Releases: OmarRao/secure-scope

v8.0.0 — Slack/Teams, GitHub Issues, DAST, Scorecard, License, Supply Chain, PR Diff, Trend, False Positive Suppression

@OmarRao OmarRao released this 24 Jun 14:11

What's New in v8.0.0

Notification Integrations

  • Slack — post scan summaries to channels via incoming webhooks (--slack-webhook)
  • Microsoft Teams — adaptive card summaries (--teams-webhook)
  • GitHub Issues — auto-create labelled, deduplicated issues for ERROR findings (--create-issues)

Advanced Scanning

  • OpenSSF Scorecard — repo security scorecard via CLI or public REST API (--scorecard)
  • DAST — Nuclei + OWASP ZAP baseline scanning against live URLs (--dast-url)
  • License Compliance — classify dependency licenses by copyleft risk (--license-scan)
  • Supply Chain — dependency confusion + typosquatting detection (--supply-chain)
  • PR Diff Mode — scan only changed files vs base branch, ideal for CI (--pr-diff)

Workflow and Reporting

  • Trend Tracking — SVG sparkline of findings over time appended to trend.jsonl
  • False Positive Suppression — accept-risk workflow with .secscope-suppressions.json
  • GitHub Actions CI — .github/workflows/secscope.yml self-scans on push and uploads SARIF
  • UI — new /api/trend and /api/suppress REST endpoints; all new options in the scan wizard

v7.0.0 - SARIF, Trivy, SBOM, Compliance, Multi-Repo, Webhook

@OmarRao OmarRao released this 23 Jun 20:28

What's New in v7.0.0

SARIF 2.1.0 Export (--sarif)

Produces a SARIF file compatible with the GitHub Code Scanning API and GitHub Security tab.

Trivy Container Scanning (--image )

Runs Trivy against a Docker image and Dockerfiles in the repo.

CycloneDX SBOM (--sbom)

Generates a CycloneDX 1.4 JSON SBOM from dependency scan results.

Compliance Posture Report (--compliance)

Maps each CWE finding to PCI DSS v4.0, NIST SP 800-53 Rev 5, OWASP Top 10, and SANS/CWE Top 25.

Multi-Repo Scanning

Scan multiple repos with --repos or --repos-file.

GitHub Webhook Trigger

Run as a persistent server: python main.py --webhook --port 8080

v6.2.0 - Complete Security Report

@OmarRao OmarRao released this 22 Jun 12:11

What's New

Report Completeness

SecureScope now renders all four scan results in the generated HTML report:

  • Secrets Detection - full findings table with severity, category, description, blast radius, file, and line number. Click any row to expand blast radius detail.
  • Dependency Vulnerabilities - CVE table with severity, ecosystem, package name, vulnerability ID/summary, installed version, and fixed version. Click to expand CVSS score and aliases.
  • IaC Misconfigurations - previously added in v6.1.0, now properly linked from the nav sidebar.

Navigation Sidebar

Added nav items with live finding counts for Secrets, Dep. Vulns, and IaC Misconfigs - badges turn red when critical findings are present.

Bug Fixes

  • Removed broken docs/screenshots/07_secrets_scanner.png reference from README

Full Changelog

  • ui/templates/report.html - Secrets and Deps sections, nav sidebar fix
  • README.md - version bump, releases table updated, broken image removed

v6.1.0 - IaC Scanner: Helm support, false positive fixes, report integration

@OmarRao OmarRao released this 19 Jun 15:39

Patch release resolving all known gaps identified after v6.0.0.


Bug fixes

Issue | Fix
Helm charts silently skipped | Added _check_helm() - scans Chart.yaml (deprecated apiVersion, missing appVersion) and values.yaml (hardcoded secrets, privileged: true, :latest image tag)
Terraform false positives on password = | Pattern now excludes var.*, data.*, local.*, module.* references - only flags literal hardcoded strings
Checkov framework field showed raw extension (tf, yml) | Mapped check_type strings to proper framework names (terraform, kubernetes, etc.)
Duplicate findings for repeated patterns in same file | Added deduplication by (check_id, file_path, line)
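As an added illustration of the two fixes in the table above (the reference-aware password pattern and the (check_id, file_path, line) deduplication key), here is example code written for these notes, not SecureScope's own implementation; the regex patterns, the TF_PASSWORD_LITERAL check id, the treatment of "${var.x}" interpolations as references, and the sample main.tf are all constructed here.

```python
import re
from collections import namedtuple

# Two overlapping patterns feed one check: plain `password =` and the RDS
# `master_password =`. A value is either a quoted literal or a bare reference token.
PATTERNS = [
    re.compile(r'password\s*=\s*("[^"]*"|[\w.\[\]-]+)'),
    re.compile(r'master_password\s*=\s*("[^"]*"|[\w.\[\]-]+)'),
]
REFERENCE_PREFIXES = ("var.", "data.", "local.", "module.")
CHECK_ID = "TF_PASSWORD_LITERAL"  # placeholder id, not a real SecureScope check number
Finding = namedtuple("Finding", "check_id file_path line value")

def is_literal_password(value: str) -> bool:
    """Flag only a quoted literal; var./data./local./module. references are not findings."""
    if value.startswith(REFERENCE_PREFIXES):
        return False
    # Assumption: a string that interpolates a reference ("${var.x}") counts as a reference.
    return value.startswith('"') and "${" not in value

def scan_terraform(file_path: str, text: str) -> list:
    """Raw scan: overlapping patterns can emit one (check_id, file_path, line) twice."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for pattern in PATTERNS:
            for m in pattern.finditer(line):
                if is_literal_password(m.group(1)):
                    findings.append(Finding(CHECK_ID, file_path, lineno, m.group(1)))
    return findings

def dedupe(findings: list) -> list:
    """Keep the first finding per (check_id, file_path, line), preserving order."""
    seen, unique = set(), []
    for f in findings:
        key = (f.check_id, f.file_path, f.line)
        if key not in seen:
            seen.add(key)
            unique.append(f)
    return unique

# Constructed sample: only lines 3 and 7 hold a literal password.
SAMPLE_TF = """\
resource "aws_db_instance" "db" {
  password        = var.db_password
  master_password = "Sup3rSecret!"
}
locals { admin_password = local.generated }
module "x" { password = "${var.pw}" }
variable "admin" { default = { password = "hunter2" } }
"""
```

Running scan_terraform("main.tf", SAMPLE_TF) yields three raw findings (line 3 twice, line 7 once); dedupe() collapses them to two.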

New checks

ID | Framework | Severity | What's detected
TF015 | Terraform | CRITICAL | secret_key hardcoded (not via var.*)
TF016 | Terraform | MEDIUM | S3 bucket versioning disabled - ransomware risk
TF017 | Terraform | CRITICAL | SSH (22) or RDP (3389) open to 0.0.0.0/0
TF018 | Terraform | HIGH | CloudTrail logging disabled
TF019 | Terraform | HIGH | MFA delete disabled on S3 bucket
K8S014 | Kubernetes | MEDIUM | Missing NetworkPolicy - default allow-all pod traffic
K8S015 | Kubernetes | HIGH | hostPath volume mount - container can read host filesystem
HELM001 | Helm | LOW | Chart.yaml missing appVersion
HELM002 | Helm | LOW | Deprecated Helm API version v1
HELM003 | Helm | CRITICAL | Hardcoded secret in values.yaml
HELM004 | Helm | CRITICAL | privileged: true in Helm values
HELM005 | Helm | MEDIUM | Image tag :latest in Helm values

Report integration

  • IaC section added to report.html - renders in every scan report
  • 6-KPI strip: Files Scanned, Frameworks, Critical, High, Medium, Engine
  • Collapsible findings table - click any row to expand fix details and resource name
  • Handles empty (no findings) and unavailable (scan not run) states

v6.0.0 - IaC Misconfiguration Scanner

@OmarRao OmarRao released this 18 Jun 15:30

Detect cloud and container misconfigurations before they reach production. Scans Terraform, Kubernetes, Dockerfiles, GitHub Actions workflows, CloudFormation templates, and Ansible playbooks - integrated into every repo scan and available as a standalone dashboard panel.


What's scanned

Framework | Key Checks
Terraform | Public S3 buckets, open security groups (0.0.0.0/0), publicly accessible RDS, wildcard IAM ("Action": "*"), disabled encryption, hardcoded credentials, no deletion protection
Kubernetes | Privileged containers, hostNetwork/PID/IPC, allowPrivilegeEscalation, root UID, wildcard RBAC verbs, :latest image tags, missing resource limits, auto-mounted service account tokens
Dockerfile | No USER (runs as root), ADD instead of COPY, :latest base image, hardcoded secrets in ENV/ARG, curl | bash in RUN, --privileged flag, missing HEALTHCHECK
GitHub Actions | write-all permissions, pull_request_target misuse, unpinned actions (@main/@master), curl | bash in run steps, script injection via ${{ github.event.* }}, hardcoded credentials
CloudFormation | Publicly accessible RDS, public S3 ACLs, wildcard IAM actions, missing DeletionPolicy, disabled storage encryption
Ansible | Privilege escalation (become: yes), no_log: false on secret tasks, hardcoded passwords, curl | bash in shell tasks, disabled TLS validation

Checkov integration

When checkov is installed, the scanner uses it for deep analysis:

pip install checkov

Without checkov, 50+ built-in pattern checks run across all 6 frameworks - zero additional dependencies required.


Dashboard panel

  • KPI strip: Frameworks detected, Files scanned, Critical / High / Medium counts, Engine used
  • Framework breakdown cards - click any card to filter findings by that framework
  • Severity filter buttons (All / Critical / High / Medium / Low)
  • Findings table: Severity badge, Framework, Check ID, Resource, File, Line, Description, Fix
  • 5-step IaC remediation workflow guide

Full release history

Version | Highlights
v6.0.0 | IaC Misconfiguration Scanner - 6 frameworks, 50+ checks, checkov integration
v5.0.0 | Expanded YARA library - 11 rule sets, 50+ rules (Cl0p, Play, Akira, RansomHub, LotL, credential harvesting, supply chain)
v4.0.0 | Dependency Vulnerability Scanner - OSV.dev, 7 ecosystems, CVSS scoring
v3.0.0 | Secrets Detection Engine - 60+ patterns, git history scan, entropy, blast radius
v2.0.0 | Threat Intelligence Dashboard, YARA scanner, enterprise prevention guide
v1.0.0 | Initial release - Semgrep, Docker sandbox, multi-LLM advisor, ransomware engine

v5.0.0 - Expanded YARA Threat Library

@OmarRao OmarRao released this 17 Jun 14:53

v5.0.0 - Expanded YARA Threat Library

5 new rule sets added. YARA coverage grows from 6 to 11 rule sets (23 → 50+ rules).


New Rule Sets

File | Threats Covered | Rules
clop.yar | Cl0p ransomware ransom notes, MOVEit exploitation (CVE-2023-34362), GoAnywhere exploitation (CVE-2023-0669), defence evasion | 4
emerging_ransomware.yar | Play, Akira, RansomHub, Black Basta, Hunters International - all active 2024-2025 | 5
lotl_techniques.yar | certutil download/encode, mshta remote HTA, regsvr32 Squiblydoo, wscript/cscript abuse, bitsadmin, PowerShell download cradles, rundll32 LOLBAS | 7
credential_harvesting.yar | Browser credential DB theft (Chrome/Edge/Firefox), DPAPI master key extraction, SAM/NTDS dump, Kerberoasting + AS-REP Roasting, LSA secrets, cloud credential theft (AWS/Azure/GCP/K8s) | 6
supply_chain_attacks.yar | Dependency confusion (PyPI/npm), CI/CD pipeline tampering (GitHub Actions/GitLab CI/Jenkins), malicious npm postinstall hooks, malicious PyPI setup.py, Git submodule tampering, poisoned Docker images | 6

Full YARA Rule Set Inventory (v5.0.0)

File | Coverage
ransomware_common.yar | Generic ransomware: file extension change, ransom notes, VSS deletion, CryptoAPI
lockbit.yar | LockBit 3.0: ransom note format, dropper anti-analysis, defence evasion
blackcat_alphv.yar | BlackCat/ALPHV: Rust binary markers, config JSON, ESXi targeting
apt_lateral_movement.yar | Mimikatz, LSASS dump, WMI lateral movement, AD recon, scheduled task persistence
data_exfiltration.yar | Rclone cloud exfil, cURL upload, FTP staging, 7-Zip data archiving
backup_tampering.yar | Veeam service stop, Windows Backup deletion, agent process kill, NAS share deletion
clop.yar | Cl0p ransom notes, MOVEit/GoAnywhere exploitation, defence evasion
emerging_ransomware.yar | Play, Akira, RansomHub, Black Basta, Hunters International
lotl_techniques.yar | certutil, mshta, regsvr32, wscript/cscript, bitsadmin, PowerShell cradles, rundll32
credential_harvesting.yar | Browser creds, DPAPI, SAM/NTDS, Kerberoasting, LSA secrets, cloud credentials
supply_chain_attacks.yar | Dependency confusion, CI/CD tampering, malicious packages, Docker poisoning

Total: 11 rule sets - 50+ rules

v4.0.0 - Dependency Vulnerability Scanner

@OmarRao OmarRao released this 17 Jun 14:44

Dependency Vulnerability Scanner

Every third-party package is a potential supply chain risk. SecureScope now queries OSV.dev - Google's open vulnerability database - for every dependency found in your repository. No API key required.

What's New

  • Auto-discovery - finds all package manifests automatically, no configuration needed
  • 7 ecosystems - PyPI, npm, Go, Maven, RubyGems, Cargo, Packagist
  • OSV.dev batch API - efficient bulk CVE lookup for every pinned dependency
  • CVSS scoring - Critical / High / Medium / Low severity with numeric score
  • Fixed version - every finding shows the exact version to upgrade to
  • Integrated into main scan - runs automatically on every repo scan alongside SAST, secrets, and ransomware
  • Standalone dashboard panel - scan any repo or local path independently

Supported Manifest Files

Ecosystem | Files
PyPI (Python) | requirements.txt, requirements-dev.txt, requirements-test.txt
npm (Node.js) | package.json, package-lock.json
Go | go.mod
Maven (Java) | pom.xml
RubyGems | Gemfile.lock
Cargo (Rust) | Cargo.lock
Packagist (PHP) | composer.json

Why Dependency Scanning?

Log4Shell, the XZ Utils backdoor, event-stream: the biggest breaches of recent years weren't bugs in first-party code; they were vulnerable or malicious dependencies. OSV.dev aggregates CVEs from GitHub Advisory, NVD, and ecosystem-specific databases into a single queryable API.


Built by Omar Rao - Engineer, Data Resilience, Cybersecurity and Privacy

v3.0.0 - Secrets Detection Engine

@OmarRao OmarRao released this 16 Jun 16:33

Secrets Detection Engine

The most critical capability for any organisation - a hardcoded secret is the breach.

What's New

  • 60+ regex patterns across 10 provider categories (Cloud, AI/ML, Version Control, Payment, Communications, Cryptographic Keys, Database, Generic)
  • Git history scan - catches secrets deleted from HEAD that still live in every past commit and every clone
  • Shannon entropy analysis (4.6 bpc threshold) - detects generic secrets with no known pattern
  • Blast radius assessment - every finding explains exactly what an attacker gains
  • Secret redaction - only first 6 chars shown, full values never stored
  • Integrated into main scan pipeline - runs automatically on every repo scan
  • Standalone dashboard panel - scan any path or GitHub URL independently
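An added example of the entropy threshold and redaction rules listed above (example code written for these notes, not the project's own); the token character class, the 20-character minimum token length and the sample .env lines are assumptions made for the illustration.

```python
import math
import re

ENTROPY_THRESHOLD_BPC = 4.6  # bits per character, the threshold the v3.0.0 notes cite
MIN_TOKEN_LENGTH = 20        # assumption: shorter tokens are too noisy to judge by entropy
REDACT_VISIBLE_CHARS = 6     # "only first 6 chars shown"

# Candidate tokens: runs of base64/hex-style characters (constructed heuristic).
_TOKEN = re.compile(r"[A-Za-z0-9+/_\-]{%d,}" % MIN_TOKEN_LENGTH)

def shannon_entropy(s: str) -> float:
    """Shannon entropy in bits per character over the token's own symbol frequencies."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def redact(secret: str) -> str:
    """Keep the first 6 characters; the rest is masked so the full value is never stored."""
    return secret[:REDACT_VISIBLE_CHARS] + "*" * max(0, len(secret) - REDACT_VISIBLE_CHARS)

def find_high_entropy_tokens(text: str) -> list:
    """Return redacted findings for tokens at or above the entropy threshold."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in _TOKEN.finditer(line):
            token = m.group(0)
            bpc = shannon_entropy(token)
            if bpc >= ENTROPY_THRESHOLD_BPC:
                findings.append({"line": lineno, "entropy": round(bpc, 2), "redacted": redact(token)})
    return findings

# Constructed sample .env: a 32-char token with 32 distinct symbols (5.0 bpc), a long
# identifier (about 3.9 bpc, below threshold) and a repeated-character placeholder (0 bpc).
SAMPLE_ENV = (
    "DB_HOST=db.internal.example.com\n"
    "API_TOKEN=gK9vZ2qP7xR4wT1yU8sB3nM6cJ0hL5dF\n"
    "MAX_RETRY_BACKOFF_SECONDS=30\n"
    "PLACEHOLDER=" + "x" * 40 + "\n"
)

if __name__ == "__main__":
    for f in find_high_entropy_tokens(SAMPLE_ENV):
        print(f)  # line 2 only: entropy 5.0, redacted 'gK9vZ2' followed by 26 '*'
```

Only the API_TOKEN value is reported; the long identifier and the placeholder fall below the 4.6 bpc threshold, which is what keeps this check from drowning the pattern-based findings in noise.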

Pattern Coverage

Category | Providers
Cloud | AWS, Azure, GCP, DigitalOcean
AI / ML | Anthropic, OpenAI, Groq, HuggingFace, Cohere
Version Control | GitHub (5 token types), GitLab
Payment | Stripe, Square, Braintree
Communications | Slack (4 types), Twilio, SendGrid, Mailgun
Cryptographic Keys | RSA, EC, OpenSSH, PGP, PKCS#8, JWT
Database | MongoDB, PostgreSQL, MySQL, Redis
Generic | Hardcoded passwords, Bearer tokens, Basic Auth URLs

Why Secrets Detection?

Every other vulnerability class requires exploitation. A hardcoded secret is already a breach: an attacker finds it, uses it, and is authenticated and invisible in your logs within seconds.


v2.0.0 - Threat Intelligence Dashboard

@OmarRao OmarRao released this 12 Jun 17:10

What's New in v2.0.0

Threat Intelligence Dashboard

  • Live Threat Feed - 26 tracked threat actors including LockBit 3.0, BlackCat/ALPHV, Cl0p, Scattered Spider, Volt Typhoon, APT29/Cozy Bear, and more. Auto-refreshes every 60 seconds.
  • Top 10 Active Variants - 90-day rolling ranking of most active ransomware and APT variants with detection trends and severity ratings.
  • YARA Rule Engine - Scan backups and infrastructure against 6 predefined rule sets (23 rules total): Ransomware Common, LockBit, BlackCat/ALPHV, APT Lateral Movement, Data Exfiltration, Backup Tampering. Real-time streaming progress via WebSocket.
  • Enterprise Prevention Guide - Tabbed best-practice cards for Ransomware, APT, Data Exfiltration, and General hardening - each with difficulty ratings and actionable steps.
  • Data Protection & Resilience - Visual 3-2-1-1-0 backup rule guide, immutability recommendations, air-gap strategy, and interactive DR testing checklist (state persists in localStorage).

Code Quality

  • All Python modules fully documented with module, class, and function docstrings
  • All YARA rule files have header comment blocks explaining threat coverage
  • Graceful degradation: YARA scanner works without the yara-python package installed

Previous Releases

  • v1.0.0 - Ransomware Intelligence Engine (blast radius, APT attribution, family profiling, global impact map)