Static Analyzer is a command-line tool that scans Go code repositories for common security vulnerabilities. It helps developers identify insecure coding patterns before they reach production, ensuring better security for Go applications.
- Repository Cloning: Automatically fetches and clones repositories from a specified GitHub user or organization, with the option to clone either the latest 10 repositories or all repositories.
- Code Analysis: Parses Go files to inspect their syntax trees for insecure patterns.
- Pattern Detection: Flags insecure code, including:
- Hardcoded Credentials: Detects suspicious string literals that may contain passwords, secrets, or API keys.
- Insecure HTTP URLs: Identifies unsafe HTTP URLs used in network requests.
- Command Injection: Flags usage of functions that may allow shell command injection.
-
Build the Analyzer: Compile the project to produce the binary:
go build -o static-analyzer
-
Get a GitHub Token: Create a personal access token from GitHub.
Make sure it's valid and has the necessary permissions, like
repo
scope for private repositories. Create a new token following these steps:- Go to your GitHub account settings.
- Navigate to "Developer Settings" → "Personal Access Tokens".
- Generate a new token with the required scopes.
-
Run the Analyzer: Execute the analyzer with the GitHub username and token:
./static-analyzer -org=<github-username> -token=<github-token> [-all]
Replace
<github-username>
with the GitHub username to analyze and<github-token>
with your access token. The-all
flag is optional and will clone all repositories if included. Otherwise, the analyzer will scan 10 most recently updated repos.Examples
To scan all repos:
./static-analyzer -org=my-github-org -token=ghp_xxxxxxx -all
To scan 10 most recently updated repos:
./static-analyzer -org=my-github-org -token=ghp_xxxxxxx
-
View the Report: The analyzer will output the findings to the console and log them to a file, listing insecure patterns found in the repositories.
Found issue in repo1/main.go at line 10: Potential hardcoded credentials
Found issue in repo2/server.go at line 24: Insecure HTTP URL detected
Found issue in repo3/utils.go at line 45: Potential command injection detected
You can clone this compromised repo to test the program: https://github.com/EpiXCoder/Compromised_Repo
go get github.com/go-git/go-git/v5
go get github.com/google/go-github/v41/github
go get golang.org/x/oauth2
- The static analyzer is currently set up to clone and analyze all repositories or just the most recent 10.
- The cloned repositories are saved in a timestamped folder to keep them organized.