codescan-0.1.0 is not a library.
Features
- Secret Detection — hardcoded passwords, API keys, tokens, private keys, high-entropy strings (24+ rules)
- Exploit Patterns — SQL injection, XSS, command injection, path traversal, deserialization, prototype pollution, SSRF, and more (24 rules)
- Cryptography Audits — MD5, SHA1, DES, RC4, ECB mode, weak RSA, insecure random, missing TLS verification (11 rules)
- Unicode Attacks — Trojan Source (CVE-2021-42574) bidirectional control chars, zero-width chars, homoglyphs (3 rules)
- Infrastructure — hardcoded IPs, debug logging, plaintext HTTP URLs, security-relevant TODO comments (4 rules)
- Custom Rules — define your own rules in JSON using Rust regex syntax
- Suppression — inline comments (codescan:ignore) in any language, or config-file entries scoped by file/glob/line/rule/category/severity
- Multiple Output Formats — pretty (cargo-like), JSON (NDJSON), plain text
- Parallel Scanning — Rayon-powered parallel file processing, gitignore-aware traversal
- Configurable — TOML config file, severity overrides, rule disabling, size limits, and more
Installation
Linux / macOS:
|
Windows (PowerShell):
```powershell
iwr https://codescan.siiway.org/install.ps1 | iex
```
Via cargo (crates.io):
```shell
cargo install codescan
```
Pre-compiled binaries for Linux, macOS, and Windows are available on GitHub Releases. See the installation docs for full details.
Quick Start
```shell
# Scan current directory
codescan

# Scan with exclusions
codescan -e "vendor/**" -e "node_modules/**"

# Only report errors
codescan --severity error

# Output as JSON
codescan --format json

# List all rules
codescan --list-rules
```
Example Output
```text
error[SECRET001]: Hardcoded password
  --> src/db/connection.py:14:12
   |
14 |   password = "hunter2"
   |              ^^^^^^^^^
   = help: Use environment variables or a secrets manager instead

warning[CRYPTO001]: Weak hashing algorithm
  --> src/auth/hash.py:8:5
   |
 8 |     hashlib.md5(data).hexdigest()
   |     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
   = help: Use SHA-256 or better

found 1 error, 1 warning, 0 notes
```
Configuration
Create codescan.toml in your project root:
```toml
[]
= ["INFRA004"]

[]
= "error"

[]
= 524288

[]
= ["vendor/**", "node_modules/**", "dist/**"]
= ["lock", "snap"]

[[]]
= "src/tests/fixtures/secrets.py"
= ["SECRET001", "SECRET002"]
= "Test fixture"
```
See the full documentation for all options.
Suppression
Inline suppression works in any language:
```
# codescan:ignore-next-line SECRET001
=

const url = "http://internal.corp"; // codescan:ignore:INFRA004

-- codescan:ignore-next-line:INFRA001
INSERT INTO config VALUES ('host', '192.168.1.10');
```
Block suppression:
```
# codescan:ignore-start SECRET001,SECRET002
=
=
# codescan:ignore-end
```
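As an added illustration of the three directive forms above (example code written for this page, not codescan's own implementation), a small Rust function that decides whether a finding on a given line is covered by an inline suppression. It assumes the semantics the examples show: a rule list may follow a space or a colon, commas separate rule IDs, and an empty list means every rule.

```rust
use std::collections::HashSet;

/// Parse the text after a directive: " SECRET001,SECRET002", ":INFRA001" or "".
/// `None` means the directive names no rules and therefore applies to all of them.
fn parse_rules(rest: &str) -> Option<HashSet<String>> {
    let rest = rest.trim().trim_start_matches(':').trim();
    if rest.is_empty() {
        return None;
    }
    Some(rest.split(',').map(|r| r.trim().to_string()).collect())
}

/// Does a rule list (`None` = all rules) cover `rule`?
fn covers(rules: &Option<HashSet<String>>, rule: &str) -> bool {
    rules.as_ref().map_or(true, |s| s.contains(rule))
}

/// True if the finding for `rule` on 1-based line `target` is suppressed by
/// an inline `codescan:ignore` directive in `src` (assumed semantics, see lead-in).
pub fn is_suppressed(src: &str, target: usize, rule: &str) -> bool {
    const TAG: &str = "codescan:ignore";
    // Rule list of the currently open ignore-start block, if any.
    let mut block: Option<Option<HashSet<String>>> = None;
    for (idx, line) in src.lines().enumerate() {
        let lineno = idx + 1;
        if lineno == target {
            if let Some(rules) = &block {
                if covers(rules, rule) {
                    return true;
                }
            }
        }
        let directive = match line.find(TAG) {
            Some(pos) => &line[pos + TAG.len()..],
            None => continue,
        };
        if let Some(rest) = directive.strip_prefix("-next-line") {
            if lineno + 1 == target && covers(&parse_rules(rest), rule) {
                return true;
            }
        } else if let Some(rest) = directive.strip_prefix("-start") {
            block = Some(parse_rules(rest));
        } else if directive.starts_with("-end") {
            block = None;
        } else if lineno == target && covers(&parse_rules(directive), rule) {
            return true; // trailing `codescan:ignore:RULE` on the flagged line itself
        }
    }
    false
}

/// Constructed sample source mirroring the README examples (line numbers start at 1).
pub const SAMPLE: &str = "# codescan:ignore-next-line SECRET001\npassword = \"hunter2\"\nconst url = \"http://internal.corp\"; // codescan:ignore:INFRA004\n# codescan:ignore-start SECRET001,SECRET002\ntoken = \"abc\"\n# codescan:ignore-end\napi_key = \"xyz\"\n";
```

Running `is_suppressed(SAMPLE, 2, "SECRET001")` returns true while the same line with `SECRET002` does not, and line 7 is no longer covered once the block has been closed.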
Custom Rules
CI Integration
```yaml
# GitHub Actions
- name: Security scan
  run: codescan --format text --fail-on error src/
```
Exit codes:
- 0 — no findings at or above the --fail-on threshold
- 1 — one or more active (non-suppressed) findings meet the threshold
CLI Reference
```text
Usage: codescan [OPTIONS] [PATH]...

Arguments:
  [PATH]...                Paths to scan (default: .)

Options:
  -i, --input <PATH>       Additional input paths
  -o, --output <FILE>      Write output to file
  -e, --exclude <GLOB>     Exclude glob patterns
  -c, --config <FILE>      Config file [default: codescan.toml]
  -f, --format <FORMAT>    Output format: pretty|json|text [default: auto]
      --interactive <BOOL> Force interactive (color) mode
      --severity <LEVEL>   Minimum severity: error|warning|info [default: info]
      --only-rules <IDS>   Comma-separated rule IDs to check
      --skip-rules <IDS>   Comma-separated rule IDs to skip
  -j, --threads <N>        Parallel threads [default: CPU count]
      --no-gitignore       Disable .gitignore support
      --hidden             Scan hidden files
      --max-filesize <BYTES> Max file size [default: 1048576]
  -q, --quiet              Suppress summary line
      --fail-on <LEVEL>    Exit 1 threshold [default: error]
      --rules-file <FILE>  Custom rules JSON file(s)
      --show-suppressed    Show suppressed findings
      --list-rules         List all rules and exit
  -h, --help               Print help
  -V, --version            Print version
```
License
codescan is licensed under the GNU General Public License v3.0.
Third-party Rust crate licenses are listed in THIRD_PARTY_LICENSES/RUST_CRATES.md.
Icon is from microsoft/fluentui-system-icons, licensed under MIT.