


Scan (skæn) is an open-source security audit tool for modern DevOps teams. With an integrated, multi-scanner design, Scan can detect various kinds of security flaws in your application and infrastructure code in a single fast scan, without the need for any remote server. It performs the following kinds of checks:

  • Credentials Scanning to detect accidental secret leaks
  • Static Analysis Security Testing (SAST) for a range of languages and frameworks
  • Open-source dependencies audit for known CVEs
    • Many languages and package formats supported
    • OSS Risk Audit for npm
    • Dependency confusion checks for npm
  • Licence violation checks
  • Container image scanning for application CVEs (New)


Scan is purpose-built for DevSecOps workflow integrations, with features such as an automatic build breaker, Pull Request summary comments, and support for GitHub Code scanning and Bitbucket Code Insights.

Sample invocation

The one-liner command below is an easy way to do some casual testing (assuming this is fine for you):

sh <(curl

The command above simply invokes the docker run command below.

docker run --rm -e "WORKSPACE=${PWD}" -v "$PWD:/app" shiftleft/sast-scan scan --build

MD5 hashes for the scripts

MD5                               Script URL
3e90e3250f4e8a15c2b808fb00171cab  install
9a10d9115d7b096db7921231f9fedc47  credscan

For arm64-based CPUs such as the Apple M1, use the :arm tag.

docker run --rm -e "WORKSPACE=${PWD}" -v "$PWD:/app" shiftleft/sast-scan:arm scan --build

Java Scan

Scan is also available as an AppImage. Please download the latest version from GitHub releases or use the one-liner command below.

sh <(curl

The expanded version of the one-liner command:

chmod +x scan
./scan -t nodejs

Supported Languages & Frameworks

The full list of supported languages is as follows:

Language Scan Type (--type) Credential Scan SAST Dependency Scan License Audit Build Breaker
Salesforce Apex apex
Ansible ansible 🚧
AWS CloudFormation / CDK aws
Azure Resource Manager Templates arm
Bash bash
C/C++ cpp 🚧
Clojure clojure
Dart dart
Dockerfile dockerfile
Elixir elixir
Go go
Haskell haskell
Java java
Kotlin kotlin
Scala scala
Groovy groovy
JSP jsp
Node.js nodejs 🚧
PL/SQL plsql
PHP php
Python python
Ruby ruby ✓ (1)
Rust rust
Helm Charts yaml
Kubernetes kubernetes
Serverless serverless
Terraform terraform
Salesforce Visual Force vf
Apache Velocity vm
YAML yaml 🚧
Container Image docker 🚧

🚧 - Work-in-progress feature


(1) - For Ruby, Brakeman is the only supported tool and is currently not bundled with the Scan image. Once you have a suitable license for Brakeman (it is not free for commercial use), run the commands below before invoking Scan.

sudo gem install brakeman
brakeman -q --no-exit-on-warn --no-exit-on-error -o reports/source-ruby-report.json

Scan then takes the JSON report source-ruby-report.json and uses it for SARIF conversion and build breaker logic. The file must be produced in the reports directory before Scan is invoked.

To scan an AWS CDK codebase, export it to CloudFormation and then scan using the aws type.

Start with your use case

  • Read more about secure development and best practices with Scan for a range of languages
  • Configure Scan and customize the default build breaker logic


The developers behind Scan are available on a dedicated Discord channel for questions and support. For defects, raising an issue on GitHub is best.

Last update: January 27, 2023