sast 0.1.0__py3-none-any.whl

sast/__init__.py

@@ -0,0 +1,9 @@
+"""sast — thin launcher for the Insomnia SAST binary.
+
+`pip install sast` lays down only this tiny pure-Python launcher. The actual
+SAST engine is a prebuilt, self-contained binary that is fetched on first run
+from insom.ai, matched to your OS, checksum-verified, and cached. Subsequent
+runs exec the cached binary directly.
+"""
+
+__version__ = "0.1.0"

sast/__main__.py

@@ -0,0 +1,6 @@
+"""Allow `python -m sast` to behave like the `sast` console script."""
+
+from .cli import main
+
+if __name__ == "__main__":
+    raise SystemExit(main())

sast/_download.py

@@ -0,0 +1,264 @@
+"""OS detection, manifest fetch, binary download + checksum + cache.
+
+Pure stdlib (urllib/hashlib/platform) so the wheel has zero runtime deps and
+stays a few KB. The hosted layout this expects on insom.ai:
+
+    https://insom.ai/static/downloads/sast/manifest.json
+
+    {
+      "version": "2026.06.04-abc1234",
+      "platforms": {
+        "linux":   {"url": ".../sast-linux-x64",       "sha256": "<hex>"},
+        "macos":   {"url": ".../sast-macos-x64",        "sha256": "<hex>"},
+        "windows": {"url": ".../sast-windows-x64.exe",  "sha256": "<hex>"}
+      }
+    }
+
+`url` may be absolute or relative to the manifest's own URL. `sha256` is
+optional but strongly recommended — when present it is enforced.
+"""
+
+from __future__ import annotations
+
+import hashlib
+import os
+import platform
+import stat
+import sys
+import urllib.request
+from urllib.parse import urljoin
+
+# Override with the SAST_MANIFEST_URL env var (handy for staging / self-hosting).
+DEFAULT_MANIFEST_URL = "https://insom.ai/static/downloads/sast/manifest.json"
+
+_USER_AGENT = "sast-launcher"
+
+
+class DownloadError(RuntimeError):
+    """Raised when the binary cannot be fetched or verified."""
+
+
+def manifest_url() -> str:
+    return os.environ.get("SAST_MANIFEST_URL", DEFAULT_MANIFEST_URL).strip()
+
+
+def detect_platform() -> str:
+    """Map the host OS to a manifest platform key (linux / macos / windows)."""
+    system = platform.system().lower()
+    if system.startswith("linux"):
+        return "linux"
+    if system == "darwin":
+        return "macos"
+    if system.startswith("win"):
+        return "windows"
+    raise DownloadError(
+        f"Unsupported operating system: {platform.system()!r}. "
+        "sast ships binaries for Linux, macOS and Windows only."
+    )
+
+
+def _arch_is_supported() -> bool:
+    """The hosted binaries are x86-64 only (for now). arm64 macs run via Rosetta."""
+    machine = platform.machine().lower()
+    return machine in {"x86_64", "amd64", "x64"} or platform.system().lower() == "darwin"
+
+
+def cache_dir() -> str:
+    """Per-user cache directory for the downloaded binary, by OS convention."""
+    override = os.environ.get("SAST_CACHE_DIR")
+    if override:
+        return override
+    system = platform.system().lower()
+    if system.startswith("win"):
+        base = os.environ.get("LOCALAPPDATA") or os.path.expanduser("~\\AppData\\Local")
+        return os.path.join(base, "sast", "bin")
+    if system == "darwin":
+        return os.path.expanduser("~/Library/Application Support/sast/bin")
+    base = os.environ.get("XDG_CACHE_HOME") or os.path.expanduser("~/.cache")
+    return os.path.join(base, "sast", "bin")
+
+
+def binary_path() -> str:
+    name = "sast.exe" if detect_platform() == "windows" else "sast"
+    return os.path.join(cache_dir(), name)
+
+
+def _version_marker() -> str:
+    return os.path.join(cache_dir(), ".version")
+
+
+def _lastcheck_marker() -> str:
+    return os.path.join(cache_dir(), ".lastcheck")
+
+
+def _update_interval() -> int:
+    """Seconds between background 'is a newer engine available?' checks.
+
+    Default 24h. Set SAST_UPDATE_INTERVAL=0 to disable auto-update entirely
+    (the cached binary is then used until `sast self-update` is run).
+    """
+    raw = os.environ.get("SAST_UPDATE_INTERVAL", "").strip()
+    if not raw:
+        return 86400
+    try:
+        return max(0, int(raw))
+    except ValueError:
+        return 86400
+
+
+def _update_check_due() -> bool:
+    interval = _update_interval()
+    if interval <= 0:
+        return False
+    import time
+
+    try:
+        last = os.path.getmtime(_lastcheck_marker())
+    except OSError:
+        return True  # never checked
+    return (time.time() - last) >= interval
+
+
+def _mark_checked() -> None:
+    try:
+        os.makedirs(cache_dir(), exist_ok=True)
+        with open(_lastcheck_marker(), "w", encoding="utf-8") as fh:
+            fh.write("")
+    except OSError:
+        pass
+
+
+def _http_get(url: str, *, binary: bool) -> bytes:
+    import ssl
+
+    req = urllib.request.Request(url, headers={"User-Agent": _USER_AGENT})
+    try:
