Skip to content

Corgea/Sighthound

Repository files navigation

Sighthound

Sighthound Logo

Tree-sitter based static vulnerability scanner with pattern matching and taint-flow analysis.

Rust License CI

Want Sighthound without the setup? Sign up for Corgea, where Sighthound is built in alongside AI SAST, secrets, container, dependency, and IaC scanning—with false-positive reduction and automated fixes.

What It Does

  • Scans source code for security issues using AST-aware rules.
  • Supports pattern mode and taint mode (source to sink tracking).
  • Handles multi-file projects and parallel execution.
  • Outputs findings as text, JSON, CSV, or SARIF.
  • Loads embedded rule packs by file extension, with optional file-based custom rules.

Language Support

Language Extensions Parser Bundled Rules
Python .py, .pyw, .pyi, .pyx Yes Yes
JavaScript .js, .mjs, .cjs, .jsx, .vue, .svelte Yes Yes
TypeScript / TSX .ts, .tsx, .mts, .cts Yes Yes (JS rules)
Java .java Yes Yes
PHP .php, .phtml Yes Yes
C# .cs, .csx Yes Yes
Go .go Yes Yes
Ruby .rb Yes Yes
HTML .html, .htm, .twig, .ejs, .hbs, ... Yes Yes
Django templates .html (Django syntax) Yes Yes (HTML rules)

Not currently supported: Razor (.cshtml), C/C++ (.c, .h).

Installation

Prerequisites:

  • Rust 1.85+
  • Git

Build from source:

git clone https://github.com/Corgea/Sighthound.git
cd Sighthound
cargo build --release

Binary path: target/release/sighthound

Linux-container-compatible release export:

DOCKER_BUILDKIT=1 docker build \
  --target export \
  --output type=local,dest=./sighthound_release \
  .

Or run ./build_all_platforms.sh.

Quick Start

# Auto-detect languages and run embedded rules
cargo run --bin sighthound -- /path/to/project

# Explicit language + custom rules path
cargo run --bin sighthound -- /path/to/project python rules/python

# Taint-only scan and JSON output
cargo run --bin sighthound -- --taint-analysis --output-format json /path/to/project > findings.json

# SARIF output for GitHub Code Scanning
cargo run --bin sighthound -- --output-format sarif /path/to/project > results.sarif

CLI shape:

sighthound [OPTIONS] <ROOT_DIR> [LANGUAGE] [RULES_PATH]

Run sighthound --help for the full option list.

GitHub Code Scanning

The sarif output format writes SARIF 2.1.0, which GitHub Code Scanning ingests directly. Upload it from a workflow so findings appear inline on the pull request and in the repository's Security tab:

Run the scan from the repository root and use . (or the repository root's absolute path) as <ROOT_DIR> so SARIF artifact URIs stay repository-relative.

- name: Run Sighthound
  run: sighthound --output-format sarif . > results.sarif
- name: Upload SARIF
  uses: github/codeql-action/upload-sarif@v3
  with:
    sarif_file: results.sarif

Rules

Rules are written in RON and support both:

  • mode: "search" for pattern matching
  • mode: "taint" for source/sink/sanitizer analysis

Start here:

Development

Core commands:

make check        # fix + format + lint + test + suppression report
make pre-commit   # staged Rust files (hook)
make pre-push     # push gate checks
make ci           # strict CI pipeline

Additional quality gates:

make complexity
make audit
make acceptance
cargo harness coverage --min=0
cargo harness crap --max=30

Limitations

  • Runtime-only vulnerabilities in dynamic code paths may be missed.
  • Very large files can increase scan time.
  • Multi-file taint is supported but still an area to harden further.

Contributing

License