If you want to scan your Code and Infrastructure (including Secrets, SBOMs, dependencies)
Install Docker Engine (Instructions for Ubuntu), if you don't already have it, and run this in your Git code directory
2 options are available:
- HTML output (result will be in the current directory in "report.html" file)
Run in command prompt:
sh <(curl https://dl.betterscan.io/cli-html.sh)
- CLI output
Run in command prompt:
sh <(curl https://dl.betterscan.io/cli.sh)
If you need CI/CD and Web Interface, you need Docker-Compose (Instructions for Ubuntu) installed as well, if you don't already have it.
Run in command prompt:
git clone https://github.com/marcinguy/betterscan-ce.git
cd betterscan-ce/dockerhub
./start.sh
Open up the Browser to:
http://localhost:5000
Sign up locally (and login in when needed)
That's it.
Read more below for GitHub/GitLab/Azure DevOps Server integration, PR scanning, GitHub Action, GitHub App, DefectDojo etc.
Scanmycode is now called Betterscan (both references will work)
It is a Code and Infrastructure (IaC) and Cloudnative Scanning/SAST/Static Analysis/Linting solution using many tools/Scanners with One Report. You can also add any tool to it. Currently, it supports many languages and tech stacks. Similar to SonarQube, but it is different.
Fig. 1 Betterscan concept diagram
How is Betterscan different than SonarQube?
If you like it, please give it a GitHub star/fork/watch/contribute. This will ensure continous development ⭐
This project would not be possible without the generous support of our sponsors.
Your Logo Here | Your Logo Here | Your Logo Here | Your Logo Here |
If you also want to support this project, head over to our Github sponsors page or Patreon (preferred due to better Tax handling)
Run this command in your code directory (checkout from Git - .git folder needs to be there, if you work with the normal directory, make the Git repo out of it git init && git add . && git commit
etc):
sh <(curl https://dl.betterscan.io/cli.sh)
or for an HTML report:
sh <(curl https://dl.betterscan.io/cli-html.sh)
That's it. You just checked your code for 2,300+ Checks (Defects, Vulnerabilities, Best Practices, Secrets - 166+ secret types - including GitLeaks, SBOM, dependencies vulnerabilities) and 4,000+ YARA rules for Antidebug, Antivm, Crypto, CVE, Exploits Kits, Malware, Webshells, APTs.
Sample CLI report
Sample HTML report
Fig 2. Sample Report using CLI HTML output
FYI Above will maintain state via (.checkmate folder), only new commits will be checked.
If you want to use the Platform, follow below:
Install docker
and docker-compose
2 options:
- Fastest method (use DockerHub built images). If unsure, use this.
git clone https://github.com/marcinguy/betterscan-ce.git
cd betterscan-ce/dockerhub
./start.sh
- Slower method (build everything)
git clone https://github.com/marcinguy/betterscan-ce.git
cd betterscan-ce/docker
./start.sh
Open up the Browser to:
http://localhost:5000
Sign up locally (and login in when needed)
Cloud and Kubernetes (scaling) installation:
If your connection is not fast and/or you have no server.
Installation time: ca. 1 minute
Check installation on Kubernetes (Free) thanks to Okteto.com
https://github.com/marcinguy/betterscan-ce/blob/master/okteto/README.md
WIP (Work in Progress)
Add this to your workflow (in your GitHub repo under .github/workflows/betterscan.yml) with this content:
name: Betterscan Scan
on: [push]
jobs:
Betterscan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
with:
fetch-depth: 0
- name: Betterscan Scan
uses: topcodersonline/betterscan@v3
- name: Upload the SARIF file
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: report.sarif
Results will be printed in Job/Action output. Plan to add SARIF output to integrate it in GitHub Code Scanning Interface/tab (possibly in PRO version only)
See sample integration below:
Fig 3. Sample integration with GitHub Action in Code Scanning tab
If you want to scan on PR to main, use this:
name: Betterscan Scan
on:
pull_request:
types: [opened, edited, reopened, review_requested, synchronize]
branches:
- 'main'
jobs:
Betterscan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
with:
fetch-depth: 0
- name: Betterscan Scan
uses: topcodersonline/betterscancustom@v1
with:
branch: ${{ github.head_ref || github.ref_name }}
- name: Upload the SARIF file
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: report.sarif
Action source: https://github.com/topcodersonline/betterscancustom
Feel free to adjust.