+        with urllib.request.urlopen(req, timeout=120) as resp:  # noqa: S310 (https only by default)
+            return resp.read()
+    except ssl.SSLCertVerificationError as exc:
+        hint = ""
+        if platform.system().lower() == "darwin":
+            # Classic python.org-build issue: the bundled OpenSSL has no CA store
+            # until the user runs the post-install "Install Certificates.command".
+            hint = (
+                "\nOn macOS this usually means your Python install has no CA "
+                "certificates. Run:\n"
+                '  /Applications/Python\\ 3.x/Install\\ Certificates.command\n'
+                "or:  pip install --upgrade certifi"
+            )
+        raise DownloadError(f"TLS certificate verification failed for {url}: {exc}{hint}") from exc
+    except Exception as exc:  # urllib raises a zoo of exception types
+        raise DownloadError(f"Could not fetch {url}: {exc}") from exc
+
+
+def _load_manifest() -> dict:
+    import json
+
+    raw = _http_get(manifest_url(), binary=False)
+    try:
+        data = json.loads(raw.decode("utf-8"))
+    except Exception as exc:
+        raise DownloadError(f"Manifest at {manifest_url()} is not valid JSON: {exc}") from exc
+    if not isinstance(data, dict) or "platforms" not in data:
+        raise DownloadError("Manifest is missing the required 'platforms' object.")
+    return data
+
+
+def _verify_sha256(blob: bytes, expected: str) -> None:
+    actual = hashlib.sha256(blob).hexdigest()
+    if actual.lower() != expected.lower():
+        raise DownloadError(
+            "Checksum mismatch — refusing to install a tampered or corrupt binary.\n"
+            f"  expected sha256: {expected}\n"
+            f"  actual   sha256: {actual}"
+        )
+
+
+def current_version() -> str | None:
+    try:
+        with open(_version_marker(), encoding="utf-8") as fh:
+            return fh.read().strip() or None
+    except OSError:
+        return None
+
+
+def ensure_binary(*, force: bool = False, quiet: bool = False) -> str:
+    """Return the path to the cached binary, downloading it if needed.
+
+    Behaviour:
+      * missing binary  -> download it (first run).
+      * force=True      -> always re-fetch the latest (used by `sast self-update`).
+      * binary present  -> reused immediately. At most once per
+        SAST_UPDATE_INTERVAL (default 24h) it also checks insom.ai for a newer
+        version and upgrades automatically. Network failures fail open: the
+        cached binary keeps working offline.
+    """
+    path = binary_path()
+    exists = os.path.exists(path)
+
+    manifest = None
+    if exists and not force:
+        if not _update_check_due():
+            return path
+        # An update check is due — see whether insom.ai has a newer build.
+        try:
+            manifest = _load_manifest()
+        except DownloadError:
+            _mark_checked()  # offline / server down: keep using the cached binary
+            return path
+        _mark_checked()
+        latest = manifest.get("version") or ""
+        if latest == (current_version() or ""):
+            return path  # already on the latest
+        _warn(quiet, f"sast: newer engine available ({latest}); updating...")
+
+    if not _arch_is_supported():
+        _warn(
+            quiet,
+            f"warning: CPU architecture {platform.machine()!r} has no native sast build; "
+            "attempting the x86-64 binary.",
+        )
+
+    plat = detect_platform()
+    if manifest is None:
+        _warn(quiet, "sast: fetching the SAST engine (first run)..." if not force
+              else "sast: updating the SAST engine...")
+        manifest = _load_manifest()
+
+    entry = manifest.get("platforms", {}).get(plat)
+    if not entry or not entry.get("url"):
+        raise DownloadError(f"Manifest has no download entry for platform {plat!r}.")
+
+    url = urljoin(manifest_url(), entry["url"])
+    blob = _http_get(url, binary=True)
+
+    sha = entry.get("sha256")
+    if sha:
+        _verify_sha256(blob, sha)
+    else:
+        _warn(quiet, "warning: manifest provided no sha256 — skipping integrity check.")
+
+    os.makedirs(cache_dir(), exist_ok=True)
+    tmp = path + ".part"
+    with open(tmp, "wb") as fh:
+        fh.write(blob)
+    if plat != "windows":
+        mode = os.stat(tmp).st_mode
+        os.chmod(tmp, mode | stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH)
+    os.replace(tmp, path)
+
+    version = manifest.get("version", "")
+    try:
+        with open(_version_marker(), "w", encoding="utf-8") as fh:
+            fh.write(version)
+    except OSError:
+        pass
+    _mark_checked()
+
+    _warn(quiet, f"sast: installed engine {version or '(unversioned)'} -> {path}")
+    return path
+
+
+def _warn(quiet: bool, msg: str) -> None:
+    if not quiet:
+        print(msg, file=sys.stderr)

