code-audit-23 0.1.4

A simple local scanner for code audits (Trivy, Semgrep, SonarQube, for Brain Station 23)

Code Audit 23

Code Audit 23 is a comprehensive command-line interface (CLI) tool that unifies multiple code quality and security scanning tools into a single, easy-to-use interface. It's designed to help developers maintain high code quality and security standards across their projects.

✨ Features

• Unified Interface: Single command to run multiple code quality and security scans
• Multiple Tools Integration:
  • SonarQube - Code quality and security analysis
  • Semgrep - Static code analysis for security issues
  • Trivy - Vulnerability scanning for dependencies and container images
• Interactive Menu: User-friendly command-line interface
• Cross-Platform: Works on Windows, macOS, and Linux
• SARIF Reports: Standardized output format for all scan results
• No Installation Required: Self-contained executable available

🚀 Installation

Prerequisites

• Python 3.9 or higher
• Java 11+ (for SonarQube Scanner)
• Git (for Gitleaks)

Install from PyPI

pip install code-audit-23

Install from Source

1. Clone the repository:

   git clone https://github.com/BrainStation-23/CodeAudit23.git
   cd CodeAudit23
   

2. Create and activate a virtual environment:

   # Linux/macOS
   python -m venv venv
   source venv/bin/activate
   
   # Windows
   python -m venv venv
   .\venv\Scripts\activate
   

3. Install dependencies:

   pip install -e .
   

🔧 Configuration

1. Create a .env file in your project root with the following variables:

   SONAR_HOST_URL=https://your-sonarqube-instance.com
   SONAR_LOGIN=your_sonarqube_token
   

2. The first time you run a scan, the tool will prompt you for SonarQube credentials if they're not in the .env file.

🛠 Usage

Basic Usage

Run the interactive menu:

code-audit-23

Command Line Options

Usage: code-audit-23 [OPTIONS]

  Interactive entrypoint for Audit Scanner

Options:
  --help  Show this message and exit.

Menu Options

1. Quick Scan - Run all security scans in sequence (Trivy + Semgrep + SonarQube)
2. Trivy Scan - Scan for vulnerabilities in dependencies and container images
3. Semgrep Scan - Static code analysis for security issues
4. SonarQube Scan - Analyze code quality and security issues

📊 Output

All scan reports are saved in the reports/ directory in SARIF format:

• reports/trivy.sarif - Results from Trivy scan
• reports/semgrep.sarif - Results from Semgrep scan
• SonarQube results are available on your SonarQube server

🧪 Development

Project Structure

code_audit_23/
├── __init__.py
├── main.py           # Main CLI entry point
├── sonarqube_cli.py  # SonarQube scanner implementation
└── logger.py         # Logging configuration

Dependencies

• click - Command line interface creation
• requests - HTTP requests
• python-dotenv - Environment variable management

Building & Publishing to PyPI

1. Update the version in pyproject.toml (and optionally __init__.py if you mirror it there). Commit the change.
2. Ensure you have the packaging tooling:

   python -m pip install --upgrade build twine
   

3. Clean any previous artifacts:

   rm -rf dist build *.egg-info
   

4. Build the source distribution and wheel:

   python -m build
   

5. (Optional but recommended) Validate the archives locally:

   twine check dist/*
   

6. (Optional) Publish to TestPyPI before the main release:

   python -m twine upload --repository testpypi dist/*
   

7. Once satisfied, publish to PyPI:

   python -m twine upload dist/*
   

8. Tag the release in git, e.g.:

   git tag -a v0.1.0 -m "Release v0.1.0"
   git push origin v0.1.0
   

🤝 Contributing

Contributions are welcome! Please read our Contributing Guidelines for details on how to submit pull requests, report issues, or suggest new features.

📄 License

This project is licensed under the MIT License - see the LICENSE file for details.

🙏 Acknowledgments

• SonarQube - For the amazing code quality platform
• Semgrep - For static code analysis
• Trivy - For the vulnerability scanning

📧 Contact

For any questions or feedback, please contact Ahmad Al-Sajid.