Flow:
- Make PR
- It will scan
- make git pull to get state (.checkmate folder) on your PR
- make changes, commits, push to PR
- repeat 2)
If you cannot afford GitHub Enterprise with Code Scanning, use GitHub Teams with CLI output.
It is also possible to use Database Server (i.e PostgreSQL, MySql, MariaDB, Oracle, MS Sql Server) to store state (no need to commit .checmate folder to code).
You can also install it as a GitHub App
https://github.com/apps/betterscan-code-scan
Results will be integrated in GitHub interface (Security->Code Scanning alerts). GitHub Enterprise Cloud and a license for GitHub Advanced Security is required for private repositories, for public repositories not.
Scanning is triggered on Push/PR merge to main branch (master or main etc). Results could be there within minutes or hours, depending on project size.
Scan state will be preserved between scans. With new scan only changes will be rescanned.
It is possible to integrate results also in GitLab's Security & Compliance Dashboad. We can convert SARIF to GitLab format. GitLab Ultimate is required.
You can see Security posture of scanned repos by installing Betterscan platform and below in Backstage:
https://github.com/marcinguy/backstage-plugin-betterscan
You can import via SARIF vulnerabilities and setup pipeline in DefectDojo to manage vulnerabilities
To integrate BetterScan with Azure DevOps, you can do the following:
- Install the Azure DevOps SARIF SAST Scans Tab extension.
- Add this job to your azure-pipelines.yml:
- job: SAST
displayName: Static Application Security Test (SAST)
condition: eq(variables['Build.SourceBranch'], 'refs/heads/main')
pool:
vmImage: 'ubuntu-latest'
container: 'scanmycode/scanmycode3-ce:worker-cli'
steps:
- script: |
sudo apt-get update
sudo apt-get install git-lfs
displayName: Install git LFS
- checkout: self
persistCredentials: true
- script: |
set -e
git config --global user.email "azuredevops@microsoft.com"
git config --global user.name "Azure DevOps"
git checkout -b $(Build.SourceBranchName)
sudo CODE_DIR=$(Build.SourcesDirectory) checkmate init
sudo CODE_DIR=$(Build.SourcesDirectory) checkmate git init
sudo CODE_DIR=$(Build.SourcesDirectory) checkmate git analyze --branch $(Build.SourceBranchName)
sudo CODE_DIR=$(Build.SourcesDirectory) checkmate issues html
displayName: Static Application Security Test (SAST)
env:
CODE_DIR: '$(Build.SourcesDirectory)'
- task: PublishBuildArtifacts@1
displayName: Publish SAST report
inputs:
PathtoPublish: $(Build.SourcesDirectory)
ArtifactName: CodeAnalysisLogs
- script: |
git add .checkmate/db.sqlite
git add report.html
git commit -m '[ci skip] update checkmate db'
git push origin $(Build.SourceBranchName):$(Build.SourceBranch)
displayName: Commit and Push checkmate db
Warning:
It is platform independent (Python). Checkers are also mostly available on different platforms. The "Master" branch is for Linux x86_64, however there is also a "macos" branch with Dockerfiles for arm64 (including arm64 checkers). M1 mac has arm64 architecture (30% cheaper and 30% faster than alternatives)
Yes, by default
macos branch
Install Windows 10, version 1903 or higher or Windows 11.
https://docs.docker.com/desktop/windows/wsl/
Linux images should work
More info in the Wiki:
https://github.com/marcinguy/betterscan-ce/wiki
You can plug it anywhere on your CI/CD pipeline as a command.
