README
ΒΆ
CodexSentinel
CodexSentinel is a powerful, blazing-fast static code analyzer for Go, built to identify security vulnerabilities, bad practices, architectural violations, and dependency risks. Designed for developers, DevSecOps, and auditors, it supports both CLI usage and structured JSON reports for integration with CI/CD pipelines.
π Features
- π OWASP Top 10 & common vulnerability detection (XSS, SQLi, SSRF, etc.)
- π¦ Third-party dependency audit (licenses, entropy, vulnerabilities via OSV)
- π§ Taint analysis and SSA-based dataflow tracing
- π Architecture compliance (direct calls, layer violations)
- π Code metrics (cyclomatic complexity, size, duplication, dead code)
- π
.codexsentinel.ignoresupport for suppressions - β‘ CLI-first experience, ready for automation and pipelines
- π Reports in SARIF, JSON, Markdown, and HTML formats
- βοΈ YAML-based custom rule definition
- β Zero-config startup with smart defaults
- π Individual file analysis - scan files with different package names
- π‘οΈ Graceful error handling - continues analysis even with package conflicts
- π Automatic report organization - saves reports to
scan_reports/directory
π οΈ Installation and Usage (All OS)
1. Quick Install (Recommended)
curl -sSfL https://raw.githubusercontent.com/Voskan/codexsentinel/main/scripts/install.sh | sh
This script will:
- Download the latest binary for your OS
- Install it globally (add to PATH)
- Create a convenient
codexalias - Work on Linux, macOS, and Windows (via Git Bash/WSL)
2. Manual Install via Go
go install github.com/Voskan/codexsentinel/cmd/codex-cli@latest
2. Where to find the binary
- By default, Go installs the binary as codex-cli in:
- Linux/macOS:
$HOME/go/bin/ - Windows:
%USERPROFILE%\go\bin\
- Linux/macOS:
3. Make codex-cli globally available
Linux/macOS:
# Add to PATH permanently
echo 'export PATH="$PATH:$HOME/go/bin"' >> ~/.bashrc
echo 'export PATH="$PATH:$HOME/go/bin"' >> ~/.zshrc
# Reload shell configuration
source ~/.bashrc # or source ~/.zshrc
# Now you can run from anywhere:
codex-cli version
Windows (PowerShell):
# Add to PATH permanently
$goBinPath = "$env:USERPROFILE\go\bin"
$currentPath = [Environment]::GetEnvironmentVariable("PATH", "User")
[Environment]::SetEnvironmentVariable("PATH", "$currentPath;$goBinPath", "User")
# Reload environment variables
refreshenv # if you have Chocolatey installed
# or restart your terminal
# Now you can run from anywhere:
codex-cli version
Windows (Command Prompt):
# Add to PATH permanently
setx PATH "%PATH%;%USERPROFILE%\go\bin"
# Restart your terminal, then run:
codex-cli version
4. (Optional) Create a shorter alias
Linux/macOS:
# Add alias to your shell config
echo 'alias codex="codex-cli"' >> ~/.bashrc
echo 'alias codex="codex-cli"' >> ~/.zshrc
# Reload and use:
source ~/.bashrc # or source ~/.zshrc
codex version
Windows (PowerShell):
# Add to PowerShell profile
echo 'Set-Alias codex codex-cli' >> $PROFILE
# Reload and use:
. $PROFILE
codex version
5. Verify installation
# Should work from any directory:
codex-cli version
π¦ Usage
Basic Scan
# Scan current directory
codex-cli scan .
