shisho: lightweight static code analyzer designed for developers and security teams
Shisho is a lightweight static code analyzer designed for developers and security teams.
The key motivation of Shisho is providing a means of Security-as-Code for Code. It allows us to analyze and transform your source code with an intuitive DSL. Here’s an example of policies for Terraform code:
Another key aspect of Shisho is speed; it runs so fast with the help of Rust! See Comparison page for further information.
In addition, Shisho runs everywhere! You can use this tool offline so that you don’t need to transfer your code anywhere. One can use Shisho inside Continuous Integration (CI) systems like GitHub Actions.
We already have
sed or something like that. There are already several static analysis engines in the world indeed. Now you may wonder why do we need shisho now. See the Comparison page to see why.
As of 2021/08/18, Shisho supports the following languages:
- HCL (Terraform)
A rule describes how matched parts for a pattern should be treated. It mainly consists of:
- an ID
- a pattern
- a target language name of the pattern
- a message related to the pattern
- rule constraints (optional)
- a rewrite option (optional)
A rule set is a set of rules with Shisho’s version information. Here’s an example ruleset:
Copyright (C) 2021 flatt-security