- Secode is an insecure Code Detector tool, that analyzes your code, to find anomalies, say Insecure Functions in your codes, that makee it insecure.
- But, it doesn't stop there - as a precautionary measure, Secode provides you with safer function alternatives - like for the use of
strcpy()
which is vulnerable to Buffer Overflow,you must instead use secure alternative(s) likelstrcy()
, that you can implement on your code, to make it secure.
- Secode is powered by a stringent and comprehensive ruleset, that can detect vulnerabilities pretty easily, which will be updated regularly, as more vulnerabilities and exploits emerge.
- Secode enforces the concept of "Secure Coding" and "Secure Software Devloepment Life Cycle (Secure SDLC)" which is now gaining much needed traction during the development process of any software.
Your Code Report provides information about:-
- Hit count of vulnerable functions (total count)
- Vulnerability at hand
- CWE Number associated with it
- A brief description about the vulnerability
- Risk level of your code (graded from 1 - 5,on the severity basis)
- Secure alternative(s) that you must use which are totally safe from exploits.
You can install Secode by cloning it,using git
Meet the requirements
apt update | apt upgrade
git clone https://github.com/NoelV11/Secode.git
You can also simply run the program in the directory you've unpacked it into. It's a simple Python program, just type into a command line:
python3 secode.py Vulnerable_1.c >> Results.txt
- txt and
- CSV
This is the code report one gets after scanning their .c file(in this case,the analyzed code contains insecure functions,which we had previously identified and compiled in the ruleset file)
From the sample output we can note the following:-
- Hits - number of insecure functions detected
- An appropriate countermeasure function or best practice,that can be used to remove the vulnerable function
- Lines Analyzed - derived from the total number of lines in the code
- Severity levels - graded from 1 to 5
- Risk level of analyzed code
Please note that exploits are attempted everyday,leading to functions being vulnerable.So there may be chances that a secure function today,may become insecure tommorow
More technically, secode uses lexical scanning to find tokens (such as function names) that suggest likely vulnerabilities, estimates their level of risk (e.g., by the text of function calls), and reports the results. secode does not use or have access to information about control flow, data flow, or data types. Thus, secode will necessarily produce many false positives for vulnerabilities and fail to report many vulnerabilities. On the other hand, secode can find vulnerabilities in programs that cannot be built or cannot be linked. secode also doesn't get as confused by macro definitions and other oddities that more sophisticated tools have trouble with.
- Dockerize it to provide support across all platforms
- Extending Scanning functionalities within the tool to:
- Web Technologies like HTML, CSS, Js and PHP
- App Development languages like Java and Kotlin
- GitHub Actions workflows Integration.
We love contributions! For more information on contributing, see the file CONTRIBUTING.md.
Secode is released under the GNU GPL license version 2 or later (GPL-2.0+). See the LICENSE file for license information.