Account security
- magoo/ato-checklist - A checklist of practices for organizations dealing with account takeover (ATO)
- xpn/OktaPostExToolkit - This repo contains projects to support the "Okta for Red Teamers" blog
Supply chain security
- guacsec/guac - GUAC aggregates software security metadata into a high fidelity graph database - 1K stars
- trailofbits/it-depends - A tool to automatically build a dependency graph and Software Bill of Materials (SBOM) for packages and arbitrary source code repositories. Supports Go, JavaScript, Rust, Python, and C/C++ projects
- trailofbits/pip-audit - Audits Python environments and dependency trees for known vulnerabilities
- deps.dev: Open Source Insights
- RetireJS - Scanner detecting the use of JavaScript libraries with known vulnerabilities
- snyk.io - helps you use open source and stay secure
- nodesecurity.io - Continuous Security monitoring for your node apps
- OWASP Dependency Check - a utility that identifies project dependencies and checks if there are any known, publicly disclosed, vulnerabilities
All-in-one suite
- wireghoul/graudit - Grep rough audit - source code auditing tool - 1.3K stars, unmaintained since 2022
- Tencent/CodeAnalysis - Supports Java/C++/Objective-C/C#/JavaScript/Python/Go/PHP - this repo has nothing useful in it, it's just nonsense
- returntocorp/semgrep - Lightweight static analysis for many languages. Find bug variants with patterns that look like source code - developed by GitLab, supports taint analysis, 5.4K stars
- facebook/infer - A static analyzer for Java, C, C++, and Objective-C - 14.3K stars
- WhaleShark-Team/cobra - Source Code Security Audit - 2.8K stars, unmaintained since 2021
- LoRexxar/Kunlun-M - Kunlun-Mirror, an audit assistance tool focused on the needs of security researchers - 1.2K stars; the issues are also worth reading
- SonarSource - Continuous Code Quality
- Microsoft/ApplicationInspector - A software characterization source code analyzer that helps you understand what a program does by identifying interesting features and characteristics using static analysis and a customizable json based rules engine
Browser extension
- elevenpaths/neto - A tool to analyse browser extensions
- mandatoryprogrammer/tarnish - A Chrome extension static analysis tool to help aid in security reviews
Joern
- joernio/joern - Open-source code analysis platform for C/C++/Java based on code property graphs - analysing large projects needs a lot of memory, far more than CodeQL; the advantage is that no compilation is needed
- joernio/workshops
CodeQL
- l3yx/Choccy - GitHub project monitoring && automated CodeQL scanning
- webraybtl/CodeQLpy - CodeQLpy is a semi-automated code audit tool built on CodeQL; it currently only supports Java. It covers the whole process from decompiling the source, through database generation, to vulnerability discovery, helping code auditors quickly locate potential vulnerabilities in the source
- hudangwei/codemillx - codemillx is a tool for CodeQL, extract the comments in the code and generate codeql module. Strengthens security checking and vulnerability hunting for open-source Go projects
- safe6Sec/CodeqlNote - Notes from learning CodeQL; there is really little material in Chinese. Excerpts from various experts' articles, jotted down casually, somewhat messy
- Query console - LGTM - the official online CodeQL query console; some open-source project databases can be used directly there or downloaded locally
- ice-doom/codeql_compile - automatically decompiles closed-source applications and creates a CodeQL database
- trailofbits/itergator - CodeQL library and queries for iterator invalidation
- doyensec/graph-ql - GraphQL Security Research Material
- github/securitylab - CodeQL_Queries
- ASTTeam/CodeQL - 《深入理解CodeQL》 (Understanding CodeQL in Depth) - Finding vulnerabilities with CodeQL
Configuration hardening
- bridgecrewio/checkov - Prevent cloud misconfigurations during build-time for Terraform, Cloudformation, Kubernetes, Serverless framework and other infrastructure-as-code-languages with Checkov by Bridgecrew - 3.4K stars
- tfsec - Security scanner for your Terraform code - 3.5K stars
Java
- Feysh-Group/corax-community - CoraxJava (Corax Community Edition) is a static code security analysis tool for Java projects. Its core analysis engine comes from the commercial Corax edition and has the same underlying code analysis capability, supplemented by dedicated open-source rule checkers and rules
- pascal-lab/Tai-e - An easy-to-learn/use static analysis framework for Java - 1.2K stars
- pietrobraione/jbse - A symbolic Java virtual machine for program analysis, verification and test generation
- c2nes/javalang - Pure Python Java parser and tools - unmaintained since 2021
- threedr3am/learnjavabug - Java security vulnerability and technique demos: native Java, Fastjson, Jackson, Hessian2 and XML deserialization exploitation, exploits for frameworks/middleware/features such as Spring, Dubbo, Shiro, CAS, Tomcat, RMI and Nexus, plus practical code for Java Security Manager bypass, Dubbo-Hessian2 security hardening, etc.