With Betterscan one command, you add 6,300+ checks using different scanners (Betterscan is a "Meta" scanner in that sense, with supporting smart snapshots and other goodies. It is not just running tools always on full code)
Betterscan supports also CLI only mode, no Web Interface, worker etc. Run a binary in Docker in your own CI/CD pipeline (whatever it is) in Quality Gates that will output line by line (scanner and findings) on checkout code from Git (folder)
Just run this command (it will take care of everything):
sh <(curl https://dl.betterscan.io/cli.sh)
Corresponds to running these:
export CODE_DIR=${PWD}
cd $CODE_DIR
docker run -e CODE_DIR -v ${PWD}:${PWD} -ti scanmycode/scanmycode3-ce:worker-cli /bin/sh -c 'cd $CODE_DIR && checkmate init'
docker run -e CODE_DIR -v ${PWD}:${PWD} -ti scanmycode/scanmycode3-ce:worker-cli /bin/sh -c 'cd $CODE_DIR && checkmate git init'
docker run -e CODE_DIR -v ${PWD}:${PWD} -ti scanmycode/scanmycode3-ce:worker-cli /bin/sh -c 'cd $CODE_DIR && checkmate git analyze --branch `git rev-parse --abbrev-ref HEAD`'
docker run -e CODE_DIR -v ${PWD}:${PWD} -ti scanmycode/scanmycode3-ce:worker-cli /bin/sh -c 'cd $CODE_DIR && checkmate issues'
Just run this command (it will take care of everything):
sh <(curl https://dl.betterscan.io/cli-html.sh)
report will be in the directory under report.html
Corresponds to running these:
export CODE_DIR=${PWD}
cd $CODE_DIR
docker run -e CODE_DIR -v ${PWD}:${PWD} -ti scanmycode/scanmycode3-ce:worker-cli /bin/sh -c 'cd $CODE_DIR && checkmate init'
docker run -e CODE_DIR -v ${PWD}:${PWD} -ti scanmycode/scanmycode3-ce:worker-cli /bin/sh -c 'cd $CODE_DIR && checkmate git init'
docker run -e CODE_DIR -v ${PWD}:${PWD} -ti scanmycode/scanmycode3-ce:worker-cli /bin/sh -c 'cd $CODE_DIR && checkmate git analyze --branch `git rev-parse --abbrev-ref HEAD`'
docker run -e CODE_DIR -v ${PWD}:${PWD} -ti scanmycode/scanmycode3-ce:worker-cli /bin/sh -c 'cd $CODE_DIR && checkmate issues html'
Build Docker image Worker-CLI and run checkmate
from there. Below is sample flow:
CLI Mode only
- Clone the repo i.e into
/tmp/test
- set env var CODE_DIR i.e
export CODE_DIR=/tmp/test
. This env var should point to your Git cloned repo dir. - Cd into it (this is important!)
- Run
checkmate init
- Run
checkmate git init
- Run
checkmate git analyze
Run checkmate issues
This will be shown
/root
/tmp/test
/tmp/test
Loading plugin: git
Loading plugin: trufflehog3
Loading plugin: trojansource
Loading plugin: metrics
Loading plugin: bandit
Loading plugin: brakeman
Loading plugin: phpanalyzer
Loading plugin: gosec
Loading plugin: confused
Loading plugin: pmd
Loading plugin: semgrep
Loading plugin: semgrepdefi
Loading plugin: semgrepjs
Loading plugin: checkov
Loading plugin: kubescape
Loading plugin: insidersecswift
Loading plugin: insiderseckotlin
Loading plugin: insiderseccsharp
Loading plugin: pmdapex
Loading plugin: semgrepccpp
Loading plugin: semgrepjava
Loading plugin: semgrepeslint
semgrepjs ExpressLfrWarning
semgrepjs CookieSessionNoDomain
semgrepjs CookieSessionNoPath
semgrepjs CookieSessionNoSecure
semgrepjs CookieSessionDefault
semgrepjs CookieSessionNoSamesite
There is a DockerHub image also for it ready.
