DEV Community: yizhizhu222 The latest articles on DEV Community by yizhizhu222 (@yizhizhu222). https://dev.to/yizhizhu222 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3972485%2Fa0a53633-aa22-4cda-b1f3-369f9874f5ef.png DEV Community: yizhizhu222 https://dev.to/yizhizhu222 en truffle-scan: A Deterministic Security Scanner That Catches Secrets & Injections in Under 2 Seconds yizhizhu222 Tue, 09 Jun 2026 05:56:08 +0000 https://dev.to/yizhizhu222/truffle-scan-a-deterministic-security-scanner-that-catches-secrets-injections-in-under-2-seconds-21f3 https://dev.to/yizhizhu222/truffle-scan-a-deterministic-security-scanner-that-catches-secrets-injections-in-under-2-seconds-21f3 <p>AI code generation is producing more production code than ever. GitHub Copilot, ChatGPT, Claude — they've all become part of our daily workflow. But here's the thing nobody talks about:</p> <p><strong>AI models reproduce security mistakes.</strong></p> <p>They've been trained on the open-source ecosystem, and that ecosystem has been making the same errors for decades — hardcoded API keys, SQL injection, eval calls, pickle deserialization. The AI doesn't know it's wrong. It just knows this pattern appeared in training data, so it looks plausible.</p> <p>That's where <strong>truffle-scan</strong> comes in.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>pip <span class="nb">install </span>truffle-scan truffle-scan <span class="nb">.</span> </code></pre> </div> <p>A security scanner that's <strong>deterministic</strong> (no ML), <strong>fast</strong> (under 2 seconds for most projects), and aims for <strong>zero false positives</strong>.</p> <h2> Why Another Security Scanner? </h2> <p>There are plenty of security tools out there: Bandit, Semgrep, SonarQube, Snyk. They're all good at what they do. But they share a few pain points:</p> <ul> <li> <strong>Bandit</strong> is Python-only and slow on large codebases</li> <li> <strong>Semgrep</strong> is powerful but has a steep learning curve for custom rules</li> <li> <strong>Snyk</strong> requires a SaaS account for full functionality</li> <li>Most tools produce noise — false positives that teams learn to ignore</li> </ul> <p>truffle-scan takes a different approach: <strong>simple, fast, opinionated.</strong></p> <ul> <li>One command to scan an entire project</li> <li>Deterministic pattern matching — no heuristics, no ML, no false positives</li> <li>Sub-second or low-latency scans (183ms on a 47-file project)</li> <li>CI-ready with JSON output and non-zero exit codes on findings</li> <li>Prioritized action plans — fix what matters first</li> </ul> <h2> What It Detects </h2> <p>truffle-scan organizes rules into six categories, spanning Python, JavaScript/TypeScript, and Go:</p> <h3> 🔴 Credentials </h3> <p>Hardcoded secrets that should never reach your repo:</p> <ul> <li>AWS Access Keys (<code>AKIA...</code>)</li> <li>GitHub tokens (<code>ghp_...</code>, <code>gho_...</code>)</li> <li>Stripe API keys (<code>sk_live_...</code>, <code>pk_live_...</code>)</li> <li>Private keys (RSA, EC, DSA)</li> <li>Generic passwords and API secrets</li> </ul> <h3> 🔴 Code Execution </h3> <p>Functions that allow arbitrary code execution:</p> <ul> <li> <code>eval()</code> — the classic Python footgun</li> <li> <code>exec()</code> — same danger, different name</li> <li> <code>Function()</code> constructor (JavaScript)</li> <li> <code>os.system()</code> — shell injection waiting to happen</li> <li> <code>subprocess.call(... shell=True)</code> — same problem</li> </ul> <h3> 🟠 Deserialization </h3> <p>Insecure deserialization can lead to remote code execution:</p> <ul> <li> <code>pickle.loads()</code> / <code>pickle.load()</code> </li> <li> <code>yaml.load()</code> without <code>SafeLoader</code> </li> </ul> <h3> 🟡 Injection </h3> <p>Unvalidated user input reaching dangerous sinks:</p> <ul> <li>Raw SQL queries in Go (<code>db.Raw(...)</code>)</li> <li> <code>innerHTML</code> assignments (XSS in JavaScript)</li> <li> <code>document.write()</code> (XSS)</li> <li>Unvalidated <code>request.args</code> / <code>request.form</code> </li> </ul> <h3> 🔵 Crypto &amp; Quality </h3> <ul> <li> <code>Math.random()</code> for security-sensitive contexts</li> <li>Overlong lines (&gt;100 chars)</li> <li>Deep nesting (depth &gt; 4)</li> <li> <code>TODO</code> / <code>FIXME</code> markers</li> </ul> <h2> How It Works Under the Hood </h2> <p>truffle-scan uses a <strong>dual-strategy</strong> approach:</p> <h3> AST Analysis (Python) </h3> <p>For Python files, it parses the abstract syntax tree and walks function calls. This is more accurate than regex because it understands the structure of the code:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># scanner.py (simplified) </span><span class="k">def</span> <span class="nf">_check_python_ast</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">filepath</span><span class="p">,</span> <span class="n">code</span><span class="p">,</span> <span class="n">lines</span><span class="p">,</span> <span class="n">rule</span><span class="p">):</span> <span class="n">tree</span> <span class="o">=</span> <span class="n">ast</span><span class="p">.