- Y4tacker/JavaSec - a rep for documenting my study, may be from 0 to 0.1
- 4ra1n/JavaSecInterview - Building the strongest Java security research and secure development interview question bank, with questions and detailed answers, to help folks find a satisfying job
- 4ra1n/SpringInspector - Automated Java code audit tool, especially for the Spring framework; the core idea is simulating JVM stack frames for analysis, no source code needed, a single JAR package is enough
- 0e0w/HackJava - This project records the good material I ran into while learning Java code audit, including Java code audit techniques and good audit case studies. A master who can't do Java code audit is not a good hacker! A hacker who can't do Java code audit is not a good master - many links 404 and are not being fixed
- soot-oss/soot - A Java optimization framework - can also be used for Android code audit, 2K stars, mentioned at KCON 2021
- momosecurity/momo-code-sec-inspector-java - IDEA plugin for static code security audit with one-click vulnerability fixes
- fergarrui/custom-bytecode-analyzer - Java bytecode analyzer customizable via JSON rule
- GrrrDog/Java-Deserialization-Cheat-Sheet - The cheat sheet about Java Deserialization vulnerabilities
- find-sec-bugs/find-sec-bugs - The SpotBugs plugin for security audits of Java web applications and Android applications. (Also works with Groovy and Scala projects) - 1.8K stars
- zsdlove/Hades - Static code vulnerability detection system based on virtual execution and taint tracking
- threedr3am/gadgetinspector - A static code audit application that performs taint analysis by analysing bytecode
- anbai-inc/javaweb-sec - Attacking Java Web applications
- anbai-inc/javaweb-codereview - Example program demonstrating Java code audit, split into modules that reproduce the major classes of common vulnerabilities
- longofo/rmi-jndi-ldap-jrmp-jmx-jms - some demo tests for rmi, jndi, ldap, jrmp, jmx and jms
- JoyChou93/java-sec-code - Java web common vulnerabilities and security code, based on springboot and spring security
- SmithEcon/Java - Code audit knowledge points, organised - Java
- dschadow/Java-Web-Security - Java-Web-Security - Sichere Webanwendungen mit Java entwickeln (Developing secure web applications with Java)
C/C++
- googleprojectzero/weggli - weggli is a fast and robust semantic search tool for C and C++ codebases. It is designed to help security researchers identify interesting functionality in large codebases
- ergrelet/cpplumber - Static analysis tool based on clang, which detects source-to-binary information leaks in C and C++ projects
- SVF-tools/SVF - Static Value-Flow Analysis Framework for Source Code
- Clang Static Analyzer - a source code analysis tool that finds bugs in C, C++, and Objective-C programs - just build with scan-build
- docs.google.com: Safer Usage Of C++
- vusec/typesan - TypeSan checks casts in C++ code - code released for CCS 2016
- secure-software-engineering/phasar - A LLVM-based static analysis framework. https://phasar.org
- GoSSIP-SJTU/TripleDoggy - 基于clang static analyzer的源码漏洞检测插件
- vlad902/kernel-uninitialized-memory-checker - A clang analyzer checker that looks for kernel uninitialized memory disclosures to userland
- google/path-auditor - a tool meant to find file access related vulnerabilities by auditing libc functions
Javascript / NodeJS
- tsrc: Secure coding guide for DevSecOps, JavaScript edition - comes with a very long PDF
- lirantal/awesome-nodejs-security - Awesome Node.js Security resources
- ajinabraham/NodeJsScan - NodeJsScan is a static security code scanner for Node.js applications
- dpnishant/jsprime - a javascript static security analysis tool
- doyensec/electronegativity - Electronegativity is a tool to identify misconfigurations and security anti-patterns in Electron applications
- hackerone: Remote Code Execution in Slack desktop apps + bonus - the XSS itself is nothing special; the main point is that under Electron, the BrowserWindow constructor + nodeIntegration turned it into RCE
Powershell
Ruby
- thesp0nge/dawnscanner - a static analysis security scanner for ruby written web applications. It supports Sinatra, Padrino and Ruby on Rails frameworks
- presidentbeef/brakeman - A static analysis security vulnerability scanner for Ruby on Rails applications - 6.2K stars
Linux kernel
Golang
- praetorian-inc/gokart - A static analysis tool for securing Go code
- securego/gosec - Golang security checker
DotNet
- https://github.com/mandiant/route-sixty-sink - an open source tool that enables defenders and security researchers alike to quickly identify vulnerabilities in any .NET assembly using automated source-to-sink analysis
- Y4er/dotnet-deserialization - dotnet deserialization study notes
- pumasecurity/puma-scan - the leading software security Visual Studio analyzer extension. Built on top of Roslyn, the open-source .NET Compiler Platform, Puma Scan provides real time, continuous source code analysis as development teams write code. Vulnerabilities are immediately displayed in the development environment as spell check and compiler warnings, ...
