https://github.com/Chanzi-keji/chanzi

“铲子”是一款简单易用的JAVA SAST工具，旨在为安全工程师提供一款简单、好用、价格厚道的代码安全扫描产品，支持语言: java（Servlet、spring、dubbo、thirft、mybatis、jsp） ，采用轻量级污点分析，铲子会将java、xml（mybatis、dubbo）等统一构建数据流图，然后进行污点分析，无需编译，也可以反编译扫描jar或class，内置了 sql 注入、命令注入、文件上传、ssrf 等常见漏洞规则，用户可以自定义规则。
https://github.com/Chanzi-keji/chanzi

sast

Last synced: about 2 months ago
JSON representation

“铲子”是一款简单易用的JAVA SAST工具，旨在为安全工程师提供一款简单、好用、价格厚道的代码安全扫描产品，支持语言: java（Servlet、spring、dubbo、thirft、mybatis、jsp） ，采用轻量级污点分析，铲子会将java、xml（mybatis、dubbo）等统一构建数据流图，然后进行污点分析，无需编译，也可以反编译扫描jar或class，内置了 sql 注入、命令注入、文件上传、ssrf 等常见漏洞规则，用户可以自定义规则。

• Host: GitHub
• URL: https://github.com/Chanzi-keji/chanzi
• Owner: Chanzi-keji
• Created: 2024-06-10T04:17:58.000Z (11 months ago)
• Default Branch: main
• Last Pushed: 2024-10-30T02:10:29.000Z (6 months ago)
• Last Synced: 2024-10-30T04:58:23.972Z (6 months ago)
• Topics: sast
• Homepage: https://www.chanzikeji.com
• Size: 31.3 KB
• Stars: 219
• Watchers: 2
• Forks: 6
• Open Issues: 4
• Metadata Files:
  • Readme: README-EN.md

Awesome Lists containing this project

• awesome-java - ChanZi

README

        
# Introduction to the "chanzi" SAST Tool

### I. Product Positioning

* The "chanzi" is a simple and easy-to-use JAVA SAST (Static Application Security Testing) tool, aiming to provide security engineers with a code security scanning product that is **simple, user-friendly, and reasonably priced**.

* Official Website: [www.chanzikeji.com](https://www.chanzikeji.com)

### II. Feature Introduction

* Supported Languages: java (Servlet&filter, spring, jfinal, netty, dubbo, thirft, mybatis, dropwizard, JDK built-in httpserver, jsp, xml, yaml, properties, etc.)

* Employed Technology: Taint analysis. The "chanzi" will uniformly construct data flow diagrams for java, xml (mybatis, dubbo), etc. without the need for compilation, and then conduct taint analysis. The vulnerability results can be conveniently read in the data flow window.

* Supported Vulnerabilities: It has built-in common CWE vulnerability rules such as SQL injection, command injection, file upload, SSRF, as well as component vulnerability rules for log4j, shiro, xstream, actuator, etc.

* Exporting Reports: Users can mark the vulnerabilities and export simple vulnerability reports, including the type of vulnerability, hazard level, location, and repair suggestions, helping developers quickly locate and solve problems.

* Decompilation: It supports decompilation scanning. You can select the jar or class files that need to be decompiled when creating a new task, or you can decompile and read the code of a single class or jar file during the auditing process.

* Editor: A multi-functional code editor. To make it more convenient to read the code and reduce the frequent switching between the SAST tool and the IDE by users, the editor has built-in jump and usage search functions for types, variables, and methods, enables quick search of the entire repository, and provides the code outline of files.

* Custom Rules: The custom rules adopt the Cypher query language, with a low learning threshold for users. Students who are familiar with graph databases can quickly get started.

* Note: The scanning process will not upload any form of code data to the server. Please use it with confidence.

### III. Installation and Use of the Tool

* Download and Installation: Visit the official website of the "chanzi", and select the appropriate installation package according to your operating system for downloading and installation.

* Environment Configuration: It has a built-in Java running environment and can be installed with one click without the need for configuration.

* Starting the Scan: After starting the program, click "New Task".

* Viewing the Results: You can view them in the vulnerability window, and sort, filter, mark, etc. the vulnerabilities as needed.

* Viewing the Reports: Right-click in the **Task** bar to export the report.

### IV. Requirements, Bugs, and Discussions

* Requirements/Bugs: Please submit them in the [issues](https://github.com/Chanzi-keji/chanzi/issues) section of this repository.

* Technical Exchanges: Please participate in or initiate discussions in the [dissussions](https://github.com/Chanzi-keji/chanzi/discussions) section of this repository.

* Product Documentation: Detailed documentation is provided on GitHub and can be read in the [wiki](https://github.com/Chanzi-keji/chanzi/wiki) section.

* Official Website: [www.chanzikeji.com](https://www.chanzikeji.com)

* Download Address: [GitHub Download](https://github.com/Chanzi-keji/chanzi/releases)

* Alternative Address: [Cloud Disk Download](https://share.weiyun.com/7n4mAIlW)