docker pull scanmycode/scanmycode3-ce:worker-cli
You can run the Commands with docker as below:
$ docker run -ti scanmycode/scanmycode3-ce:worker-cli checkmate
/root
/root
Loading plugin: git
Loading plugin: trufflehog3
Loading plugin: trojansource
Loading plugin: metrics
Loading plugin: bandit
Loading plugin: brakeman
Loading plugin: phpanalyzer
Loading plugin: gosec
Loading plugin: confused
Loading plugin: pmd
Loading plugin: semgrep
Loading plugin: semgrepdefi
Loading plugin: semgrepjs
Loading plugin: checkov
Loading plugin: kubescape
Loading plugin: insidersecswift
Loading plugin: insiderseckotlin
Loading plugin: insiderseccsharp
Loading plugin: pmdapex
Loading plugin: semgrepccpp
Loading plugin: semgrepjava
Loading plugin: semgrepeslint
Usage: checkmate [command] [command] [...] [args]
Type "checkmate help" for help
Same workflow as above, but using Docker binary:
export CODE_DIR=/tmp/test
cd /tmp/test
docker run -e CODE_DIR -v /tmp/test:/tmp/test -ti scanmycode/scanmycode3-ce:worker-cli /bin/sh -c 'cd /tmp/test && checkmate init'
docker run -e CODE_DIR -v /tmp/test:/tmp/test -ti scanmycode/scanmycode3-ce:worker-cli /bin/sh -c 'cd /tmp/test && checkmate git init'
docker run -e CODE_DIR -v /tmp/test:/tmp/test -ti scanmycode/scanmycode3-ce:worker-cli /bin/sh -c 'cd /tmp/test && checkmate git analyze'
docker run -e CODE_DIR -v /tmp/test:/tmp/test -ti scanmycode/scanmycode3-ce:worker-cli /bin/sh -c 'cd /tmp/test && checkmate issues'
Progpilot, PMD, Bandit, Brakeman, Gosec, confused, semgrep, trufflehog3, jshint, njsscan, log4shell via custom semgrep rule, checkov, kubescape, graudit, insidersec, flawfinder, find sec bugs, eslint, YARA, osv-scanner and other(s). Some were modified.
Community Edition does not have GitHub support and other plugins. But rest is the same.
or Check the:
Both use static analysis to find bugs and defects, but there are a few differences.
- Betterscan supports Cloudnative and Infrastructure Scanning
- Betterscan supports secrets Scanning (166+ secret types - including GitLeaks)
- Betterscan scans for 4,000 rules for Antidebug, Antivm, Crypto, CVE, Exploits Kits, Malware and Webshells, APTs
- Betterscan scans SBOM and Dependencies vulnerabilities
- Betterscan can be extended with any tool producing JSON output (any binary, in any technology/language/product)
Above are the biggest differences.
- Betterscan is open Source, SonarQube also offers an open-source version, but it is missing features (For example, 12 of the supported languages are not available in the open-source offering, and more powerful dataflow features are only available in the paid versions)
- Betterscan supports scanning only changed files (differential analysis), SonarQube does not. You can store state in Database (PostgreSQL, MySQL/MariaDB, Oracle, Microsoft SQL Server) or in you Git repo.
- Outputs in CLI, HTML, SARIF, JSON. This works nicely with GitHub Codescanning, GitLab Security and Compliance and Azure DevOps Server
- Betterscan uses many tools adding up to 6,300+ checks which also semgrep as one of the tools (without semgrep community rules, only Betterscan's custom rules)
Betterscan is based on QuantifedCode. QuantifiedCode is a code analysis & automation platform. It helps you to keep track of issues and metrics in your software projects, and can be easily extended to support new types of analyses. The application consists of several parts:
- A frontend, realized as a React.js app
- A backend, realized as a Flask app, that exposes a REST API consumed by the frontend
- A background worker, realized using Celery, that performs the code analysis
Currently supports: PHP, Java, Scala, Python, PERL, Ruby, .NET Full Framework, C#, C, C++, Swift, Kotlin, Apex (Salesforce), Javascript, Typescript, GO, Solidity, DeFi Security (DeFi exploits), Infrastructure as a Code (IaC) Security and Best Practices (Docker, Kubernetes (k8s), Terraform AWS, GCP, Azure), Secret Scanning (166+ secret types), Dependency Confusion, Trojan Source, Open Source and Proprietary Checks (total ca. 2,300+ checks)
Advantages:
- Many tools, one report (unification)
- Dismiss, collaborate on findings. Mark false-positives
- Enable/disable each individual check in Checkers
- ca. 6,300+ checks now (Linters, Static Code Analysis/Code Scanning, YARA Ca. 4000 YARA binary matching/textual matching rules for Antidebug, Antivm, Crypto, CVE, Exploits Kits, Malware and Webshells, APTs )
- any tool outputting JSON can be added
- SBOM and Dependencies vulnerabilities
- fast (checks only new code on recheck)
- you can store state in Database (PostgreSQL, MySQL/MariaDB, Oracle, Microsoft SQL Server) or in you Git repo.
