Releases: OmarRao/secure-scope
v8.0.0 — Slack/Teams, GitHub Issues, DAST, Scorecard, License, Supply Chain, PR Diff, Trend, False Positive Suppression
What's New in v8.0.0
Notification Integrations
- Slack — post scan summaries to channels via incoming webhooks (--slack-webhook)
- Microsoft Teams — adaptive card summaries (--teams-webhook)
- GitHub Issues — auto-create labelled, deduplicated issues for ERROR findings (--create-issues)
Advanced Scanning
- OpenSSF Scorecard — repo security scorecard via CLI or public REST API (--scorecard)
- DAST — Nuclei + OWASP ZAP baseline scanning against live URLs (--dast-url)
- License Compliance — classify dependency licenses by copyleft risk (--license-scan)
- Supply Chain — dependency confusion + typosquatting detection (--supply-chain)
- PR Diff Mode — scan only changed files vs base branch, ideal for CI (--pr-diff)
Workflow and Reporting
- Trend Tracking — SVG sparkline of findings over time appended to trend.jsonl
- False Positive Suppression — accept-risk workflow with .secscope-suppressions.json
- GitHub Actions CI — .github/workflows/secscope.yml self-scans on push and uploads SARIF
- UI — new /api/trend and /api/suppress REST endpoints; all new options in the scan wizard
v7.0.0 - SARIF, Trivy, SBOM, Compliance, Multi-Repo, Webhook
What's New in v7.0.0
SARIF 2.1.0 Export (--sarif)
Produces a SARIF file compatible with the GitHub Code Scanning API and GitHub Security tab.
Trivy Container Scanning (--image)
Runs Trivy against a Docker image and Dockerfiles in the repo.
CycloneDX SBOM (--sbom)
Generates a CycloneDX 1.4 JSON SBOM from dependency scan results.
Compliance Posture Report (--compliance)
Maps each CWE finding to PCI DSS v4.0, NIST SP 800-53 Rev 5, OWASP Top 10, and SANS/CWE Top 25.
Multi-Repo Scanning
Scan multiple repos with --repos or --repos-file.
GitHub Webhook Trigger
Run as a persistent server: python main.py --webhook --port 8080
v6.2.0 - Complete Security Report
What's New
Report Completeness
SecureScope now renders all four scan results in the generated HTML report:
- Secrets Detection - full findings table with severity, category, description, blast radius, file, and line number. Click any row to expand blast radius detail.
- Dependency Vulnerabilities - CVE table with severity, ecosystem, package name, vulnerability ID/summary, installed version, and fixed version. Click to expand CVSS score and aliases.
- IaC Misconfigurations - previously added in v6.1.0, now properly linked from the nav sidebar.
Navigation Sidebar
Added nav items with live finding counts for Secrets, Dep. Vulns, and IaC Misconfigs - badges turn red when critical findings are present.
Bug Fixes
- Removed broken docs/screenshots/07_secrets_scanner.png reference from README
Full Changelog
- ui/templates/report.html - Secrets and Deps sections, nav sidebar fix
- README.md - version bump, releases table updated, broken image removed
v6.1.0 - IaC Scanner: Helm support, false positive fixes, report integration
Patch release resolving all known gaps identified after v6.0.0.
Bug fixes
| Issue | Fix |
|---|---|
| Helm charts silently skipped | Added _check_helm() - scans Chart.yaml (deprecated apiVersion, missing appVersion) and values.yaml (hardcoded secrets, privileged: true, :latest image tag) |
| Terraform false positives on password = | Pattern now excludes var.*, data.*, local.*, module.* references - only flags literal hardcoded strings |
| Checkov framework field showed raw extension (tf, yml) | Mapped check_type strings to proper framework names (terraform, kubernetes, etc.) |
| Duplicate findings for repeated patterns in same file | Added deduplication by (check_id, file_path, line) |
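As an added example (not SecureScope's own code), here is one way the two fixes above can be implemented: a Terraform password check that only fires on quoted literals, so var.*, data.*, local.* and module.* references are never flagged, plus deduplication of findings by (check_id, file_path, line). The check id, the regexes and the sample Terraform are hypothetical and constructed here.

```python
import re

# Added example, not SecureScope's own code: a literal-only Terraform password
# check (var.*/data.*/local.*/module.* references are not flagged) plus
# deduplication by (check_id, file_path, line). Check id and regexes are hypothetical.

# Two overlapping patterns under one check id. Both require a quoted literal on
# the right-hand side, so `password = var.db_password` can never match.
PASSWORD_PATTERNS = [
    re.compile(r'^\s*(?:\w+_)?password\s*=\s*"(?P<value>[^"]*)"', re.I),
    re.compile(r'^\s*\w*(?:password|passwd|pwd)\w*\s*=\s*"(?P<value>[^"]*)"', re.I),
]
# A quoted value that is only an interpolated reference, e.g. "${local.pw}".
REFERENCE_ONLY = re.compile(r'^\$\{\s*(?:var|data|local|module)\.[^}]*\}$')
CHECK_ID = "TF-PW-HYPOTHETICAL"

def scan_terraform(file_path, content):
    """Raw findings as (check_id, file_path, line, message) tuples.
    Overlapping patterns may report the same line more than once."""
    findings = []
    for lineno, text in enumerate(content.splitlines(), start=1):
        for pattern in PASSWORD_PATTERNS:
            m = pattern.match(text)
            if m and not REFERENCE_ONLY.match(m.group("value")):
                findings.append((CHECK_ID, file_path, lineno, "hardcoded password literal"))
    return findings

def deduplicate(findings):
    """Keep the first finding for each (check_id, file_path, line) key."""
    seen, unique = set(), []
    for f in findings:
        key = f[:3]
        if key not in seen:
            seen.add(key)
            unique.append(f)
    return unique

# Constructed sample: only the "legacy" resource should be reported.
SAMPLE_TF = """\
resource "aws_db_instance" "db" {
  username        = "admin"
  password        = var.db_password
  master_password = "${local.db_password}"
}
resource "aws_db_instance" "legacy" {
  password = "Sup3rSecret!"
}
"""
```

scan_terraform("main.tf", SAMPLE_TF) returns two raw findings for line 7 (both patterns match it) and none for the var.* or ${local.*} assignments; deduplicate() collapses them to one.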
New checks
| ID | Framework | Severity | What's detected |
|---|---|---|---|
| TF015 | Terraform | CRITICAL | secret_key hardcoded (not via var.*) |
| TF016 | Terraform | MEDIUM | S3 bucket versioning disabled - ransomware risk |
| TF017 | Terraform | CRITICAL | SSH (22) or RDP (3389) open to 0.0.0.0/0 |
| TF018 | Terraform | HIGH | CloudTrail logging disabled |
| TF019 | Terraform | HIGH | MFA delete disabled on S3 bucket |
| K8S014 | Kubernetes | MEDIUM | Missing NetworkPolicy - default allow-all pod traffic |
| K8S015 | Kubernetes | HIGH | hostPath volume mount - container can read host filesystem |
| HELM001 | Helm | LOW | Chart.yaml missing appVersion |
| HELM002 | Helm | LOW | Deprecated Helm API version v1 |
| HELM003 | Helm | CRITICAL | Hardcoded secret in values.yaml |
| HELM004 | Helm | CRITICAL | privileged: true in Helm values |
| HELM005 | Helm | MEDIUM | Image tag :latest in Helm values |
Report integration
- IaC section added to report.html - renders in every scan report - 6-KPI strip: Files Scanned, Frameworks, Critical, High, Medium, Engine
- Collapsible findings table - click any row to expand fix details and resource name
- Handles empty (no findings) and unavailable (scan not run) states
v6.0.0 - IaC Misconfiguration Scanner
Detect cloud and container misconfigurations before they reach production. Scans Terraform, Kubernetes, Dockerfiles, GitHub Actions workflows, CloudFormation templates, and Ansible playbooks - integrated into every repo scan and available as a standalone dashboard panel.
What's scanned
| Framework | Key Checks |
|---|---|
| Terraform | Public S3 buckets, open security groups (0.0.0.0/0), publicly accessible RDS, wildcard IAM ("Action": "*"), disabled encryption, hardcoded credentials, no deletion protection |
| Kubernetes | Privileged containers, hostNetwork/PID/IPC, allowPrivilegeEscalation, root UID, wildcard RBAC verbs, :latest image tags, missing resource limits, auto-mounted service account tokens |
| Dockerfile | No USER (runs as root), ADD instead of COPY, :latest base image, hardcoded secrets in ENV/ARG, curl \| bash in RUN, --privileged flag, missing HEALTHCHECK |
| GitHub Actions | write-all permissions, pull_request_target misuse, unpinned actions (@main/@master), curl \| bash in run steps, script injection via ${{ github.event.* }}, hardcoded credentials |
| CloudFormation | Publicly accessible RDS, public S3 ACLs, wildcard IAM actions, missing DeletionPolicy, disabled storage encryption |
| Ansible | Privilege escalation (become: yes), no_log: false on secret tasks, hardcoded passwords, curl \| bash in shell tasks, disabled TLS validation |
Checkov integration
When checkov is installed, the scanner uses it for deep analysis:
pip install checkov
Without checkov, 50+ built-in pattern checks run across all 6 frameworks - zero additional dependencies required.
Dashboard panel
- KPI strip: Frameworks detected, Files scanned, Critical / High / Medium counts, Engine used
- Framework breakdown cards - click any card to filter findings by that framework
- Severity filter buttons (All / Critical / High / Medium / Low)
- Findings table: Severity badge, Framework, Check ID, Resource, File, Line, Description, Fix
- 5-step IaC remediation workflow guide
Full release history
| Version | Highlights |
|---|---|
| v6.0.0 | IaC Misconfiguration Scanner - 6 frameworks, 50+ checks, checkov integration |
| v5.0.0 | Expanded YARA library - 11 rule sets, 50+ rules (Cl0p, Play, Akira, RansomHub, LotL, credential harvesting, supply chain) |
| v4.0.0 | Dependency Vulnerability Scanner - OSV.dev, 7 ecosystems, CVSS scoring |
| v3.0.0 | Secrets Detection Engine - 60+ patterns, git history scan, entropy, blast radius |
| v2.0.0 | Threat Intelligence Dashboard, YARA scanner, enterprise prevention guide |
| v1.0.0 | Initial release - Semgrep, Docker sandbox, multi-LLM advisor, ransomware engine |
v5.0.0 - Expanded YARA Threat Library
5 new rule sets added. YARA coverage grows from 6 to 11 rule sets (23 → 50+ rules).
New Rule Sets
| File | Threats Covered | Rules |
|---|---|---|
| clop.yar | Cl0p ransomware ransom notes, MOVEit exploitation (CVE-2023-34362), GoAnywhere exploitation (CVE-2023-0669), defence evasion | 4 |
| emerging_ransomware.yar | Play, Akira, RansomHub, Black Basta, Hunters International - all active 2024-2025 | 5 |
| lotl_techniques.yar | certutil download/encode, mshta remote HTA, regsvr32 Squiblydoo, wscript/cscript abuse, bitsadmin, PowerShell download cradles, rundll32 LOLBAS | 7 |
| credential_harvesting.yar | Browser credential DB theft (Chrome/Edge/Firefox), DPAPI master key extraction, SAM/NTDS dump, Kerberoasting + AS-REP Roasting, LSA secrets, cloud credential theft (AWS/Azure/GCP/K8s) | 6 |
| supply_chain_attacks.yar | Dependency confusion (PyPI/npm), CI/CD pipeline tampering (GitHub Actions/GitLab CI/Jenkins), malicious npm postinstall hooks, malicious PyPI setup.py, Git submodule tampering, poisoned Docker images | 6 |
Full YARA Rule Set Inventory (v5.0.0)
| File | Coverage |
|---|---|
| ransomware_common.yar | Generic ransomware: file extension change, ransom notes, VSS deletion, CryptoAPI |
| lockbit.yar | LockBit 3.0: ransom note format, dropper anti-analysis, defence evasion |
| blackcat_alphv.yar | BlackCat/ALPHV: Rust binary markers, config JSON, ESXi targeting |
| apt_lateral_movement.yar | Mimikatz, LSASS dump, WMI lateral movement, AD recon, scheduled task persistence |
| data_exfiltration.yar | Rclone cloud exfil, cURL upload, FTP staging, 7-Zip data archiving |
| backup_tampering.yar | Veeam service stop, Windows Backup deletion, agent process kill, NAS share deletion |
| clop.yar | Cl0p ransom notes, MOVEit/GoAnywhere exploitation, defence evasion |
| emerging_ransomware.yar | Play, Akira, RansomHub, Black Basta, Hunters International |
| lotl_techniques.yar | certutil, mshta, regsvr32, wscript/cscript, bitsadmin, PowerShell cradles, rundll32 |
| credential_harvesting.yar | Browser creds, DPAPI, SAM/NTDS, Kerberoasting, LSA secrets, cloud credentials |
| supply_chain_attacks.yar | Dependency confusion, CI/CD tampering, malicious packages, Docker poisoning |
Total: 11 rule sets - 50+ rules
v4.0.0 - Dependency Vulnerability Scanner
Dependency Vulnerability Scanner
Every third-party package is a potential supply chain risk. SecureScope now queries OSV.dev - Google's open vulnerability database - for every dependency found in your repository. No API key required.
What's New
- Auto-discovery - finds all package manifests automatically, no configuration needed
- 7 ecosystems - PyPI, npm, Go, Maven, RubyGems, Cargo, Packagist
- OSV.dev batch API - efficient bulk CVE lookup for every pinned dependency
- CVSS scoring - Critical / High / Medium / Low severity with numeric score
- Fixed version - every finding shows the exact version to upgrade to
- Integrated into main scan - runs automatically on every repo scan alongside SAST, secrets, and ransomware
- Standalone dashboard panel - scan any repo or local path independently
Supported Manifest Files
| Ecosystem | Files |
|---|---|
| PyPI (Python) | requirements.txt, requirements-dev.txt, requirements-test.txt |
| npm (Node.js) | package.json, package-lock.json |
| Go | go.mod |
| Maven (Java) | pom.xml |
| RubyGems | Gemfile.lock |
| Cargo (Rust) | Cargo.lock |
| Packagist (PHP) | composer.json |
Why Dependency Scanning?
Log4Shell, XZ Utils backdoor, event-stream - the biggest breaches of recent years weren't code bugs, they were vulnerable or malicious dependencies. OSV.dev aggregates CVEs from GitHub Advisory, NVD, and ecosystem-specific databases into a single queryable API.
Built by Omar Rao - Engineer, Data Resilience, Cybersecurity and Privacy
v3.0.0 - Secrets Detection Engine
Secrets Detection Engine
The most critical capability for any organisation - a hardcoded secret is the breach.
What's New
- 60+ regex patterns across 10 provider categories (Cloud, AI/ML, Version Control, Payment, Communications, Cryptographic Keys, Database, Generic)
- Git history scan - catches secrets deleted from HEAD that still live in every past commit and every clone
- Shannon entropy analysis (4.6 bits-per-character threshold) - detects generic secrets with no known pattern
- Blast radius assessment - every finding explains exactly what an attacker gains
- Secret redaction - only first 6 chars shown, full values never stored
- Integrated into main scan pipeline - runs automatically on every repo scan
- Standalone dashboard panel - scan any path or GitHub URL independently
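As an added example, not SecureScope's own code, the entropy threshold and redaction rule described above, applied to a constructed source snippet. The candidate-token regex and the sample values are assumptions made here; the 4.6 bits-per-character threshold and the first-6-characters redaction come from the release notes.

```python
import math
import re

# Added example, not SecureScope's own code: Shannon-entropy detection of generic
# secrets at the 4.6 bits-per-character threshold, with redaction to the first
# 6 characters. The candidate regex and the sample source are constructed here.

ENTROPY_THRESHOLD_BPC = 4.6
# Candidate tokens: runs of 20+ base64/hex/identifier-style characters.
CANDIDATE = re.compile(r'[A-Za-z0-9+/=_\-]{20,}')

def shannon_entropy_bpc(s: str) -> float:
    """Shannon entropy of the character distribution, in bits per character.
    A token of n distinct characters reaches at most log2(n) bpc, so short
    tokens cannot cross 4.6 even when random: 2**4.6 is about 24 distinct symbols."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def redact(secret: str, keep: int = 6) -> str:
    """Show only the first `keep` characters; the full value is never returned
    or stored, and the length is not revealed either."""
    return secret[:keep] + "..."

def find_high_entropy_tokens(text: str, threshold: float = ENTROPY_THRESHOLD_BPC) -> list:
    """Return redacted findings for every candidate token at or above the threshold."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in CANDIDATE.finditer(line):
            bpc = shannon_entropy_bpc(m.group(0))
            if bpc >= threshold:
                findings.append({"line": lineno, "entropy_bpc": round(bpc, 2),
                                 "redacted": redact(m.group(0))})
    return findings

# Constructed sample: a low-entropy placeholder and a 32-character token made
# of 32 distinct characters (entropy exactly log2(32) = 5.0 bpc).
SAMPLE_SOURCE = """\
DB_PASSWORD = "changeme_changeme_changeme"
API_TOKEN = "aK3xM9zQ7bP2vL5nR8tW1yH4dF6jG0sC"
ALLOWED_HOSTS = "internal.example.test"
"""
```

find_high_entropy_tokens(SAMPLE_SOURCE) reports only line 2, redacted to aK3xM9..., while the repetitive placeholder on line 1 scores about 2.9 bpc and is ignored.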
Pattern Coverage
| Category | Providers |
|---|---|
| Cloud | AWS, Azure, GCP, DigitalOcean |
| AI / ML | Anthropic, OpenAI, Groq, HuggingFace, Cohere |
| Version Control | GitHub (5 token types), GitLab |
| Payment | Stripe, Square, Braintree |
| Communications | Slack (4 types), Twilio, SendGrid, Mailgun |
| Cryptographic Keys | RSA, EC, OpenSSH, PGP, PKCS#8, JWT |
| Database | MongoDB, PostgreSQL, MySQL, Redis |
| Generic | Hardcoded passwords, Bearer tokens, Basic Auth URLs |
Why Secrets Detection?
Every other vulnerability class requires exploitation. A hardcoded secret is already a breach - an attacker finds it, uses it, and they are authenticated and invisible in your logs within seconds.
v2.0.0 - Threat Intelligence Dashboard
What's New in v2.0.0
Threat Intelligence Dashboard
- Live Threat Feed - 26 tracked threat actors including LockBit 3.0, BlackCat/ALPHV, Cl0p, Scattered Spider, Volt Typhoon, APT29/Cozy Bear, and more. Auto-refreshes every 60 seconds.
- Top 10 Active Variants - 90-day rolling ranking of most active ransomware and APT variants with detection trends and severity ratings.
- YARA Rule Engine - Scan backups and infrastructure against 6 predefined rule sets (23 rules total): Ransomware Common, LockBit, BlackCat/ALPHV, APT Lateral Movement, Data Exfiltration, Backup Tampering. Real-time streaming progress via WebSocket.
- Enterprise Prevention Guide - Tabbed best-practice cards for Ransomware, APT, Data Exfiltration, and General hardening - each with difficulty ratings and actionable steps.
- Data Protection & Resilience - Visual 3-2-1-1-0 backup rule guide, immutability recommendations, air-gap strategy, and interactive DR testing checklist (state persists in localStorage).
Code Quality
- All Python modules fully documented with module, class, and function docstrings
- All YARA rule files have header comment blocks explaining threat coverage
- Graceful degradation: YARA scanner works without the yara-python package installed
Previous Releases
- v1.0.0 - Ransomware Intelligence Engine (blast radius, APT attribution, family profiling, global impact map)