Static Application Security Testing

Application Securityv4.0.0

Multi-language SAST covering Java, PHP, Python, MERN, and OWASP LLM Top 10 with 200+ rules, 80+ dependency CVEs, and M365 SSPM

200+
rules
6
scanners
80+
cves
11
loc

01Overview

Static Application Security Testing (SAST) is a toolkit of self-contained, zero-dependency Python scanners that hunt source-code vulnerabilities across five language ecosystems - Java, PHP, Python, MERN/Node.js, and AI/LLM applications. Every scanner is a single .py file that runs on stock Python 3.8+ with no pip install, no agents, and no cloud back-end, so a security engineer can drop one file onto a build box or into a CI job and start scanning immediately.

Under the hood the toolkit ships roughly 257 regex-driven detection rules and 97 dependency-CVE signatures, all tagged with CWE identifiers and paired with concrete remediation advice. It goes beyond classic injection and crypto checks: the Java scanner unpacks WAR/JAR/EAR archives and flags Log4Shell, Spring4Shell, Struts and Shiro-550; the Python and MERN scanners cover framework misconfigurations and secrets; and a dedicated OWASP LLM Top 10 (2025) scanner catches modern AI failure modes like prompt injection, excessive agency (ShellTool / PythonREPLTool), unsafe LLM-output handling, and unbounded token consumption.

It is built for AppSec engineers, DevSecOps teams, and consultants who want a fast, auditable, dependency-free way to gate merges (exit code 1 on any CRITICAL/HIGH finding) and to bring both traditional and AI-era code under one consistent scanning model.

02Key Capabilities

Five-ecosystem SAST coverage

One toolkit scans Java, PHP, Python, MERN/Node.js (JS/TS), and AI/LLM code with language-specific rule sets rather than a lowest-common-denominator regex pass.

OWASP LLM Top 10 (2025) scanner

A dedicated engine maps 69 rules across all ten LLM categories - prompt injection, sensitive-info disclosure, supply chain, excessive agency, improper output handling, and unbounded consumption.

Dependency CVE / software-composition analysis

Parses pom.xml, build.gradle, package.json, requirements.txt, Pipfile, and pyproject.toml against 97 version-ranged CVE signatures including Log4Shell, Spring4Shell, Struts and Shiro-550.

AI / agentic-specific Python detections

Flags LangChain allow_dangerous_deserialization, ShellTool/PythonREPLTool, LLM output piped to eval/exec, and leaked sk- / cloud API keys that generic scanners miss.

Archive-aware Java scanning

Unpacks WAR/JAR/EAR archives to inspect nested JARs, pom.properties, web.xml servlet descriptors, and Spring Boot .properties/.yml misconfigurations.

Zero-dependency single-file design

Each scanner is one standalone Python file using only the standard library, so it drops into any build box, container, or air-gapped host with no install step.

CI/CD exit-code gating

Returns exit code 1 whenever a CRITICAL or HIGH finding is present, letting pipelines fail a build or block a merge automatically.

CWE-tagged findings with remediation

Every finding carries a CWE ID (53 distinct weaknesses covered), file/line reference, and specific fix guidance citing NIST SP 800-131A for cryptographic weaknesses where relevant.

Console + JSON reporting

Colour-coded ANSI severity console output plus machine-readable JSON (rule_id, name, category, severity, file, line, description, recommendation, cwe, cve) for pipeline consumption.

Config & secret misconfiguration checks

Dedicated rules for php.ini, .env files, and Spring Boot config catch exposed debug modes, wildcard CORS, weak secrets, and embedded database credentials.

Severity filtering

A shared --severity flag on every scanner shows only findings at or above CRITICAL/HIGH/MEDIUM/LOW/INFO for triage-friendly output.

03Architecture

Each scanner is a self-contained single Python file that follows one identical pipeline: module-level rule dictionaries feed a path walker and file dispatcher, which routes each file to a per-line regex SAST scan and a manifest version-range CVE analyzer; matches become Finding objects that pass through a severity filter into console and JSON reporting with exit-code gating.

1
Rule engine (module-level dicts)
Each scanner declares rule lists such as SAST_RULES, SPRING_RULES, PHP_INI_RULES, ENV_RULES and LLM_*_RULES, where every rule is a dict of id, category, severity, regex pattern, CWE, description, and recommendation.
2
File dispatcher
scan_path walks directories (honouring SKIP_DIRS like node_modules/.git/target), and _dispatch_file routes each file by extension to the matching language scanner or manifest handler.
3
SAST regex scanner
Per-language _scan_*_source functions (with _sast_scan in the LLM scanner) iterate every line against the applicable rule list, emitting a Finding on each regex match with the offending line captured.
4
Dependency / version analyzer
_parse_ver and _version_in_range parse manifest versions into integer tuples and evaluate <, <=, >, >= and comma-separated ranges against the vulnerable-package CVE tables.
5
Finding model
A Finding class carries rule_id, name, category, severity, file, line, description, recommendation, cwe and cve for every detection.
6
Reporting & gating layer
print_report (ANSI severity colours), save_json (schema with metadata, findings array, summary counts), plus filter_severity and 0/1 exit codes.

