DragonSec SAST


DragonSec is an advanced security scanner that combines traditional static analysis with AI-powered code review.


Website

Chinese documentation

Features

  • Multiple AI Models Support:

    • OpenAI GPT-4
    • Google Gemini
    • Deepseek (via OpenRouter)
    • Grok
    • Local AI Models (via Ollama)
  • Static Analysis:

    • Integrated with Semgrep for reliable static code analysis
    • Custom security rules and patterns
    • Support for multiple programming languages
  • Hybrid Analysis:

    • Combines AI insights with static analysis results
    • Reduces false positives through cross-validation
    • Provides comprehensive security scoring
  • Asynchronous parallel processing

Installation

git clone https://github.com/zjuguxi/dragonsec
cd dragonsec
pip install -e .

Quick Start

  1. Set up your API keys:
export OPENAI_API_KEY="your-openai-key"  # For OpenAI models
export GEMINI_API_KEY="your-gemini-key"  # For Google Gemini
export OPENROUTER_API_KEY="your-openrouter-key"  # For Deepseek via OpenRouter
  2. Run a scan:
# Using OpenAI GPT-4
dragonsec scan --path /path/to/code --mode openai --api-key $OPENAI_API_KEY

# Using Google Gemini
dragonsec scan --path /path/to/code --mode gemini --api-key $GEMINI_API_KEY

# Using Deepseek via OpenRouter
dragonsec scan --path /path/to/code --mode deepseek --api-key $OPENROUTER_API_KEY

# Using Local AI Model via Ollama
dragonsec scan --path /path/to/code --mode local --local-url http://localhost:11434 --local-model deepseek-r1:32b

# Using only Semgrep (no API key needed)
dragonsec scan --path /path/to/code --mode semgrep

Configuration

DragonSec uses a default configuration that can be customized:

# Custom configuration
DEFAULT_CONFIG = {
    'skip_dirs': {'node_modules', 'build', ...},
    'batch_size': 4,
    'batch_delay': 0.1,
    ...
}

You can override these settings using command line options:

  • --batch-size: Number of files to process in parallel
  • --batch-delay: Delay between batches in seconds
  • --include-tests: Include test files in scan
  • --verbose: Show detailed progress
  • --output-dir: Custom directory for scan results

Supported Languages

  • Python
  • JavaScript
  • Java
  • Go
  • PHP
  • Dockerfile

Output

Results are saved in JSON format with:

  • Detailed vulnerability descriptions
  • Severity ratings
  • Line numbers
  • Risk analysis
  • Remediation recommendations
  • Overall security score
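The "Hybrid Analysis" feature above (cross-validating AI findings against Semgrep results to reduce false positives) and the overall security score listed here are described but not shown. The following is an added illustration of that idea, not DragonSec's own code: the finding fields, confidence values and severity weights are assumptions chosen for the example, not the project's schema.

```python
# Added example (not DragonSec's code): cross-validate two sources of findings.
# A finding reported by both Semgrep and the AI reviewer gets high confidence;
# a finding reported only by the AI is kept but weighted down for human review.
# Field names, confidence values and severity weights are assumptions.

SEVERITY_WEIGHT = {"critical": 10, "high": 7, "medium": 4, "low": 1}  # assumed


def finding_key(f):
    """Key a finding by file, line and category so both sources can be matched."""
    return (f["file"], f["line"], f["category"])


def cross_validate(semgrep_findings, ai_findings):
    """Merge findings from both sources; agreement raises confidence."""
    merged = {}
    for f in semgrep_findings:
        merged[finding_key(f)] = {**f, "sources": {"semgrep"}, "confidence": 0.7}
    for f in ai_findings:
        k = finding_key(f)
        if k in merged:
            merged[k]["sources"].add("ai")
            merged[k]["confidence"] = 0.95  # both analyses agree
        else:
            merged[k] = {**f, "sources": {"ai"}, "confidence": 0.4}  # AI-only: review
    return list(merged.values())


def security_score(findings):
    """0-100 score: each finding subtracts its severity weight scaled by confidence."""
    penalty = sum(SEVERITY_WEIGHT[f["severity"]] * f["confidence"] for f in findings)
    return max(0, round(100 - penalty))


# Constructed sample findings (not real scan output).
SEMGREP = [
    {"file": "app.py", "line": 42, "category": "sql-injection", "severity": "high"},
    {"file": "app.py", "line": 77, "category": "hardcoded-secret", "severity": "medium"},
]
AI = [
    {"file": "app.py", "line": 42, "category": "sql-injection", "severity": "high"},
    {"file": "util.py", "line": 10, "category": "weak-crypto", "severity": "low"},
]

if __name__ == "__main__":
    merged = cross_validate(SEMGREP, AI)
    for f in merged:
        print(f["file"], f["line"], f["category"], sorted(f["sources"]), f["confidence"])
    print("score:", security_score(merged))  # 90
```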

Command Line Usage

DragonSec provides several commands and options:

Main Commands

dragonsec scan   # Run security scan
dragonsec rules  # List available security rules

Scan Command Options

dragonsec scan [OPTIONS]

Required:
  --path PATH              Path to scan (file or directory)

Scan Mode:
  --mode MODE              Scanning mode [default: semgrep]
                           Choices:
                           - semgrep (basic static analysis)
                           - openai (OpenAI enhanced)
                           - gemini (Google Gemini enhanced)
                           - deepseek (Deepseek via OpenRouter)
                           - local (Local AI model)

Authentication:
  --api-key KEY            API key for AI service (required for AI modes)

Performance:
  --batch-size N           Files to process per batch [default: 4]
  --batch-delay SECONDS    Delay between batches [default: 0.1]

File Selection:
  --include-tests          Include test files in scan [default: False]

Output:
  --output-dir DIR         Directory for scan results [default: ~/.dragonsec/scan_results]
  --verbose, -v            Show detailed progress [default: False]

Example Commands

# Basic scan with default settings
dragonsec scan --path ./myproject

# AI-enhanced scan
dragonsec scan \
  --path ./myproject \
  --mode openai \
  --api-key $OPENAI_API_KEY \
  --batch-size 4 \
  --batch-delay 0.2 \
  --include-tests \
  --verbose

# View available security rules
dragonsec rules

About

Smarter security: AI-enhanced static scanning with Semgrep.
