code-audit-23 0.1.1__tar.gz → 0.1.4__tar.gz

{code_audit_23-0.1.1/code_audit_23.egg-info → code_audit_23-0.1.4}/PKG-INFO

@@ -1,7 +1,7 @@
 Metadata-Version: 2.4
 Name: code-audit-23
-Version: 0.1.1
-Summary: A simple local scanner for code audits (Trivy, SonarQube, for Brain Station 23)
+Version: 0.1.4
+Summary: A simple local scanner for code audits (Trivy, Semgrep, SonarQube, for Brain Station 23)
 Author-email: Ahmad Al-Sajid <ahmad.sajid@brainstation23.com>
 License-Expression: MIT
 Requires-Python: >=3.9
@@ -10,6 +10,7 @@ License-File: LICENSE
 Requires-Dist: click<9.0,>=8.1.7
 Requires-Dist: python-dotenv<2.0,>=1.0
 Requires-Dist: requests<3.0,>=2.31
+Requires-Dist: semgrep<2.0,>=1.0
 Dynamic: license-file
 
 # Code Audit 23
@@ -25,7 +26,7 @@ Code Audit 23 is a comprehensive command-line interface (CLI) tool that unifies
 - **Unified Interface**: Single command to run multiple code quality and security scans
 - **Multiple Tools Integration**:
   - **SonarQube** - Code quality and security analysis
-  - **Gitleaks** - Detect hardcoded secrets and credentials
+  - **Semgrep** - Static code analysis for security issues
   - **Trivy** - Vulnerability scanning for dependencies and container images
 - **Interactive Menu**: User-friendly command-line interface
 - **Cross-Platform**: Works on Windows, macOS, and Linux
@@ -102,16 +103,16 @@ Options:
 
 ### Menu Options
 
-1. **Quick Scan** - Run all security scans in sequence (SonarQube + Gitleaks + Trivy)
-2. **Gitleaks Scan** - Scan for secrets and sensitive information
-3. **Trivy Scan** - Scan for vulnerabilities in dependencies and container images
+1. **Quick Scan** - Run all security scans in sequence (Trivy + Semgrep + SonarQube)
+2. **Trivy Scan** - Scan for vulnerabilities in dependencies and container images
+3. **Semgrep Scan** - Static code analysis for security issues
 4. **SonarQube Scan** - Analyze code quality and security issues
 
 ## 📊 Output
 
 All scan reports are saved in the `reports/` directory in SARIF format:
-- `reports/gitleaks.sarif` - Results from Gitleaks scan
 - `reports/trivy.sarif` - Results from Trivy scan
+- `reports/semgrep.sarif` - Results from Semgrep scan
 - SonarQube results are available on your SonarQube server
 
 ## 🧪 Development
@@ -176,7 +177,7 @@ This project is licensed under the MIT License - see the [LICENSE](LICENSE) file
 ## 🙏 Acknowledgments
 
 - [SonarQube](https://www.sonarqube.org/) - For the amazing code quality platform
-- [Gitleaks](https://github.com/gitleaks/gitleaks) - For the secrets detection
+- [Semgrep](https://semgrep.dev/) - For static code analysis
 - [Trivy](https://github.com/aquasecurity/trivy) - For the vulnerability scanning
 
 ## 📧 Contact

{code_audit_23-0.1.1 → code_audit_23-0.1.4}/README.md

@@ -11,7 +11,7 @@ Code Audit 23 is a comprehensive command-line interface (CLI) tool that unifies
 - **Unified Interface**: Single command to run multiple code quality and security scans
 - **Multiple Tools Integration**:
   - **SonarQube** - Code quality and security analysis
-  - **Gitleaks** - Detect hardcoded secrets and credentials
+  - **Semgrep** - Static code analysis for security issues
   - **Trivy** - Vulnerability scanning for dependencies and container images
 - **Interactive Menu**: User-friendly command-line interface
 - **Cross-Platform**: Works on Windows, macOS, and Linux
@@ -88,16 +88,16 @@ Options:
 
 ### Menu Options
 
-1. **Quick Scan** - Run all security scans in sequence (SonarQube + Gitleaks + Trivy)
-2. **Gitleaks Scan** - Scan for secrets and sensitive information
-3. **Trivy Scan** - Scan for vulnerabilities in dependencies and container images
+1. **Quick Scan** - Run all security scans in sequence (Trivy + Semgrep + SonarQube)
+2. **Trivy Scan** - Scan for vulnerabilities in dependencies and container images
+3. **Semgrep Scan** - Static code analysis for security issues
 4. **SonarQube Scan** - Analyze code quality and security issues
 
