A simple local scanner for code audits (Trivy, Semgrep, SonarQube, for Brain Station 23)
Project description
Code Audit 23
Code Audit 23 is a comprehensive command-line interface (CLI) tool that unifies multiple code quality and security scanning tools into a single, easy-to-use interface. It's designed to help developers maintain high code quality and security standards across their projects.
📑 Table of Contents
- ✨ Features
- 🚀 Installation
- 🔧 Configuration
- 🛠 Usage
- 📊 Output
- 🧪 Development
- 🤝 Contributing
- 📄 License
- 🙏 Acknowledgments
- 🔧 Troubleshooting
- 📧 Contact
✨ Features
- Unified Interface: Single command to run multiple code quality and security scans
- Multiple Tools Integration:
- SonarQube - Code quality and security analysis
- Semgrep - Static code analysis for security issues
- Trivy - Vulnerability scanning for dependencies and container images
- Interactive Menu: User-friendly command-line interface
- Cross-Platform: Works on Windows, macOS, and Linux
- SARIF Reports: Standardized output format for all scan results
- No Installation Required: Self-contained executable available
🚀 Installation
Prerequisites
- Python 3.10 to 3.13
- Java 11+ (for SonarQube Scanner)
- Microsoft Visual c++ 14 (for Windows). See the troubleshooting section for more details.
Install from PyPI
pip install code-audit-23
Install from Source
-
Clone the repository:
git clone https://github.com/BrainStation-23/CodeAudit23.git cd CodeAudit23
-
Create and activate a virtual environment:
# Linux/macOS python -m venv venv source venv/bin/activate # Windows python -m venv venv .\venv\Scripts\activate
-
Install dependencies:
pip install -e .
🔧 Configuration
-
Create a
.envfile in your project root with the following variables:SONAR_HOST_URL=https://your-sonarqube-instance.com SONAR_LOGIN=your_sonarqube_token
-
The first time you run a scan, the tool will prompt you for SonarQube credentials if they're not in the
.envfile.
🛠 Usage
Basic Usage
Run the interactive menu:
code-audit-23
Command Line Options
Usage: code-audit-23 [OPTIONS]
Interactive entrypoint for Audit Scanner
Options:
--help Show this message and exit.
Menu Options
- Quick Scan - Run all security scans in sequence (Trivy + Semgrep + SonarQube)
- Trivy Scan - Scan for vulnerabilities in dependencies and container images
- Semgrep Scan - Static code analysis for security issues
- SonarQube Scan - Analyze code quality and security issues
📊 Output
All scan reports are saved in the reports/ directory in SARIF format:
reports/trivy.sarif- Results from Trivy scanreports/semgrep.sarif- Results from Semgrep scan- SonarQube results are available on your SonarQube server
🧪 Development
Project Structure
code_audit_23/
├── __init__.py
├── main.py # Main CLI entry point
├── sonarqube_cli.py # SonarQube scanner implementation
└── logger.py # Logging configuration
Dependencies
click- Command line interface creationrequests- HTTP requestspython-dotenv- Environment variable management
Building & Publishing to PyPI
- Update the version in
pyproject.toml(and optionally__init__.pyif you mirror it there). Commit the change. - Ensure you have the packaging tooling:
python -m pip install --upgrade build twine
- Clean any previous artifacts:
rm -rf dist build *.egg-info
- Build the source distribution and wheel:
python -m build
- (Optional but recommended) Validate the archives locally:
twine check dist/*
- (Optional) Publish to TestPyPI before the main release:
python -m twine upload --repository testpypi dist/*
- Once satisfied, publish to PyPI:
python -m twine upload dist/*
- Tag the release in git, e.g.:
git tag -a v0.1.0 -m "Release v0.1.0" git push origin v0.1.0
🤝 Contributing
Contributions are welcome! Please read our Contributing Guidelines for details on how to submit pull requests, report issues, or suggest new features.
📄 License
This project is licensed under the MIT License - see the LICENSE file for details.
🙏 Acknowledgments
- SonarQube - For the amazing code quality platform
- Semgrep - For static code analysis
- Trivy - For the vulnerability scanning
🔧 Troubleshooting
Windows: Microsoft Visual C++ 14.0+ Required
When installing on Windows, you might encounter the following error:
error: Microsoft Visual C++ 14.0 or greater is required. Get it with "Microsoft C++ Build Tools"
Solution:
-
Install Microsoft C++ Build Tools:
- Download the latest Visual Studio Build Tools installer from: https://visualstudio.microsoft.com/visual-cpp-build-tools/
- Run the installer and select "Desktop development with C++" workload
- Ensure the following components are selected:
- MSVC v143 - VS 2022 C++ x64/x86 build tools (or latest version)
- Windows 10/11 SDK (latest version)
- C++ CMake tools for Windows
- Click "Install" and wait for the installation to complete
-
Restart your computer to ensure all environment variables are properly set
-
Retry the installation:
pip install code-audit-23
-
If the issue persists, try installing the specific version of the Microsoft C++ Build Tools:
pip install --upgrade setuptools pip install --upgrade wheel pip install --upgrade pip
Unicode Encoding Error
On windows, you can get Unicode encoding error like
UnicodeEncodeError: 'charmap' codec can't encode character '\u202a' in position 1394761: character maps to <undefined>
Sending pseudonymous metrics since metrics are configured to AUTO, registry usage is True, and login status is False
Solution
If you want Semgrep and Python always to run UTF-8 on that system:
- Open Windows Settings → Time & Language → Language & Region
- Turn on “Beta: Use Unicode UTF-8 for worldwide language support”
- Reboot
This will prevent the issue globally for all Python tools (not just yours).
For Example
Common Issues
Python Version Compatibility
Ensure you're using Python 3.9 or higher, but not above 3.13. Check your Python version with:
python --version
Permission Issues
If you encounter permission errors, try running your command prompt as Administrator or use:
pip install --user code-audit-23
📧 Contact
For any questions or feedback, please contact Ahmad Al-Sajid.
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file code_audit_23-0.1.19.tar.gz.
File metadata
- Download URL: code_audit_23-0.1.19.tar.gz
- Upload date:
- Size: 11.6 MB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.12.3
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
80adc3397eb0d13d5eb3f1e217db5ce1c70ae00e325adbe2ca5c1cff1909d312
|
|
| MD5 |
fb0041590ee2445e322976735ab698a9
|
|
| BLAKE2b-256 |
b0004979c9eaacb29d1ccbce25e6349368adb8ffabfd45f9832f1bc193b0b221
|
File details
Details for the file code_audit_23-0.1.19-py3-none-any.whl.
File metadata
- Download URL: code_audit_23-0.1.19-py3-none-any.whl
- Upload date:
- Size: 11.7 MB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.12.3
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
546bdb334f8c9894521a2444908443157bedb6d69a42cbaf5003b04c021eeb00
|
|
| MD5 |
357af4a405aafa38eb1c8a2edab74dee
|
|
| BLAKE2b-256 |
2dcfe12b106053e4ff23685dc1a72c3bfd602841fdf93289ff761afb798b9175
|
