Examples • Installation • Usage

poc.mp4

sastsweep is a tool designed for identifying vulnerabilities in open source codebases at scale. It can gather and filter on key repository metrics such as popularity and project size, enabling targeted vulnerability research. It automatically detects potential vulnerabilities using semgrep and provides a streamlined HTML report, allowing researchers to quickly drill down to the affected portion of the codebase.

Examples

Oneliner to scrape every HackerOne open source target and run semgrep on it

bbscope h1 -b -u '<HACKERONE_USERNAME>' -t '<HACKERONE_TOKEN>' -o tdu | grep -E 'https?://github.com/[A-Za-z0-9-]{1,}/[A-Za-z0-9-]{1,}' -o  | sastsweep -threads 10 -desc -stars -files

Scrape flask applications from github search using github-search.py and filter on repositories with 500-3000 stars. Display the number of stars, the repository description, and number of files.

python3 github-search.py --token '<GITHUB TOKEN>' --query '"import Flask" AND ".route("' | sastsweep -stars -desc -files -filter-stars 500-3000

Scan a single repository, display the number of stars, number of security issues, and date of the last commit

sastsweep -repo https://github.com/chebuya/SASTsweep -stars -security-issues -last-commit

Scan a list of targets, display the star count, language composition, number of forks and number of contributors. Filter on repositories with a last commit date after 2024/01/01, less than 5000 stars, and 0 security issues

sastsweep -repos targets.txt -stars -lang -forks -contributors -filter-last-commit 2024/01/01- -filter-stars -5000 -filter-security-issues 0

Run with p/python config

sastsweep -config-path sastsweep.conf ...

sastsweep.conf

FLAGS=--config p/python

Installation

Linux is currently the only supported and tested platform
sastsweep requires go >= 1.23 to install successfully. Run the following command to install sastsweep

go install github.com/chebuya/sastsweep/cmd/sastsweep@latest

Usage

sastsweep -h

This will display help for the tool. Here are all the switches it supports.

Usage of ./sastsweep:
  -branch
    	Display the default branch of a repository
  -commits
    	Display the number of commits to the repository
  -config-path string
    	Path to semgrep.conf file
  -contributors
    	Display the number of contributors in a repository
  -debug
    	Enable debug messages
  -desc
    	Display repo description
  -files
    	Display number of files in repo
  -filter-commits string
    	Filter the number of commits to the repository (500-700, -300, 500-, 3000)
  -filter-contributors string
    	Filter the number of contributors in a repository (500-700, -300, 500-, 3000)
  -filter-files string
    	Filter number of files in repo (500-700, -300, 500-, 3000)
  -filter-first-commit string
    	Filter the date of the first commit to the repository (yyyy/mm/dd-yyyy/mm/dd, -yyyy/mm/dd, yyyy/mm/dd-, yyyy/mm/dd)
  -filter-forks string
    	Filter the number of forks of repository (500-700, -300, 500-, 3000)
  -filter-issues string
    	Filter the number of issues in a repository (500-700, -300, 500-, 3000)
  -filter-last-commit string
    	Filter the date of the last commit to the repository (yyyy/mm/dd-yyyy/mm/dd, -yyyy/mm/dd, yyyy/mm/dd-, yyyy/mm/dd)
  -filter-last-release string
    	Filter the date of the latest release (yyyy/mm/dd-yyyy/mm/dd, -yyyy/mm/dd, yyyy/mm/dd-, yyyy/mm/dd)
  -filter-pull-requests string
    	Filter the number of pull requests in a repository (500-700, -300, 500-, 3000)
  -filter-security-issues string
    	Filter the number of security issues in the repository (500-700, -300, 500-, 3000)
  -filter-stars string
    	Filter repos stars in output (500-700, -300, 500-, 3000)
  -filter-watchers string
    	Filter the number of watchers in a repository (500-700, -300, 500-, 3000)
  -fireprox string
    	Use fireprox for reasons... relates to rate limiting on a certain platform (ex: https://abcdefghi.execute-api.us-east-1.amazonaws.com/fireprox/)
  -first-commit
    	Display the date of the first commit to the repository
  -forks
    	Display the number of forks of repository
  -full-desc
    	Display the full repo description
  -github1s
    	Generate links for the web-based vscode browser at github1s.com rather than github.com
  -issues
    	Display the number of issues in a repository
  -lang
    	Display GitHub repo language
  -last-commit
    	Display the date of the last commit to the repository
  -last-release
    	Display the date of the latest release
  -no-emoji
    	Disable this if you are a boring person (or use a weird terminal)
  -no-semgrep
    	Do not perform a semgrep scan on the repos
  -out-dir string
    	Directory to clone repositories to
  -pull-requests
    	Display the number of pull requests in a repository
  -raw-links
    	Print raw links for semgrep report rather than hyperlink with name, good if you want to save output
  -repo string
    	GitHub repository to scan
  -repo-link
    	Display the link associated with the repository
  -repos string
    	File of GitHub repositories to scan
  -save-repo
    	Save the cloned repository
  -security-issues
    	Display the number of security issues in the repository
  -semgrep-path string
    	Custom path to the semgrep binary
  -stars
    	Display repos stars in output
  -threads int
    	Number of threads to start (default 3)
  -topics
    	Display GitHub repo topics
  -watchers
    	Display the number of watchers in a repository

Roadmap

• Write more docs
• Cross-platform support
• More matchers/filters
• More testing
• Write to output/database
• CodeQL, trufflehog support

Acknowledgements

Thanks to everyone @semgrep/semgrep, this tool would be impossible without it
Inspired by @projectdiscovery/httpx 🩷

---

sastsweep is made with 💙 by @_chebuya and distributed under the GPL-3.0 license.