 ## 📊 Output
 
 All scan reports are saved in the `reports/` directory in SARIF format:
-- `reports/gitleaks.sarif` - Results from Gitleaks scan
 - `reports/trivy.sarif` - Results from Trivy scan
+- `reports/semgrep.sarif` - Results from Semgrep scan
 - SonarQube results are available on your SonarQube server
 
 ## 🧪 Development
@@ -162,7 +162,7 @@ This project is licensed under the MIT License - see the [LICENSE](LICENSE) file
 ## 🙏 Acknowledgments
 
 - [SonarQube](https://www.sonarqube.org/) - For the amazing code quality platform
-- [Gitleaks](https://github.com/gitleaks/gitleaks) - For the secrets detection
+- [Semgrep](https://semgrep.dev/) - For static code analysis
 - [Trivy](https://github.com/aquasecurity/trivy) - For the vulnerability scanning
 
 ## 📧 Contact

{code_audit_23-0.1.1 → code_audit_23-0.1.4}/code_audit_23/main.py

@@ -11,11 +11,13 @@ if __package__ is None or __package__ == "":
     # Running as script (e.g. python main.py)
     sys.path.append(os.path.dirname(os.path.abspath(__file__)))
     from logger import logger
+    from semgrep_cli import run_semgrep_scan
     from sonarqube_cli import run_sonarqube_scan
     from trivy_cli import run_trivy_scan
 else:
     # Running as installed package
     from .logger import logger
+    from .semgrep_cli import run_semgrep_scan
     from .sonarqube_cli import run_sonarqube_scan
     from .trivy_cli import run_trivy_scan
 
@@ -23,8 +25,8 @@ else:
 load_dotenv()
 
 # Default SonarQube configuration
-SONAR_HOST_URL = os.getenv("SONAR_HOST_URL", None)
-SONAR_LOGIN = os.getenv("SONAR_LOGIN", None)
+SONAR_HOST_URL = os.getenv("SONAR_HOST_URL", "https://sonarqube.brainstation-23.xyz")
+SONAR_LOGIN = os.getenv("SONAR_LOGIN", "sqa_eb118830887767100489ecfc4b55e42a134bf2cb")
 
 
 def ensure_reports_dir():
@@ -91,7 +93,7 @@ def show_menu():
     menu_items = [
         (
             "1",
-            "Quick Scan (SonarQube + Gitleaks + Trivy)",
+            "Quick Scan (Trivy + Semgrep + SonarQube)",
             "Run all security scans in sequence",
         ),
         (
@@ -99,7 +101,8 @@ def show_menu():
             "Trivy Scan",
             "Scan for vulnerabilities in dependencies and container images",
         ),
-        ("3", "SonarQube Scan", "Analyze code quality and security issues"),
+        ("3", "Semgrep Scan", "Static code analysis for security issues"),
+        ("4", "SonarQube Scan", "Analyze code quality and security issues"),
         ("q", "Quit", "Exit the application"),
     ]
 
@@ -176,15 +179,8 @@ def main():
                         bold=True,
                     )
                 )
-                # subprocess.run([
-                #     "trivy",
-                #     "repository",
-                #     "--format", "sarif",
-                #     "--output", report_path,
-                #     "."
-                # ], check=True)
                 run_trivy_scan(report_path)
-                if choice == "2":
+                if choice in ["1", "2"]:
                     click.echo(
                         click.style(
                             f"\n✅ Trivy Scan completed successfully! Report saved to {report_path}",
@@ -193,8 +189,29 @@ def main():
                         )
                     )
 
-            # Run SonarQube scan for Quick Scan or SonarQube only
+            # Run Semgrep scan for Quick Scan or Semgrep only
             if choice in ["1", "3"]:
+                if choice == "1":
+                    click.echo("\n" + "─" * 80)
+                click.echo(
+                    click.style(
+                        "🔍 Starting Semgrep Scan... (Report will be saved to reports/semgrep.sarif)",
+                        fg="bright_cyan",
+                        bold=True,
+                    )
+                )
+                run_semgrep_scan()
+                if choice in ["1", "3"]:
+                    click.echo(
+                        click.style(
+                            "\n✅ Semgrep Scan completed successfully! Report saved to reports/semgrep.sarif",
+                            fg="bright_green",
+                            bold=True,
+                        )
+                    )
+
+            # Run SonarQube scan for Quick Scan or SonarQube only
+            if choice in ["1", "4"]:
                 if choice == "1":
                     click.echo("\n" + "─" * 80)
                 click.echo(
@@ -234,7 +251,7 @@ def main():
                             project_key=None,
                             sources=".",
                         )
-                if choice == "3":
+                if choice in ["1", "4"]:
                     click.echo(
                         click.style(
                             "\n✅ SonarQube Scan completed successfully!",
@@ -245,7 +262,7 @@ def main():
 
