Want Sighthound without the setup? Sign up for Corgea, where Sighthound is built in alongside AI SAST, secrets, container, dependency, and IaC scanning—with false-positive reduction and automated fixes.
- Scans source code for security issues using AST-aware rules.
- Supports pattern mode and taint mode (source to sink tracking).
- Handles multi-file projects and parallel execution.
- Outputs findings as text, JSON, CSV, or SARIF.
- Loads embedded rule packs by file extension, with optional file-based custom rules.
| Language | Extensions | Parser | Bundled Rules |
|---|---|---|---|
| Python | .py, .pyw, .pyi, .pyx |
Yes | Yes |
| JavaScript | .js, .mjs, .cjs, .jsx, .vue, .svelte |
Yes | Yes |
| TypeScript / TSX | .ts, .tsx, .mts, .cts |
Yes | Yes (JS rules) |
| Java | .java |
Yes | Yes |
| PHP | .php, .phtml |
Yes | Yes |
| C# | .cs, .csx |
Yes | Yes |
| Go | .go |
Yes | Yes |
| Ruby | .rb |
Yes | Yes |
| HTML | .html, .htm, .twig, .ejs, .hbs, ... |
Yes | Yes |
| Django templates | .html (Django syntax) |
Yes | Yes (HTML rules) |
Not currently supported: Razor (.cshtml), C/C++ (.c, .h).
Prerequisites:
- Rust 1.85+
- Git
Build from source:
git clone https://github.com/Corgea/Sighthound.git
cd Sighthound
cargo build --releaseBinary path: target/release/sighthound
Linux-container-compatible release export:
DOCKER_BUILDKIT=1 docker build \
--target export \
--output type=local,dest=./sighthound_release \
.Or run ./build_all_platforms.sh.
# Auto-detect languages and run embedded rules
cargo run --bin sighthound -- /path/to/project
# Explicit language + custom rules path
cargo run --bin sighthound -- /path/to/project python rules/python
# Taint-only scan and JSON output
cargo run --bin sighthound -- --taint-analysis --output-format json /path/to/project > findings.json
# SARIF output for GitHub Code Scanning
cargo run --bin sighthound -- --output-format sarif /path/to/project > results.sarifCLI shape:
sighthound [OPTIONS] <ROOT_DIR> [LANGUAGE] [RULES_PATH]Run sighthound --help for the full option list.
The sarif output format writes SARIF 2.1.0, which GitHub Code Scanning
ingests directly. Upload it from a workflow so findings appear inline on the
pull request and in the repository's Security tab:
Run the scan from the repository root and use . (or the repository root's
absolute path) as <ROOT_DIR> so SARIF artifact URIs stay repository-relative.
- name: Run Sighthound
run: sighthound --output-format sarif . > results.sarif
- name: Upload SARIF
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: results.sarifRules are written in RON and support both:
mode: "search"for pattern matchingmode: "taint"for source/sink/sanitizer analysis
Start here:
Core commands:
make check # fix + format + lint + test + suppression report
make pre-commit # staged Rust files (hook)
make pre-push # push gate checks
make ci # strict CI pipelineAdditional quality gates:
make complexity
make audit
make acceptance
cargo harness coverage --min=0
cargo harness crap --max=30- Runtime-only vulnerabilities in dynamic code paths may be missed.
- Very large files can increase scan time.
- Multi-file taint is supported but still an area to harden further.
