Home
It is a Code and Infrastructure (IaC) and Cloud-native Scanning/SAST/Static Analysis/Linting solution using many tools/Scanners with One Report. You can also add any tool to it. Currently, it supports many languages and tech stacks.
Fig. 1 Betterscan concept diagram
How is Betterscan different than SonarQube?
If you like it, please give it a GitHub star/fork/watch/contribute. This will ensure continuous development ⭐
Run this command in your code directory (checkout from Git - .git folder needs to be there, if you work with the normal directory, make the Git repo out of it git init && git add . && git commit etc):
sh <(curl https://dl.betterscan.io/cli.sh)
or for an HTML report:
sh <(curl https://dl.betterscan.io/cli-html.sh)
That's it. You just checked your code for 2,300+ Checks (Defects, Vulnerabilities, Best Practices, Secrets - 166+ secret types) and 4,000+ YARA rules for Antidebug, Antivm, Crypto, CVE, Exploits Kits, Malware, Web shells, and APTs.
FYI Above will maintain state via (.checkmate folder). Only new commits will be checked.
This solutions should be part of DevOps/DevSecOps/Platform Engineering efforts. You can "shift left" your security efforts using below and providing tools to developers.
That way you can setup asynchronous DevSecOps feedback for the repositories you set up to scan (daily, on commit etc.)
git clone git@github.com:tcosolutions/betterscan-ce.git
cd betterscan-ce/dockerhub
docker compose up
Just run for CLI:
sh <(curl https://dl.betterscan.io/cli.sh)
or for an HTML report:
sh <(curl https://dl.betterscan.io/cli-html.sh)
It will maintain state in .checkmate folder. First run can be longer, next should be very fast. Just re-run the same command on the next iteration.
Let me know your setup.
If you want to use the Platform, follow below:
Install docker and docker-compose
2 options:
- Fastest method (use DockerHub built images). If unsure, use this.
git clone git@github.com:tcosolutions/betterscan-ce.git
cd betterscan-ce/dockerhub
docker compose up
- Slower method (build everything)
git clone git@github.com:tcosolutions/betterscan-ce.git
cd betterscan-ce/docker
docker compose up
Open up the Browser to:
http://localhost:5000
Sign up locally (and login in when needed)
It is possible to integrate results also in GitLab's Security & Compliance Dashboad. We can convert SARIF to GitLab format. GitLab Ultimate is required.
You can import via SARIF vulnerabilities and setup a pipeline in DefectDojo to manage vulnerabilities.
To integrate BetterScan with Azure DevOps, you can do the following:
- Install the Azure DevOps SARIF SAST Scans Tab extension.
- Add this job to your azure-pipelines.yml:
- job: SAST
displayName: Static Application Security Test (SAST)
condition: eq(variables['Build.SourceBranch'], 'refs/heads/main')
pool:
vmImage: 'ubuntu-latest'
container: 'tcosolutions/betterscan-ce:worker-cli'
steps:
- script: |
sudo apt-get update
sudo apt-get install git-lfs
displayName: Install git LFS
- checkout: self
persistCredentials: true
- script: |
set -e
git config --global --add safe.directory $(Build.SourcesDirectory)
git config --global user.email "azuredevops@microsoft.com"
git config --global user.name "Azure DevOps"
git checkout -b $(Build.SourceBranchName)
sudo CODE_DIR=$(Build.SourcesDirectory) checkmate init
sudo CODE_DIR=$(Build.SourcesDirectory) checkmate git init
sudo CODE_DIR=$(Build.SourcesDirectory) checkmate git analyze --branch $(Build.SourceBranchName)
sudo CODE_DIR=$(Build.SourcesDirectory) checkmate issues html
displayName: Static Application Security Test (SAST)
env:
CODE_DIR: '$(Build.SourcesDirectory)'
- task: PublishBuildArtifacts@1
displayName: Publish SAST report
inputs:
PathtoPublish: $(Build.SourcesDirectory)
ArtifactName: CodeAnalysisLogs
- script: |
git add .checkmate/db.sqlite
git add report.html
git commit -m '[ci skip] update checkmate db'
git push origin $(Build.SourceBranchName):$(Build.SourceBranch)
displayName: Commit and Push checkmate dbIt is platform independent (Python). Checkers are also primarily available on different platforms. The "main" branch is for Linux x86_64
Yes, by default
Yes, by default
Preferred is WSL with Docker.
