- Scans source code for security issues using AST-aware rules.
- Supports pattern mode and taint mode (source to sink tracking).
- Handles multi-file projects and parallel execution.
- Outputs findings as text, JSON, or CSV.
- Loads embedded rule packs by file extension, with optional file-based custom rules.
| Language | Extensions | Parser | Bundled Rules |
|---|---|---|---|
| Python | .py, .pyw, .pyi, .pyx |
Yes | Yes |
| JavaScript | .js, .mjs, .cjs, .jsx, .vue, .svelte |
Yes | Yes |
| TypeScript / TSX | .ts, .tsx, .mts, .cts |
Yes | Yes (JS rules) |
| Java | .java |
Yes | Yes |
| PHP | .php, .phtml |
Yes | Yes |
| C# | .cs, .csx |
Yes | Yes |
| Go | .go |
Yes | Yes |
| Ruby | .rb |
Yes | Yes |
| HTML | .html, .htm, .twig, .ejs, .hbs, ... |
Yes | Yes |
| Django templates | .html (Django syntax) |
Yes | Yes (HTML rules) |
Not currently supported: Razor (.cshtml), C/C++ (.c, .h).
Prerequisites:
Build from source:
git clone https://github.com/Corgea/Sighthound.git
cd Sighthound
cargo build --releaseBinary path: target/release/sighthound
Linux-container-compatible release export:
DOCKER_BUILDKIT=1 docker build \
--target export \
--output type=local,dest=./sighthound_release \
.Or run ./build_all_platforms.sh.
# Auto-detect languages and run embedded rules
cargo run --bin sighthound -- /path/to/project
# Explicit language + custom rules path
cargo run --bin sighthound -- /path/to/project python rules/python
# Taint-only scan and JSON output
cargo run --bin sighthound -- --taint-analysis --output-format json /path/to/project > findings.jsonCLI shape:
sighthound [OPTIONS] <ROOT_DIR> [LANGUAGE] [RULES_PATH]Run sighthound --help for the full option list.
Rules are written in RON and support both:
mode: "search"for pattern matchingmode: "taint"for source/sink/sanitizer analysis
Start here:
Core commands:
make check # fix + format + lint + test + suppression report
make pre-commit # staged Rust files (hook)
make pre-push # push gate checks
make ci # strict CI pipelineAdditional quality gates:
make complexity
make audit
make acceptance
cargo harness coverage --min=0
cargo harness crap --max=30- Runtime-only vulnerabilities in dynamic code paths may be missed.
- Very large files can increase scan time.
- Multi-file taint is supported but still an area to harden further.