04Project Structure

java_scanner.pyv4.0 combined engine (~3,750 lines): Java SAST plus embedded PHP/Python/MERN rule sets, Maven/Gradle CVEs, and WAR/JAR/EAR archive extraction.
php_scanner.pyStandalone PHP scanner: 36 source-code rules plus 11 php.ini runtime misconfiguration checks.
python_scanner.pyStandalone Python scanner: 56 rules including AI/agentic patterns, plus 26 PyPI dependency CVEs.
mern_scanner.pyStandalone JS/TS scanner: 39 source rules + 8 .env rules + 25 npm dependency CVEs for MongoDB/Express/React/Node.
owasp_llm_scanner.pyOWASP LLM Top 10 (2025) scanner: 69 rules across Python/JS/env/YAML plus 27 vulnerable LLM package CVEs.
tests/samples/Eleven intentionally-vulnerable fixtures (VulnerableApp.java, vulnerable.php, vulnerable_agent.py, vulnerable_mern.js, pom.xml, php.ini, .env, application.properties, gap_services_bad.yaml, etc.) that exercise the scanner rules.
README.mdFull scanner catalogue, per-language vulnerability tables, CVE lists, CLI usage, and report-format documentation.
CLAUDE.mdArchitecture reference: shared scanner pattern, rule-ID conventions, dispatch flow, and per-scanner rule inventory.
banner.svgProject banner graphic used in the README.
LICENSEGNU General Public License v3 text (the LICENSE file is GPLv3, although the README labels the project MIT).
.gitignoreExcludes Python bytecode, scanner JSON reports, and editor/OS noise.

05Security Controls

Injection (all languages)
SQL injection (concatenated JDBC/MySQLi, f-string/format queries, Sequelize/Knex), NoSQL injection ($where, mass assignment), command injection (Runtime.exec, ProcessBuilder, os.system, child_process.exec, shell_exec), RCE (eval/exec, preg_replace /e), and SSTI (Jinja2 render_template_string).
Insecure deserialization
Java ObjectInputStream/XMLDecoder/XStream/SnakeYAML, Python pickle/yaml.load/marshal, PHP unserialize() on user input, and Node node-serialize.unserialize().
Weak cryptography
Detects MD5/SHA-1/DES, ECB mode, and insecure PRNGs (java.util.Random, Python random for tokens), with remediation citing NIST SP 800-131A.
Secrets & hardcoded credentials
OpenAI sk- keys, AWS/GCP keys, Django SECRET_KEY, JWT/session secrets, and MongoDB connection URIs embedded in source or .env files.
SSRF, path traversal, XXE, open redirect
User-controlled URLs in requests/axios/fetch/curl, file reads from request parameters, entity-resolving XML parsers (DocumentBuilderFactory, lxml resolve_entities), and reflected redirect headers.
Framework & runtime misconfiguration
Spring Boot exposed actuators/H2 console/debug, Flask/Django DEBUG=True and ALLOWED_HOSTS=[*], wildcard CORS, missing helmet(), insecure cookies, and full php.ini hardening (allow_url_include, register_globals, cookie flags).
Dependency CVEs (SCA)
97 version-ranged signatures including Log4Shell (CVE-2021-44228), Spring4Shell (CVE-2022-22965), Struts (CVE-2017-5638), Shiro-550, fastjson, jackson-databind, xstream, and vulnerable npm/PyPI/LLM packages.
OWASP LLM Top 10 (2025)
Prompt injection (LLM01), sensitive-info disclosure (LLM02), supply chain (LLM03), data/model poisoning (LLM04), improper output handling into eval/exec (LLM05), excessive agency via ShellTool/PythonREPLTool (LLM06), system-prompt leakage (LLM07), vector/embedding weaknesses (LLM08), misinformation (LLM09), and unbounded consumption (LLM10).
JWT & authentication weaknesses
Weak/hardcoded JWT secrets and algorithms:['none'] bypass in Node/MERN apps, plus broken-authentication and insecure-session patterns flagged across the language scanners.

06Technology Stack

Language
Python 3.8+
Dependencies
Standard library only - no third-party packages required
Core libraries
re, xml.etree.ElementTree, zipfile (WAR/JAR/EAR), json, argparse, pathlib
Reporting
ANSI colour console output and machine-readable JSON
Testing
tests/samples corpus of 11 intentionally-vulnerable fixtures (no external test framework)
CI/CD
Exit-code gating (1 on CRITICAL/HIGH) for pipeline/merge blocking
Deployment
Single-file, zero-install scanners runnable standalone

07Quick Start

$ python3 java_scanner.py /path/to/project --json report.json --severity HIGH
$ python3 python_scanner.py requirements.txt --verbose
$ python3 mern_scanner.py /path/to/mern-app --json report.json
$ python3 owasp_llm_scanner.py /path/to/ai-project --severity HIGH
$ python3 php_scanner.py tests/samples/   # run against the intentionally-vulnerable fixtures

08Compliance & Frameworks

OWASP LLM Top 10 (2025)
Full LLM01-LLM10 coverage via the dedicated owasp_llm_scanner (69 rules).
CWE
Findings mapped to 53 distinct Common Weakness Enumeration identifiers.
Known-CVE / KEV-class
Named CVE detection for Log4Shell, Spring4Shell, Struts, Shiro-550, fastjson and more across 97 dependency signatures.
NIST SP 800-131A
Weak-cryptography findings reference approved algorithm-strength guidance (present in the Java and Python scanners).

09Integrations & Outputs

JSON report export (schema with scanner metadata, findings array, and summary counts) for pipeline consumptionANSI colour console output for interactive useCI/CD exit-code gating (0 clean, 1 on CRITICAL/HIGH)Manifest parsing across Maven (pom.xml), Gradle, npm (package.json), and PyPI (requirements.txt/Pipfile/pyproject.toml)

Explore Static Application Security Testing

Full source, documentation, and deployment guides live on GitHub.