Install Windows 10, version 1903 or higher or Windows 11.
https://docs.docker.com/desktop/windows/wsl/
Linux images should work.
If you want to use WSL Docker, follow this:
Install WSL
wsl --update
Check if you are running the Microsoft Store version of WSL version 0.67.6 and higher from the command prompt or the Powershell.
wsl --version
Install Ubuntu, i.e:
wsl --install Ubuntu-22.04
Here are the steps to install Docker and run Docker in WSL distro.
- Enable systemd
From the WSL distro (e.g., Ubuntu 22.04.1 LTS) terminal, edit /etc/wsl.conf file.
sudo nano /etc/wsl.conf
and add
[boot]
systemd=true
And close out of the nano editor using CTRL+O to save and CTRL+X to exit. Exit the WSL distro (e.g., Ubuntu 22.04.1 LTS) terminal.
- Install docker
From the WSL distro (e.g., Ubuntu 22.04.1 LTS) terminal, update the local repository.
sudo apt update
Install Docker.
sudo apt install docker.io -y
Add the user to the docker group.
sudo usermod -aG docker $USER
Check Docker installation.
docker --version
- Validate Docker installation
Exit out of the terminal.
exit
From either the command prompt or PowerShell, shutdown WSL.
wsl --shutdown
Enter the WSL distro (e.g., Ubuntu 22.04.1 LTS) via Windows terminal and validate the docker installation.
docker run hello-world
It should display Hello world from Docker message.
You have completed the installation of Docker! You are able to run docker in WSL without Docker Desktop.
Run
wsl
and then this:
sh <(curl https://dl.betterscan.io/cli.sh)
More info in the Wiki:
https://github.com/tcosolutions/betterscan-ce/wiki
You can plug it anywhere on your CI/CD pipeline as a command.
With Betterscan one command, you add 6,300+ checks using different scanners (Betterscan is a "Meta" scanner in that sense, with supporting smart snapshots and other goodies. It is not just running tools always on full code)
Betterscan supports also CLI only mode, no Web Interface, worker etc. Run a binary in Docker in your own CI/CD pipeline (whatever it is) in Quality Gates that will output line by line (scanner and findings) on checkout code from Git (folder)
Just run this command (it will take care of everything):
sh <(curl https://dl.betterscan.io/cli.sh)
Corresponds to running these:
export CODE_DIR=${PWD}
cd $CODE_DIR
docker run -e CODE_DIR -e LIC -e OPENAI_GPT_API -v ${PWD}:${PWD} -ti tcosolutions/betterscan-ce:worker-cli /bin/sh -c 'cd $CODE_DIR && checkmate init'
docker run -e CODE_DIR -e LIC -e OPENAI_GPT_API -v ${PWD}:${PWD} -ti tcosolutions/betterscan-ce:worker-cli /bin/sh -c 'cd $CODE_DIR && checkmate git init'
docker run -e CODE_DIR -e LIC -e OPENAI_GPT_API -v ${PWD}:${PWD} -ti tcosolutions/betterscan-ce:worker-cli /bin/sh -c 'cd $CODE_DIR && checkmate git analyze --branch `git rev-parse --abbrev-ref HEAD`'
docker run -e CODE_DIR -e LIC -e OPENAI_GPT_API -v ${PWD}:${PWD} -ti tcosolutions/betterscan-ce:worker-cli /bin/sh -c 'cd $CODE_DIR && checkmate issues'
Just run this command (it will take care of everything):
sh <(curl https://dl.betterscan.io/cli-html.sh)
report will be in the directory under report.html
Corresponds to running these:
export CODE_DIR=${PWD}
cd $CODE_DIR
docker run -e CODE_DIR -e LIC -e OPENAI_GPT_API -v ${PWD}:${PWD} -ti tcosolutions/betterscan-ce:worker-cli /bin/sh -c 'cd $CODE_DIR && checkmate init'
docker run -e CODE_DIR -e LIC -e OPENAI_GPT_API -v ${PWD}:${PWD} -ti tcosolutions/betterscan-ce:worker-cli /bin/sh -c 'cd $CODE_DIR && checkmate git init'
docker run -e CODE_DIR -e LIC -e OPENAI_GPT_API -v ${PWD}:${PWD} -ti tcosolutions/betterscan-ce:worker-cli /bin/sh -c 'cd $CODE_DIR && checkmate git analyze --branch `git rev-parse --abbrev-ref HEAD`'
docker run -e CODE_DIR -e LIC -e OPENAI_GPT_API -v ${PWD}:${PWD} -ti tcosolutions/betterscan-ce:worker-cli /bin/sh -c 'cd $CODE_DIR && checkmate issues html'
Build Docker image Worker-CLI and run checkmate from there. Below is a sample flow:
CLI Mode only
- Clone the repo i.e into
/tmp/samplecode - set env var CODE_DIR i.e
export CODE_DIR=/tmp/samplecode. This env var should point to your Git cloned repo dir. Set LIC env var. - Cd into it (this is important!)
