https://github.com/insidersec/insider

Static Application Security Testing (SAST) engine focused on covering the OWASP Top 10, to make source code analysis to find vulnerabilities right in the source code, focused on a agile and easy to implement software inside your DevOps pipeline. Support the following technologies: Java (Maven and Android), Kotlin (Android), Swift (iOS), .NET Full Framework, C#, and Javascript (Node.js).
https://github.com/insidersec/insider

android android-security cli csharp dotnet insider ios ios-security javascript kotlin maven nodejs owasp sast security-automation security-scanner security-tools static-analysis static-analyzer swift

Last synced: 3 months ago
JSON representation

Static Application Security Testing (SAST) engine focused on covering the OWASP Top 10, to make source code analysis to find vulnerabilities right in the source code, focused on a agile and easy to implement software inside your DevOps pipeline. Support the following technologies: Java (Maven and Android), Kotlin (Android), Swift (iOS), .NET Full Framework, C#, and Javascript (Node.js).

• Host: GitHub
• URL: https://github.com/insidersec/insider
• Owner: insidersec
• License: mit
• Created: 2019-11-12T20:07:31.000Z (over 4 years ago)
• Default Branch: master
• Last Pushed: 2022-04-10T21:40:27.000Z (about 2 years ago)
• Last Synced: 2024-03-14T05:14:44.824Z (4 months ago)
• Topics: android, android-security, cli, csharp, dotnet, insider, ios, ios-security, javascript, kotlin, maven, nodejs, owasp, sast, security-automation, security-scanner, security-tools, static-analysis, static-analyzer, swift
• Language: Go
• Homepage: https://insidersec.io
• Size: 4.39 MB
• Stars: 480
• Watchers: 17
• Forks: 80
• Open Issues: 20
• Metadata Files:
  • Readme: README.md
  • Contributing: .github/CONTRIBUTING.md
  • License: LICENSE
  • Code of conduct: .github/CODE_OF_CONDUCT.md
  • Security: .github/SECURITY.md

Lists

• awesome-hacking-lists - insider - Static Application Security Testing (SAST) engine focused on covering the OWASP Top 10, to make source code analysis to find vulnerabilities right in the source code, focused on a agile and easy to implement software inside your DevOps pipeline. Support the following technologies: Java (Maven and Android), Kotlin (Android), Swift (iOS), .NET Full Framework, C#, and Javascript (Node.js). (Go (531))
• awesome-devsecops - Insider CLI
• awesome-security - Insider CLI - A open source Static Application Security Testing tool (SAST) written in GoLang for Java (Maven and Android), Kotlin (Android), Swift (iOS), .NET Full Framework, C# and Javascript (Node.js). (Web / Development)
• awesome-software-supply-chain-security - insider -  - SAST Engine focused on covering the OWASP Top 10, support Java (Maven and Android), Kotlin (Android), Swift (iOS), .NET Ful... (Static Application Security Testing)
• awesome-hacking-lists - insidersec/insider - Static Application Security Testing (SAST) engine focused on covering the OWASP Top 10, to make source code analysis to find vulnerabilities right in the source code, focused on a agile and easy to im (Go)
• awesome-hacking-lists - insider - Static Application Security Testing (SAST) engine focused on covering the OWASP Top 10, to make source code analysis to find vulnerabilities right in the source code, focused on a agile and easy to implement software inside your DevOps pipeline. Support the following technologies: Java (Maven and Android), Kotlin (Android), Swift (iOS), .NET Full Framework, C#, and Javascript (Node.js). (Go)

README

        


  

  


    

      

    

    

      

    

    

      

    

  


This document is also available in [`Portuguese`](https://github.com/insidersec/insider/blob/master/README_pt-br.md).

Insider is the [OSS](https://opensource.org/) CLI project from the [Insider Application Security](https://insidersec.io) Team for the community.

Insider is focused on covering the [OWASP Top 10](https://owasp.org/www-project-top-ten/), to make source code analysis to find vulnerabilities right in the source code, focused on a agile and easy to implement software inside your DevOps pipeline.

We currently support the following technologies: Java (Maven and Android), Kotlin (Android), Swift (iOS), .NET Full Framework, C#, and Javascript (Node.js).

There is a Github Action that permits you protect your repository with Insider, free, easy to integrate and frictionless. It is the most easy way to protect your code directly on your repository. [Take a look - Insider-Action](https://github.com/insidersec/insider-action)

---

### Installation

You can install Insider using precompiled binaries or from source.

#### Precompiled binaries

We have precompiled binaries for Linux, Windows and macOS operational systems that you can find [here.](https://github.com/insidersec/insider/releases)

Have fun! :rocket:

---

### Usage

```

insider is the CLI project from the Insider Application Security Team for the community

Usage:

  -exclude value

        Patterns to exclude directory or files to analyze. Can be used multiple times

  -jobs int

        Number of analysis to execute in parallel (default 4)

  -no-html

        Skips the report generation in the HTML format

  -no-json

        Skips the report generation in the JSON format

  -quiet

        No output logs of execution

  -security float

        Set the Security level, values between 0 and 100 (default 0)

  -target string

        Specify where to look for files to run the specific ruleset

  -tech string

        Specify which technology ruleset to load

  -v    Enable verbose output

  -version

        Show version and quit with exit code 0

Supported technologies:

        android

        java

        ios

        javascript

        csharp

Example of use:

        # Run JavaScript analysis on specific directoty

        insider -tech javascript -target 

        # Run Android analysis on specific directoty and ignore html and json report

        insider -tech android -target  -no-html -no-json

        # Run Java analysis on specific directoty with a base security value to fail

        insider -tech java -target  -security 20

        # Run JavaScript analysis on specific directoty and exclude node_modules and test files

        insider -tech javascript -target  -exclude tests/* -exclude node_modules/*

```

---

### Example

```bash

# Check the correct release for your environment

$ wget https://github.com/insidersec/insider/releases/download/2.1.0/insider_2.1.0_linux_x86_64.tar.gz

$ tar -xf insider_2.1.0_linux_x86_64.tar.gz 

$ chmod +x insider

$ ./insider --tech javascript  --target 

```

---

### Docker

You can also run `insider` in a container. You only need to mount the target into a volume:

```bash

$ docker run --rm -v $(pwd):/target-project insidersec/insider -tech  -target /target-project

```

---

### Demo

![Gif](demo.gif)

---

### Contribution

- Your contributions and suggestions are heartily ♥ welcome. [See here the contribution guidelines.](/.github/CONTRIBUTING.md) Please, report bugs via [issues page.](https://github.com/insidersec/insider/issues) See here the [security policy](/.github/SECURITY.md) for report security issues. (✿ ◕‿◕)

---

#### Building from source

To build Insider from source you'll need at least [Go version 1.13](https://golang.org/dl/) working.

```bash

$ go get github.com/insidersec/insider/cmd/insider

```

---

### License

- This work is licensed under [MIT](/LICENSE).