SCARF is an open-source SAST tool that harnesses the power of ChatGPT to automatically spot security vulnerabilities and conveniently export them in a report format.
SCARF is a utility that enables developers and security professionals to analyze source code for security vulnerabilities. This tool leverages the OpenAI GPT-3.5 Turbo model to provide detailed security analysis reports for your codebase.
Note: This is a learning project and does not represent my job responsibilities.
- GitHub Integration: Fetch code directly from your GitHub repositories for analysis.
- Security Analysis: Automatically identify and report security vulnerabilities in your code.
- Structured Reports: Generate downloadable PDF reports with vulnerability details, code snippets, and recommendations.
- Flexible Configuration: Customize analysis parameters and prompts for tailored results.
Before using the tool, make sure you have the following prerequisites installed:
- Python 3.x
- Django (for the backend server)
- OpenAI API Key
- Clone this repository to your local machine.
git clone https://github.com/uunibic/scarf.git
- Install the required packages.
pip3 install -r requirements.txt
- Create a .env file and set the environment variables.
GITHUB_TOKEN=<Your-Github-Token>
GITHUB_ORG_NAME=<Github-Org-Name>
OPENAI_API_KEY=<Your-OpenAI-API-Key>
- Apply migrations.
python3 manage.py makemigrations
python3 manage.py migrate
- Run the server.
python3 manage.py runserver
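A pre-flight check for the .env step above, written as an added example (it is not part of SCARF). It parses the file, confirms that the three variables the README names hold real values rather than the angle-bracket placeholders, and warns if the file is readable by other users, since it holds a GitHub token and an OpenAI key. The function names and the `.env` path default are assumptions.

```python
"""Pre-flight check for the SCARF .env file (added example, not project code).

Secret values are never echoed in the messages, only the key names.
"""
import stat
from pathlib import Path

# The three variables the README asks for (assumption: nothing else is required).
REQUIRED_KEYS = ("GITHUB_TOKEN", "GITHUB_ORG_NAME", "OPENAI_API_KEY")


def parse_dotenv(text: str) -> dict:
    """Parse KEY=VALUE lines; blank lines and '#' comments are ignored,
    surrounding single or double quotes are stripped from values."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        env[key.strip()] = value
    return env


def check_env_values(env: dict) -> list:
    """Return a list of problems with the parsed variables (empty = usable)."""
    problems = []
    for key in REQUIRED_KEYS:
        value = env.get(key, "")
        if not value:
            problems.append(f"{key} is missing or empty")
        elif value.startswith("<") and value.endswith(">"):
            problems.append(f"{key} still holds the placeholder from the README")
    return problems


def check_dotenv(path=".env") -> list:
    """Check file permissions and contents; never prints secret values."""
    path = Path(path)
    if not path.is_file():
        return [f"{path} does not exist"]
    problems = []
    mode = stat.S_IMODE(path.stat().st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(
            f"{path} is readable by group/others (mode {mode:o}); run chmod 600 {path}"
        )
    problems.extend(check_env_values(parse_dotenv(path.read_text())))
    return problems


if __name__ == "__main__":
    issues = check_dotenv()
    if issues:
        for issue in issues:
            print("PROBLEM:", issue)
    else:
        print(".env looks usable; start the server with python3 manage.py runserver")
```

Run it from the repository root before `python3 manage.py runserver`; a non-empty list means the server would start with a missing or placeholder credential.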
If you don't have Docker installed on your system, follow the official Docker installation guide.
- Start by cloning the repository:
$ git clone https://github.com/uunibic/scarf.git
- Build the Docker image:
$ docker build -t scarf --no-cache .
- Run the Docker container:
$ docker run --name scarf -d -p 8000:8000 scarf
The app is now available at http://127.0.0.1:8000
Click Here to View Sample PDF Report
- API Rate Limits: SCARF relies on the ChatGPT API, which is subject to rate limits and usage restrictions imposed by OpenAI. This means there may be limitations on the number of requests or tokens processed within a given timeframe.
- Dependence on External Service: SCARF's core functionality depends on the availability and reliability of the OpenAI API. Any downtime or changes to the API by OpenAI can impact the tool's performance.
- Cost Considerations: While SCARF is open-source, the use of the OpenAI API for extensive analysis can incur costs, especially for large-scale or frequent scanning of codebases.
- False Positives/Negatives: Like all automated analysis tools, SCARF may produce false positives (identifying vulnerabilities that are not real) or false negatives (missing actual vulnerabilities). Human review and validation of results are still essential.
- Limited to Code Analysis: SCARF primarily focuses on source code analysis for security vulnerabilities. It may not cover all aspects of security testing, such as runtime or environmental factors.
- Privacy Considerations: When using SCARF with code repositories, be mindful of potential privacy and security implications, especially when dealing with sensitive code or data.
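The privacy point above is concrete: every file SCARF analyzes is sent to a third-party API. The following is an added example (not SCARF's own code) of a pre-send filter a user could run over repository contents first: it skips files that exist only to hold secrets and scrubs credential assignments and PEM private-key blocks from everything else. The skip list, the regular expressions and the function names are assumptions chosen for illustration and will not catch every secret format.

```python
"""Scrub obvious credentials from source before it is sent to an external
analysis service (added example, not part of SCARF)."""
import re
from pathlib import PurePath

# Assumption: files like these hold nothing worth analyzing and must never leave the machine.
SKIP_NAMES = {".env", "id_rsa", "id_ed25519", "id_ecdsa"}
SKIP_SUFFIXES = {".pem", ".key", ".p12", ".pfx"}

# Assignments such as password = "hunter2", API_KEY: 'sk-...', db_token="..."
# Group 1 keeps the name and operator, group 2 the quote character.
_ASSIGNMENT = re.compile(
    r"""(?i)(\b\w*(?:password|passwd|secret|token|api[_-]?key)\w*\s*[:=]\s*)(["'])[^"']*\2"""
)
# PEM private-key blocks of any key type (RSA, EC, OPENSSH, PKCS#8 ...).
_PRIVATE_KEY = re.compile(
    r"-----BEGIN [A-Z ]*PRIVATE KEY-----.*?-----END [A-Z ]*PRIVATE KEY-----", re.S
)


def should_skip(path: str) -> bool:
    """True for files that should be excluded from analysis entirely."""
    p = PurePath(path)
    return p.name in SKIP_NAMES or p.suffix.lower() in SKIP_SUFFIXES


def redact_secrets(text: str) -> tuple:
    """Return (scrubbed_text, number_of_redactions) for one file's contents."""
    text, n_keys = _PRIVATE_KEY.subn("[REDACTED PRIVATE KEY]", text)
    text, n_values = _ASSIGNMENT.subn(r"\1\2[REDACTED]\2", text)
    return text, n_keys + n_values


def prepare_for_analysis(files: dict) -> dict:
    """Given {path: contents}, return the subset that may be sent, scrubbed.
    The count of redactions per file is kept so a reviewer can audit the run."""
    prepared = {}
    for path, contents in files.items():
        if should_skip(path):
            continue
        scrubbed, count = redact_secrets(contents)
        prepared[path] = {"contents": scrubbed, "redactions": count}
    return prepared


if __name__ == "__main__":
    # Constructed sample repository contents (not real credentials).
    sample_repo = {
        "config/.env": "OPENAI_API_KEY=sk-example\n",
        "app/settings.py": 'DB_PASSWORD = "hunter2"\nDEBUG = True\n',
        "certs/server.pem": "-----BEGIN PRIVATE KEY-----\nMIIE...\n-----END PRIVATE KEY-----\n",
    }
    for path, item in prepare_for_analysis(sample_repo).items():
        print(f"{path}: {item['redactions']} redaction(s)")
        print(item["contents"])
```

The filter deliberately over-redacts (any identifier containing `token` or `secret` is scrubbed), since a false redaction costs a little analysis quality while a missed secret cannot be recalled from a third-party service; the redaction count per file gives a reviewer something to check in the report.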
- Integration with Jenkins
- PDF Report Enhancement
- Implementing Authentication
I'm excited to have you on board to enhance this project! Since this is my initial foray into working with Django, I'm conscious there might be numerous oversights or areas needing refinement, so your expertise and corrections are pivotal. They not only shape this work but also fuel my learning curve, propelling me toward more ambitious projects. Rest assured, every contribution you make is deeply valued, and it undoubtedly helps make this community an extraordinary space for growth and inspiration.
Distributed under the MIT License. See LICENSE for more information.