- Run
checkmate init - Run
checkmate git init - Run
checkmate git analyze
Run checkmate issues
This will be shown
Loading plugin: git
Loading plugin: trufflehog3
Loading plugin: trojansource
Loading plugin: metrics
Loading plugin: bandit
Loading plugin: brakeman
Loading plugin: phpanalyzer
Loading plugin: pmd
Loading plugin: semgrep
Loading plugin: checkov
Loading plugin: tfsec
Loading plugin: kubescape
Loading plugin: insidersecswift
Loading plugin: insiderseckotlin
Loading plugin: insiderseccsharp
Loading plugin: pmdapex
Loading plugin: semgrepccpp
Loading plugin: semgrepjava
Loading plugin: semgrepeslint
Loading plugin: graudit
Loading plugin: text4shell
Loading plugin: yara
Loading plugin: fluidattacksscanner
Loading plugin: gostaticcheck
There is a DockerHub image also for it ready.
docker pull tcosolutions/betterscan-ce:worker-cli
You can run the Commands with docker as below:
$ docker run -ti tcosolutions/betterscan-ce:worker-cli checkmate
Loading plugin: git
Loading plugin: trufflehog3
Loading plugin: trojansource
Loading plugin: metrics
Loading plugin: bandit
Loading plugin: brakeman
Loading plugin: phpanalyzer
Loading plugin: pmd
Loading plugin: semgrep
Loading plugin: checkov
Loading plugin: tfsec
Loading plugin: kubescape
Loading plugin: insidersecswift
Loading plugin: insiderseckotlin
Loading plugin: insiderseccsharp
Loading plugin: pmdapex
Loading plugin: semgrepccpp
Loading plugin: semgrepjava
Loading plugin: semgrepeslint
Loading plugin: graudit
Loading plugin: text4shell
Loading plugin: yara
Loading plugin: fluidattacksscanner
Loading plugin: gostaticcheck
Usage: checkmate [command] [command] [...] [args]
Type "checkmate help" for help
Same workflow as above, but using Docker binary:
export CODE_DIR=/tmp/samplecode
cd /tmp/samplecode
docker run -e CODE_DIR -e LIC -e OPENAI_GPT_API -v /tmp/samplecode:/tmp/samplecode -ti tcosolutions/betterscan-ce:worker-cli /bin/sh -c 'cd /tmp/samplecode && checkmate init'
docker run -e CODE_DIR -e LIC -e OPENAI_GPT_API -v /tmp/samplecode:/tmp/samplecode -ti tcosolutions/betterscan-ce:worker-cli /bin/sh -c 'cd /tmp/samplecode && checkmate git init'
docker run -e CODE_DIR -e LIC -e OPENAI_GPT_API -v /tmp/samplecode:/tmp/samplecode -ti tcosolutions/betterscan-ce:worker-cli /bin/sh -c 'cd /tmp/samplecode && checkmate git analyze'
docker run -e CODE_DIR -e LIC -e OPENAI_GPT_API -v /tmp/samplecode:/tmp/samplecode -ti tcosolutions/betterscan-ce:worker-cli /bin/sh -c 'cd /tmp/samplecode && checkmate issues'
Progpilot, PMD, Bandit, Brakeman, gostaticcheck, semgrep, trufflehog3, jshint, njsscan, log4shell via custom semgrep rule, checkov, kubescape, graudit, insidersec, flawfinder, find sec bugs, eslint, YARA, fluidattacks scanner, tfsec and other(s). Some were modified. See LICENSE for licensing and acknoweledgements.
Betterscan uses static analysis (semantic and graph analysis) to find bugs and defects.
