First off, thanks for taking the time to contribute! As an open-source SAST tool, Auditor relies on the community to keep up with the ever-evolving landscape of security vulnerabilities.
By contributing to this project, you agree that your contributions will be licensed under the GNU GPL v3.
The most impactful way to contribute is by adding new vulnerability detection patterns in the rules/ directory.
- Identify a Sink: Find a dangerous function (e.g., `eval()`, `fs.writeFile()`).
- Define Taint Flow: Map out how user input (Sources) reaches that Sink.
- Test: Create a snippet in `test-snippets/` to verify your rule triggers correctly.
If you're a fan of static analysis, help us build out the core logic in src/:
- Parser: Improve AST traversal for complex JavaScript patterns.
- Symbols: Help resolve aliased imports (like `const { exec: run } = require('child_process')`).
- Reporters: Add support for SARIF, JSON, or HTML output formats.
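A worked illustration of the Sink and Symbols items above (an added example, not Auditor's own engine code): without alias resolution, a rule naming `child_process.exec` never sees the call `run(cmd)`. The sink list, the ESTree-shaped node handling and the sample program below are all assumptions for the example.

```javascript
// Added example, not Auditor's own code: map aliases introduced by require()
// back to canonical "module.member" names, so a rule that lists
// child_process.exec as a sink still fires on run(...) after
// const { exec: run } = require('child_process'). Node shapes follow ESTree.
const SINKS = new Set(['child_process.exec', 'fs.writeFile']);
// Record alias -> canonical name for top-level `const x = require('m')`
// and `const { a: b } = require('m')` declarations.
function collectAliases(program) {
  const aliases = new Map();
  for (const stmt of program.body) {
    if (stmt.type !== 'VariableDeclaration') continue;
    for (const { id, init } of stmt.declarations) {
      if (!init || init.type !== 'CallExpression' || init.callee.name !== 'require') continue;
      const mod = init.arguments[0].value;
      if (id.type === 'Identifier') aliases.set(id.name, mod);
      else if (id.type === 'ObjectPattern')
        id.properties.forEach((p) => aliases.set(p.value.name, `${mod}.${p.key.name}`));
    }
  }
  return aliases;
}
// Resolve a callee to "module.member"; null when it cannot be named statically.
function canonicalCallee(callee, aliases) {
  const resolve = (n) => aliases.get(n) || n;
  if (callee.type === 'Identifier') return resolve(callee.name);
  if (callee.type === 'MemberExpression' && !callee.computed && callee.object.type === 'Identifier')
    return `${resolve(callee.object.name)}.${callee.property.name}`;
  return null;
}
// Canonical names of top-level calls that reach a known sink, in source order.
function findSinkCalls(program) {
  const aliases = collectAliases(program);
  return program.body
    .filter((s) => s.type === 'ExpressionStatement' && s.expression.type === 'CallExpression')
    .map((s) => canonicalCallee(s.expression.callee, aliases))
    .filter((name) => name && SINKS.has(name));
}
// Hand-constructed AST for: const { exec: run } = require('child_process');
// const fs = require('fs'); run(cmd); fs.writeFile(p, d); console.log('x');
const id = (name) => ({ type: 'Identifier', name });
const lit = (value) => ({ type: 'Literal', value });
const req = (m) => ({ type: 'CallExpression', callee: id('require'), arguments: [lit(m)] });
const member = (o, p) => ({ type: 'MemberExpression', object: id(o), property: id(p), computed: false });
const call = (callee, ...args) => ({ type: 'ExpressionStatement', expression: { type: 'CallExpression', callee, arguments: args } });
const SAMPLE_PROGRAM = { type: 'Program', body: [
  { type: 'VariableDeclaration', declarations: [{ id: { type: 'ObjectPattern', properties: [{ key: id('exec'), value: id('run') }] }, init: req('child_process') }] },
  { type: 'VariableDeclaration', declarations: [{ id: id('fs'), init: req('fs') }] },
  call(id('run'), id('cmd')), call(member('fs', 'writeFile'), id('p'), id('d')), call(member('console', 'log'), lit('x')),
] };
```

`findSinkCalls(SAMPLE_PROGRAM)` reports `child_process.exec` and `fs.writeFile` but not `console.log`; a real engine would also track reassignments and nested scopes, which this example deliberately leaves out.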
- Fork the repository and create your branch from `main`.
- Install dependencies: `npm install`.
- Run tests: `npm run test`.
- Commit your changes: Use descriptive commit messages (e.g., `feat: add rule for prototype pollution`).
- Submit a Pull Request: Explain why the change is necessary and include test snippets.
- Reciprocity: We believe in the "Give and Take" of Open Source. If you improve the detection logic or the engine, those improvements belong to the community.
- Clarity over Complexity: Rules should be readable and well-documented.
- False Positive Reduction: A security tool is only as good as its signal-to-noise ratio.
- Use CommonJS (as defined in `package.json`).
- Follow the existing directory structure:
  - `src/`: Engine logic.
  - `rules/`: YAML-based detection logic.
  - `signatures/`: Metadata for sources/sinks.
Questions? Feel free to open an Issue to discuss a new feature or rule before you start coding!