| ▲ | Show HN: Sighthound - open-source vulnerability scanner for source code(github.com) | |
| 2 points by asadeddin 5 hours ago | ||
We open-sourced Sighthound today. Sighthound is a Rust-based static vulnerability scanner for source code. It runs locally or in CI, uses Tree-sitter parsers, and supports pattern-based detection plus taint flow analysis. It also comes with all it's rulesets with no paid account or signup needed. Why build another static scanner in 2026? We wanted to improve scan results for our customers and for something to compliment our AI SAST. Looking at the market, Semgrep and OpenGrep are useful, but we kept running into a few constraints: the OCaml core raises the contribution bar for many developers, adding language support is not as simple as we wanted, and some higher-signal rule content in the ecosystem sits behind accounts or paid offerings. We wanted something fast, inspectable, easy to extend, and fully open. A few implementation details: - Rust binary for local and CI use - Tree-sitter parsing - MIT licensed - Pattern matching and taint analysis by default - Cross-file taint propagation and dependency tracking - Parallel file discovery and scanning - Text, JSON, and CSV output - Rules written in RON and deserialized into typed Rust structs/enums Current support includes Python, JS/TS, Java, Go, C#, HTML, PHP and Ruby. It focuses on source-code vulnerability classes like command injection, SQL injection, XSS, path traversal, code injection, unsafe deserialization, and crypto issues. It is not a secrets scanner. We're still have a lot of work to getting to where we want it to be so, we would love the community to test it, break it, report issues, and tell us where it falls short. PRs for rules, language support, fixtures, and false-positive tuning are very welcome. I’ll be around today to answer questions about the parser design, rule format, taint analysis, RON, limitations, and roadmap. | ||