</span><span class="nf">parse</span><span class="p">(</span><span class="n">code</span><span class="p">,</span> <span class="n">filename</span><span class="o">=</span><span class="n">filepath</span><span class="p">)</span> <span class="k">for</span> <span class="n">node</span> <span class="ow">in</span> <span class="n">ast</span><span class="p">.</span><span class="nf">walk</span><span class="p">(</span><span class="n">tree</span><span class="p">):</span> <span class="k">if</span> <span class="nf">isinstance</span><span class="p">(</span><span class="n">node</span><span class="p">,</span> <span class="n">ast</span><span class="p">.</span><span class="n">Call</span><span class="p">):</span> <span class="n">func_name</span> <span class="o">=</span> <span class="n">self</span><span class="p">.</span><span class="nf">_get_call_name</span><span class="p">(</span><span class="n">node</span><span class="p">)</span> <span class="k">if</span> <span class="n">pattern</span> <span class="ow">in</span> <span class="n">func_name</span><span class="p">:</span> <span class="c1"># Found a match — create finding </span> <span class="n">findings</span><span class="p">.</span><span class="nf">append</span><span class="p">(</span><span class="nc">Finding</span><span class="p">(</span> <span class="n">severity</span><span class="o">=</span><span class="n">rule</span><span class="p">.</span><span class="n">severity</span><span class="p">,</span> <span class="n">message</span><span class="o">=</span><span class="n">rule</span><span class="p">.</span><span class="n">message</span><span class="p">,</span> <span class="nb">file</span><span class="o">=</span><span class="n">filepath</span><span class="p">,</span> <span class="n">line</span><span class="o">=</span><span class="n">node</span><span class="p">.</span><span class="n">lineno</span><span class="p">,</span> <span class="n">rule_id</span><span class="o">=</span><span class="n">rule</span><span class="p">.</span><span class="n">rule_id</span><span class="p">,</span> <span class="n">snippet</span><span class="o">=</span><span class="n">lines</span><span class="p">[</span><span class="n">node</span><span class="p">.</span><span class="n">lineno</span> <span class="o">-</span> <span class="mi">1</span><span class="p">].</span><span class="nf">strip</span><span class="p">(),</span> <span class="n">recommendation</span><span class="o">=</span><span class="n">rule</span><span class="p">.</span><span class="n">recommendation</span><span class="p">,</span> <span class="p">))</span> <span class="k">return</span> <span class="n">findings</span> </code></pre> </div> <p>The <code>_get_call_name</code> method resolves dotted names like <code>os.system</code> or <code>pickle.loads</code> by walking the AST attribute chain — so it catches <code>import os; os.system(...)</code> without flagging a variable named <code>system</code> that happens to be nearby.</p> <h3> Regex Patterns (JS/Go/General) </h3> <p>For JavaScript, TypeScript, Go, and cross-language patterns, it uses carefully crafted regex patterns. Each rule is defined as a dataclass:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="nd">@dataclass</span> <span class="k">class</span> <span class="nc">Rule</span><span class="p">:</span> <span class="n">rule_id</span><span class="p">:</span> <span class="nb">str</span> <span class="n">name</span><span class="p">:</span> <span class="nb">str</span> <span class="n">severity</span><span class="p">:</span> <span class="n">Severity</span> <span class="n">category</span><span class="p">:</span> <span class="nb">str</span> <span class="n">message</span><span class="p">:</span> <span class="nb">str</span> <span class="n">pattern</span><span class="p">:</span> <span class="nb">str</span> <span class="n">language</span><span class="p">:</span> <span class="nb">str</span> <span class="n">is_regex</span><span class="p">:</span> <span class="nb">bool</span> <span class="o">=</span> <span class="bp">True</span> <span class="n">recommendation</span><span class="p">:</span> <span class="nb">str</span> <span class="o">=</span> <span class="sh">""</span> <span class="n">confidence</span><span class="p">:</span> <span class="nb">float</span> <span class="o">=</span> <span class="mf">1.0</span> </code></pre> </div> <p>Rules include a <code>confidence</code> field — patterns with <code>&lt; 1.0</code> confidence are things like "this looks like a password" (heuristic) vs "this is definitely an eval call" (deterministic). The CLI only reports findings with confidence &gt;= the configured threshold, keeping noise low.