sast/cli.py

@@ -0,0 +1,71 @@
+"""`sast` entry point: ensure the engine binary is present, then hand off to it.
+
+All arguments after `sast` are passed straight through to the underlying SAST
+binary, so `sast --help`, `sast <path> --sarif`, etc. behave exactly like the
+native CLI. A few launcher-only subcommands are intercepted first.
+"""
+
+from __future__ import annotations
+
+import os
+import subprocess
+import sys
+
+from . import __version__
+from ._download import (
+    DownloadError,
+    binary_path,
+    current_version,
+    ensure_binary,
+)
+
+_LAUNCHER_HELP = f"""sast {__version__} — launcher for the Insomnia SAST engine
+
+Usage:
+  sast [SAST-ARGS...]     Run the SAST engine (downloads it on first use).
+  sast self-update        Re-download the latest engine binary.
+  sast self-version       Show launcher + cached-engine versions.
+  sast self-where         Print the path to the cached engine binary.
+
+Everything else is forwarded to the engine. Try:  sast --help
+"""
+
+
+def _run_engine(args: list[str]) -> int:
+    path = ensure_binary()
+    # On POSIX, exec replaces this process so signals/exit codes pass through
+    # cleanly. On Windows there is no exec, so spawn and forward the exit code.
+    if os.name == "posix":
+        os.execv(path, [path, *args])  # never returns
+    completed = subprocess.run([path, *args])
+    return completed.returncode
+
+
+def main(argv: list[str] | None = None) -> int:
+    argv = list(sys.argv[1:] if argv is None else argv)
+
+    if argv:
+        cmd = argv[0]
+        if cmd == "self-update":
+            ensure_binary(force=True)
+            return 0
+        if cmd == "self-version":
+            print(f"sast launcher {__version__}")
+            print(f"engine        {current_version() or '(not yet installed)'}")
+            return 0
+        if cmd == "self-where":
+            print(binary_path())
+            return 0
+        if cmd in ("self-help", "--launcher-help"):
+            print(_LAUNCHER_HELP)
+            return 0
+
+    try:
+        return _run_engine(argv)
+    except DownloadError as exc:
+        print(f"sast: {exc}", file=sys.stderr)
+        return 3
+
+
+if __name__ == "__main__":
+    raise SystemExit(main())