# Scan specific file
codex-cli scan ./main.go
# Scan specific directory
codex-cli scan ./pkg/
# Scan with custom output
codex-cli scan . --format html --out report.html
# Scan individual files (even with different package names)
codex-cli scan testdata/command_injection.go
codex-cli scan testdata/xss_vulnerability.go
Advanced Usage
# Scan with specific severity
codex-cli scan . --severity high
# Use custom config
codex-cli scan . --config .codex.yml
# Ignore specific files
codex-cli scan . --ignore-file .codexsentinel.ignore
# Generate SARIF for CI/CD
codex-cli scan . --format sarif --out results.sarif
# Generate HTML report (saved to scan_reports/)
codex-cli scan . --format html --out report.html
# Generate JSON report (saved to scan_reports/)
codex-cli scan . --format json --out report.json
# Run dependency analysis only
codex-cli scan . --deps
# Filter by severity (high and above)
codex-cli scan . --severity high
# Use custom config file
codex-cli scan . --config custom-config.yml
Available Flags
| Flag | Description | Default |
|---|---|---|
-p, --path |
Target directory or file to scan | . (current directory) |
-f, --format |
Output report format:sarif, html, markdown, json |
sarif |
-o, --out |
Path to write the output report to | scan_reports/codex-report.{format} |
--strict |
Exit with code 1 if issues are found | false |
--ignore-file |
Path to ignore file | .codexsentinel.ignore |
--deps |
Run dependency analysis only | false |
--config |
Path to a custom config file | .codex.yml (if exists) |
--severity |
Filter issues by severity:low, medium, high, critical |
all (no filtering) |
Report Output
Reports are automatically saved to the scan_reports/ directory:
- HTML reports:
scan_reports/codex-report.html - JSON reports:
scan_reports/codex-report.json - SARIF reports:
scan_reports/codex-report.sarif - Markdown reports:
scan_reports/codex-report.md
The directory is created automatically if it doesn't exist.
π Project Structure
codexsentinel/
βββ analyzer/ # Core analyzers (AST, SSA, Taint, Rules)
βββ deps/ # Dependency & license scanners
βββ metrics/ # Complexity, duplication, dead code
βββ arch/ # Architecture layer rules
βββ report/ # Report generation (HTML, SARIF, etc.)
βββ cmd/ # CLI entrypoints
βββ internal/ # Internal utils (logging, config, fs)
βββ testdata/ # Example test files with security vulnerabilities
β βββ command_injection.go # Command injection examples
β βββ xss_vulnerability.go # XSS vulnerability examples
β βββ sql_injection.go # SQL injection examples
β βββ path_traversal.go # Path traversal examples
βββ assets/ # Rules, templates, CSS, etc.
π Examples
Security Vulnerabilities
SQL Injection:
// β Vulnerable
query := "SELECT * FROM users WHERE id = " + userInput
db.Query(query)
// β
Safe
query := "SELECT * FROM users WHERE id = ?"
db.Query(query, userInput)
Command Injection:
// β Vulnerable
cmd := exec.Command("sh", "-c", userInput)
cmd.Run()
// β
Safe
cmd := exec.Command("echo", userInput)
cmd.Run()
XSS (Cross-Site Scripting):
// β Vulnerable
w.Write([]byte(userInput))
// β
Safe
w.Write([]byte(html.EscapeString(userInput)))
Architecture Violations
Direct Layer Calls:
// β Handler directly calling repository
func (h *Handler) GetUser(id string) {
user := h.repo.GetUser(id) // Direct call to repo layer
}
// β
Handler calling service layer
func (h *Handler) GetUser(id string) {
user := h.service.GetUser(id) // Proper layer separation
}
Running Analysis
# Scan for security issues
codex-cli scan ./... --strict
# Generate HTML report
codex-cli scan ./... --format html --out security-report.html
# Check architecture compliance
codex-cli scan ./... --config .codex.yml
# Scan test files with vulnerabilities
codex-cli scan testdata/
π Custom Rules
Create custom YAML rules and place them under assets/rules/.
id: go.insecure.xss.reflected_input
title: "XSS via Reflected Input"
category: "security"
severity: "high"
pattern: "w.Write([]byte({{input}}))"
filters:
- type: param
sources: [r.FormValue, r.URL.Query]
description: "Potential XSS vulnerability when writing user input directly to response"
suggestion: "Use html.EscapeString() to sanitize user input"
Rule Structure
id: "unique.rule.identifier"
title: "Human readable title"
category: "security|style|performance"
severity: "low|medium|high|critical"
pattern: "Go AST pattern to match"
filters:
- type: "param|call|import"
sources: ["list", "of", "sources"]
description: "Detailed description of the issue"
suggestion: "How to fix the issue"
references:
- "https://owasp.org/..."