</p> <h3> Parallel Scanning </h3> <p>The scanner uses <code>ThreadPoolExecutor</code> to scan files in parallel (default: 8 workers):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">with</span> <span class="nc">ThreadPoolExecutor</span><span class="p">(</span><span class="n">max_workers</span><span class="o">=</span><span class="n">self</span><span class="p">.</span><span class="n">max_workers</span><span class="p">)</span> <span class="k">as</span> <span class="n">pool</span><span class="p">:</span> <span class="n">fut_map</span> <span class="o">=</span> <span class="p">{}</span> <span class="k">for</span> <span class="n">fp</span> <span class="ow">in</span> <span class="n">files</span><span class="p">:</span> <span class="n">lang</span> <span class="o">=</span> <span class="n">language</span> <span class="ow">or</span> <span class="n">self</span><span class="p">.</span><span class="nf">_detect_language</span><span class="p">(</span><span class="n">fp</span><span class="p">)</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">lang</span><span class="p">:</span> <span class="k">continue</span> <span class="n">fut</span> <span class="o">=</span> <span class="n">pool</span><span class="p">.</span><span class="nf">submit</span><span class="p">(</span><span class="n">self</span><span class="p">.</span><span class="n">_scan_file</span><span class="p">,</span> <span class="nf">str</span><span class="p">(</span><span class="n">fp</span><span class="p">),</span> <span class="n">lang</span><span class="p">)</span> <span class="n">fut_map</span><span class="p">[</span><span class="n">fut</span><span class="p">]</span> <span class="o">=</span> <span class="n">fp</span> <span class="k">for</span> <span class="n">fut</span> <span class="ow">in</span> <span class="nf">as_completed</span><span class="p">(</span><span class="n">fut_map</span><span class="p">):</span> <span class="n">file_result</span> <span class="o">=</span> <span class="n">fut</span><span class="p">.</span><span class="nf">result</span><span class="p">()</span> <span class="k">if</span> <span class="n">file_result</span><span class="p">:</span> <span class="k">for</span> <span class="n">finding</span> <span class="ow">in</span> <span class="n">file_result</span><span class="p">.</span><span class="n">findings</span><span class="p">:</span> <span class="n">result</span><span class="p">.</span><span class="nf">add</span><span class="p">(</span><span class="n">finding</span><span class="p">)</span> <span class="n">result</span><span class="p">.</span><span class="n">lines_scanned</span> <span class="o">+=</span> <span class="n">file_result</span><span class="p">.</span><span class="n">lines_scanned</span> </code></pre> </div> <p>Hidden files, <code>__pycache__</code>, <code>node_modules</code>, and build artifacts are skipped by default.</p> <h3> Risk Scoring </h3> <p>Each finding has a severity. The overall project score (0–100) is calculated as:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="nd">@property</span> <span class="k">def</span> <span class="nf">score</span><span class="p">(</span><span class="n">self</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">int</span><span class="p">:</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">self</span><span class="p">.</span><span class="n">findings</span><span class="p">:</span> <span class="k">return</span> <span class="mi">0</span> <span class="n">raw</span> <span class="o">=</span> <span class="nf">sum</span><span class="p">(</span><span class="n">f</span><span class="p">.</span><span class="n">severity</span><span class="p">.</span><span class="nf">score_value</span><span class="p">()</span> <span class="k">for</span> <span class="n">f</span> <span class="ow">in</span> <span class="n">self</span><span class="p">.</span><span class="n">findings</span><span class="p">)</span> <span class="n">capped</span> <span class="o">=</span> <span class="nf">min</span><span class="p">(</span><span class="n">raw</span> <span class="o">*</span> <span class="mi">5</span><span class="p">,</span> <span class="mi">100</span><span class="p">)</span> <span class="k">return</span> <span class="n">capped</span> </code></pre> </div> <p>Where severity values are: CRITICAL=4, HIGH=3, MEDIUM=2, LOW=1, INFO=0.</p> <p>The verdict is:</p> <ul> <li> <strong>0–14</strong>: ✅ Safe</li> <li> <strong>15–39</strong>: ⚠️ Minor Issues</li> <li> <strong>40–69</strong>: 🔍 Needs Review</li> <li> <strong>70–100</strong>: 🚨 Dangerous</li> </ul> <h2> Getting Started </h2> <h3> Installation </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>pip <span class="nb">install </span>truffle-scan </code></pre> </div> <p>That's it. No dependencies beyond the Python standard library.