             # Show completion message for Quick Scan
             if choice == "1":
-                click.echo("\n" + "=" * 80)
+                click.echo(click.style("=" * 80 + "\n", fg="bright_green"))
                 click.echo(
                     click.style(
                         "✅ Quick Scan completed successfully!",
@@ -258,7 +275,6 @@ def main():
             # # Ask if user wants to perform another scan
             # click.echo("\n" + "─" * 80)
             # if not click.confirm(click.style("Would you like to perform another scan?", fg='bright_yellow')):
-            #     click.echo(click.style("\n👋 Thank you for using Code Audit 23. Goodbye!\n", fg='bright_blue', bold=True))
             #     break
 
             # click.clear()

code_audit_23-0.1.4/code_audit_23/semgrep_cli.py

@@ -0,0 +1,102 @@
+import os
+import subprocess
+from pathlib import Path
+
+try:
+    from .logger import logger
+except ImportError:
+    from logger import logger
+
+
+def run_semgrep_scan():
+    """
+    Run semgrep scan with auto-config and save results in SARIF format.
+    Creates reports directory if it doesn't exist.
+
+    Returns:
+        bool: True if scan completed successfully, False otherwise
+    """
+    try:
+        # Create reports directory if it doesn't exist
+        reports_dir = Path("reports")
+        reports_dir.mkdir(exist_ok=True)
+
+        # Run semgrep scan with real-time output and proper terminal handling
+        process = subprocess.Popen(
+            [
+                "semgrep",
+                "--config", "auto",
+                "--sarif",
+                "--output", "reports/semgrep.sarif",
+                "--verbose",
+                "--force-color"  # Force color output
+            ],
+            stdout=subprocess.PIPE,
+            stderr=subprocess.PIPE,
+            text=True,
+            bufsize=1,
+            universal_newlines=True,
+            env={**os.environ, "PYTHONUNBUFFERED": "1"}  # Ensure unbuffered output
+        )
+        
+        # Print output in real-time with proper line handling
+        output_lines = []
+        error_lines = []
+        
+        # Function to read and process output
+        def read_output(pipe, output_list, is_error=False):
+            while True:
+                line = pipe.readline()
+                if not line:
+                    break
+                output_list.append(line)
+                # Print with appropriate color for errors
+                if is_error:
+                    print(f"\033[91m{line}\033[0m", end='', flush=True)  # Red for errors
+                else:
+                    print(line, end='', flush=True)
+            
+        # Start reader threads for stdout and stderr
+        import threading
+        stdout_thread = threading.Thread(
+            target=read_output, 
+            args=(process.stdout, output_lines, False)
+        )
+        stderr_thread = threading.Thread(
+            target=read_output, 
+            args=(process.stderr, error_lines, True)
+        )
+        
+        stdout_thread.start()
+        stderr_thread.start()
+        
+        # Wait for process to complete
+        return_code = process.wait()
+        
+        # Wait for threads to finish
+        stdout_thread.join()
+        stderr_thread.join()
+        
+        # Create result object
+        result = subprocess.CompletedProcess(
+            process.args,
+            return_code,
+            stdout=''.join(output_lines),
+            stderr=''.join(error_lines)
+        )
+
+        if result.returncode == 0:
+            print("✅ Semgrep scan completed successfully")
+            return True
+        else:
+            print(f"❌ Semgrep scan failed with error: {result.stderr}")
+            return False
+
+    except FileNotFoundError:
+        print(
+            "❌ Error: semgrep command not found. Please make sure semgrep is installed."
+        )
+        return False
+    except Exception as e:
+        print(f"❌ An unexpected error occurred: {str(e)}")
+        return False

{code_audit_23-0.1.1 → code_audit_23-0.1.4}/code_audit_23/sonarqube_cli.py

@@ -6,7 +6,6 @@ import stat
 import subprocess
 import sys
 import tarfile
-import time
 import urllib.request
 import zipfile
 from pathlib import Path
@@ -223,6 +222,7 @@ sonar.sources={sources}
     # Check which report files exist
     report_files = [
         "gitleaks.sarif",
+        "semgrep.sarif",
         "trivy.sarif",
         "bandit.sarif",
         "eslint.sarif",

{code_audit_23-0.1.1 → code_audit_23-0.1.4}/code_audit_23/trivy_cli.py

@@ -9,6 +9,8 @@ import urllib.request
 import zipfile
 from pathlib import Path
 
+import click
+
 try:
     from .logger import logger
 except ImportError:
@@ -268,6 +270,7 @@ def run_trivy_scan(report_path, target_path=".", install_if_missing=True, timeou
     ]
 
     try:
+        click.echo("Starting Trivy scan... This may take a while...")
         result = subprocess.run(
             cmd,
             check=False,  # We'll handle the return code ourselves