sast-0.1.0.dist-info/METADATA

@@ -0,0 +1,129 @@
+Metadata-Version: 2.4
+Name: sast
+Version: 0.1.0
+Summary: sast — free, fast static application security testing for CI/CD. Installs a self-contained SAST engine (17+ languages, taint tracking, secrets, IaC, SCA; HTML/JSON/SARIF) on first run.
+Author: CQR Cybersecurity LLC
+License: Proprietary
+Project-URL: Homepage, https://insom.ai
+Keywords: sast,security,static-analysis,sca,sarif,ci,devsecops
+Classifier: Development Status :: 4 - Beta
+Classifier: Environment :: Console
+Classifier: Intended Audience :: Developers
+Classifier: Topic :: Security
+Classifier: Topic :: Software Development :: Quality Assurance
+Classifier: Operating System :: OS Independent
+Classifier: Programming Language :: Python :: 3
+Requires-Python: >=3.8
+Description-Content-Type: text/markdown
+License-File: LICENSE
+Dynamic: license-file
+
+# sast
+
+**Free, fast static application security testing for CI/CD.**
+
+`sast` is a tiny launcher. Installing it is instant; the first time you run it,
+it downloads a self-contained SAST engine binary that matches your operating
+system, verifies its checksum, and caches it. Every run after that is native
+speed with no Python dependencies.
+
+```bash
+pip install sast
+sast .                 # scan the current directory
+sast ./src --sarif report.sarif
+sast --help            # full engine options
+```
+
+> Supports Linux, macOS and Windows (x86-64). On Apple Silicon the macOS
+> binary runs under Rosetta.
+
+## What it scans
+
+- **SAST** across 17+ languages with taint tracking
+- **Secrets** detection (entropy + vendor rule packs)
+- **IaC / cloud misconfiguration** (Terraform, K8s, Docker, …)
+- **SCA** — known-vulnerable dependencies
+- Output as **HTML**, **JSON**, or **SARIF** (drops straight into GitHub code scanning)
+
+## How it works
+
+`pip install sast` lays down only a few KB of pure-Python launcher — **no
+download happens at install time** (that keeps offline/CI installs reliable).
+On first invocation the launcher:
+
+1. Detects your OS → `linux` / `macos` / `windows`.
+2. Fetches the manifest from `https://insom.ai/static/downloads/sast/manifest.json`.
+3. Downloads the matching binary and verifies its `sha256`.
+4. Caches it under your per-user cache directory and `exec`s it.
+
+Because the engine lives on the server, new engine releases reach users
+without republishing the pip package.
+
+### Staying on the latest engine
+
+After the first download the cached binary is reused for speed. At most once
+per day (`SAST_UPDATE_INTERVAL`, default `86400` seconds) `sast` also asks
+insom.ai whether a newer engine is published and, if so, upgrades itself
+automatically. Update checks **fail open** — if you're offline or the server
+is unreachable, the cached binary keeps working. Set `SAST_UPDATE_INTERVAL=0`
+to pin the cached version, or run `sast self-update` to force the latest at
+any time.
+
+## Launcher commands
+
+| Command             | What it does                                  |
+|---------------------|-----------------------------------------------|
+| `sast …`            | Forward all args to the SAST engine           |
+| `sast self-update`  | Re-download the latest engine binary          |
+| `sast self-version` | Show launcher + cached-engine versions        |
+| `sast self-where`   | Print the cached binary path                  |
+
+## Environment variables
+
+| Variable                | Purpose                                                    |
+|-------------------------|------------------------------------------------------------|
+| `SAST_MANIFEST_URL`     | Override the manifest URL (staging / self-hosting)         |
+| `SAST_CACHE_DIR`        | Override where the binary is cached                        |
+| `SAST_UPDATE_INTERVAL`  | Seconds between auto-update checks (default `86400`; `0` disables) |
+
+Default cache locations:
+
+- **Linux:** `~/.cache/sast/bin`
+- **macOS:** `~/Library/Application Support/sast/bin`
+- **Windows:** `%LOCALAPPDATA%\sast\bin`
+
+## Use in CI (GitHub Actions)
+
+```yaml
+- run: pip install sast
+- run: sast . --sarif results.sarif --fail-on high
+- uses: github/codeql-action/upload-sarif@v3
+  with:
+    sarif_file: results.sarif
+```
+
+`sast` exits non-zero when findings meet your `--fail-on` threshold, failing
+the build.
+
+## Server-side manifest format
+
+The launcher expects this JSON at `SAST_MANIFEST_URL`:
+
+```json
+{
+  "version": "2026.06.04-abc1234",
+  "platforms": {
+    "linux":   { "url": "sast-linux-x64",       "sha256": "<hex>" },
+    "macos":   { "url": "sast-macos-x64",        "sha256": "<hex>" },
+    "windows": { "url": "sast-windows-x64.exe",  "sha256": "<hex>" }
+  }
+}
+```
+
+`url` may be relative to the manifest URL or absolute. `sha256` is optional but
+enforced when present.
+
+---
+
+© CQR Cybersecurity LLC. The `sast` launcher is open source; the SAST engine
+binary it downloads is proprietary. See <https://insom.ai>.

