sast-runner

# SAST Runner

Wrapper for Semgrep to perform Static Application Security Testing.

## Prerequisites

Semgrep must be installed:
```bash
# pip
pip install semgrep

# macOS
brew install semgrep

# Docker
docker pull semgrep/semgrep
```

## Usage

```bash
# Scan current directory with auto config
npx sast-runner .

# Scan with specific ruleset
npx sast-runner . --config security-audit

# Scan with JSON output
npx sast-runner . --json

# Available rulesets
npx sast-runner --list-configs

# Check if semgrep is installed
npx sast-runner --check
```

## Rulesets

| Config | Description |
|--------|-------------|
| auto | Auto-detect languages and apply relevant rules |
| security-audit | Comprehensive security audit |
| owasp-top-ten | OWASP Top 10 focused |
| cwe-top-25 | CWE/SANS Top 25 |
| default | Default ruleset |

## Output Format

```json
{
  "tool": "semgrep",
  "scanPath": ".",
  "findings": [
    {
      "id": "javascript.express.security.audit.xss.mustache-escape",
      "severity": "high",
      "message": "Potential XSS vulnerability",
      "file": "src/app.js",
      "line": 42,
      "code": "res.send(userInput)",
      "cwes": ["CWE-79"],
      "owasp": ["A03:2021"],
      "fix": "Use proper output encoding"
    }
  ],
  "summary": {
    "total": 1,
    "critical": 0,
    "high": 1,
    "medium": 0,
    "low": 0
  }
}
```

## Exit Codes

- `0`: No issues found
- `1`: Issues detected
- `2`: Tool not installed or error

## CWE Coverage

Common vulnerabilities detected:
- CWE-89: SQL Injection
- CWE-79: Cross-site Scripting (XSS)
- CWE-78: OS Command Injection
- CWE-94: Code Injection
- CWE-22: Path Traversal
- CWE-502: Deserialization of Untrusted Data
- CWE-200: Exposure of Sensitive Information

## Supported Languages

JavaScript, TypeScript, Python, Go, Java, Ruby, PHP, C, C++, Rust, Kotlin, Swift, and more.