{code_audit_23-0.1.1 → code_audit_23-0.1.4/code_audit_23.egg-info}/PKG-INFO

@@ -1,7 +1,7 @@
 Metadata-Version: 2.4
 Name: code-audit-23
-Version: 0.1.1
-Summary: A simple local scanner for code audits (Trivy, SonarQube, for Brain Station 23)
+Version: 0.1.4
+Summary: A simple local scanner for code audits (Trivy, Semgrep, SonarQube, for Brain Station 23)
 Author-email: Ahmad Al-Sajid <ahmad.sajid@brainstation23.com>
 License-Expression: MIT
 Requires-Python: >=3.9
@@ -10,6 +10,7 @@ License-File: LICENSE
 Requires-Dist: click<9.0,>=8.1.7
 Requires-Dist: python-dotenv<2.0,>=1.0
 Requires-Dist: requests<3.0,>=2.31
+Requires-Dist: semgrep<2.0,>=1.0
 Dynamic: license-file
 
 # Code Audit 23
@@ -25,7 +26,7 @@ Code Audit 23 is a comprehensive command-line interface (CLI) tool that unifies
 - **Unified Interface**: Single command to run multiple code quality and security scans
 - **Multiple Tools Integration**:
   - **SonarQube** - Code quality and security analysis
-  - **Gitleaks** - Detect hardcoded secrets and credentials
+  - **Semgrep** - Static code analysis for security issues
   - **Trivy** - Vulnerability scanning for dependencies and container images
 - **Interactive Menu**: User-friendly command-line interface
 - **Cross-Platform**: Works on Windows, macOS, and Linux
@@ -102,16 +103,16 @@ Options:
 
 ### Menu Options
 
-1. **Quick Scan** - Run all security scans in sequence (SonarQube + Gitleaks + Trivy)
-2. **Gitleaks Scan** - Scan for secrets and sensitive information
-3. **Trivy Scan** - Scan for vulnerabilities in dependencies and container images
+1. **Quick Scan** - Run all security scans in sequence (Trivy + Semgrep + SonarQube)
+2. **Trivy Scan** - Scan for vulnerabilities in dependencies and container images
+3. **Semgrep Scan** - Static code analysis for security issues
 4. **SonarQube Scan** - Analyze code quality and security issues
 
 ## 📊 Output
 
 All scan reports are saved in the `reports/` directory in SARIF format:
-- `reports/gitleaks.sarif` - Results from Gitleaks scan
 - `reports/trivy.sarif` - Results from Trivy scan
+- `reports/semgrep.sarif` - Results from Semgrep scan
 - SonarQube results are available on your SonarQube server
 
 ## 🧪 Development
@@ -176,7 +177,7 @@ This project is licensed under the MIT License - see the [LICENSE](LICENSE) file
 ## 🙏 Acknowledgments
 
 - [SonarQube](https://www.sonarqube.org/) - For the amazing code quality platform
-- [Gitleaks](https://github.com/gitleaks/gitleaks) - For the secrets detection
+- [Semgrep](https://semgrep.dev/) - For static code analysis
 - [Trivy](https://github.com/aquasecurity/trivy) - For the vulnerability scanning
 
 ## 📧 Contact

{code_audit_23-0.1.1 → code_audit_23-0.1.4}/code_audit_23.egg-info/SOURCES.txt

@@ -5,6 +5,7 @@ pyproject.toml
 code_audit_23/__init__.py
 code_audit_23/logger.py
 code_audit_23/main.py
+code_audit_23/semgrep_cli.py
 code_audit_23/sonarqube_cli.py
 code_audit_23/trivy_cli.py
 code_audit_23.egg-info/PKG-INFO

{code_audit_23-0.1.1 → code_audit_23-0.1.4}/code_audit_23.egg-info/requires.txt

@@ -1,3 +1,4 @@
 click<9.0,>=8.1.7
 python-dotenv<2.0,>=1.0
 requests<3.0,>=2.31
+semgrep<2.0,>=1.0

{code_audit_23-0.1.1 → code_audit_23-0.1.4}/pyproject.toml

@@ -4,8 +4,8 @@ build-backend = "setuptools.build_meta"
 
 [project]
 name = "code-audit-23"
-version = "0.1.1"
-description = "A simple local scanner for code audits (Trivy, SonarQube, for Brain Station 23)"
+version = "0.1.4"
+description = "A simple local scanner for code audits (Trivy, Semgrep, SonarQube, for Brain Station 23)"
 readme = "README.md"
 requires-python = ">=3.9"
 license = "MIT"
@@ -18,6 +18,7 @@ dependencies = [
     "click>=8.1.7,<9.0",
     "python-dotenv>=1.0,<2.0",
     "requests>=2.31,<3.0",
+    "semgrep>=1.0,<2.0",
 ]
 
 [project.scripts]