20 changes: 11 additions & 9 deletions README.md
Expand Up @@ -1228,7 +1228,7 @@ Kani verifies:

- **Prusti** :warning: — A static verifier for Rust, based on the Viper verification infrastructure. By default Prusti verifies absence of panics by proving that statements such as unreachable!() and panic!() are unreachable.

- **Rudra** :warning: — Rust Memory Safety & Undefined Behavior Detection. It is capable of analyzing single Rust packages as well as all the packages on crates.io.
- [Rudra](https://github.com/sslab-gatech/Rudra) — Rust Memory Safety & Undefined Behavior Detection. It is capable of analyzing single Rust packages as well as all the packages on crates.io.

- **Rust Language Server** :warning: — Supports functionality such as 'goto definition', symbol search, reformatting, and code completion, and enables renaming and refactorings.

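Review bot: the Rudra entry is flipped from the deprecated marker (`**Rudra** :warning:`) back to a live link with no rationale visible in this change set; the marker exists to warn readers that a tool is unmaintained, so the PR description should state what changed (recent commits, a new release, a maintained fork) before it is removed. The same flip is mirrored in the data/api/tools.json hunk for Rudra, so both must be reverted together if the evidence does not hold up.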
Expand Down Expand Up @@ -1471,6 +1471,8 @@ It supports multiple languages and is designed to be extensible, allowing you to

- [Codiga](https://www.codiga.io) :copyright: — Automated Code Reviews and Technical Debt management platform that supports 12+ languages.

- [cognium](https://cognium.dev) — Semantic taint-tracking SAST engine with a 36-pass analysis pipeline covering security (SQL injection, XSS, SSRF, command injection, path traversal, and 15 more CWEs), reliability, performance, and maintainability. Supports Java, JavaScript, TypeScript, Python, Rust, and Bash. Outputs text, JSON, and SARIF 2.1.0. OWASP Benchmark: 100% TPR, 0% FPR across 1415 test cases.

- [Corgea](https://corgea.com/) :copyright: — Corgea is an AI-powered SAST scanner that helps developers find and fix insecure code. It finds business logic flaws, broken authentication, API vulnerabilities, and more with little false positives. Additionally, it automatically writes security fixes for them to approve. Corgea integrates with GitHub, GitLab, Azure DevOps, IDEs and CLI. It is free to try it.

- **Corrode** :warning: — Semi-automatic translation from C to Rust. Could reveal bugs in the original implementation by showing Rust compiler warnings and errors. Superseded by C2Rust.
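Review bot: the last sentence of the new cognium description ("OWASP Benchmark: 100% TPR, 0% FPR across 1415 test cases") is a vendor-reported benchmark figure rather than a description of what the tool does, and no neighbouring entry in this list carries one; suggest dropping the sentence, or qualifying it as self-reported, and leaving the figure to the linked "OWASP Benchmark Results" resource where a reader can inspect the methodology. Alphabetical placement between Codiga and Corgea is correct.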
Expand Down Expand Up @@ -1662,7 +1664,7 @@ orchestration to ensure zero breaking changes. Specialized for React, Next.js, a

- [Teamscale](https://teamscale.com) :copyright: — Static and dynamic analysis tool supporting more than 25 languages and direct IDE integration. Free hosting for Open Source projects available on request. Free academic licenses available.

- [TencentCodeAnalysis](https://tca.tencent.com/) — Tencent Cloud Code Analysis (TCA for short, code-named CodeDog inside the company early) is a comprehensive platform for code analysis and issue tracking. TCA consist of three components, server, web and client. It integrates of a number of self-developed tools, and also supports dynamic integration of code analysis tools in various programming languages.
- **TencentCodeAnalysis** :warning: — Tencent Cloud Code Analysis (TCA for short, code-named CodeDog inside the company early) is a comprehensive platform for code analysis and issue tracking. TCA consist of three components, server, web and client. It integrates of a number of self-developed tools, and also supports dynamic integration of code analysis tools in various programming languages.

- [ThreatMapper](https://github.com/deepfence/ThreatMapper) — Vulnerability Scanner and Risk Evaluation for containers, serverless and hosts at runtime. ThreatMapper generates runtime BOMs from dependencies and operating system packages, matches against multiple threat feeds, scans for unprotected secrets, and scores issues based on severity and risk-of-exploit.

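Review bot: since the TencentCodeAnalysis line is being rewritten anyway to add `:warning:`, fix the grammar in the description at the same time: "TCA consist of three components" should read "TCA consists of three components", and "It integrates of a number of self-developed tools" should read "It integrates a number of self-developed tools". The identical text is duplicated in the data/api/tools.json hunk for this tool, so apply the wording fix in the source data rather than only here, and state in the PR description why the tool is now considered deprecated.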
Expand Down Expand Up @@ -1722,10 +1724,10 @@ orchestration to ensure zero breaking changes. Specialized for React, Next.js, a
<h2>Archive</h2>


- [alquitran](https://github.com/ferivoz/alquitran) — Inspects tar archives and tries to spot portability issues in regard to POSIX 2017 pax specification and common tar implementations.
- **alquitran** :warning: — Inspects tar archives and tries to spot portability issues in regard to POSIX 2017 pax specification and common tar implementations.
This project is intended to be used by maintainers of projects who want to offer portable source code archives for as many systems as possible. Checking tar archives with alquitran before publishing them should help spotting issues before they reach distributors and users.

- **packj** :warning: — Packj (pronounced package) is a command line (CLI) tool to vet open-source software packages for "risky" attributes that make them vulnerable to supply chain attacks. This is the tool behind our large-scale security analysis platform Packj.dev that continuously vets packages and provides free reports.
- [packj](https://github.com/ossillate-inc/packj) — Packj (pronounced package) is a command line (CLI) tool to vet open-source software packages for "risky" attributes that make them vulnerable to supply chain attacks. This is the tool behind our large-scale security analysis platform Packj.dev that continuously vets packages and provides free reports.

- **pure** :warning: — Pure is a static analysis file format checker that checks ZIP files for dangerous compression ratios, spec deviations, malicious archive signatures, mismatching local and central directory headers, ambiguous UTF-8 filenames, directory and symlink traversals, invalid MS-DOS dates, overlapping headers, overflow, underflow, sparseness, accidental buffer bleeds etc.

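Review bot: this hunk flips two entries in opposite directions (alquitran gains `:warning:`, packj loses it) with no justification in the change set; give the evidence for each (last commit date, archived repository, maintainer statement) in the PR description so the next editor can re-check it. Minor: the alquitran description continues on an unmarked second line ("This project is intended to be used ..."), so the marker is visually attached only to the first line; consider folding the description onto one line as the surrounding entries do.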
Expand Down Expand Up @@ -1887,7 +1889,7 @@ Loading address: binbloom can parse a raw binary firmware and determine its load

- **Docker Label Inspector** :warning: — Lint and validate Dockerfile labels.

- **Dockle** :warning: — Container Image Linter for Security helping build the Best-Practice Docker Image. Scans Docker images for security vulnerabilities and CIS Benchmark compliance. Checks for secrets, credential exposure, and security best practices. Provides multiple severity levels (FATAL, WARN, INFO) and supports various output formats for CI/CD integration.
- [Dockle](https://github.com/goodwithtech/dockle) — Container Image Linter for Security helping build the Best-Practice Docker Image. Scans Docker images for security vulnerabilities and CIS Benchmark compliance. Checks for secrets, credential exposure, and security best practices. Provides multiple severity levels (FATAL, WARN, INFO) and supports various output formats for CI/CD integration.

- [GitGuardian ggshield](https://www.gitguardian.com/ggshield) — ggshield is a CLI application that runs in your local environment or in a CI environment to help you detect more than 350+ types of secrets, as well as other potential security vulnerabilities or policy breaks affecting your codebase.

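Review bot: Dockle is un-deprecated here and again in two further README sections below (the identical line under the `embedded` section and the one after detect-secrets), and the matching `"deprecated": null` flip is in data/api/tools.json; all four occurrences must agree, and reviewers should check the remaining README sections for any other copy of this entry that this change did not touch, since a stale `:warning:` on one copy would contradict the others.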
Expand Down Expand Up @@ -1977,7 +1979,7 @@ Its technology helps developers automate testing, find bugs, and reduce manual l

- [Code Pathfinder](https://codepathfinder.dev) — An open-source security suite aiming to combine structural code analysis with AI-powered vulnerability detection. Built for advanced structural search, derive insights, find vulnerabilities in code.

- **Dockle** :warning: — Container Image Linter for Security helping build the Best-Practice Docker Image. Scans Docker images for security vulnerabilities and CIS Benchmark compliance. Checks for secrets, credential exposure, and security best practices. Provides multiple severity levels (FATAL, WARN, INFO) and supports various output formats for CI/CD integration.
- [Dockle](https://github.com/goodwithtech/dockle) — Container Image Linter for Security helping build the Best-Practice Docker Image. Scans Docker images for security vulnerabilities and CIS Benchmark compliance. Checks for secrets, credential exposure, and security best practices. Provides multiple severity levels (FATAL, WARN, INFO) and supports various output formats for CI/CD integration.


<a name="embedded" />
Expand Down Expand Up @@ -2284,7 +2286,7 @@ but with the following improvements:
- [detect-secrets](https://github.com/Yelp/detect-secrets) — An enterprise friendly way of detecting and preventing secrets in code.
It does this by running periodic diff outputs against heuristically crafted regex statements, to identify whether any new secret has been committed. This way, it avoids the overhead of digging through all git history, as well as the need to scan the entire repository every time.

- **Dockle** :warning: — Container Image Linter for Security helping build the Best-Practice Docker Image. Scans Docker images for security vulnerabilities and CIS Benchmark compliance. Checks for secrets, credential exposure, and security best practices. Provides multiple severity levels (FATAL, WARN, INFO) and supports various output formats for CI/CD integration.
- [Dockle](https://github.com/goodwithtech/dockle) — Container Image Linter for Security helping build the Best-Practice Docker Image. Scans Docker images for security vulnerabilities and CIS Benchmark compliance. Checks for secrets, credential exposure, and security best practices. Provides multiple severity levels (FATAL, WARN, INFO) and supports various output formats for CI/CD integration.

- **Enlightn** :warning: — A static and dynamic analysis tool for Laravel applications that provides recommendations to improve the performance, security and code reliability of Laravel apps. Contains 120 automated checks.

Expand All @@ -2296,7 +2298,7 @@ It does this by running periodic diff outputs against heuristically crafted rege

- [Grype](https://github.com/anchore/grype) — Vulnerability scanner for container images and filesystems. Developed by Anchore, it scans container images, directories, and archives for known vulnerabilities. Supports multiple image formats, SBOM integration, and VEX (Vulnerability Exploitability eXchange) for accurate vulnerability assessment. Works with various vulnerability databases and provides detailed reporting.

- [HasMySecretLeaked](https://gitguardian.com/hasmysecretleaked) :copyright: — HasMySecretLeaked is a project from GitGuardian that aims to help individual users and organizations search across 20 million exposed secrets to verify if their developer secrets have leaked on public repositories, gists, and issues on GitHub projects.
- **HasMySecretLeaked** :warning: :copyright: — HasMySecretLeaked is a project from GitGuardian that aims to help individual users and organizations search across 20 million exposed secrets to verify if their developer secrets have leaked on public repositories, gists, and issues on GitHub projects.

- **iblessing** :warning: — iblessing is an iOS security exploiting toolkit. It can be used for reverse engineering, binary analysis and vulnerability mining.

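Review bot: HasMySecretLeaked is a hosted GitGuardian service (it already carries `:copyright:`), so marking it `:warning:` calls for different evidence than for a source repository, for example the service being discontinued or the URL no longer resolving, and none is given in this change; please cite it in the PR description. The same entry is flipped again in the section below and in data/api/tools.json, so all three must carry the same status.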
Expand Down Expand Up @@ -2461,7 +2463,7 @@ TruffleHog is an open source secret-scanning engine that resolves exposed secret

- [GitGuardian ggshield](https://www.gitguardian.com/ggshield) — ggshield is a CLI application that runs in your local environment or in a CI environment to help you detect more than 350+ types of secrets, as well as other potential security vulnerabilities or policy breaks affecting your codebase.

- [HasMySecretLeaked](https://gitguardian.com/hasmysecretleaked) :copyright: — HasMySecretLeaked is a project from GitGuardian that aims to help individual users and organizations search across 20 million exposed secrets to verify if their developer secrets have leaked on public repositories, gists, and issues on GitHub projects.
- **HasMySecretLeaked** :warning: :copyright: — HasMySecretLeaked is a project from GitGuardian that aims to help individual users and organizations search across 20 million exposed secrets to verify if their developer secrets have leaked on public repositories, gists, and issues on GitHub projects.


## More Collections
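Review bot: across the README hunks above, six tools change deprecation status (Rudra, TencentCodeAnalysis, alquitran, packj, Dockle, HasMySecretLeaked) and each is mirrored in data/api/tools.json, yet the only file under data/tools/ in this change set is the new cognium.yml; if README.md and tools.json are generated from the per-tool data files, as the new yml sitting beside an identical JSON entry suggests, these six edits will be overwritten on the next regeneration. Either add the corresponding data file changes or explain why the generated files are the right place to edit.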
55 changes: 49 additions & 6 deletions data/api/tools.json
Expand Up @@ -268,7 +268,7 @@
"plans": null,
"description": "Inspects tar archives and tries to spot portability issues in regard to POSIX 2017 pax specification and common tar implementations.\nThis project is intended to be used by maintainers of projects who want to offer portable source code archives for as many systems as possible. Checking tar archives with alquitran before publishing them should help spotting issues before they reach distributors and users.",
"discussion": null,
"deprecated": null,
"deprecated": true,
"resources": null,
"reviews": null,
"demos": null,
Expand Down Expand Up @@ -4256,6 +4256,49 @@
"demos": null,
"wrapper": null
},
"cognium": {
"name": "cognium",
"categories": [
"linter"
],
"languages": [
"java",
"javascript",
"python",
"rust",
"shell",
"typescript"
],
"other": [
"security"
],
"licenses": [
"MIT"
],
"types": [
"cli"
],
"homepage": "https://cognium.dev",
"source": "https://github.com/cogniumhq/cognium",
"pricing": null,
"plans": null,
"description": "Semantic taint-tracking SAST engine with a 36-pass analysis pipeline covering security (SQL injection, XSS, SSRF, command injection, path traversal, and 15 more CWEs), reliability, performance, and maintainability. Supports Java, JavaScript, TypeScript, Python, Rust, and Bash. Outputs text, JSON, and SARIF 2.1.0. OWASP Benchmark: 100% TPR, 0% FPR across 1415 test cases.",
"discussion": null,
"deprecated": null,
"resources": [
{
"title": "OWASP Benchmark Results",
"url": "https://github.com/cogniumhq/cognium#benchmark-results"
},
{
"title": "GitHub Action",
"url": "https://github.com/marketplace/actions/cognium-security-scan"
}
],
"reviews": null,
"demos": null,
"wrapper": null
},
"cohesion": {
"name": "cohesion",
"categories": [
Expand Down Expand Up @@ -6238,7 +6281,7 @@
"plans": null,
"description": "Container Image Linter for Security helping build the Best-Practice Docker Image. Scans Docker images for security vulnerabilities and CIS Benchmark compliance. Checks for secrets, credential exposure, and security best practices. Provides multiple severity levels (FATAL, WARN, INFO) and supports various output formats for CI/CD integration.",
"discussion": null,
"deprecated": true,
"deprecated": null,
"resources": null,
"reviews": null,
"demos": null,
Expand Down Expand Up @@ -9375,7 +9418,7 @@
"plans": null,
"description": "HasMySecretLeaked is a project from GitGuardian that aims to help individual users and organizations search across 20 million exposed secrets to verify if their developer secrets have leaked on public repositories, gists, and issues on GitHub projects.",
"discussion": null,
"deprecated": null,
"deprecated": true,
"resources": null,
"reviews": null,
"demos": null,
Expand Down Expand Up @@ -13536,7 +13579,7 @@
"plans": null,
"description": "Packj (pronounced package) is a command line (CLI) tool to vet open-source software packages for \"risky\" attributes that make them vulnerable to supply chain attacks. This is the tool behind our large-scale security analysis platform Packj.dev that continuously vets packages and provides free reports.",
"discussion": null,
"deprecated": true,
"deprecated": null,
"resources": null,
"reviews": null,
"demos": null,
Expand Down Expand Up @@ -17549,7 +17592,7 @@
"plans": null,
"description": "Rust Memory Safety & Undefined Behavior Detection. It is capable of analyzing single Rust packages as well as all the packages on crates.io.",
"discussion": null,
"deprecated": true,
"deprecated": null,
"resources": null,
"reviews": null,
"demos": null,
Expand Down Expand Up @@ -20619,7 +20662,7 @@
"plans": null,
"description": "Tencent Cloud Code Analysis (TCA for short, code-named CodeDog inside the company early) is a comprehensive platform for code analysis and issue tracking. TCA consist of three components, server, web and client. It integrates of a number of self-developed tools, and also supports dynamic integration of code analysis tools in various programming languages.",
"discussion": null,
"deprecated": null,
"deprecated": true,
"resources": null,
"reviews": null,
"demos": null,
27 changes: 27 additions & 0 deletions data/tools/cognium.yml
@@ -0,0 +1,27 @@
name: cognium
categories:
- linter
tags:
- java
- javascript
- typescript
- python
- rust
- shell
- security
license: MIT
types:
- cli
source: https://github.com/cogniumhq/cognium
homepage: https://cognium.dev
description: >-
Semantic taint-tracking SAST engine with a 36-pass analysis pipeline covering
security (SQL injection, XSS, SSRF, command injection, path traversal, and 15
more CWEs), reliability, performance, and maintainability. Supports Java,
JavaScript, TypeScript, Python, Rust, and Bash. Outputs text, JSON, and SARIF
2.1.0. OWASP Benchmark: 100% TPR, 0% FPR across 1415 test cases.
resources:
- title: OWASP Benchmark Results
url: https://github.com/cogniumhq/cognium#benchmark-results
- title: GitHub Action
url: https://github.com/marketplace/actions/cognium-security-scan
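Review bot: `tags` in this file mixes language tags (java through shell) with a non-language tag (`security`), whereas the cognium entry added to data/api/tools.json splits the same data into `languages` and `other`; confirm that the generator performs that split from `tags`, otherwise the two representations will drift. Before merging, also verify that `source`, `homepage` and both `resources` URLs resolve (the `#benchmark-results` anchor only exists if the upstream README has that heading) and that the repository actually ships an MIT license, since the list's `:copyright:` handling depends on the `license` value given here. The description's benchmark sentence duplicates the "OWASP Benchmark Results" resource; keeping the figure only in the resource link would be cleaner.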