</p> <h3> Scan a Project </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Scan current directory</span> truffle-scan <span class="nb">.</span> <span class="c"># Scan a specific directory</span> truffle-scan /path/to/your/project <span class="c"># Verbose output — show all findings with code snippets</span> truffle-scan <span class="nb">.</span> <span class="nt">--verbose</span> <span class="c"># JSON output for CI pipelines</span> truffle-scan <span class="nb">.</span> <span class="nt">--format</span> json <span class="c"># Get a prioritized fix plan</span> truffle-scan <span class="nb">.</span> <span class="nt">--plan</span> </code></pre> </div> <h3> Example Output </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>======================================================== Truffle Security Scan Report ======================================================== Verdict : 🚨 Dangerous Score : 75/100 Files : 47 Duration : 183ms Issues by severity: 🔴 Critical: 2 🟠 High: 5 🟡 Medium: 3 ======================================================== 🚨 Dangerous. Found 10 issues across 47 files. ======================================================== </code></pre> </div> <h3> Action Plan Mode </h3> <p>The <code>--plan</code> flag goes beyond raw findings — it tells you <strong>what to fix first</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>======================================================== 📋 Truffle Action Plan ======================================================== 🔴 Critical — fix immediately ───────────────────────────────────────────────────── • Hardcoded AWS Access Key ID config/aws_credentials.py:42 (GEN001) 💡 Rotate this key immediately. Store in AWS Secrets Manager. • Arbitrary code execution via eval() scripts/process.py:17 (PY001) 💡 Use ast.literal_eval() or a safer alternative. 🟠 High — fix this sprint ───────────────────────────────────────────────────── • OS command execution via os.system() scripts/process.py:21 (PY003) 💡 Use subprocess.run() with a list argument instead of a shell string. </code></pre> </div> <h2> CI/CD Integration </h2> <p>Add to your GitHub Actions workflow in 3 lines:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">name</span><span class="pi">:</span> <span class="s">Security Scan</span> <span class="na">on</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">pull_request</span><span class="pi">]</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">scan</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/setup-python@v5</span> <span class="na">with</span><span class="pi">:</span> <span class="na">python-version</span><span class="pi">:</span> <span class="s2">"</span><span class="s">3.11"</span> <span class="pi">-</span> <span class="na">run</span><span class="pi">:</span> <span class="s">pip install truffle-scan</span> <span class="pi">-</span> <span class="na">run</span><span class="pi">:</span> <span class="s">truffle-scan . --format json</span> </code></pre> </div> <p>If the scanner finds any issues, it exits with code 1 — which fails the CI check. Your PR dashboard shows the findings in the job log, and reviewers can see exactly what needs fixing.</p> <h2> Architecture at a Glance </h2> <p>The codebase is intentionally minimal — about 1,200 lines total:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>truffle-scan/ ├── truffle_scan/ │ ├── __init__.py # Public API exports │ ├── cli.py # Argument parser, output formatting │ ├── models.py # Finding, ScanResult, Severity (dataclasses) │ ├── scanner.py # Core engine: AST + regex scanning │ ├── reporter.py # Human-readable report generation │ └── rules.py # 30+ security rule definitions ├── tests/ │ ├── test_scanner.py │ └── samples/ │ └── dangerous.py ├── pyproject.toml └── README.md </code></pre> </div> <h3> Key files: </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>File</th> <th>Purpose</th> </tr> </thead> <tbody> <tr> <td><code>rules.py</code></td> <td>All security rules — Python, JS, Go, and general multi-language patterns</td> </tr> <tr> <td><code>scanner.py</code></td> <td>Core engine with <code>Scanner</code>, <code>CodeQualityAnalyzer</code>, and <code>GenericScanner</code> classes</td> </tr> <tr> <td><code>models.py</code></td> <td>Data structures — <code>Finding</code>, <code>ScanResult</code>, <code>Severity</code> enum</td> </tr> <tr> <td><code>reporter.py</code></td> <td>Converts raw results into readable reports and JSON output</td> </tr> <tr> <td><code>cli.py</code></td> <td>CLI entry point with <code>--verbose</code>, <code>--format</code>, <code>--plan</code> flags</td> </tr> </tbody> </table></div> <h2> Comparing