01Overview
Static Application Security Testing (SAST) is a toolkit of self-contained, zero-dependency Python scanners that hunt source-code vulnerabilities across five language ecosystems - Java, PHP, Python, MERN/Node.js, and AI/LLM applications. Every scanner is a single .py file that runs on stock Python 3.8+ with no pip install, no agents, and no cloud back-end, so a security engineer can drop one file onto a build box or into a CI job and start scanning immediately.
Under the hood the toolkit ships roughly 257 regex-driven detection rules and 97 dependency-CVE signatures, all tagged with CWE identifiers and paired with concrete remediation advice. It goes beyond classic injection and crypto checks: the Java scanner unpacks WAR/JAR/EAR archives and flags Log4Shell, Spring4Shell, Struts and Shiro-550; the Python and MERN scanners cover framework misconfigurations and secrets; and a dedicated OWASP LLM Top 10 (2025) scanner catches modern AI failure modes like prompt injection, excessive agency (ShellTool / PythonREPLTool), unsafe LLM-output handling, and unbounded token consumption.
It is built for AppSec engineers, DevSecOps teams, and consultants who want a fast, auditable, dependency-free way to gate merges (exit code 1 on any CRITICAL/HIGH finding) and to bring both traditional and AI-era code under one consistent scanning model.
02Key Capabilities
Five-ecosystem SAST coverage
One toolkit scans Java, PHP, Python, MERN/Node.js (JS/TS), and AI/LLM code with language-specific rule sets rather than a lowest-common-denominator regex pass.
OWASP LLM Top 10 (2025) scanner
A dedicated engine maps 69 rules across all ten LLM categories - prompt injection, sensitive-info disclosure, supply chain, excessive agency, improper output handling, and unbounded consumption.
Dependency CVE / software-composition analysis
Parses pom.xml, build.gradle, package.json, requirements.txt, Pipfile, and pyproject.toml against 97 version-ranged CVE signatures including Log4Shell, Spring4Shell, Struts and Shiro-550.
AI / agentic-specific Python detections
Flags LangChain allow_dangerous_deserialization, ShellTool/PythonREPLTool, LLM output piped to eval/exec, and leaked sk- / cloud API keys that generic scanners miss.
Archive-aware Java scanning
Unpacks WAR/JAR/EAR archives to inspect nested JARs, pom.properties, web.xml servlet descriptors, and Spring Boot .properties/.yml misconfigurations.
Zero-dependency single-file design
Each scanner is one standalone Python file using only the standard library, so it drops into any build box, container, or air-gapped host with no install step.
CI/CD exit-code gating
Returns exit code 1 whenever a CRITICAL or HIGH finding is present, letting pipelines fail a build or block a merge automatically.
CWE-tagged findings with remediation
Every finding carries a CWE ID (53 distinct weaknesses covered), file/line reference, and specific fix guidance citing NIST SP 800-131A for cryptographic weaknesses where relevant.
Console + JSON reporting
Colour-coded ANSI severity console output plus machine-readable JSON (rule_id, name, category, severity, file, line, description, recommendation, cwe, cve) for pipeline consumption.
Config & secret misconfiguration checks
Dedicated rules for php.ini, .env files, and Spring Boot config catch exposed debug modes, wildcard CORS, weak secrets, and embedded database credentials.
Severity filtering
A shared --severity flag on every scanner shows only findings at or above CRITICAL/HIGH/MEDIUM/LOW/INFO for triage-friendly output.
03Architecture
Each scanner is a self-contained single Python file that follows one identical pipeline: module-level rule dictionaries feed a path walker and file dispatcher, which routes each file to a per-line regex SAST scan and a manifest version-range CVE analyzer; matches become Finding objects that pass through a severity filter into console and JSON reporting with exit-code gating.
04Project Structure
java_scanner.pyv4.0 combined engine (~3,750 lines): Java SAST plus embedded PHP/Python/MERN rule sets, Maven/Gradle CVEs, and WAR/JAR/EAR archive extraction.php_scanner.pyStandalone PHP scanner: 36 source-code rules plus 11 php.ini runtime misconfiguration checks.python_scanner.pyStandalone Python scanner: 56 rules including AI/agentic patterns, plus 26 PyPI dependency CVEs.mern_scanner.pyStandalone JS/TS scanner: 39 source rules + 8 .env rules + 25 npm dependency CVEs for MongoDB/Express/React/Node.owasp_llm_scanner.pyOWASP LLM Top 10 (2025) scanner: 69 rules across Python/JS/env/YAML plus 27 vulnerable LLM package CVEs.tests/samples/Eleven intentionally-vulnerable fixtures (VulnerableApp.java, vulnerable.php, vulnerable_agent.py, vulnerable_mern.js, pom.xml, php.ini, .env, application.properties, gap_services_bad.yaml, etc.) that exercise the scanner rules.README.mdFull scanner catalogue, per-language vulnerability tables, CVE lists, CLI usage, and report-format documentation.CLAUDE.mdArchitecture reference: shared scanner pattern, rule-ID conventions, dispatch flow, and per-scanner rule inventory.banner.svgProject banner graphic used in the README.LICENSEGNU General Public License v3 text (the LICENSE file is GPLv3, although the README labels the project MIT)..gitignoreExcludes Python bytecode, scanner JSON reports, and editor/OS noise.05Security Controls
06Technology Stack
- Language
- Python 3.8+
- Dependencies
- Standard library only - no third-party packages required
- Core libraries
- re, xml.etree.ElementTree, zipfile (WAR/JAR/EAR), json, argparse, pathlib
- Reporting
- ANSI colour console output and machine-readable JSON
- Testing
- tests/samples corpus of 11 intentionally-vulnerable fixtures (no external test framework)
- CI/CD
- Exit-code gating (1 on CRITICAL/HIGH) for pipeline/merge blocking
- Deployment
- Single-file, zero-install scanners runnable standalone
07Quick Start
$ python3 java_scanner.py /path/to/project --json report.json --severity HIGH $ python3 python_scanner.py requirements.txt --verbose $ python3 mern_scanner.py /path/to/mern-app --json report.json $ python3 owasp_llm_scanner.py /path/to/ai-project --severity HIGH $ python3 php_scanner.py tests/samples/ # run against the intentionally-vulnerable fixtures
08Compliance & Frameworks
09Integrations & Outputs
Explore Static Application Security Testing
Full source, documentation, and deployment guides live on GitHub.