- security-code-scan - Vulnerability Patterns Detector for C# and VB.NET
Python
- Microsoft/pyright - Static type checker for Python - 8K stars
- CoolerVoid/codecat - an open-source tool to help you find/track user input sinks and security bugs using static code analysis. These points follow regex rules
- python-security/pyt - A Static Analysis Tool for Detecting Security Vulnerabilities in Python Web Applications
- PyCQA/bandit - a tool designed to find common security issues in Python code - 3.6K stars
- SeriousAlpha/py-security-audit-tool - python security audit tool, for code audit of Python source; supports command injection and SQL injection
- MisakiKata/python_code_audit - Python code audit project
PHP
- phpstan/phpstan - PHP Static Analysis Tool - discover bugs in your code without running it - 10.4K stars
- exakat/php-static-analysis-tools - A reviewed list of useful PHP static analysis tools
- Qihoo360/phptrace - A tracing and troubleshooting tool for PHP scripts - unmaintained since 2018
- fate0/prvd - PHP Runtime Vulnerability Detection
- laruence/taint - Taint is a PHP extension, used for detecting XSS codes - taint detection; only covers GPC
- webarx-security/wpbullet - A static code analysis for WordPress (and PHP)
- phith0n/chip - a simple tool to detect potential security threat in php code - hunts for PHP dynamic features
- designsecurity/progpilot - A static analysis tool for security
- SukaraLin/php_code_audit_project - This project records the PHP code audit projects I used for practice
- bowu678/php_bugs - PHP code audit explained section by section
- Xyntax/1000php - 1000 PHP code audit cases (WooYun public vulnerabilities from before July 2016)
- jiangsir404/PHP-code-audit - php code audit for cms vulnerabilities / code audit: reproduction research of vulnerabilities in some large CMSes, with source code and vulnerability exploits updated
Android
- FSecureLABS/Jandroid - A tool for template matching against apps. Current use case is to identify potential logic bug exploit chains on Android
- secure-software-engineering/FlowDroid - Static Data Flow Tracker; mentioned at KCON 2021
- facebook/mariana-trench - Our security focused static analysis tool for Android and Java applications
- vincentcox/StaCoAn - a cross-platform tool which aids developers, bugbounty hunters and ethical hackers performing static code analysis on mobile applications
- hitb-2018dxb: D1T2 - Gold Digging - Discovering Hidden Gems in APKs - Marc Schoenefeld - APK security testing case study
Uncategorized
- wux1an/wxapkg - WeChat mini-program .wxapkg file scanning + decryption + unpacking tool
- thezdi/PoC/MySQL - custom clang static checker modules and CodeQL queries for finding vulnerabilities in MySQL Cluster
- hac425xxx/sca-workshop - source code analysis workshop - contains some test code and queries for CodeQL/Fortify/Joern
- terryyin/lizard - A simple code complexity analyser without caring about the C/C++ header files or Java imports, supports most of the popular languages - 1.3K stars, not sure what it's good for
- scottrogowski/code2flow - Code2flow generates call graphs for dynamic programming languages. Code2flow supports Python, Javascript, Ruby, and PHP - 1.6K stars
- Tencent/secguide - Code security guide compiled for developers
- jiangsir404/Audit-Learning - Records my understanding and summary of the book 《代码审计》 (Code Audit), in-depth analysis of dangerous functions, and takeaways from p牛's blog and the code audit community
- CHYbeta/Code-Audit-Challenges - Some interesting "small" code audit challenges
- phith0n/code-breaking - All the environments and related writeups for the code-breaking puzzles game
- CHYbeta/Web-Security-Learning
- analysis-tools-dev/static-analysis - Static analysis tools for all programming languages, build tools, config files and more
- fkie-cad/cwe_checker - A BAP plugin to find vulnerable patterns in binary executables
- nccgroup/sobelow - Security-focused static analysis for the Phoenix Framework
- google/vulncode-db - a database for vulnerabilities and their corresponding source code if available
- Alibaba Developer (阿里开发者) - A security engineer explains Maven's dependency arbitration mechanism for transitive dependencies
- go.dev - How Go Mitigates Supply Chain Attacks - how the Go package manager avoids supply chain security problems
- Malicious code analysis: Abusing SAST (mis)configurations to hack CI systems - several open-source white-box analysis tools load configuration from the source directory, which can lead to RCE when analysing the code
- seebug: A history of Fastjson deserialization vulnerabilities
- seebug: Automated static code audit tools, starting from zero
- 2023 SDC talk recap | JDoop: a next-generation static analysis framework for Java Web applications