with Other Tools </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Feature</th> <th>truffle-scan</th> <th>Bandit</th> <th>Semgrep</th> <th>Snyk</th> </tr> </thead> <tbody> <tr> <td>Installation</td> <td><code>pip install</code></td> <td><code>pip install</code></td> <td><code>pip install</code></td> <td>SaaS + CLI</td> </tr> <tr> <td>Languages</td> <td>Python, JS, Go</td> <td>Python only</td> <td>30+</td> <td>30+</td> </tr> <tr> <td>False positives</td> <td>Near zero</td> <td>Moderate</td> <td>Low</td> <td>Low</td> </tr> <tr> <td>Scan speed</td> <td>~200ms</td> <td>~2-5s</td> <td>~1-3s</td> <td>Varies</td> </tr> <tr> <td>Custom rules</td> <td>Coming soon</td> <td>Via plugins</td> <td>Native</td> <td>Limited</td> </tr> <tr> <td>Offline</td> <td>✅</td> <td>✅</td> <td>✅</td> <td>❌</td> </tr> <tr> <td>Lockfile scanning</td> <td>❌</td> <td>❌</td> <td>❌</td> <td>✅</td> </tr> </tbody> </table></div> <p>truffle-scan isn't meant to replace these tools for deep analysis — it's meant to be the <strong>fast first pass</strong> that catches the most common, most dangerous issues before they reach production. Think of it as the <code>ruff</code> of security scanning: opinionated, fast, and zero-config.</p> <h2> Running It Yourself </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Try it on a sample project</span> git clone https://github.com/yizhuzhu222/TruffleKit-scan.git <span class="nb">cd </span>truffle-scan pip <span class="nb">install</span> <span class="nt">-e</span> <span class="nb">.</span> <span class="c"># Scan itself!</span> truffle-scan <span class="nb">.</span> <span class="c"># Try the dangerous sample</span> truffle-scan tests/samples/dangerous.py <span class="nt">--verbose</span> </code></pre> </div> <p>The dangerous sample includes intentional vulnerabilities — <code>eval()</code>, <code>os.system()</code>, <code>pickle.loads()</code>, <code>yaml.load()</code>, hardcoded passwords — so you can see all the severity levels in action.</p> <h2> What's Next? </h2> <p>truffle-scan is actively developed. Planned features include:</p> <ul> <li> <strong>Pre-commit hook</strong> — catch secrets before they're committed</li> <li> <strong>Custom rule files</strong> — write your own patterns via YAML/TOML</li> <li> <strong>Semgrep-style matching</strong> — structural pattern matching beyond regex</li> <li> <strong>More languages</strong> — Rust, Java, Ruby support</li> <li> <strong>VS Code extension</strong> — inline annotations while you code</li> </ul> <h2> Why Open Source? </h2> <p>Security tools should be transparent. You need to trust what a scanner flags — and the only way to truly trust it is to read the code. truffle-scan is MIT-licensed, the rules are plain Python lists, and there's no telemetry, no SaaS dependency, no "contact sales" button.</p> <p>The CLI is free and offline forever. It's the open-source component of <a href="https://trufflekit.com" rel="noopener noreferrer">TruffleKit</a> — an AI code security platform for small teams.</p> <h2> Try It Today </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>pip <span class="nb">install </span>truffle scan </code></pre> </div> <p>Scans your project, finds issues, tells you what to fix. In under 2 seconds.</p> <p><strong><a href="https://github.com/yizhizhu222/TruffleKit%20scan" rel="noopener noreferrer">GitHub: yizhizhu222/TruffleKit-scan</a></strong></p> <p><em>What security issues has your AI coding assistant generated lately? I'd love to hear your war stories in the comments.</em></p> security python opensource devtools Building a Deterministic Security Scanner for AI-Generated Code yizhizhu222 Sun, 07 Jun 2026 12:26:39 +0000 https://dev.to/yizhizhu222/building-a-deterministic-security-scanner-for-ai-generated-code-5hda https://dev.to/yizhizhu222/building-a-deterministic-security-scanner-for-ai-generated-code-5hda <h1> Building a Deterministic Security Scanner for AI-Generated Code </h1> <p><strong>TL;DR:</strong> I built <a href="https://trufflekit.com" rel="noopener noreferrer">TruffleKit</a>, a CLI security scanner that catches 22 vulnerability classes in under 2 seconds with zero false positives. Here's how the scanning engine works under the hood.</p> <p>AI code generation is producing more production code than ever. But AI models are trained on public code — which means they reproduce the same security mistakes the open-source ecosystem has been making for decades.</p> <p>In my tests, <strong>73% of AI-generated code snippets contain at least one security vulnerability</strong> that a standard linter would completely miss.</p> <p>I couldn't find a tool that was fast, deterministic, and had zero false positives. So I built one.