RootCause is a static analysis security testing (SAST) tool built in Rust. It scans configuration files, source code, and infrastructure-as-code to identify security vulnerabilities and misconfigurations.
⚠️ Disclaimer: This project is in its early stages and may contain bugs or incomplete features. Please report any issues you encounter.
- Configuration: Dockerfile, Kubernetes YAML, Terraform
- Source Code: Python, Rust, TypeScript, PHP, Java
- Infrastructure: HCL, JSON, YAML
```sh
curl -sSL https://rootcause.sh/install.sh | bash
```

The scanner requires a rules directory. If the directory is missing, the CLI will prompt to download the official rule set.
```sh
# Scan a directory
rootcause scan ./my-project --rules ./rules

# Scan with specific output format
rootcause scan ./my-project --rules ./rules --format json

# Scan with severity threshold
rootcause scan ./my-project --rules ./rules --fail-on medium
```

Install or update built-in or custom rules:
```sh
# Install from archive or URL
rootcause rules install https://example.com/pkg.tar.gz

# Update all installed rulesets
rootcause rules update

# List installed rulesets
rootcause rules list
```

RootCause loads rules written in YAML, JSON, Semgrep, or OPA-WASM without any extra flags; Semgrep rules are detected automatically. The engine supports advanced Semgrep capabilities:
- pattern-regex – match text via regular expressions
- metavariable-pattern – constrain metavariables
- taint tracking – follow data from sources to sinks
Minimal examples:

```yaml
# pattern-regex
- id: semgrep.pattern-regex
  message: Slack token
  pattern-regex: "xox[baprs]-[0-9a-zA-Z]{10,48}"
  severity: HIGH

# metavariable-pattern
- id: semgrep.metavariable-pattern
  message: possible double free
  pattern: |
    free($BUF)
  metavariable-pattern:
    metavariable: $BUF
    pattern: |
      getbuf(...)
  severity: HIGH

# taint tracking
- id: semgrep.taint
  message: user input flows to eval
  pattern-sources:
    - pattern: input(...)
  pattern-sinks:
    - pattern: eval($X)
  severity: HIGH
```

For more information, see https://github.com/rootcausescan/Rules and https://docs.rootcause.sh/en/rules
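To make concrete what each of the three rule kinds above reports, here is an added, self-contained toy matcher. It is not RootCause's engine and not code from the project; it only uses the Python standard library (`re` for the `pattern-regex` rule, `ast` for a straight-line taint tracker and for the `free($BUF)` metavariable constraint). The sample config and sample program are constructed for the demo, and the Slack-shaped token in it is a fake value built to hit the regex.

```python
"""Added example, not part of the RootCause project: a toy matcher showing what
each of the three Semgrep-style rules above reports on constructed input.
Everything here is standard library; RootCause's real engine is not used."""
import ast
import re

# Constructed sample config; the "token" is a fake value shaped to hit the rule.
SAMPLE_CONFIG = """\
SLACK_WEBHOOK=https://hooks.example.invalid/services/abc
SLACK_TOKEN=xoxb-FAKEFAKEFAKE0000
GITHUB_TOKEN=ghp_notmatchedbythisrule
"""

# Constructed sample program exercised by the taint and metavariable rules.
SAMPLE_PY = """\
name = input("name? ")
greeting = "hello " + name
eval(greeting)
eval("1 + 1")
safe = "constant"
eval(safe)
eval(input("expr? "))
free(getbuf())
free(other())
"""

# The pattern-regex rule from the README, as a plain dict (no YAML parsing needed).
SLACK_RULE = {
    "id": "semgrep.pattern-regex",
    "message": "Slack token",
    "pattern-regex": r"xox[baprs]-[0-9a-zA-Z]{10,48}",
    "severity": "HIGH",
}


def regex_findings(rule, text):
    """pattern-regex: report (line number, matched text) for every hit."""
    pattern = re.compile(rule["pattern-regex"])
    return [
        (lineno, m.group(0))
        for lineno, line in enumerate(text.splitlines(), start=1)
        for m in pattern.finditer(line)
    ]


def _is_call_to(node, name):
    """True for a call expression whose callee is the bare name `name`."""
    return (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
            and node.func.id == name)


def _tainted(node, tainted_names):
    """Does this expression carry data that came from input(...)?"""
    if _is_call_to(node, "input"):
        return True
    if isinstance(node, ast.Name):
        return node.id in tainted_names
    if isinstance(node, ast.BinOp):
        return _tainted(node.left, tainted_names) or _tainted(node.right, tainted_names)
    if isinstance(node, ast.JoinedStr):
        return any(_tainted(v.value, tainted_names)
                   for v in node.values if isinstance(v, ast.FormattedValue))
    return False


def taint_findings(source):
    """taint tracking: line numbers of eval(...) calls whose argument derives
    from input(...). Follows straight-line assignments only (no branches,
    no sanitizers), which is enough to show how a source reaches a sink."""
    tainted, hits = set(), []
    for stmt in ast.parse(source).body:
        # Check sinks before updating taint so `x = eval(input())` is reported.
        for node in ast.walk(stmt):
            if _is_call_to(node, "eval") and any(_tainted(a, tainted) for a in node.args):
                hits.append(node.lineno)
        if isinstance(stmt, ast.Assign) and _tainted(stmt.value, tainted):
            tainted.update(t.id for t in stmt.targets if isinstance(t, ast.Name))
    return hits


def metavariable_findings(source):
    """metavariable-pattern: free($BUF) where $BUF itself matches getbuf(...)."""
    return [node.lineno for node in ast.walk(ast.parse(source))
            if _is_call_to(node, "free")
            and len(node.args) == 1 and _is_call_to(node.args[0], "getbuf")]


if __name__ == "__main__":
    print(regex_findings(SLACK_RULE, SAMPLE_CONFIG))  # [(2, 'xoxb-FAKEFAKEFAKE0000')]
    print(taint_findings(SAMPLE_PY))                  # [3, 7]
    print(metavariable_findings(SAMPLE_PY))           # [8]
```

Note what the toy does not do: it has no sanitizer support, no inter-procedural tracking and no constant propagation, so `buf = getbuf(); free(buf)` is not reported by `metavariable_findings`, whereas a real engine may resolve that. That gap is exactly the kind of case to keep in mind when judging what a minimal rule will and will not catch.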
`rootcause plugin list` shows each plugin with its version, capabilities, and current parameters.

```sh
# List installed plugins
rootcause plugin list

# Show or set plugin configuration
rootcause plugin config my-plugin
rootcause plugin config my-plugin level=high
```

For more information, see https://github.com/rootcausescan/Plugins and https://docs.rootcause.sh/en/plugins
For comprehensive documentation, examples, and advanced usage:
The documentation includes:
- Detailed installation guides
- Rule creation tutorials
- Plugin development
- API reference
This project is licensed under the GNU General Public License v3.0 - see the LICENSE file for details.
Need help? Visit docs.rootcause.sh or join our community discussions.