High-performance security analysis and vulnerability detection built with Rust
Features • Architecture • Installation • Usage • Integrations • License
Guardian is a high-performance security analysis tool designed to detect vulnerabilities in code before they reach production. Built with Rust for maximum performance and memory safety, Guardian provides real-time security feedback directly in your IDE, comprehensive vulnerability scanning based on OWASP Top 10, and intelligent auto-fix suggestions.
Guardian helps development teams:
- Identify security vulnerabilities early in the development process
- Reduce security debt by preventing new vulnerabilities
- Educate developers about secure coding practices
- Accelerate security reviews with automated scanning
- Enforce security policies across the organization
## Features

- Instant vulnerability detection as you code
- IDE integration with Visual Studio Code, JetBrains IDEs, and more
- Detailed explanations and security context for each finding
- Comprehensive detection of common security vulnerabilities
- Language-specific security rules for Java, JavaScript, Python, Ruby, Go, and more
- Custom rule creation for organization-specific security policies
- Third-party dependency vulnerability scanning
- Outdated package detection and update recommendations
- License compliance checking
- Intelligent code transformation suggestions for common vulnerabilities
- One-click fixes for simple security issues
- Educational explanations with each fix recommendation
## Architecture

Guardian follows a modular architecture designed for performance, extensibility, and accuracy:
- Parser Engine: Leverages tree-sitter for accurate and efficient code parsing
- Rule Engine: Evaluates parsed code against security rules
- Vulnerability Detector: Identifies security issues based on patterns and dataflow
- Fix Generator: Creates intelligent fix suggestions using templates and transformations
- IDE Integration: Provides real-time feedback through editor plugins
- CI/CD Integration: Enables automated scanning in continuous integration pipelines
## Installation

- Rust 1.70.0 or higher (for building from source)
- Git

```bash
cargo install guardian-scanner
```

From source:

```bash
git clone https://github.com/yourusername/guardian.git
cd guardian
cargo build --release
```

IDE plugins:

- VS Code: Install from VS Code Marketplace
- JetBrains IDEs: Install from JetBrains Marketplace
- Vim/Neovim: Install using your preferred plugin manager
## Usage

```bash
# Scan a single file
guardian scan path/to/file.js

# Scan a directory
guardian scan --recursive path/to/directory

# Scan with specific ruleset
guardian scan --ruleset owasp-top10 path/to/directory

# Output results in different formats
guardian scan --format json path/to/directory > results.json
```

Create a .guardian.yml file in your project root:
```yaml
# Guardian configuration
version: 1

# Specify which rules to include/exclude
rules:
  include:
    - owasp-top10
    - cwe-top25
  exclude:
    - SQL_INJECTION_PARAMETERIZED_QUERIES

# Configure severity thresholds
severity:
  fail_on: high

# Specify paths to ignore
ignore:
  - node_modules/
  - dist/
  - test/fixtures/
```

GitHub Actions workflow:

```yaml
name: Security Scan

on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]

jobs:
  security-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Run Guardian Security Scanner
        uses: guardian-security/guardian-action@v1
        with:
          fail_on: high
```

## Integrations

Guardian integrates seamlessly with your development workflow:
- Visual Studio Code
- JetBrains IDEs (IntelliJ, PyCharm, WebStorm, etc.)
- Vim/Neovim
- Emacs
- Sublime Text
- GitHub Actions
- GitLab CI
- Jenkins
- CircleCI
- Travis CI
- Jira
- GitHub Issues
- Linear
- Asana
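To make concrete how the `.guardian.yml` keys shown under Usage interact when a scan gates a pipeline (`rules.include`/`exclude`, `ignore` paths, and `severity.fail_on` read as "this severity or higher"), here is an added Python policy gate. It is not Guardian's own code: the severity ladder, the finding field names and the sample findings are assumptions constructed for the example, and the config is embedded in already-parsed form so no YAML library is required.

```python
import fnmatch

# Assumed severity ladder, lowest to highest; the README only mentions "high".
SEVERITY_ORDER = ["info", "low", "medium", "high", "critical"]

# The README's .guardian.yml in already-parsed form, so no YAML library is needed.
CONFIG = {
    "version": 1,
    "rules": {"include": ["owasp-top10", "cwe-top25"],
              "exclude": ["SQL_INJECTION_PARAMETERIZED_QUERIES"]},
    "severity": {"fail_on": "high"},
    "ignore": ["node_modules/", "dist/", "test/fixtures/"],
}

# Constructed sample findings; field names are assumptions, not Guardian's JSON schema.
FINDINGS = [
    {"rule": "SQL_INJECTION", "ruleset": "owasp-top10", "severity": "high", "path": "src/db.js"},
    {"rule": "SQL_INJECTION_PARAMETERIZED_QUERIES", "ruleset": "owasp-top10", "severity": "high", "path": "src/db.js"},
    {"rule": "XSS_REFLECTED", "ruleset": "owasp-top10", "severity": "critical", "path": "node_modules/lib/index.js"},
    {"rule": "WEAK_HASH", "ruleset": "cwe-top25", "severity": "medium", "path": "src/auth.py"},
]

def is_ignored(path, ignore_patterns):
    """A trailing '/' entry is a directory prefix; anything else is treated as a glob."""
    for pat in ignore_patterns:
        if pat.endswith("/"):
            if path.startswith(pat):
                return True
        elif fnmatch.fnmatch(path, pat):
            return True
    return False

def rule_enabled(finding, rules):
    """Keep a finding only if its ruleset is included and its rule id is not excluded."""
    if finding["ruleset"] not in rules.get("include", []):
        return False
    return finding["rule"] not in rules.get("exclude", [])

def applicable_findings(findings, config):
    """Apply rules.include/exclude and ignore paths; severity is handled by gate()."""
    return [f for f in findings
            if rule_enabled(f, config["rules"]) and not is_ignored(f["path"], config["ignore"])]

def gate(findings, config):
    """Return (exit_code, blocking): exit 1 when any applicable finding reaches severity.fail_on."""
    threshold = SEVERITY_ORDER.index(config["severity"]["fail_on"])
    blocking = [f for f in applicable_findings(findings, config)
                if SEVERITY_ORDER.index(f["severity"]) >= threshold]
    return (1 if blocking else 0), blocking
```

With the sample data, the excluded rule and the finding under `node_modules/` are dropped, the medium finding survives filtering but sits below `fail_on`, and only the high SQL injection finding blocks, so `gate()` returns exit code 1.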
Guardian includes rules for detecting various security vulnerabilities:
- Injection Flaws: SQL, NoSQL, OS Command, LDAP injection
- Authentication Issues: Broken authentication, session management
- Sensitive Data Exposure: Unencrypted data, hardcoded secrets
- XML External Entities (XXE): Unsafe XML processing
- Broken Access Control: Improper authorization checks
- Security Misconfiguration: Default credentials, error handling
- Cross-Site Scripting (XSS): Reflected, stored, and DOM-based XSS
- Insecure Deserialization: Unsafe object deserialization
- Using Components with Known Vulnerabilities: Outdated dependencies
- Insufficient Logging & Monitoring: Missing audit logs
We welcome contributions! Please see CONTRIBUTING.md for details.
## License

This project is licensed under the MIT License - see the LICENSE file for details.
- tree-sitter for efficient code parsing
- OWASP for security guidelines and best practices
- Rust Security Team for inspiration and guidance