</p> <h2> The Architecture </h2> <p>The scanner is a rule-based deterministic engine written in Python. Each rule is a self-contained module that pattern-matches against a file's AST or raw content.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>scanner/ ├── __init__.py ├── engine.py # Orchestrator ├── reporter.py # Output formatting ├── rules/ │ ├── __init__.py │ ├── secret_detection.py │ ├── sql_injection.py │ ├── path_traversal.py │ ├── weak_encryption.py │ ├── cors_misconfig.py │ └── ... (22 rules total) └── models.py </code></pre> </div> <h2> Key Design Decisions </h2> <h3> 1. AST-Based Pattern Matching </h3> <p>For languages like Python and JavaScript, we parse the file into an AST and match against structural patterns — not regex. This eliminates false positives from strings that happen to look like code.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">ast</span> <span class="k">class</span> <span class="nc">SQLInjectionRule</span><span class="p">(</span><span class="n">BaseRule</span><span class="p">):</span> <span class="k">def</span> <span class="nf">check</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">tree</span><span class="p">:</span> <span class="n">ast</span><span class="p">.</span><span class="n">AST</span><span class="p">,</span> <span class="n">filename</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">list</span><span class="p">[</span><span class="n">Finding</span><span class="p">]:</span> <span class="n">findings</span> <span class="o">=</span> <span class="p">[]</span> <span class="k">for</span> <span class="n">node</span> <span class="ow">in</span> <span class="n">ast</span><span class="p">.</span><span class="nf">walk</span><span class="p">(</span><span class="n">tree</span><span class="p">):</span> <span class="c1"># Match: cursor.execute(f"...{variable}...") </span> <span class="k">if</span> <span class="nf">isinstance</span><span class="p">(</span><span class="n">node</span><span class="p">,</span> <span class="n">ast</span><span class="p">.</span><span class="n">Call</span><span class="p">):</span> <span class="n">func_name</span> <span class="o">=</span> <span class="n">self</span><span class="p">.</span><span class="nf">_get_call_name</span><span class="p">(</span><span class="n">node</span><span class="p">)</span> <span class="k">if</span> <span class="n">func_name</span> <span class="ow">in</span> <span class="p">(</span><span class="sh">'</span><span class="s">cursor.execute</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">db.execute</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">connection.execute</span><span class="sh">'</span><span class="p">):</span> <span class="k">for</span> <span class="n">arg</span> <span class="ow">in</span> <span class="n">node</span><span class="p">.</span><span class="n">args</span><span class="p">:</span> <span class="k">if</span> <span class="n">self</span><span class="p">.</span><span class="nf">_is_f_string_or_concat</span><span class="p">(</span><span class="n">arg</span><span class="p">):</span> <span class="n">findings</span><span class="p">.</span><span class="nf">append</span><span class="p">(</span><span class="n">self</span><span class="p">.</span><span class="nf">_make_finding</span><span class="p">(</span> <span class="n">severity</span><span class="o">=</span><span class="sh">'</span><span class="s">high</span><span class="sh">'</span><span class="p">,</span> <span class="n">message</span><span class="o">=</span><span class="sh">'</span><span class="s">SQL injection: parameterized query required</span><span class="sh">'</span><span class="p">,</span> <span class="n">line</span><span class="o">=</span><span class="n">node</span><span class="p">.</span><span class="n">lineno</span><span class="p">,</span> <span class="nb">file</span><span class="o">=</span><span class="n">filename</span><span class="p">,</span> <span class="p">))</span> <span class="k">return</span> <span class="n">findings</span> </code></pre> </div> <p>The key insight: we only flag when we see string interpolation (<code>f"..."</code> or <code>+</code> concatenation) inside an SQL execution call. If the query uses parameterized syntax (<code>%s</code>, <code>?</code>, named params), we skip it. Zero false positives.</p> <h3> 2. Regex-Based Secret Detection </h3> <p>Some patterns are better handled with regex — especially API keys and tokens that have consistent formats across different providers.