Learn more in assets/rules/.
π§ͺ Testing
# Run all tests
go test ./...
# Run tests with coverage
go test -cover ./...
# Run specific test
go test ./analyzer/...
π CI/CD Integration
GitHub Actions
name: Security Scan
on: [push, pull_request]
jobs:
security-scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Setup Go
uses: actions/setup-go@v4
with:
go-version: "1.21"
- name: Install CodexSentinel
run: go install github.com/Voskan/codexsentinel/cmd/codex-cli@latest
- name: Run Security Scan
run: codex-cli scan ./... --format sarif --output results.sarif
- name: Upload SARIF
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: results.sarif
GitLab CI
security-scan:
stage: test
image: golang:1.21
script:
- go install github.com/Voskan/codexsentinel/cmd/codex-cli@latest
- codex-cli scan ./... --format sarif --output results.sarif
artifacts:
reports:
sarif: results.sarif
π License
MIT Β© Voskan - see the LICENSE file for details.
π§ Related Links
π¬ Contributing
We welcome PRs and new rule contributions. Please follow our contribution guide and ensure all changes are covered by tests.
β¨ Example Reports
JSON Report
{
"version": "0.1.0",
"timestamp": "2024-01-01T12:00:00Z",
"issues": [
{
"id": "SEC001",
"title": "SQL Injection",
"description": "Potential SQL injection vulnerability detected",
"severity": "high",
"location": {
"file": "main.go",
"line": 42,
"column": 10
},
"category": "security",
"rule_id": "go.insecure.sql_injection",
"suggestion": "Use parameterized queries"
}
]
}
SARIF Report (for CI/CD)
{
"version": "2.1.0",
"runs": [
{
"tool": {
"driver": {
"name": "CodexSentinel",
"version": "1.0.0"
}
},
"results": [
{
"ruleId": "go.insecure.sql_injection",
"level": "error",
"message": {
"text": "Potential SQL injection vulnerability"
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "main.go"
},
"region": {
"startLine": 42,
"startColumn": 10
}
}
}
]
}
]
}
]
}
Directories
ΒΆ
| Path | Synopsis |
|---|---|
|
Package arch provides architectural structure analysis for Go projects.
|
Package arch provides architectural structure analysis for Go projects. |
|
cmd
|
|
|
codex-cli
command
|
|
|
Package config provides loading and management of CodexSentinel configuration.
|
Package config provides loading and management of CodexSentinel configuration. |
|
Package deps provides analysis of dependencies and potential secrets.
|
Package deps provides analysis of dependencies and potential secrets. |
|
internal
|
|
|
fsutil
Package fsutil provides safe and configurable filesystem traversal.
|
Package fsutil provides safe and configurable filesystem traversal. |
|
git
Package git provides utilities to extract Git metadata for files and lines.
|
Package git provides utilities to extract Git metadata for files and lines. |
|
ignore
Package ignore provides functionality for parsing and applying ignore rules defined in .codexsentinel.ignore file.
|
Package ignore provides functionality for parsing and applying ignore rules defined in .codexsentinel.ignore file. |
|
logx
Package logx provides a structured logger for CodexSentinel.
|
Package logx provides a structured logger for CodexSentinel. |
|
matcher
Package matcher provides wildcard-based matching for rule IDs, paths, etc.
|
Package matcher provides wildcard-based matching for rule IDs, paths, etc. |
|
version
Package version provides build-time version information for CodexSentinel CLI.
|
Package version provides build-time version information for CodexSentinel CLI. |
|
Package metrics provides static code quality metrics such as cyclomatic complexity.
|
Package metrics provides static code quality metrics such as cyclomatic complexity. |
|
Package report provides functionality to generate various types of reports.
|
Package report provides functionality to generate various types of reports. |
Click to show internal directories.
Click to hide internal directories.