codexsentinel

module v1.0.2
Published: Jul 10, 2025 License: MIT

README

CodexSentinel

CodexSentinel is a powerful, blazing-fast static code analyzer for Go, built to identify security vulnerabilities, bad practices, architectural violations, and dependency risks. Designed for developers, DevSecOps, and auditors, it supports both CLI usage and structured JSON reports for integration with CI/CD pipelines.


🚀 Features

  • 🔍 OWASP Top 10 & common vulnerability detection (XSS, SQLi, SSRF, etc.)
  • 📦 Third-party dependency audit (licenses, entropy, vulnerabilities via OSV)
  • 🧠 Taint analysis and SSA-based dataflow tracing
  • 📐 Architecture compliance (direct calls, layer violations)
  • 📏 Code metrics (cyclomatic complexity, size, duplication, dead code)
  • 🔕 .codexsentinel.ignore support for suppressions
  • ⚡ CLI-first experience, ready for automation and pipelines
  • 📄 Reports in SARIF, JSON, Markdown, and HTML formats
  • ✍️ YAML-based custom rule definition
  • ✅ Zero-config startup with smart defaults

πŸ› οΈ Installation

go install github.com/Voskan/codexsentinel/cmd/codex@latest

Or use the install script:

curl -sSfL https://raw.githubusercontent.com/Voskan/codexsentinel/main/scripts/install.sh | sh

📦 Usage

codex scan ./...

Optional flags:

Flag           Description
--config       Path to .codex.yml config file
--output       Output report file path
--format       Report format: json, html, sarif, markdown
--severity     Minimum severity to report (low-critical)
--ignore-file  Path to .codexsentinel.ignore

πŸ“ Project Structure

codexsentinel/
β”œβ”€β”€ analyzer/        # Core analyzers (AST, SSA, Taint, Rules)
β”œβ”€β”€ deps/            # Dependency & license scanners
β”œβ”€β”€ metrics/         # Complexity, duplication, dead code
β”œβ”€β”€ arch/            # Architecture layer rules
β”œβ”€β”€ report/          # Report generation (HTML, SARIF, etc.)
β”œβ”€β”€ cmd/             # CLI entrypoints
β”œβ”€β”€ internal/        # Internal utils (logging, config, fs)
β”œβ”€β”€ testdata/        # Example test files with issues
└── assets/          # Rules, templates, CSS, etc.

📚 Example

// insecure_sql.go
func lookupUser(db *sql.DB, id string) (*sql.Rows, error) {
	query := "SELECT * FROM users WHERE id = " + id // untrusted input concatenated into SQL text
	return db.Query(query) // ❌ Vulnerable to SQL Injection
}

Scan the file and emit a Markdown report:

codex scan ./testdata/insecure_sql.go --format markdown
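The same lookup in both forms, as an added example that is not part of CodexSentinel's own code or test data: the README's string concatenation beside a hardened version that validates the id and binds it as a query parameter, so the finding above no longer applies. The function names (lookupUserUnsafe, lookupUserSafe, parseUserID, buildUnsafeQuery) and the `?` placeholder syntax (MySQL/SQLite style; PostgreSQL drivers use `$1`) are assumptions.

```go
package main

import (
	"database/sql"
	"fmt"
	"strconv"
)

// lookupUserUnsafe mirrors the README's insecure_sql.go: the untrusted id is
// concatenated into the SQL text, so the query's shape is controlled by the caller.
func lookupUserUnsafe(db *sql.DB, id string) (*sql.Rows, error) {
	return db.Query(buildUnsafeQuery(id))
}

// buildUnsafeQuery returns the exact string the unsafe version would send, so the
// effect of concatenation can be inspected without a database connection.
func buildUnsafeQuery(id string) string {
	return "SELECT * FROM users WHERE id = " + id
}

// parseUserID validates the untrusted id before it gets anywhere near SQL:
// only a positive base-10 integer is accepted.
func parseUserID(raw string) (int64, error) {
	n, err := strconv.ParseInt(raw, 10, 64)
	if err != nil || n <= 0 {
		return 0, fmt.Errorf("invalid user id %q", raw)
	}
	return n, nil
}

// lookupUserSafe is the hardened form: the SQL text is a constant and the value
// travels as a bound parameter ("?" placeholder, an assumption about the driver).
// Validation runs first, so an invalid id never reaches the database at all.
func lookupUserSafe(db *sql.DB, rawID string) (*sql.Rows, error) {
	id, err := parseUserID(rawID)
	if err != nil {
		return nil, err
	}
	return db.Query("SELECT * FROM users WHERE id = ?", id)
}

func main() {
	// Constructed input: a textbook tautology appended to a valid-looking id.
	tainted := "1 OR 1=1"
	fmt.Println("unsafe query sent:", buildUnsafeQuery(tainted))
	if _, err := parseUserID(tainted); err != nil {
		fmt.Println("safe path rejects it:", err)
	}
}
```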

📘 Custom Rules

Write custom YAML rules and place them under assets/rules/.

id: go.insecure.xss.reflected_input
pattern: "w.Write([]byte({{input}}))"
filters:
  - type: param
    sources: [r.FormValue]

Learn more in assets/rules/.

🧪 Testing

go test ./...

📄 License

MIT © Voskan - see the LICENSE file for details.

💬 Contributing

We welcome PRs and new rule contributions. Please follow our contribution guide and ensure all changes are covered by tests.

✨ Example Report

---
version: "0.1.0"
timestamp: "2024-01-01T12:00:00Z"
issues:
  - id: "SEC001"
    name: "SQL Injection"
    description: "Potential SQL injection vulnerability detected"
    severity: "high"
    location:
      file: "main.go"
      line: 42
      column: 10
    category: "security"
    rule_id: "go.insecure.sql_injection"
---

Directories

Path Synopsis
ast
ssa
Package arch provides architectural structure analysis for Go projects.
Package config provides loading and management of CodexSentinel configuration.
Package deps provides analysis of dependencies and potential secrets.
internal
fsutil
Package fsutil provides safe and configurable filesystem traversal.
git
Package git provides utilities to extract Git metadata for files and lines.
ignore
Package ignore provides functionality for parsing and applying ignore rules defined in the .codexsentinel.ignore file.
logx
Package logx provides a structured logger for CodexSentinel.
matcher
Package matcher provides wildcard-based matching for rule IDs, paths, etc.
version
Package version provides build-time version information for the CodexSentinel CLI.
Package metrics provides static code quality metrics such as cyclomatic complexity.
Package report provides functionality to generate various types of reports.
