betterscan: code analysis & automation platform
betterscan-ce
Betterscan is a code, Infrastructure as Code (IaC) and cloud-native scanning/SAST/static analysis/linting solution that runs many tools/scanners and produces one report. You can also add any tool to it. It currently supports many languages and tech stacks.
Under the hood
Bandit, Brakeman, gostaticcheck, semgrep, njsscan, log4shell via a custom semgrep rule, kubescape, graudit, flawfinder, find sec bugs, eslint, tfsec and others. Some were modified. See LICENSE for licensing and acknowledgements.
Major features
Betterscan uses static analysis (semantic and graph analysis) to find bugs and defects.
- Betterscan supports Cloud-native and Infrastructure Scanning
- Betterscan supports secrets Scanning (166+ secret types)
- Betterscan scans for 4,000 rules for Antidebug, Antivm, Crypto, CVE, Exploits Kits, Malware and Web shells, APTs
- Betterscan can be extended with any tool producing JSON output (any binary, in any technology/language/product)
- Betterscan is open source
- Betterscan supports scanning only changed files (differential analysis). You can store state in a database (PostgreSQL, MySQL/MariaDB, Oracle, Microsoft SQL Server) or in your Git repo.
- Outputs in CLI, HTML, SARIF, JSON
- Betterscan combines many tools, semgrep among them, adding up to 6,300+ checks
Betterscan is based on QuantifiedCode. It is available as a CLI (run it as a command and get output in the terminal, or as HTML or SARIF).
Currently supports: PHP, Java, Scala, Python, Perl, Ruby, C, C++, Swift, Kotlin, Apex (Salesforce), Go, Infrastructure as Code (IaC) security and best practices (Docker, Kubernetes (k8s), Terraform AWS, GCP, Azure), secret scanning (166+ secret types), Trojan Source, open source and proprietary checks (ca. 6,000+ checks in total). Checks for misconfigurations across all major (and some minor) cloud providers (AWS Checks, Azure Checks, GCP Checks, CloudStack Checks, DigitalOcean Checks, GitHub Checks, Kubernetes Checks, OpenStack Checks, Oracle Checks)
Advantages:
- Many tools, one report (unification)
- Dismiss and collaborate on findings. Mark false positives
- Enable/disable each individual check in Checkers
- ca. 6,300+ checks now (linters, static code analysis/code scanning, and ca. 4,000 YARA binary-matching/textual-matching rules for Antidebug, Antivm, Crypto, CVE, Exploit Kits, Malware and Web shells, APTs)
- Any tool outputting JSON can be added
- Fast (checks only new code on recheck)
- You can store state in a database (PostgreSQL, MySQL/MariaDB, Oracle, Microsoft SQL Server) or in your Git repo.
- Outputs in CLI, HTML, SARIF, JSON.
- Git support (HTTPS/TLS and SSH). Private repositories require SSH.
- Swiss army knife tool/SIEM for code scanning
- 100% Code transparency & full control of your code
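As an added example (not Betterscan's own code), a small consumer for the SARIF output described above: it flattens several tool runs into one finding list, honours a reviewer's dismissal list for false positives, and shows where two tools flag the same line. The SARIF document is constructed inline; the tool names and rule ids are sample values.

```python
import json
from collections import defaultdict

# Constructed SARIF 2.1.0 document standing in for a unified report with
# two tool runs (sample findings, not real scan output).
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [
        {"tool": {"driver": {"name": "bandit"}},
         "results": [{"ruleId": "B105", "level": "warning",
                      "message": {"text": "Possible hardcoded password"},
                      "locations": [{"physicalLocation": {
                          "artifactLocation": {"uri": "app/config.py"},
                          "region": {"startLine": 12}}}]}]},
        {"tool": {"driver": {"name": "semgrep"}},
         "results": [
             {"ruleId": "hardcoded-password", "level": "error",
              "message": {"text": "Hardcoded password"},
              "locations": [{"physicalLocation": {
                  "artifactLocation": {"uri": "app/config.py"},
                  "region": {"startLine": 12}}}]},
             {"ruleId": "subprocess-shell", "level": "error",
              "message": {"text": "shell=True with untrusted input"},
              "locations": [{"physicalLocation": {
                  "artifactLocation": {"uri": "app/run.py"},
                  "region": {"startLine": 40}}}]}]},
    ],
})


def load_findings(sarif_text, dismissed=()):
    # Flatten every run into one list; a dismissal key is (file, line, ruleId)
    # so dismissing one tool's false positive keeps the other tool's hit.
    findings = []
    for run in json.loads(sarif_text)["runs"]:
        tool = run["tool"]["driver"]["name"]
        for res in run.get("results", []):
            loc = res["locations"][0]["physicalLocation"]
            key = (loc["artifactLocation"]["uri"],
                   loc["region"]["startLine"], res["ruleId"])
            if key in dismissed:
                continue
            findings.append({"tool": tool, "rule": res["ruleId"],
                             "level": res.get("level", "warning"),
                             "file": key[0], "line": key[1],
                             "text": res["message"]["text"]})
    return findings


def group_by_location(findings):
    # Unified view: one entry per (file, line) listing every tool that flagged it.
    grouped = defaultdict(list)
    for f in findings:
        grouped[(f["file"], f["line"])].append(f["tool"])
    return dict(grouped)
```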