Skip to content

aliasgarabidsabunwala/secode

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

343 Commits
.github/ISSUE_TEMPLATE
.github/ISSUE_TEMPLATE
 
 
Code Analysis Results
Code Analysis Results
 
 
Non Vulnerable Programs
Non Vulnerable Programs
 
 
Secode Script
Secode Script
 
 
Vulnerable Test Programs
Vulnerable Test Programs
 
 
src
src
 
 
CODE_OF_CONDUCT.md
CODE_OF_CONDUCT.md
 
 
CONTRIBUTING.md
CONTRIBUTING.md
 
 
INSTALL.md
INSTALL.md
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
Ruleset.py
Ruleset.py
 
 
SECURITY.md
SECURITY.md
 
 

Repository files navigation

Secode

License Hits

  • Static Code Analyzer, analyzes your code, to find anomalies. Currently only limited to "Insecure Functions" in your code!
  • It doesn't stop there - as a precautionary measure, it provides you with safer function as an alternative - like instead of using strcpy() which is vulnerable to Buffer Overflow, it provides you with safer function as an alternative like lstrcy(), which is not vulnerable to Buffer Overflow, that you can implement on your code, to make it secure

How is it different?

  • Secode is powered by a stringent and comprehensive ruleset, that can detect vulnerabilities pretty easily, which will be updated regularly, as more vulnerabilities and exploits emerge
  • Secode enforces the concept of "Secure Coding" and "Secure Software Development Life Cycle (Secure SDLC)" which is now gaining much needed traction during the development process of any software

What does it scan on the code you provide?

Your Code Report provides you information about -

  • Hit count of vulnerable functions (total count)
  • Vulnerability at hand
  • CWE Number associated with it
  • A brief description about the vulnerability
  • Risk level of your code (graded from 1 - 5, on the severity basis)
  • Secure alternative(s) that you must use which are totally safe from exploits

Installation guide

Refer to the installation file for an in-depth walkthrough on how to install the tool, on your Linux distribution

Under the hood

  • More technically, Secode uses lexical scanning/analysis to find tokens (such as function names) that suggest likely vulnerabilities, estimates their level of risk (e.g., by the text of function calls), and reports the results
  • Secode does not use or have access to information about control flow, data flow, or data types
  • Thus, secode will necessarily produce many false positives for vulnerabilities and fail to report many vulnerabilities
  • On the other hand, secode can find vulnerabilities in programs that cannot be built or cannot be linked
  • Secode also doesn't get as confused by macro definitions and other oddities that more sophisticated tools have trouble with.

Roadmap

  • Dockerize it to provide support across all platforms
  • Extending Scanning functionalities within the tool to:
    1. Web Technologies like HTML, CSS, Js and PHP
    2. App Development languages like Java and Kotlin
  • GitHub Actions workflows Integration.

Contributions

We love contributions! For more information on contributing, please see the file here.

License

Secode is released under the GNU GPL license version 2 or later (GPL-2.0+). Please see this file for license information.

About

Static code analyzer for scanning insecure functions in the given c++ code.

Topics

python security c-plus-plus security-audit cpp static-code-analysis code-analysis python3 python-3 vulnerability-scanners security-tools

Resources

Readme

License

GPL-2.0 license

Code of conduct

Code of conduct

Security policy

Security policy
Activity

Stars

2 stars

Watchers

1 watching

Forks

0 forks
Report repository

Contributors 3

  •  
  •  
  •  

Languages