Shisho is a lightweight static code analyzer designed for developers and security teams.
The key motivation behind Shisho is to provide Security-as-Code for code itself: it lets you analyze and transform your source code with an intuitive DSL, so that a policy ("every S3 bucket must be encrypted", for instance) is expressed as a versioned, reviewable rule rather than a checklist. Here's an example of policies for Terraform code:
In addition, Shisho runs everywhere. The tool works fully offline, so your code never has to leave your machine, and it can also run inside Continuous Integration (CI) systems such as GitHub Actions.
We already have sed or something like that.
There are indeed several static analysis engines in the world already, so you may wonder why we need Shisho now. See the Comparison page for the answer.
As of 2021/08/18, Shisho supports the following languages:
- HCL (Terraform)
A rule describes how the parts of the code matched by a pattern should be treated (reported, constrained, rewritten). It mainly consists of:
A ruleset is a set of rules together with the Shisho version information they were written for. Here's an example ruleset:
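The ruleset below is an added example written by the editor, not code taken from the Shisho project page. It shows what a policy for the Terraform case mentioned above could look like: a single rule that flags every `aws_s3_bucket` resource lacking a `server_side_encryption_configuration` block and rewrites it to add one. The metavariable syntax (`:[NAME]` for one node, `:[...X]` for a sequence of nodes), the `constraints` / `should: not-match` form, the `version`, `id`, `language`, `message`, `pattern` and `rewrite` keys, and the invocation `shisho check --ruleset policy.yaml ./terraform` are the editor's understanding of the Shisho DSL and should be checked against the current Shisho documentation before use.

```yaml
# policy.yaml (editor's example; syntax assumed, verify against the Shisho docs)
version: "1"
rules:
  - id: "unencrypted-s3-bucket"
    language: hcl
    message: |
      S3 bucket is not encrypted at rest: add a server_side_encryption_configuration block.
    # Match any aws_s3_bucket resource; :[NAME] binds the bucket label,
    # :[...X] binds the whole body so the constraint can inspect it.
    pattern: |
      resource "aws_s3_bucket" :[NAME] {
        :[...X]
      }
    # Only report when the body does NOT already contain an encryption block.
    constraints:
      - target: X
        should: not-match
        pattern: |
          server_side_encryption_configuration {
            :[...]
          }
    # Optional autofix: keep the original body and append a default SSE block.
    rewrite: |
      resource "aws_s3_bucket" :[NAME] {
        :[X]
        server_side_encryption_configuration {
          rule {
            apply_server_side_encryption_by_default {
              sse_algorithm = "AES256"
            }
          }
        }
      }
```

Run it with something like `shisho check --ruleset policy.yaml ./terraform` (assumed invocation) in CI: a bucket declared as `resource "aws_s3_bucket" "logs" { bucket = "my-logs" }` is reported, while one that already carries a `server_side_encryption_configuration` block is left alone, because the `not-match` constraint on `X` fails for it. The rewrite keeps the matched body (`:[X]`) intact and only appends the encryption block, which is the behaviour you want from an autofix that must not drop existing settings.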
Copyright (C) 2021 flatt-security