If you find a vulnerability in sastsweep and would like to report it (thank you 🙏), please DM me on Twitter @_chebuya

Also consider sumbitting a security report here: it will prevent a lot of the initial back and forth

The main security concern I have with this tool are malicious repositories.

Since sastsweep is designed to be fed in a bunch of repos and scan them, this involves downloading the .zip file containing all the code and unzipping it on the system running sastsweep.

I have taken some measures to prevent people from using zip slip, a zip bomb, or just generally writing files where they should not be written - however, I doubt this implementation is perfect:

The unzipping routine is located here:

https://github.com/chebuya/sastsweep/blob/main/common/util.go#L57-L129

https://github.com/chebuya/sastsweep/blob/main/common/util.go#27-L55