Your Site Name
返回新闻

RT Ahmad Sadeddin:我们今天开源了Sighthound。Sightthound是一个基于Rust的源代码静态漏洞扫描器。它在本地运行或.

RT Ahmad Sadeddin: 🚀 We open-sourced Sighthound today. Sighthound is a Rust-based static vulnerability scanner for source code. It runs locally or ...

Garry TanAI2026-07-09
RT Ahmad Sadeddin我们今天开源了Sightthound。Sightthound是一个基于Rust的源代码静态漏洞扫描器。它在本地或CI中运行,使用Tree-sitter解析器,并支持基于模式的检测和污染流分析。它还附带了所有规则集,无需付费帐户或注册needed.https://github.com/Corgea/Sighthound/Why在2026年构建另一个静态扫描仪?Semgrep和OpenGrep很有用,但我们不断遇到一些限制:OCaml核心提高了许多开发人员的贡献标准,添加语言支持并不像我们想要的那么简单,生态系统中一些信号更高的规则内容位于帐户或付费产品后面。我们想要一些快速、可检查、易于扩展且完全开放的东西。一些实现细节:-用于本地和CI使用的Rust二进制文件- Tree-Sitter解析-默认模式匹配和污点分析-跨文件污点传播和依赖跟踪-并行文件发现和扫描-文本,JSON和CSV输出-用RON编写的规则,并将其转换为类型化的Rust结构/枚举- MIT许可目前支持包括Python,JS/TS,Java,Go,C#,HTML,PHP和Ruby。它主要关注源代码漏洞类,如命令注入、SQL注入、XSS、路径遍历、代码注入、不安全的加密和加密问题。这不是一个秘密扫描仪。我们仍然有很多工作要做,以达到我们想要的,所以,我们希望社区测试它,打破它,报告问题,并告诉我们它的不足之处。对于规则、语言支持、fixture和误报调优的PR是非常受欢迎的。

原文

RT Ahmad Sadeddin🚀 We open-sourced Sighthound today.Sighthound is a Rust-based static vulnerability scanner for source code. It runs locally or in CI, uses Tree-sitter parsers, and supports pattern-based detection plus taint flow analysis. It also comes with all it's rulesets with no paid account or signup needed.https://github.com/Corgea/Sighthound/Why build another static scanner in 2026?Semgrep and OpenGrep are useful, but we kept running into a few constraints: the OCaml core raises the contribution bar for many developers, adding language support is not as simple as we wanted, and some higher-signal rule content in the ecosystem sits behind accounts or paid offerings.We wanted something fast, inspectable, easy to extend, and fully open. A few implementation details:- Rust binary for local and CI use- Tree-sitter parsing- Pattern matching and taint analysis by default- Cross-file taint propagation and dependency tracking- Parallel file discovery and scanning- Text, JSON, and CSV output- Rules written in RON and deserialized into typed Rust structs/enums- MIT licensedCurrent support includes Python, JS/TS, Java, Go, C#, HTML, PHP and Ruby. It focuses on source-code vulnerability classes like command injection, SQL injection, XSS, path traversal, code injection, unsafe deserialization, and crypto issues. It is not a secrets scanner.We're still have a lot of work to getting to where we want it to be so, we would love the community to test it, break it, report issues, and tell us where it falls short. PRs for rules, language support, fixtures, and false-positive tuning are very welcome.