- Outputs in CLI, HTML, SARIF, JSON. This works nicely with GitHub Codescanning, GitLab Security and Compliance and Azure DevOps Server
- Git support (HTTPS/TLS and SSH). For private repositories only SSH.
- all REST API callable (CI/CD integrateable)
- Swiss army knife tool/SIEM for Code Scanning
- 100% Code transparency & full control of your code
Cloud version and more at https://www.betterscan.io
Cloud version has also many other plugins, also other plugins are commercially available for licensing (GitHub, GitHub organizations, Slack)
Looking for contributing individuals and organizations. Feel free to contact me at marcinguy@gmail.com
TODO
- update Dependencies (Backend & Frontend - done)
- update to latest React
- update to Python3 (see scanmycode3 branch - done)
- update/add new Checkers (if you wish)
Betterscan's QuantifiedCode parts remain released under BSD-3 Clause License. However, modifications are released under LGPL-2.1 with Commonsclause.
You can use this software, but cannot sell it, also base services on it (SaaS - Software as a Service setups). This is the Commonsclause. If you would like to do it, please contact me first for the permission at marcinguy@gmail.com
We provide several options for installing Betterscan. Which one is the right one for you depends on your use case.
- The manual installation is best if you want to modify or change Betterscan
- The Docker-based installation is probably the easiest way to try Betterscan without much work
- The Ansible-based installation is the most suitable way if you want to run Betterscan in a professional infrastructure (possibly with multiple servers)
The following section will only discuss the manual installation process, for the other options please check their corresponding repositories.
The installation consists of three parts:
- Install the dependencies required to run Betterscan
- Download the required source code
- Set up the configuration
Betterscan requires the following external dependencies:
- A message broker (required for the background tasks message queue). We recommend either RabbitMQ or Redis.
- A database (required for the core application). We recommend PostgreSQL, but SQLite is supported as well. Other database systems might work too (e.g. MySQL), but are currently not officially supported. If you need to run Betterscan on a non-supported database, please get in touch with us and we'll be happy to provide you some guidance.
Now with the dependencies installed, we can go ahead and download Betterscan:
git clone https://github.com/marcinguy/betterscan-ce.git
Betterscan CE manages dependencies via the Python package manager, pip.
Betterscan gets configured via YAML settings files. When starting up the application, it incrementally loads settings from several files, recursively updating the settings object. First, it will load default settings from quantifiedcode/settings/default.yml
. Then, it will check if a QC_SETTINGS
environment variable is defined and points to a valid file, and if so it will load settings from it (possibly overwriting default settings). If not, it will look for a settings.yml
file in the current working
directory and load settings from there. Additionally, it will check if a QC_SECRETS
environment variable is defined and points to a valid file, and also load settings from there (this is useful for sensitive settings that should be kept separate from the rest [e.g. to not check them into version control]).
There is a sample settings.yml
file in the root of the repository that you can start from.
After editing your settings, run the setup command via
#run from the root directory of the repository
python manage.py setup
The setup assistant will iteratively walk you through the setup, and when finished you should have a working instance of Betterscan!
To run the web application, simply run
python manage.py runserver
To run the background worker, simply run
python manage.py runworker
See docker folder. You can spin up everything using one command.
Coming Soon!