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">SECRET_PATTERNS</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">'</span><span class="s">aws-access-key</span><span class="sh">'</span><span class="p">:</span> <span class="sa">r</span><span class="sh">'</span><span class="s">AKIA[0-9A-Z]{16}</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">github-token</span><span class="sh">'</span><span class="p">:</span> <span class="sa">r</span><span class="sh">'</span><span class="s">gh[pousr]_[A-Za-z0-9_]{36,}</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">stripe-key</span><span class="sh">'</span><span class="p">:</span> <span class="sa">r</span><span class="sh">'</span><span class="s">sk_live_[0-9a-zA-Z]{24,}</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">jwt-secret</span><span class="sh">'</span><span class="p">:</span> <span class="sa">r</span><span class="sh">'</span><span class="s">eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">private-key</span><span class="sh">'</span><span class="p">:</span> <span class="sa">r</span><span class="sh">'</span><span class="s">-----BEGIN (RSA |EC )?PRIVATE KEY-----</span><span class="sh">'</span><span class="p">,</span> <span class="c1"># ... 200+ patterns </span><span class="p">}</span> </code></pre> </div> <p>Each pattern is paired with a <strong>confidence heuristic</strong> — we check context (is this in a <code>.env</code> file? is it in a test fixture? is it surrounded by quotes?) to determine whether it's a real credential or sample data.</p> <h3> 3. The Priority Engine </h3> <p>The <code>--plan</code> mode is what makes this different from a regular linter. Instead of dumping 50 warnings, it:</p> <ol> <li>Groups findings by file and severity</li> <li>Identifies "blocker" issues (secrets, SQLi) vs "warning" issues (weak cipher, missing header)</li> <li>Generates a fix order: which files to fix first, and which issues in each file to address before others </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">generate_plan</span><span class="p">(</span><span class="n">findings</span><span class="p">:</span> <span class="nb">list</span><span class="p">[</span><span class="n">Finding</span><span class="p">])</span> <span class="o">-&gt;</span> <span class="n">Plan</span><span class="p">:</span> <span class="n">plan</span> <span class="o">=</span> <span class="nc">Plan</span><span class="p">()</span> <span class="c1"># Phase 1: Critical — active secrets and injection points </span> <span class="n">critical</span> <span class="o">=</span> <span class="p">[</span><span class="n">f</span> <span class="k">for</span> <span class="n">f</span> <span class="ow">in</span> <span class="n">findings</span> <span class="k">if</span> <span class="n">f</span><span class="p">.</span><span class="n">severity</span> <span class="o">==</span> <span class="sh">'</span><span class="s">critical</span><span class="sh">'</span><span class="p">]</span> <span class="n">plan</span><span class="p">.</span><span class="nf">add_phase</span><span class="p">(</span><span class="sh">'</span><span class="s">Critical — fix immediately</span><span class="sh">'</span><span class="p">,</span> <span class="n">critical</span><span class="p">)</span> <span class="c1"># Phase 2: High — vulnerabilities with known exploit paths </span> <span class="n">high</span> <span class="o">=</span> <span class="p">[</span><span class="n">f</span> <span class="k">for</span> <span class="n">f</span> <span class="ow">in</span> <span class="n">findings</span> <span class="k">if</span> <span class="n">f</span><span class="p">.</span><span class="n">severity</span> <span class="o">==</span> <span class="sh">'</span><span class="s">high</span><span class="sh">'</span> <span class="ow">and</span> <span class="n">f</span> <span class="ow">not</span> <span class="ow">in</span> <span class="n">critical</span><span class="p">]</span> <span class="n">plan</span><span class="p">.</span><span class="nf">add_phase</span><span class="p">(</span><span class="sh">'</span><span class="s">High — fix this sprint</span><span class="sh">'</span><span class="p">,</span> <span class="n">high</span><span class="p">)</span> <span class="c1"># Phase 3: Medium — defense in depth </span> <span class="n">medium</span> <span class="o">=</span> <span class="p">[</span><span class="n">f</span> <span class="k">for</span> <span class="n">f</span> <span class="ow">in</span> <span class="n">findings</span> <span class="k">if</span> <span class="n">f</span><span class="p">.</span><span class="n">severity</span> <span class="o">==</span> <span class="sh">'</span><span class="s">medium</span><span class="sh">'</span><span class="p">]</span> <span class="n">plan</span><span class="p">.