- Betterscan supports Cloud-native and Infrastructure Scanning
- Betterscan supports secrets Scanning (166+ secret types)
- Betterscan scans for 4,000 rules for Antidebug, Antivm, Crypto, CVE, Exploits Kits, Malware and Web shells, APTs
- Betterscan can be extended with any tool producing JSON output (any binary, in any technology/language/product)
- Betterscan is open Source
- Betterscan supports scanning only changed files (differential analysis). You can store state in Database (PostgreSQL, MySQL/MariaDB, Oracle, Microsoft SQL Server) or in you Git repo.
- Outputs in CLI, HTML, SARIF, JSON
- Betterscan uses many tools adding up to 6,300+ checks which also semgrep as one of the tools
Betterscan is based on QuantifedCode. QuantifiedCode is a code analysis & automation platform. It helps you to keep track of issues and metrics in your software projects, and can be easily extended to support new types of analyses.
The application consists of several parts:
- A frontend, realized as a React.js app
- A backend, realized as a Flask app
- A background worker, realized using Celery, that performs the code analysis
Currently supports: PHP, Java, Scala, Python, PERL, Ruby, C, C++, Swift, Kotlin, Apex (Salesforce), GO, Infrastructure as a Code (IaC) Security and Best Practices (Docker, Kubernetes (k8s), Terraform AWS, GCP, Azure), Secret Scanning (166+ secret types), Trojan Source, Open Source and Proprietary Checks (total ca. 6,000+ checks). Checks for misconfigurations across all major (and some minor) cloud providers (AWS Checks, Azure Checks, GCP Checks, CloudStack Checks, DigitalOcean Checks, GitHub Checks, Kubernetes Checks, OpenStack Checks, Oracle Checks)
Advantages:
- Many tools, one report (unification)
- Dismiss, and collaborate on findings. Mark false-positives
- Enable/disable each individual check in Checkers
- ca. 6,300+ checks now (Linters, Static Code Analysis/Code Scanning, YARA ca. 4000 YARA binary matching/textual matching rules for Antidebug, Antivm, Crypto, CVE, Exploits Kits, Malware and Webshells, APTs )
- any tool outputting JSON can be added
- fast (checks only new code on recheck)
- you can store state in Database (PostgreSQL, MySQL/MariaDB, Oracle, Microsoft SQL Server) or in you Git repo.
- Outputs in CLI, HTML, SARIF, JSON.
- Git support (HTTPS/TLS and SSH). For private repositories only SSH.
- Swiss army knife tool/SIEM for Code Scanning
- 100% Code transparency & full control of your code
Feel free to use, recommend improvements, or contribute to new implementations.
Check out our contributing guide to learn about our development process, how to suggest bugfixes and improvements.
Betterscan's QuantifiedCode parts remain released under BSD-3 Clause License. However, modifications are released under AGPL-3.0 (see LICENSE in the repo for more details)
We provide several options for installing Betterscan. Which one is the right one for you depends on your use case.
- The manual installation is best if you want to modify or change Betterscan
- The Docker-based installation is probably the easiest way to try Betterscan without much work
The following section will only discuss the manual installation process. for the other options, please check their corresponding repositories.
The installation consists of three parts:
- Install the dependencies required to run Betterscan
- Download the required source code
- Set up the configuration
Betterscan requires the following external dependencies:
- A message broker (required for the background tasks message queue). We recommend either RabbitMQ or Redis.
- A database (required for the core application). We recommend PostgreSQL, but SQLite is supported as well. Other database systems might work too (e.g. MySQL), but are currently not officially supported.
Now with the dependencies installed, we can go ahead and download Betterscan:
git clone git@github.com:tcosolutions/betterscan-ce.git
Betterscan CE manages dependencies via the Python package manager, pip.
Betterscan gets configured via YAML settings files. When starting up the application, it incrementally loads settings from several files, recursively updating the settings object. First, it will load default settings from quantifiedcode/settings/default.yml. Then, it will check if a QC_SETTINGS environment variable is defined and points to a valid file, and if so it will load settings from it (possibly overwriting default settings). If not, it will look for a settings.yml file in the current working directory and load settings from there. Additionally, it will check if a QC_SECRETS environment variable is defined and points to a valid file, and also load settings from there
There is a sample settings.yml file in the root of the repository that you can start from.
After editing your settings, run the setup command via
#run from the root directory of the repository
python manage.py setup
The setup assistant will iteratively walk you through the setup, and when finished you should have a working instance of Betterscan!
To run the web application, simply run
python manage.py runserver
To run the background worker, simply run
python manage.py runworker
See docker folder