ndaal-binsec 3.2.3

Binary (in)security scanner for ELF/PE/Mach-O with native, strictly-validated SARIF 2.1.0 and Markdown output (ndaal fork of binsec)

binsec

Binary (In)security tool — a minimal static-analysis utility that detects the security mitigations an ELF / PE / Mach-O executable was built with.

This is the ndaal fork (v3.2.3) of ex0dus-0x/binsec: cleaned, de-yanked (goblin 0.10.7), and extended with native, strictly validated SARIF 2.1.0 output and Markdown reports.

Features

  • Cross-format: ELF, PE/EXE, Mach-O (parsing via goblin).
  • Reports four sections: basic metadata, compilation features, exploit mitigations, and dynamic instrumentation.
  • Output formats: human tables, JSON, SARIF 2.1.0 (validated with SarifValidator::strict()), and GitHub-Flavored Markdown.
  • Auto-generates report.sarif + report.md per run (--no-report, --output-dir).
  • Pure-Rust dependency tree; no C libraries, no bindgen, no YARA.

Install

cargo binstall ndaal-binsec   # prebuilt binary (macOS/Linux, x86_64/aarch64)
# or, from source:
cargo install --path .        # requires Rust >= 1.95
binsec --version              # binsec 3.2.3

Usage

binsec /usr/bin/ssh                       # human tables (default)
binsec --format sarif /usr/bin/ssh        # SARIF 2.1.0 to stdout
binsec --format markdown /usr/bin/ssh     # Markdown to stdout
binsec --json - /usr/bin/ssh | jq .       # JSON to stdout
binsec --output-dir ./reports /usr/bin/ssh   # report.sarif + report.md
binsec --no-report /usr/bin/ssh           # stdout only, no files

See binsec --help for the full flag list.
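
A CI gate over the report.sarif file written per run, as an added example (not part of binsec or of this README): it resolves each result's effective level using the SARIF 2.1.0 defaults and returns the results at or above a threshold. The rule ids, tool name and sample log are constructed placeholders, since this page does not list the rule ids binsec emits.

```python
import json, sys

LEVELS = ["none", "note", "warning", "error"]  # SARIF 2.1.0 levels, ascending

def effective_level(result, rules):
    """Resolve result.level per SARIF 2.1.0 defaults (invocation-level
    ruleConfigurationOverrides are not handled here)."""
    if "level" in result:
        return result["level"]
    if result.get("kind", "fail") != "fail":
        return "none"  # any kind other than "fail" defaults to level "none"
    idx = result.get("ruleIndex", -1)
    rule = rules[idx] if 0 <= idx < len(rules) else next(
        (r for r in rules if r.get("id") == result.get("ruleId")), {})
    return rule.get("defaultConfiguration", {}).get("level", "warning")

def gate(sarif, threshold="warning"):
    """Return (ruleId, level, uri) for each result at or above threshold."""
    if sarif.get("version") != "2.1.0":
        raise ValueError("not a SARIF 2.1.0 log")
    hits = []
    for run in sarif.get("runs", []):
        rules = run.get("tool", {}).get("driver", {}).get("rules", [])
        for res in run.get("results", []):
            level = effective_level(res, rules)
            if LEVELS.index(level) >= LEVELS.index(threshold):
                loc = (res.get("locations") or [{}])[0]
                uri = (loc.get("physicalLocation", {})
                       .get("artifactLocation", {}).get("uri", "?"))
                hits.append((res.get("ruleId"), level, uri))
    return hits

# Constructed, trimmed sample (message fields omitted); ids are placeholders.
SAMPLE = {"version": "2.1.0", "runs": [{
    "tool": {"driver": {"name": "sample", "rules": [
        {"id": "EX-NX", "defaultConfiguration": {"level": "error"}},
        {"id": "EX-PIE"},
        {"id": "EX-INFO", "defaultConfiguration": {"level": "note"}}]}},
    "results": [
        {"ruleId": "EX-NX", "ruleIndex": 0, "locations": [{"physicalLocation":
            {"artifactLocation": {"uri": "usr/bin/ssh"}}}]},
        {"ruleId": "EX-PIE"},
        {"ruleId": "EX-INFO", "ruleIndex": 2},
        {"ruleId": "EX-NX", "kind": "pass"}]}]}

if __name__ == "__main__":
    log = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    found = gate(log)
    for rule_id, level, uri in found:
        print(f"{level}: {rule_id} in {uri}")
    sys.exit(1 if found else 0)
```

Run it against a real report with `python3 gate.py reports/report.sarif`, where gate.py is a hypothetical file name; a non-zero exit fails the pipeline step.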

License

MIT — see LICENSE.md. Original work © ex0dus-0x; fork and SARIF/Markdown additions © ndaal.