\n// batou:ignore-end\n```\n\n**Targets:** specific rule ID (`BATOU-INJ-001`), category (`injection`), or `all`. Always include a reason after `--`.\n\n## Adding Batou to Your Project's CLAUDE.md\n\nCopy the snippet from [`docs/claude-md-snippet.md`](docs/claude-md-snippet.md) into your project's `CLAUDE.md` so Claude understands how Batou works and can respond to its findings correctly.\n\n## Testing\n\n```bash\nmake test          # Run all tests with race detector\nmake test-cover    # Run with coverage\n```\n\n## License\n\nMIT\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fturenlabs%2Fbatou","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fturenlabs%2Fbatou","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fturenlabs%2Fbatou/lists"}