mono-sast (monolithic static application security testing tool) runs multiple open-source SAST scanners against your codebase from a single container and normalises their output into a common set of report formats; each scanner stays fully configurable through its own native config files.

```bash
docker run --rm -v "$(pwd):/target:ro" ghcr.io/notreeceharris/mono-sast
```

Pass options as key=value arguments after the image name.
| Flag | Default | Description |
|---|---|---|
| f= | sarif | Comma-separated output formats: sarif, html, markdown |
| o= | . | Directory to write output files into |
| Format | File | Description |
|---|---|---|
| sarif | results.json | Merged SARIF 2.1.0 |
| html | report.html | Browsable HTML report |
| markdown | report.md | Markdown report with collapsible finding details |
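The merged SARIF 2.1.0 file is the format most useful in CI, because every scanner's findings land in one `runs` array. The following added example (not part of mono-sast itself) walks such a file, counts findings per scanner and per SARIF `level`, and picks out the ones that should fail a pipeline. The embedded log is a constructed sample, not real scanner output.

```python
import json
from collections import Counter

# Constructed sample of a merged SARIF 2.1.0 log: one run per scanner.
# Illustrative data only, not output of mono-sast or the named scanners.
SAMPLE_SARIF = json.loads("""
{"version": "2.1.0", "runs": [
  {"tool": {"driver": {"name": "gitleaks"}},
   "results": [
     {"ruleId": "generic-api-key", "level": "error",
      "message": {"text": "Generic API key"},
      "locations": [{"physicalLocation": {
        "artifactLocation": {"uri": "config/settings.py"},
        "region": {"startLine": 12}}}]}]},
  {"tool": {"driver": {"name": "semgrep"}},
   "results": [
     {"ruleId": "python.lang.security.sqli", "level": "warning",
      "message": {"text": "SQL built by string concatenation"},
      "locations": [{"physicalLocation": {
        "artifactLocation": {"uri": "app/db.py"},
        "region": {"startLine": 40}}}]},
     {"ruleId": "python.lang.security.tmpfile",
      "message": {"text": "Insecure temporary file"},
      "locations": [{"physicalLocation": {
        "artifactLocation": {"uri": "app/util.py"},
        "region": {"startLine": 8}}}]}]}]}
""")

# SARIF result levels ranked for gating; "warning" is the spec's fallback default.
SEVERITY = {"error": 3, "warning": 2, "note": 1, "none": 0}

def iter_findings(sarif):
    """Yield (tool, level, ruleId, uri, startLine) for every result in every run."""
    for run in sarif.get("runs", []):
        tool = run.get("tool", {}).get("driver", {}).get("name", "unknown")
        for res in run.get("results", []):
            level = res.get("level", "warning")
            loc = (res.get("locations") or [{}])[0].get("physicalLocation", {})
            uri = loc.get("artifactLocation", {}).get("uri", "<no-file>")
            line = loc.get("region", {}).get("startLine", 0)
            yield tool, level, res.get("ruleId", "<no-rule>"), uri, line

def summarise(sarif):
    """Return (findings per scanner, findings per level) across all merged runs."""
    per_tool, per_level = Counter(), Counter()
    for tool, level, *_ in iter_findings(sarif):
        per_tool[tool] += 1
        per_level[level] += 1
    return per_tool, per_level

def gate_findings(sarif, min_level="error"):
    """Return findings at or above min_level, worst first; non-empty means fail CI."""
    threshold = SEVERITY[min_level]
    hits = [f for f in iter_findings(sarif) if SEVERITY.get(f[1], 2) >= threshold]
    return sorted(hits, key=lambda f: -SEVERITY.get(f[1], 2))
```

Load `results.json` with `json.load` in place of `SAMPLE_SARIF` to run it against a real mono-sast output directory.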
```bash
# SARIF only (default): writes results.json to the current directory
docker run --rm -v "$(pwd):/target:ro" ghcr.io/notreeceharris/mono-sast

# Using make dev (pass flags via ARGS=)
TARGET_DIR="/path/to/repo" make dev
TARGET_DIR="/path/to/repo" make dev ARGS="f=markdown"
TARGET_DIR="/path/to/repo" make dev ARGS="f=sarif,html,markdown o=/out"

# Markdown report only
docker run --rm -v "$(pwd):/target:ro" -v "$(pwd)/out:/out" ghcr.io/notreeceharris/mono-sast f=markdown o=/out

# All formats into a custom output directory
docker run --rm -v "$(pwd):/target:ro" -v "$(pwd)/out:/out" ghcr.io/notreeceharris/mono-sast f=sarif,html,markdown o=/out
```

Progress toward full scanner coverage. Checked scanners are active and producing output; unchecked are planned or in progress.
| Scanner | Description | Implemented |
|---|---|---|
| microsoft/DevSkim | Multi-language static code analyzer | |
| github/codeql | GitHub's semantic analysis engine | |
| opengrep/opengrep | OSS Semgrep fork | |
| semgrep/semgrep | Multi-language pattern matching | |
| bearer/bearer | Privacy & security scanning | |
| SonarQube CE | Community edition | |
| aquasecurity/trivy | Vulnerability & misconfiguration | |
| gitleaks/gitleaks | Secret detection | |
| betterleaks/betterleaks | Secret detection | |
| boostsecurityio/poutine | Supply chain vulnerability scanner for build pipelines | |
| Scanner | Language(s) | Implemented |
|---|---|---|
| facebook/infer | Java, C, C++, ObjC, Erlang, Swift, Hack | |
| rust-lang/rust-clippy | Rust | |
| joernio/joern | C, C++, Java, Binary, JavaScript, Python, Kotlin | |
| pycqa/bandit | Python | |
| securego/gosec | Go | |
| presidentbeef/brakeman | Ruby | |
| spotbugs/spotbugs | Java | |
| thesp0nge/dawnscanner | Ruby | |
| phpstan/phpstan | PHP | |
| david-a-wheeler/flawfinder | C, C++ | |
| cppcheck-opensource/cppcheck | C, C++ | |
| ajinabraham/njsscan | Node.js | |
| quay/clair | Containers | |
Scanner additions and output normalisers are the most valuable contributions. If you maintain or regularly use a SAST tool that isn't listed here, open an issue or a PR.
See contributing.md for the full guide.
GPL-3.0. Use it, fork it, embed it, don't sell it as a SaaS without at least feeling a bit guilty.