code-audit-23 0.1.5

A simple local scanner for code audits (Trivy, Semgrep, SonarQube, for Brain Station 23)

Code Audit 23

Code Audit 23 is a comprehensive command-line interface (CLI) tool that unifies multiple code quality and security scanning tools into a single, easy-to-use interface. It's designed to help developers maintain high code quality and security standards across their projects.

📑 Table of Contents

• ✨ Features
• 🚀 Installation
  • Prerequisites
  • Install from PyPI
  • Install from Source
• 🔧 Configuration
• 🛠 Usage
  • Basic Usage
  • Command Line Options
  • Menu Options
• 📊 Output
• 🧪 Development
  • Project Structure
  • Dependencies
  • Building & Publishing to PyPI
• 🤝 Contributing
• 📄 License
• 🙏 Acknowledgments
• 🔧 Troubleshooting
  • Windows: Microsoft Visual C++ 14.0+ Required
  • Common Issues
• 📧 Contact

✨ Features

• Unified Interface: Single command to run multiple code quality and security scans
• Multiple Tools Integration:
  • SonarQube - Code quality and security analysis
  • Semgrep - Static code analysis for security issues
  • Trivy - Vulnerability scanning for dependencies and container images
• Interactive Menu: User-friendly command-line interface
• Cross-Platform: Works on Windows, macOS, and Linux
• SARIF Reports: Standardized output format for all scan results
• No Installation Required: Self-contained executable available

🚀 Installation

Prerequisites

• Python 3.9 or higher
• Java 11+ (for SonarQube Scanner)
• Git (for Gitleaks)

Install from PyPI

pip install code-audit-23

Install from Source

1. Clone the repository:

   git clone https://github.com/BrainStation-23/CodeAudit23.git
   cd CodeAudit23
   

2. Create and activate a virtual environment:

   # Linux/macOS
   python -m venv venv
   source venv/bin/activate
   
   # Windows
   python -m venv venv
   .\venv\Scripts\activate
   

3. Install dependencies:

   pip install -e .
   

🔧 Configuration

1. Create a .env file in your project root with the following variables:

   SONAR_HOST_URL=https://your-sonarqube-instance.com
   SONAR_LOGIN=your_sonarqube_token
   

2. The first time you run a scan, the tool will prompt you for SonarQube credentials if they're not in the .env file.

🛠 Usage

Basic Usage

Run the interactive menu:

code-audit-23

Command Line Options

Usage: code-audit-23 [OPTIONS]

  Interactive entrypoint for Audit Scanner

Options:
  --help  Show this message and exit.

Menu Options

1. Quick Scan - Run all security scans in sequence (Trivy + Semgrep + SonarQube)
2. Trivy Scan - Scan for vulnerabilities in dependencies and container images
3. Semgrep Scan - Static code analysis for security issues
4. SonarQube Scan - Analyze code quality and security issues

📊 Output

All scan reports are saved in the reports/ directory in SARIF format:

• reports/trivy.sarif - Results from Trivy scan
• reports/semgrep.sarif - Results from Semgrep scan
• SonarQube results are available on your SonarQube server

🧪 Development

Project Structure

code_audit_23/
├── __init__.py
├── main.py           # Main CLI entry point
├── sonarqube_cli.py  # SonarQube scanner implementation
└── logger.py         # Logging configuration

Dependencies

• click - Command line interface creation
• requests - HTTP requests
• python-dotenv - Environment variable management

Building & Publishing to PyPI

1. Update the version in pyproject.toml (and optionally __init__.py if you mirror it there). Commit the change.
2. Ensure you have the packaging tooling:

   python -m pip install --upgrade build twine
   

3. Clean any previous artifacts:

   rm -rf dist build *.egg-info
   

4. Build the source distribution and wheel:

   python -m build
   

5. (Optional but recommended) Validate the archives locally:

   twine check dist/*
   

6. (Optional) Publish to TestPyPI before the main release:

   python -m twine upload --repository testpypi dist/*
   

7. Once satisfied, publish to PyPI:

   python -m twine upload dist/*
   

8. Tag the release in git, e.g.:

   git tag -a v0.1.0 -m "Release v0.1.0"
   git push origin v0.1.0
   

🤝 Contributing

Contributions are welcome! Please read our Contributing Guidelines for details on how to submit pull requests, report issues, or suggest new features.

📄 License

This project is licensed under the MIT License - see the LICENSE file for details.

🙏 Acknowledgments

• SonarQube - For the amazing code quality platform
• Semgrep - For static code analysis
• Trivy - For the vulnerability scanning

🔧 Troubleshooting

Windows: Microsoft Visual C++ 14.0+ Required

When installing on Windows, you might encounter the following error:

error: Microsoft Visual C++ 14.0 or greater is required. Get it with "Microsoft C++ Build Tools"

Solution:

1. Install Microsoft C++ Build Tools:

   • Download the latest Visual Studio Build Tools installer from: https://visualstudio.microsoft.com/visual-cpp-build-tools/
   • Run the installer and select "Desktop development with C++" workload
   • Ensure the following components are selected:
     • MSVC v143 - VS 2022 C++ x64/x86 build tools (or latest version)
     • Windows 10/11 SDK (latest version)
     • C++ CMake tools for Windows
   • Click "Install" and wait for the installation to complete

2. Restart your computer to ensure all environment variables are properly set

3. Retry the installation:

   pip install code-audit-23
   

4. If the issue persists, try installing the specific version of the Microsoft C++ Build Tools:

   pip install --upgrade setuptools
   pip install --upgrade wheel
   pip install --upgrade pip
   

Common Issues

Python Version Compatibility

Ensure you're using Python 3.9 or higher. Check your Python version with:

python --version

Permission Issues

If you encounter permission errors, try running your command prompt as Administrator or use:

pip install --user code-audit-23

📧 Contact

For any questions or feedback, please contact Ahmad Al-Sajid.