sast-0.1.0.dist-info/RECORD

@@ -0,0 +1,10 @@
+sast/__init__.py,sha256=h1EO8NTKoKdvOmoAv0AagYQHDe5-XOJuU1qzpjQAe5Y,354
+sast/__main__.py,sha256=4ARGWRWoiMKKgxYtTsl3Vyl5Dy3yKdNaqkx3QNNyHAU,151
+sast/_download.py,sha256=VfqocCiiDsBS5_bLfMzY45MdTPVoeP22iWCCD6HYasE,8808
+sast/cli.py,sha256=fQnKFAmiF3RkqjT975DnKKSySAunwYkIMrh7URJjIMM,2147
+sast-0.1.0.dist-info/licenses/LICENSE,sha256=Op0BssnKeTi7SZWQZDAYa9TQnTnTketj4RawE1nHW8g,1368
+sast-0.1.0.dist-info/METADATA,sha256=0pCl3PLnbHnJWrw6kmkOH_4YuXKbRTD8u2WB4z0LCz4,4825
+sast-0.1.0.dist-info/WHEEL,sha256=aeYiig01lYGDzBgS8HxWXOg3uV61G9ijOsup-k9o1sk,91
+sast-0.1.0.dist-info/entry_points.txt,sha256=F-3hNUrsGdBB3J6QAPHBRHHigKTpS0sM81ms42i-9G0,39
+sast-0.1.0.dist-info/top_level.txt,sha256=M4oQT0X5raRTlKrbP6SBWFO-9ui8rLTNMCpQfniPHEQ,5
+sast-0.1.0.dist-info/RECORD,,

sast-0.1.0.dist-info/WHEEL

@@ -0,0 +1,5 @@
+Wheel-Version: 1.0
+Generator: setuptools (82.0.1)
+Root-Is-Purelib: true
+Tag: py3-none-any
+

sast-0.1.0.dist-info/entry_points.txt

@@ -0,0 +1,2 @@
+[console_scripts]
+sast = sast.cli:main

sast-0.1.0.dist-info/licenses/LICENSE

@@ -0,0 +1,26 @@
+MIT License (launcher only)
+
+Copyright (c) 2026 CQR Cybersecurity LLC
+
+This license applies ONLY to the source code in this repository (the "sast"
+launcher). It does NOT apply to the Insomnia SAST engine binary that the
+launcher downloads at runtime, which is proprietary software of CQR
+Cybersecurity LLC and is provided under separate terms.
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

sast-0.1.0.dist-info/top_level.txt

@@ -0,0 +1 @@
+sast