Scanmycode is a code scanning / SAST / static analysis / linting solution that runs many tools and scanners and combines their findings into one report. You can also add any tool of your own to it. It currently supports many languages and tech stacks. It is similar to SonarQube, but differs in several ways (see below).
Fig. 1 Scanmycode concept diagram
How is Scanmycode different than SonarQube?
If you like it, please give it a GitHub star, fork it or contribute. This will ensure continuous development.
If you also want to support this project, head over to our GitHub Sponsors page or Patreon (preferred, due to better VAT handling).
To install it, install docker and docker-compose, then pick one of the two options:

Option 1 (dockerhub folder):

  git clone git@github.com:marcinguy/scanmycode-ce.git
  cd scanmycode-ce/dockerhub
  ./start.sh

Option 2 (docker folder):

  git clone git@github.com:marcinguy/scanmycode-ce.git
  cd scanmycode-ce/docker
  ./start.sh
Then open http://localhost:5000 in your browser and sign up locally (log in afterwards when needed).
More info in the Wiki:
<https://github.com/marcinguy/scanmycode-ce/wiki>
Progpilot, PMD, Bandit, Brakeman, Gosec, confused, semgrep, trufflehog3, jshint, a custom semgrep rule for log4shell, and others. Some were modified.
The Community Edition does not include GitHub support and some other plugins; the rest is the same.
Both use static analysis to find bugs and defects, but there are a few differences.
Below are semgrep's advantages over SonarQube (which also apply to Scanmycode, since it uses semgrep):
"Extending Semgrep with custom rules is simple, since Semgrep rules look like the source code you're writing. Writing custom rules with SonarQube is restricted to a handful of languages and requires familiarity with Java and abstract syntax trees (ASTs)."
"Semgrep focuses on speed and ease-of-use, making analysis possible at up to 20K-100K loc/sec per rule. SonarQube authors report approximately 0.4K loc/sec for rulesets in production."
Source: semgrep's website
Scanmycode is based on QuantifiedCode, a code analysis and automation platform. It helps you keep track of issues and metrics in your software projects and can be easily extended to support new types of analysis. The application consists of several parts:
Currently supports: PHP, Java, Scala, Python, Ruby, JavaScript, Go, secret scanning, dependency confusion, Trojan Source, open source and proprietary checks (ca. 1000 checks in total)
Advantages:
Cloud version and more at <https://www.scanmycode.today>
The cloud version also has many other plugins; further plugins (GitHub, GitHub organizations, Slack) are commercially available for licensing.
Looking for contributing individuals and organizations. Feel free to contact me at [email protected]
TODO
Scanmycode's QuantifiedCode parts remain released under the BSD-3-Clause License. Modifications, however, are released under LGPL-2.1 with the Commons Clause.
You can use this software, but you cannot sell it or base services on it (SaaS, software-as-a-service setups). This is the Commons Clause. If you would like to do so, please contact me first for permission at [email protected]
We provide several options for installing Scanmycode. Which one is the right one for you depends on your use case.
The following section will only discuss the manual installation process, for the other options please check their corresponding repositories.
The installation consists of three parts:
Scanmycode requires the following external dependencies:
Now, with the dependencies installed, we can download Scanmycode:
  git clone git@github.com:marcinguy/scanmycode-ce.git
In addition, it is advised to create a (Python 2.7) virtual environment to run Scanmycode in:
  virtualenv venv
  # activate the virtual environment
  source venv/bin/activate
Scanmycode CE manages dependencies via the Python package manager, pip. To install them, simply run
pip install -r requirements.txt
Scanmycode gets configured via YAML settings files. When starting up, the application incrementally loads settings from several files, recursively updating the settings object. First, it loads default settings from quantifiedcode/settings/default.yml. Then it checks whether a QC_SETTINGS environment variable is defined and points to a valid file; if so, it loads settings from it (possibly overwriting default settings). If not, it looks for a settings.yml file in the current working directory and loads settings from there. Additionally, it checks whether a QC_SECRETS environment variable is defined and points to a valid file, and also loads settings from there (this is useful for sensitive settings that should be kept separate from the rest, e.g. so they are not checked into version control). There is a sample settings.yml file in the root of the repository that you can start from.
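The following is an added example, not Scanmycode's or QuantifiedCode's own code: a small re-implementation of the load order just described, so you can see which value wins at each layer (defaults, then QC_SETTINGS or ./settings.yml, then QC_SECRETS) and what "recursively updating" means for nested keys. The function names (load_settings, deep_update, demo) and the sample keys are the example's own. The sample files are constructed in a temporary directory and written as JSON, which is valid YAML, so the example runs without PyYAML; when PyYAML is installed it is used. Note the practical consequence of the order: a placeholder password left in a committed settings.yml is replaced by the QC_SECRETS file because secrets are applied last, so keep that file out of the repository and readable only by the service user.

```python
"""Layered settings loading in the style described above (added example)."""
import json
import os
import tempfile

try:
    import yaml  # PyYAML; the real settings files are YAML

    def parse_settings(fh):
        return yaml.safe_load(fh) or {}
except ImportError:  # JSON is valid YAML, so the constructed files still parse

    def parse_settings(fh):
        return json.load(fh)


def deep_update(base, overlay):
    """Recursively merge overlay into base: nested mappings are merged key by key,
    scalars and lists are replaced wholesale. Modifies and returns base."""
    for key, value in overlay.items():
        if isinstance(value, dict) and isinstance(base.get(key), dict):
            deep_update(base[key], value)
        else:
            base[key] = value
    return base


def load_file(path):
    with open(path) as fh:
        return parse_settings(fh)


def load_settings(default_path, cwd, environ):
    """Apply the layering rules: defaults, then QC_SETTINGS or cwd/settings.yml,
    then QC_SECRETS. An env var that names a missing file is ignored."""
    settings = load_file(default_path)
    qc_settings = environ.get("QC_SETTINGS")
    if qc_settings and os.path.isfile(qc_settings):
        deep_update(settings, load_file(qc_settings))
    else:
        local = os.path.join(cwd, "settings.yml")
        if os.path.isfile(local):
            deep_update(settings, load_file(local))
    qc_secrets = environ.get("QC_SECRETS")
    if qc_secrets and os.path.isfile(qc_secrets):
        deep_update(settings, load_file(qc_secrets))
    return settings


def demo(mode="cwd"):
    """Constructed sample files (not real project settings). mode selects QC_SETTINGS:
    "cwd"     -> unset, so settings.yml in the working directory is used
    "env"     -> points at override.yml, so settings.yml is skipped entirely
    "missing" -> points at a non-existent file, so it falls back to settings.yml
    """
    workdir = tempfile.mkdtemp()

    def write(name, content):
        path = os.path.join(workdir, name)
        with open(path, "w") as fh:
            json.dump(content, fh)
        return path

    default_path = write("default.yml", {
        "debug": True,
        "backend": {"db": {"host": "localhost", "port": 5432, "password": "changeme"}},
        "plugins": ["bandit", "semgrep"],
    })
    write("settings.yml", {  # what you would commit: no secrets in here
        "debug": False,
        "backend": {"db": {"host": "db.internal"}},  # port is inherited from defaults
    })
    override_path = write("override.yml", {
        "backend": {"db": {"host": "override.internal"}},
    })
    secrets_path = write("secrets.yml", {  # kept out of version control, loaded via QC_SECRETS
        "backend": {"db": {"password": "s3cret"}},
    })

    environ = {"QC_SECRETS": secrets_path}
    if mode == "env":
        environ["QC_SETTINGS"] = override_path
    elif mode == "missing":
        environ["QC_SETTINGS"] = os.path.join(workdir, "does-not-exist.yml")
    return load_settings(default_path, workdir, environ)


if __name__ == "__main__":
    for mode in ("cwd", "env", "missing"):
        print(mode, json.dumps(demo(mode), sort_keys=True))
```

In the "env" case settings.yml is never read, so debug stays at its default value of true; that is the behaviour to expect when you point QC_SETTINGS at a production file and still have a development settings.yml lying in the working directory.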
After editing your settings, run the setup command:
  # run from the root directory of the repository
  python manage.py setup
The setup assistant will iteratively walk you through the setup, and when finished you should have a working instance of Scanmycode!
To run the web application, simply run
python manage.py runserver
To run the background worker, simply run
python manage.py runworker
See the docker folder; you can spin up everything with one command.
Coming Soon!