
Seqra — security-focused static analyzer for Java
Issues | FAQ | Discord | seqradev@gmail.com
Why Seqra?
- CodeQL power + Semgrep simplicity: write security rules using familiar patterns while getting cross-module dataflow analysis
- Free and source-available: free to use for any purpose except competing commercial offerings
- Workflow ready: CLI tool with SARIF output for seamless CI/CD integration
License
This repository (the Seqra CLI) is released under the MIT License.
The core analysis engine is source-available under the Functional Source License (FSL-1.1-ALv2), which converts to Apache 2.0 two years after each release. You can use Seqra for free, including for commercial use, except to build competing products or services.
Install Seqra CLI
Prerequisites: Docker, installed and running (see Troubleshooting below).
Download and Install Precompiled Binaries (Linux)
Install Globally
Install seqra globally on your machine by placing the compiled binary on your path.
mkdir seqra
cd seqra
curl -L https://github.com/seqrateam/seqra/releases/latest/download/seqra_linux_amd64.tar.gz -o seqra.tar.gz
tar -xzf seqra.tar.gz seqra
rm seqra.tar.gz
sudo ln -s $(pwd)/seqra /usr/local/bin/seqra
Install via Go (Linux/macOS)
Note: Apple Silicon Mac support is experimental; you need to enable x86_64/amd64 emulation in Docker Desktop.
go install github.com/seqrateam/seqra@latest
Optional: add Go's binary directory ($(go env GOPATH)/bin) to your PATH so the installed seqra binary is found:
- bash
echo 'export PATH=$PATH:$(go env GOPATH)/bin' >> ~/.bashrc && source ~/.bashrc
- zsh (macOS)
echo 'export PATH=$PATH:$(go env GOPATH)/bin' >> ~/.zshrc && source ~/.zshrc
Compile from source (Linux/macOS)
You can compile the project from source using the following commands:
git clone https://github.com/seqrateam/seqra.git
cd seqra
go build
./seqra --version
Scan
Scan a Java project and generate SARIF report
seqra scan --output results.sarif /path/to/your/java/project
View and Analyze Results
Seqra generates results in the SARIF format, which can be explored in several ways:
- VS Code: open results.sarif with the SARIF Viewer extension for a rich, interactive experience.
- GitHub: upload results to GitHub code scanning with seqra-action for security alerts and code quality feedback.
- Command-line preview: quickly review the findings with:
  seqra summary --show-findings results.sarif
- CodeChecker: use CodeChecker for advanced result management, tracking, and team collaboration.
CI/CD Integration
For seamless integration with your CI/CD pipelines, check out our dedicated integration repositories:
- seqra-action - GitHub Action for easy integration with GitHub workflows
- seqra-gitlab - GitLab CI template for automated security scanning
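The SARIF report is plain JSON, so a pipeline can gate on it directly without waiting for a viewer or a code-scanning upload. The script below is an added example, not part of Seqra or its integration repositories: it flattens every result in a SARIF 2.1.0 file, resolves each result's level (a result's own level overrides the rule's defaultConfiguration.level, and "warning" is the SARIF default when neither is set), prints a per-finding line and a count per level, and exits non-zero when any finding reaches a chosen threshold. The embedded SARIF document is constructed for illustration; its rule ids, file paths and messages are placeholders, not real Seqra output.

```python
"""Gate a CI job on a SARIF report (added example; not Seqra's own code).

Usage: python3 sarif_gate.py results.sarif [note|warning|error]
With no file argument it runs against the constructed SAMPLE_SARIF below.
"""
import json
import sys
from collections import Counter

# SARIF result levels ordered from least to most severe.
LEVEL_RANK = {"none": 0, "note": 1, "warning": 2, "error": 3}

# Constructed sample document. Rule ids, paths and messages are invented
# placeholders (hypothetical), chosen only to exercise the level resolution.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {
            "name": "seqra",
            "rules": [
                {"id": "example/sql-injection",
                 "defaultConfiguration": {"level": "error"}},
                {"id": "example/hardcoded-secret",
                 "defaultConfiguration": {"level": "warning"}},
                {"id": "example/weak-hash"},
            ],
        }},
        "results": [
            # explicit level on the result wins
            {"ruleId": "example/sql-injection", "level": "error",
             "message": {"text": "user input reaches Statement.execute"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/main/java/app/UserDao.java"},
                 "region": {"startLine": 42}}}]},
            # no level on the result: fall back to the rule's default
            {"ruleId": "example/hardcoded-secret",
             "message": {"text": "credential literal in source"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/main/java/app/Config.java"},
                 "region": {"startLine": 7}}}]},
            # neither result nor rule declares a level; no location either
            {"ruleId": "example/weak-hash", "level": "note",
             "message": {"text": "MD5 used for integrity check"}},
        ],
    }],
})


def rule_levels(run):
    """Map ruleId -> default level declared under tool.driver.rules."""
    levels = {}
    for rule in run.get("tool", {}).get("driver", {}).get("rules", []):
        cfg = rule.get("defaultConfiguration", {})
        levels[rule.get("id")] = cfg.get("level", "warning")
    return levels


def load_findings(sarif_text):
    """Flatten all runs into (rule_id, level, uri, line, message) tuples."""
    doc = json.loads(sarif_text)
    findings = []
    for run in doc.get("runs", []):
        defaults = rule_levels(run)
        for result in run.get("results", []):
            rule_id = result.get("ruleId", "<unknown>")
            level = result.get("level") or defaults.get(rule_id, "warning")
            uri, line = "<no location>", 0
            locs = result.get("locations") or []
            if locs:
                phys = locs[0].get("physicalLocation", {})
                uri = phys.get("artifactLocation", {}).get("uri", uri)
                line = phys.get("region", {}).get("startLine", 0)
            message = result.get("message", {}).get("text", "")
            findings.append((rule_id, level, uri, line, message))
    return findings


def summarize(findings):
    """Count findings per level, e.g. {'error': 1, 'warning': 1}."""
    return Counter(level for _, level, *_ in findings)


def should_fail(findings, threshold="error"):
    """True when any finding is at or above the threshold level."""
    floor = LEVEL_RANK[threshold]
    return any(LEVEL_RANK.get(level, 0) >= floor for _, level, *_ in findings)


def main(argv):
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_SARIF
    threshold = argv[2] if len(argv) > 2 else "error"
    findings = load_findings(text)
    # most severe first
    for rule_id, level, uri, line, msg in sorted(
            findings, key=lambda f: -LEVEL_RANK.get(f[1], 0)):
        print(f"[{level}] {uri}:{line} {rule_id}: {msg}")
    print("summary:", dict(summarize(findings)))
    return 1 if should_fail(findings, threshold) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it right after seqra scan --output results.sarif in the job; the exit status makes the step fail on error-level findings by default, and passing "warning" as the second argument tightens the gate. Resolving the level through the rule's defaultConfiguration matters because SARIF producers are allowed to omit the per-result level, so a gate that only reads result.level would silently let such findings through.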
Troubleshooting
Docker not running
- Make sure Docker is installed on your system.
- Run docker info to confirm that Docker is up and accessible.
Build Issues
Note: only Maven and Gradle projects are supported; make sure the project builds with its own build tool before scanning it.
Logs and Debugging
- Add the --verbosity debug flag to enable detailed logging
- Check logs in ~/.seqra/logs/
Changelog
See CHANGELOG.