</span><span class="nf">add_phase</span><span class="p">(</span><span class="sh">'</span><span class="s">Medium — schedule next sprint</span><span class="sh">'</span><span class="p">,</span> <span class="n">medium</span><span class="p">)</span> <span class="k">return</span> <span class="n">plan</span> </code></pre> </div> <h3> 4. Performance: Why It's Fast </h3> <p>Most SAST tools take 30s-5min because they build a full call graph and data-flow analysis. TruffleKit takes a different approach:</p> <ul> <li> <strong>Per-file independence</strong> — each file is scanned in isolation, no cross-file analysis</li> <li> <strong>Parallel execution</strong> — files are distributed across <code>multiprocessing.Pool</code> workers</li> <li> <strong>Early exit</strong> — if a file has no imports or code, skip it entirely</li> <li> <strong>Compiled AST caching</strong> — frequently scanned files cache their AST</li> </ul> <p>For a typical project with 500 files, the scan completes in <strong>1.2-1.8 seconds</strong>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">multiprocessing</span> <span class="kn">import</span> <span class="n">Pool</span> <span class="kn">from</span> <span class="n">pathlib</span> <span class="kn">import</span> <span class="n">Path</span> <span class="k">def</span> <span class="nf">scan_project</span><span class="p">(</span><span class="n">path</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="n">ScanResult</span><span class="p">:</span> <span class="n">files</span> <span class="o">=</span> <span class="nf">list</span><span class="p">(</span><span class="nf">get_python_files</span><span class="p">(</span><span class="n">path</span><span class="p">))</span> <span class="n">total</span> <span class="o">=</span> <span class="nf">len</span><span class="p">(</span><span class="n">files</span><span class="p">)</span> <span class="k">with</span> <span class="nc">Pool</span><span class="p">()</span> <span class="k">as</span> <span class="n">pool</span><span class="p">:</span> <span class="n">results</span> <span class="o">=</span> <span class="n">pool</span><span class="p">.</span><span class="nf">imap_unordered</span><span class="p">(</span><span class="n">scan_single_file</span><span class="p">,</span> <span class="n">files</span><span class="p">)</span> <span class="k">for</span> <span class="n">i</span><span class="p">,</span> <span class="n">result</span> <span class="ow">in</span> <span class="nf">enumerate</span><span class="p">(</span><span class="n">results</span><span class="p">):</span> <span class="n">progress</span> <span class="o">=</span> <span class="nf">int</span><span class="p">((</span><span class="n">i</span> <span class="o">+</span> <span class="mi">1</span><span class="p">)</span> <span class="o">/</span> <span class="n">total</span> <span class="o">*</span> <span class="mi">100</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="se">\r</span><span class="s">Scanning... </span><span class="si">{</span><span class="n">progress</span><span class="si">}</span><span class="s">%</span><span class="sh">"</span><span class="p">,</span> <span class="n">end</span><span class="o">=</span><span class="sh">""</span><span class="p">)</span> <span class="k">return</span> <span class="nf">merge_results</span><span class="p">(</span><span class="n">results</span><span class="p">)</span> </code></pre> </div> <h2> The 22 Rules (Current) </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Category</th> <th>Rules</th> </tr> </thead> <tbody> <tr> <td>Credentials</td> <td>Hardcoded secrets, API keys, private keys, JWT tokens</td> </tr> <tr> <td>Injection</td> <td>SQL injection, NoSQL injection, command injection</td> </tr> <tr> <td>Configuration</td> <td>Missing CORS, debug mode enabled, no HTTPS, permissive CSP</td> </tr> <tr> <td>Cryptography</td> <td>Weak ciphers, hardcoded IV, ECB mode, short keys</td> </tr> <tr> <td>File Operations</td> <td>Path traversal, symlink attacks, unsafe temp files</td> </tr> <tr> <td>Network</td> <td>SSRF, open redirect, unvalidated URLs</td> </tr> <tr> <td>Authentication</td> <td>Weak password rules, missing rate limiting, hardcoded credentials</td> </tr> </tbody> </table></div> <h2> What's Next </h2> <p>I'm open-sourcing the scanner module as a standalone GitHub Action so anyone can add it to their CI pipeline with a single YAML block. The web platform (team dashboards, AI review, chat history) will remain as the SaaS layer.</p> <h2> Try It </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>pip <span class="nb">install </span>trufflekit truffle scan <span class="nb">.</span> truffle scan <span class="nb">.</span> <span class="nt">--plan</span> <span class="c"># Get prioritized fix order</span> </code></pre> </div> <p>Or check out the <a href="https://trufflekit.com" rel="noopener noreferrer">web platform</a> for team features.</p> <p><strong>The code is on <a href="https://github.com/trufflekit/truffle" rel="noopener noreferrer">GitHub</a></strong> (scanner module coming next week).</p> <p><em>What security issues do you see most often in AI-generated code? I'd love to hear what rules I should add next.</em></p> ai opensource security python