quacomes/secscanner

🔒 SecScanner

Cloud-Native Security Scanner for Modern DevOps

Installation • Quick Start • Features • Documentation • Contributing


🚀 Overview

SecScanner is a high-performance, modular security scanning CLI tool built with Go. Designed for 2026 and beyond, it seamlessly integrates into CI/CD pipelines while providing rich terminal output for local development.

# Scan your project in seconds
secscanner scan .
📸 Screenshot
╔══════════════════════════════════════════════════════════════════════════════╗
║                         🔒 SECSCANNER REPORT                                 ║
╚══════════════════════════════════════════════════════════════════════════════╝

📊 SCAN SUMMARY
────────────────────────────────────────────────────────────────────────────────
  Scan Duration:          1.234s
  Targets Scanned:        156
  Total Findings:         3
  Errors:                 0

📈 SEVERITY BREAKDOWN
────────────────────────────────────────────────────────────────────────────────
  CRITICAL   [████░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░] 1
  HIGH       [████████░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░] 2
  MEDIUM     [░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░] 0

✨ Features

πŸ” Secret Detection

  • 20+ Built-in Rules for AWS, GitHub, Stripe, Slack, Google, and more
  • Entropy-based detection for unknown secret patterns
  • Smart allowlisting to reduce false positives
  • Masked output - never expose secrets in logs

βš™οΈ Misconfiguration Scanner

  • Dockerfile Security - Root user, latest tags, secrets in ENV, and more
  • Kubernetes Manifests - Privileged containers, host access, missing limits
  • Infrastructure as Code ready for Terraform and Helm (coming soon)

📊 Output Formats

  • Table (TUI) - Beautiful terminal output with colors and progress bars
  • JSON - Machine-readable for custom integrations
  • SARIF - Native GitHub Code Scanning integration
  • Markdown - Documentation-ready reports

⚡ Performance

  • Worker Pool Architecture - Concurrent scanning with configurable workers
  • Memory Efficient - Stream processing for large codebases
  • Fast Startup - Single binary, no runtime dependencies

🎯 Quick Start

Basic Scan

# Scan current directory
secscanner scan .

# Scan specific paths
secscanner scan ./src ./configs

# Scan with specific output
secscanner scan . -f json -o results.json

Configuration File

Create .secscanner.yaml in your project root:

version: "1.0"

scan:
  workers: 10
  timeout: "5m"
  exclude:
    - "**/node_modules/**"
    - "**/.git/**"
    - "**/vendor/**"
    - "**/test/**"

rules:
  disabled:
    - SEC014  # Disable generic API key detection

output:
  format: table
  color: true

ci:
  fail_on: high
  annotate_findings: true

📋 Available Commands

Command          Description
scan [paths...]  Scan files for security issues
rules            List all available security rules
init             Create a configuration file
version          Print version information

Scan Options

secscanner scan [flags]

Flags:
  -f, --format string        Output format: table, json, sarif, markdown (default "table")
  -o, --output string        Output file path
  -w, --workers int          Number of parallel workers (default 10)
  -t, --timeout duration     Scan timeout (default 5m)
  -e, --exclude strings      Exclude patterns (glob)
  -i, --include strings      Include patterns (glob)
      --severity strings     Filter by severity: critical,high,medium,low,info
      --scanners strings     Scanners to run: secrets,misconfig,all (default [all])
      --fail-on string       Exit with error on severity: critical,high,medium,low
      --rules strings        Enable specific rules by ID
      --disable-rules strings Disable specific rules by ID
  -v, --verbose              Enable verbose output
  -q, --quiet                Suppress all output except errors
      --no-color             Disable colored output
      --progress             Show progress bar (default true)

πŸ” Security Rules

Secret Detection Rules

Rule ID  Severity  Description
SEC001   CRITICAL  AWS Access Key ID
SEC002   CRITICAL  AWS Secret Access Key
SEC003   HIGH      GitHub Personal Access Token
SEC004   HIGH      GitHub OAuth Access Token
SEC005   HIGH      GitHub App Token
SEC006   CRITICAL  Stripe API Key
SEC007   HIGH      Google API Key
SEC008   HIGH      Google OAuth Client Secret
SEC009   HIGH      Slack Bot Token
SEC010   MEDIUM    Slack Webhook URL
SEC011   CRITICAL  RSA Private Key
SEC012   CRITICAL  SSH Private Key
SEC013   MEDIUM    JSON Web Token
SEC014   MEDIUM    Generic API Key
SEC015   HIGH      Password in Code
SEC016   HIGH      Database Connection String
SEC017   HIGH      Twilio API Key
SEC018   HIGH      SendGrid API Key
SEC019   HIGH      npm Token
SEC020   HIGH      Discord Bot Token

Dockerfile Rules

Rule ID    Severity  Description
DOCKER001  HIGH      Running as Root User
DOCKER002  MEDIUM    Using Latest Tag
DOCKER003  MEDIUM    No Tag Specified
DOCKER004  LOW       ADD Instead of COPY
DOCKER005  HIGH      Secrets in Environment Variables
DOCKER006  CRITICAL  Curl/Wget Piped to Shell
DOCKER007  LOW       apt-get without --no-install-recommends
DOCKER008  LOW       Missing apt-get Clean
DOCKER009  MEDIUM    HEALTHCHECK Not Defined
DOCKER010  MEDIUM    Privileged Port Exposed
DOCKER011  MEDIUM    sudo Usage Detected
DOCKER012  HIGH      Missing USER Instruction

Kubernetes Rules

Rule ID  Severity  Description
K8S001   CRITICAL  Privileged Container
K8S002   HIGH      Running as Root
K8S003   MEDIUM    Root Filesystem Not Read-Only
K8S004   HIGH      Privilege Escalation Allowed
K8S005   HIGH      Host Network Access
K8S006   HIGH      Host PID Namespace
K8S007   MEDIUM    Host IPC Namespace
K8S008   CRITICAL  Dangerous Capabilities Added
K8S009   MEDIUM    No Resource Limits
K8S010   MEDIUM    Latest Image Tag
K8S011   HIGH      Host Path Volume Mount
K8S012   LOW       Default Service Account
K8S013   MEDIUM    Secrets in Environment Variables
K8S014   MEDIUM    Missing Network Policy
K8S015   CRITICAL  Writable /proc Mount

πŸ—οΈ Architecture

secscanner/
β”œβ”€β”€ cmd/
β”‚   β”œβ”€β”€ main.go              # Entry point
β”‚   └── cli/
β”‚       β”œβ”€β”€ root.go          # Root command & flags
β”‚       β”œβ”€β”€ scan.go          # Scan command
β”‚       └── config.go        # Configuration handling
β”œβ”€β”€ pkg/
β”‚   β”œβ”€β”€ scanner/
β”‚   β”‚   β”œβ”€β”€ types.go         # Core types & interfaces
β”‚   β”‚   β”œβ”€β”€ pool.go          # Worker pool implementation
β”‚   β”‚   β”œβ”€β”€ secrets.go       # Secret detection scanner
β”‚   β”‚   β”œβ”€β”€ misconfig.go     # Misconfiguration scanner
β”‚   β”‚   └── scanner_test.go  # Unit tests
β”‚   β”œβ”€β”€ report/
β”‚   β”‚   β”œβ”€β”€ reporter.go      # Report formatters
β”‚   β”‚   └── sarif.go         # SARIF format support
β”‚   └── utils/
β”‚       β”œβ”€β”€ filewalker.go    # File system traversal
β”‚       └── progress.go      # Progress indicators
β”œβ”€β”€ go.mod
β”œβ”€β”€ go.sum
└── README.md

πŸ› οΈ Development

Prerequisites

  • Go 1.23 or later
  • Git

Building

# Development build
go build -o secscanner ./cmd

# Production build with version info
go build -ldflags "-X main.version=1.0.0 -X main.commit=$(git rev-parse HEAD)" -o secscanner ./cmd

Testing

# Run all tests
go test ./...

# Run with coverage
go test -cover ./...

# Run specific package tests
go test ./pkg/scanner/...

Linting

# Install golangci-lint
go install github.com/golangci/golangci-lint/cmd/golangci-lint@latest

# Run linter
golangci-lint run

🤝 Contributing

Contributions are welcome! Please read our Contributing Guide for details.

Adding Custom Rules

  1. YAML Rules (Coming Soon)
# .secscanner.yaml
rules:
  custom:
    - id: CUSTOM001
      name: "Internal API Key"
      pattern: "INTERNAL_[A-Z0-9]{32}"
      severity: HIGH
      remediation: "Use environment variables instead"
  2. Go Interface
type Scanner interface {
    Name() string                                                // short identifier shown in reports
    Description() string                                         // one-line human-readable summary
    Scan(ctx context.Context, target Target) ([]Finding, error)  // ctx carries the --timeout deadline
    SupportedTypes() []TargetType                                // which target kinds this scanner handles
}
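As an added example (not the project's own code), a custom-rule scanner that satisfies the Scanner interface above, wired to the CUSTOM001 pattern from the YAML snippet and honouring the "masked output" promise from the Features section. Target, Finding and TargetType are assumed stand-ins for the real types in pkg/scanner/types.go, and the sample input is constructed.

```go
package main

import (
	"context"
	"fmt"
	"regexp"
	"strings"
)

// Assumed stand-ins for secscanner's types (pkg/scanner/types.go); the real definitions may differ.
type TargetType string
type Target struct{ Path string; Content []byte }
type Finding struct{ RuleID, Severity, Path, Masked string; Line int } // Masked: match never kept in full
// PatternScanner satisfies the README's Scanner interface for one regex rule such as CUSTOM001.
type PatternScanner struct{ ID, Severity string; re *regexp.Regexp }

// NewPatternScanner compiles up front so a bad custom pattern fails at config load, not mid-scan.
func NewPatternScanner(id, severity, pattern string) (*PatternScanner, error) {
	re, err := regexp.Compile(pattern)
	if err != nil { return nil, err }
	return &PatternScanner{ID: id, Severity: severity, re: re}, nil
}

func (p *PatternScanner) Name() string                 { return p.ID }
func (p *PatternScanner) Description() string          { return "custom regex rule " + p.ID }
func (p *PatternScanner) SupportedTypes() []TargetType { return []TargetType{"file"} }

// Mask keeps a 4-char prefix so a finding stays identifiable without leaking the secret.
func Mask(s string) string {
	if len(s) <= 4 {
		return strings.Repeat("*", len(s))
	}
	return s[:4] + strings.Repeat("*", len(s)-4)
}

// Scan reports every match per line; checking ctx lets the --timeout deadline stop a long scan.
func (p *PatternScanner) Scan(ctx context.Context, t Target) ([]Finding, error) {
	var out []Finding
	for i, line := range strings.Split(string(t.Content), "\n") {
		if err := ctx.Err(); err != nil { return out, err }
		for _, m := range p.re.FindAllString(line, -1) {
			out = append(out, Finding{p.ID, p.Severity, t.Path, Mask(m), i + 1})
		}
	}
	return out, nil
}

func main() { // constructed sample input, not a real credential
	s, _ := NewPatternScanner("CUSTOM001", "HIGH", "INTERNAL_[A-Z0-9]{32}")
	fmt.Println(s.Scan(context.Background(), Target{"app.env", []byte("TOKEN=INTERNAL_" + strings.Repeat("A", 32))}))
}
```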

📄 License

MIT License - see LICENSE for details.

πŸ™ Acknowledgments


Built with ❀️ by firatmio

Report Bug β€’ Request Feature
