An open-source, comprehensive security scanner combining SAST, SCA, and secret detection, aligned with OWASP Top 10:2025 and created for intelligent remediation.

## Documentation

Full Documentation: Drogonsec Doc
## Features

| Engine | Description |
|---|---|
| SAST | Static Application Security Testing for 20+ languages |
| SCA | Software Composition Analysis: scans dependencies for CVEs |
| Leaks | Secret detection: 50+ patterns (AWS, GCP, GitHub, JWT, SSH keys, ...) |
| IaC | Infrastructure as Code misconfigurations (Terraform, Kubernetes) |
| AI | AI-powered remediation via Ollama (local/free) or cloud providers |
## Security Frameworks

- OWASP Top 10:2025: all 10 categories covered (including the 2 new ones: Supply Chain and Mishandling Exceptions)
- CWE: Common Weakness Enumeration mapping
- CVSS 3.1: severity scoring
- SARIF 2.1: GitHub/Azure DevOps integration
## Supported Languages

Python, Java, JavaScript, TypeScript, Go, Kotlin, C#, PHP, Ruby, Swift, Dart, Elixir, Erlang, Shell, C/C++, HTML, Terraform, Kubernetes, Nginx
## Quick Start

### Installation

Go Install (requires Go 1.25+):

```bash
go install github.com/filipi86/drogonsec/cmd/drogonsec@latest
```

From source:

```bash
git clone https://github.com/filipi86/drogonsec
cd drogonsec
make install
```

Docker:

```bash
docker run --rm -v "$(pwd)":/scan ghcr.io/filipi86/drogonsec scan /scan
```
### Basic Usage

```bash
# Scan current directory
drogonsec scan .

# Scan with JSON output
drogonsec scan ./myproject --format json --output report.json

# Scan with HTML report
drogonsec scan . --format html --output report.html

# Scan with AI remediation (local Ollama: free, no API key needed)
drogonsec scan . --enable-ai

# Scan with AI remediation (cloud provider: requires API key)
AI_API_KEY="..." drogonsec scan . --enable-ai --ai-provider anthropic

# Scan git history for secrets
drogonsec scan . --git-history

# Only report HIGH and CRITICAL
drogonsec scan . --severity HIGH

# Disable specific engines
drogonsec scan . --no-sca
drogonsec scan . --no-leaks
drogonsec scan . --no-sast
```
## Output Formats

### Text (default)

```text
Drogonsec Security Scanner
───────────────────────────────────────────
Target : /path/to/project
SAST   : enabled
SCA    : enabled
Leaks  : enabled
───────────────────────────────────────────

─── SAST FINDINGS ──────────────────────────

#1 [HIGH] SQL Injection via string formatting
   File  : src/users.py:42
   Rule  : PY-001
   OWASP : A05:2025 - Injection
   CWE   : CWE-89   CVSS: 9.8
   Fix   : Use parameterized queries...
```
### JSON

```json
{
  "version": "0.1.0",
  "stats": { "total_findings": 5, "critical": 1, "high": 3 },
  "sast_findings": [ ... ],
  "sca_findings": [ ... ],
  "leak_findings": [ ... ]
}
```
### SARIF (GitHub Security Integration)

```yaml
# .github/workflows/security.yml (job steps; the job needs `permissions: security-events: write` for the upload)
- name: DrogonSec Scan
  run: drogonsec scan . --format sarif --output results.sarif
- name: Upload to GitHub Security
  uses: github/codeql-action/upload-sarif@v4
  with:
    sarif_file: results.sarif
```
## Configuration

Create `.drogonsec.yaml` in your project root:

```yaml
scan:
  min_severity: LOW
  workers: 4
  git_history: false
  ignore_paths:
    - node_modules
    - vendor
    - dist

engines:
  sast:
    enabled: true
  sca:
    enabled: true
  leaks:
    enabled: true
    min_entropy: 3.5
  ai:
    enabled: false
    high_severity_only: true

fail_on:
  critical: true
  high: true
```
## AI-Powered Remediation

DrogonSec includes AI-powered remediation, providing intelligent, context-aware fixes for detected vulnerabilities. Ollama + DeepSeek Coder is the recommended open-source option: Ollama is open-source (MIT license) and runs 100% locally, with no data leaving your machine.
### Local AI (Ollama): Recommended for OSS

```bash
# 1. Install Ollama (https://ollama.com)
#    macOS: brew install ollama

# 2. Pull the recommended model
ollama pull deepseek-coder

# 3. Scan with AI (auto-detects local Ollama)
drogonsec scan . --enable-ai

# Use a different model
drogonsec scan . --enable-ai --ai-provider ollama --ai-model codellama
```
### Cloud AI (API Key Required)

```bash
# Anthropic
AI_API_KEY="sk-ant-..." drogonsec scan . --enable-ai --ai-provider anthropic

# OpenAI-compatible
AI_API_KEY="sk-..." drogonsec scan . --enable-ai \
  --ai-provider openai \
  --ai-model gpt-4o

# Custom endpoint
AI_API_KEY="..." drogonsec scan . --enable-ai \
  --ai-provider custom \
  --ai-endpoint https://your-endpoint/v1/messages
```

Example output:

```text
🤖 AI Remediation:
The SQL injection in line 42 allows attackers to manipulate your query...
Corrected code:
cursor.execute("SELECT * FROM users WHERE id = %s", (user_id,))
```
### Bring Your Own AI

Any OpenAI-compatible endpoint works as a custom provider:

```bash
AI_API_KEY="your-key" drogonsec scan . --enable-ai \
  --ai-provider custom \
  --ai-endpoint https://your-api/v1/messages
```
### Security Hardening

The AI client includes several defensive controls, documented in docs/security.md:

- No HTTP redirects: 3xx responses are refused, so the `x-api-key` header can never leak to a third-party host via a `302 Location: …` redirect
- HTTPS enforcement: non-loopback HTTP endpoints are rejected; only `https://`, `http://127.0.0.1` and `http://localhost` are accepted
- HMAC-SHA256 cache integrity: every cached response is tagged with a per-user key stored under `~/.drogonsec/ai-cache/cache.key` (mode 0600); tampered entries are discarded on read
- Ollama shape validation: auto-detection requires a valid `{"models":[...]}` response from `/api/tags`, not just an HTTP 200 on port 11434
- Cache and output permissions: the cache directory is 0700, and every cached file and every `--output` report is 0600 (reports embed code snippets and secrets)
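The five controls above, written out as an added Go example (this is not DrogonSec's own `internal/ai` code; every function name here is an assumption): an endpoint validator that accepts `https://` anywhere but plain `http://` only for loopback hosts, an `http.Client` whose `CheckRedirect` refuses every 3xx so a request carrying the key header is never replayed to another host, an HMAC-SHA256 tag on each cache entry under a 32-byte key file created as 0600 inside a 0700 directory, and a shape check that only treats an `/api/tags` reply as Ollama when it carries a `"models"` array.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/url"
	"os"
	"path/filepath"
	"strings"
)

// ErrRedirect: any 3xx is refused, so a request carrying the API key header is never replayed elsewhere.
var ErrRedirect = errors.New("ai endpoint answered with a redirect; refusing to follow")

// ValidateEndpoint allows https:// to any host, and plain http:// only to a loopback IP or "localhost".
func ValidateEndpoint(raw string) (*url.URL, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, err
	}
	if u.Scheme == "https" {
		return u, nil
	}
	if u.Scheme != "http" {
		return nil, errors.New("unsupported scheme; use https:// or a loopback http:// endpoint")
	}
	host := u.Hostname()
	if ip := net.ParseIP(host); host == "localhost" || (ip != nil && ip.IsLoopback()) {
		return u, nil
	}
	return nil, errors.New("plain http is only accepted for loopback hosts")
}

// NewAIClient builds an http.Client whose CheckRedirect refuses every redirect.
func NewAIClient() *http.Client {
	return &http.Client{
		CheckRedirect: func(*http.Request, []*http.Request) error { return ErrRedirect },
	}
}

// LoadOrCreateCacheKey returns the per-user HMAC key from dir/cache.key, creating the directory as 0700 and the file as 0600.
func LoadOrCreateCacheKey(dir string) ([]byte, error) {
	if err := os.MkdirAll(dir, 0o700); err != nil {
		return nil, err
	}
	path := filepath.Join(dir, "cache.key")
	if key, err := os.ReadFile(path); err == nil && len(key) == 32 {
		return key, nil
	}
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, os.WriteFile(path, key, 0o600)
}

// SealEntry prefixes a cached response with its hex HMAC-SHA256 tag and a newline.
func SealEntry(key, response []byte) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write(response)
	return append([]byte(hex.EncodeToString(mac.Sum(nil))+"\n"), response...)
}

// OpenEntry verifies the tag in constant time; a tampered or untagged entry is rejected so the caller discards it.
func OpenEntry(key, entry []byte) ([]byte, error) {
	tag, body, ok := strings.Cut(string(entry), "\n")
	if !ok {
		return nil, errors.New("cache entry has no integrity tag")
	}
	want, err := hex.DecodeString(tag)
	if err != nil {
		return nil, err
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(body))
	if !hmac.Equal(want, mac.Sum(nil)) {
		return nil, errors.New("cache entry failed HMAC check; discarding")
	}
	return []byte(body), nil
}

// LooksLikeOllama accepts an /api/tags body only if it carries a "models" array (HTTP 200 alone is not enough).
func LooksLikeOllama(body []byte) bool {
	var resp struct{ Models *[]json.RawMessage `json:"models"` }
	return json.Unmarshal(body, &resp) == nil && resp.Models != nil
}

func main() {
	_, err := ValidateEndpoint("http://evil.example/v1") // assumed non-loopback host: must be refused
	fmt.Println("remote plain-http endpoint rejected:", err != nil)
}
```

`CheckRedirect` returning an error makes `http.Client` hand back the original 3xx response with its body closed, rather than issuing the follow-up request; `hmac.Equal` is used instead of `bytes.Equal` so a tag comparison cannot be timed.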
## Shell Completion

Drogonsec supports rich tab-completion for bash, zsh, fish, and PowerShell, with inline descriptions for enum flags, context-aware model suggestions, and directory-only completion for scan paths. See the Usage docs for details.

```bash
# Interactive install (detects shell, previews, asks for confirmation)
drogonsec completion install

# Preview only: no files modified
drogonsec completion install --dry-run

# Manual (bash / zsh)
source <(drogonsec completion bash)
source <(drogonsec completion zsh)
```

Security note: `--ai-key` is deliberately excluded from completion so API keys are never captured by shell history or completion caches. Always pass keys via `AI_API_KEY`.
## OWASP Top 10:2025 Coverage

| # | Category | Status |
|---|---|---|
| A01 | Broken Access Control | ✅ 23 rules |
| A02 | Security Misconfiguration | ✅ 31 rules |
| A03 | Software Supply Chain Failures (new) | ✅ SCA Engine |
| A04 | Cryptographic Failures | ✅ 18 rules |
| A05 | Injection | ✅ 45 rules |
| A06 | Insecure Design | ✅ 15 rules |
| A07 | Authentication Failures | ✅ 20 rules |
| A08 | Software or Data Integrity Failures | ✅ 9 rules |
| A09 | Security Logging & Alerting Failures | ✅ 11 rules |
| A10 | Mishandling of Exceptional Conditions (new) | ✅ 8 rules |
## Secret Detection Patterns

Drogonsec detects 50+ secret patterns including:
- Cloud: AWS Access Keys, GCP API Keys, Azure Storage Keys
- SCM: GitHub tokens (classic, fine-grained, OAuth, App)
- Payment: Stripe Secret/Restricted Keys
- Communication: Slack Bot/App tokens, Webhook URLs
- Email: SendGrid API Keys
- Crypto: RSA/EC/SSH/PGP private keys, JWT tokens
- DB: Connection strings (PostgreSQL, MySQL, MongoDB, Redis)
- Generic: Hardcoded passwords, API keys, secrets
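An added Go illustration of how a detector of this kind is typically structured (this is not DrogonSec's `internal/leaks` engine; the three fixed-format rules, the generic pattern and the sample lines are a constructed subset): fixed-format tokens such as AWS access key IDs or GitHub personal access tokens fire on their pattern alone, while generic `key = value` assignments are only reported when the Shannon entropy of the value clears a threshold, which is the role a setting like `min_entropy: 3.5` in the configuration plays in cutting false positives on placeholders like `changeme`.

```go
package main

import (
	"fmt"
	"math"
	"regexp"
	"strings"
)

// Finding is one detected secret: the line it sits on, the rule that fired and the matched text.
type Finding struct {
	Line  int
	Rule  string
	Match string
}

// Fixed-format, high-confidence token patterns (constructed subset for this example).
var specific = []struct {
	Rule string
	Re   *regexp.Regexp
}{
	{"AWS Access Key ID", regexp.MustCompile(`\bAKIA[0-9A-Z]{16}\b`)},
	{"GitHub Personal Access Token", regexp.MustCompile(`\bghp_[A-Za-z0-9]{36}\b`)},
	{"PEM private key", regexp.MustCompile(`-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----`)},
}

// Generic assignment of a secret-looking value (12+ token characters); gated by entropy below.
var generic = regexp.MustCompile(`(?i)\b(api[_-]?key|secret|password|token)\b\s*[:=]\s*["']?([A-Za-z0-9+/=_-]{12,})`)

// ShannonEntropy returns bits of entropy per character: "abcd" is 2.0, "aaaa" is 0.
func ShannonEntropy(s string) float64 {
	if s == "" {
		return 0
	}
	counts := map[rune]int{}
	for _, r := range s {
		counts[r]++
	}
	n := float64(len([]rune(s)))
	var h float64
	for _, c := range counts {
		p := float64(c) / n
		h -= p * math.Log2(p)
	}
	return h
}

// ScanLines runs the fixed-format rules first; a line they matched is not re-reported by the
// generic rule, and a generic match is kept only when its value's entropy reaches minEntropy.
func ScanLines(lines []string, minEntropy float64) []Finding {
	var out []Finding
	for i, line := range lines {
		matched := false
		for _, p := range specific {
			if m := p.Re.FindString(line); m != "" {
				out = append(out, Finding{i + 1, p.Rule, m})
				matched = true
			}
		}
		if matched {
			continue
		}
		if m := generic.FindStringSubmatch(line); m != nil && ShannonEntropy(m[2]) >= minEntropy {
			out = append(out, Finding{i + 1, "Generic high-entropy " + strings.ToLower(m[1]), m[2]})
		}
	}
	return out
}

// Constructed sample input. The AWS value is the example key from AWS's own documentation;
// the API_KEY and GITHUB_TOKEN values are made up for this example and belong to nobody.
var sample = []string{
	`aws_access_key_id = AKIAIOSFODNN7EXAMPLE`,
	`password = "changemechangeme"`,
	`API_KEY = "q8Zt3vLp2Xw9Kd7Rm4Ny6Hb1Jc5Fg0Vs"`,
	`GITHUB_TOKEN=ghp_A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q7r8`,
	`log.info("user logged in")`,
}

func main() {
	for _, f := range ScanLines(sample, 3.5) {
		fmt.Printf("line %d: %s (%s)\n", f.Line, f.Rule, f.Match)
	}
}
```

With the threshold at 3.5 the scan reports the AWS key on line 1, the 32-character `API_KEY` value on line 3 (entropy 5.0) and the GitHub token on line 4; `changemechangeme` on line 2 matches the generic pattern but its entropy of 2.75 falls below the threshold, so it is dropped. Raising the threshold above 5.0 silences the generic rule while the fixed-format rules keep firing.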
## Architecture

```text
drogonsec/
├── cmd/drogonsec/        # CLI entrypoint
├── internal/
│   ├── analyzer/         # Main orchestrator
│   ├── engine/           # SAST rules engine (20+ languages)
│   ├── leaks/            # Secret detection engine
│   ├── sca/              # Dependency analysis engine
│   ├── reporter/         # Text/JSON/SARIF/HTML reporters
│   ├── ai/               # AI remediation engine (Ollama + Cloud)
│   └── config/           # Types and configuration
└── rules/                # YAML rule definitions (community-extensible)
```
## Contributing

Contributions are welcome! Areas to contribute:
- New security rules for any language
- Additional secret patterns
- Parser improvements
- Documentation
- Bug fixes
See CONTRIBUTING for guidelines.

## License

Apache License 2.0. See LICENSE.

## Credits

Inspired by Horusec. DrogonSec is a modern, actively maintained and updated successor with enhanced capabilities.

Built with: Go, Cobra, Viper, go-git.

## Maintained by

This open-source project is maintained and supported by CROSS-INTEL.

## Links

Documentation: cross-intel.com/opensource/drogonsec