One Command, Complete Security Analysis
SimpleSecCheck is a powerful, single-shot Docker-based security scanner that performs comprehensive analysis of your codebase or web applications. Simply run one command and get detailed security reports with no permanent monitoring or infrastructure required.
Important: SimpleSecCheck performs active security scans. Ensure you have proper authorization before scanning any target.
Germany:
- β Scanning your own systems/domains is legal
- β Authorized targets with written consent (e.g., contracted pen-testing)
- β Unauthorized scanning violates German law (Β§202a, Β§202b, Β§202c StGB - Data Protection Act)
EU General (GDPR):
- Requires explicit consent for automated vulnerability scanning
- May involve processing of personal data
- Ensure compliance with GDPR Article 6 (lawful basis for processing)
Federal Law (CFAA):
- Unauthorized access to computer systems is illegal (18 U.S.C. Β§ 1030)
- Scanning systems without permission may constitute a felony
- Legal only with explicit written authorization or ownership
State Variations:
- Some states have additional cybercrime laws
- Always obtain written authorization before scanning third-party systems
Always Legal:
- β Your own systems/domains
- β Systems you explicitly own or control
Requires Authorization:
- β Contracted penetration testing
- β Bug bounty programs (follow program rules)
- β Staging/test environments (verify ownership/authorization)
Never Scan Without Permission:
- β Third-party systems without explicit consent
- β Public websites/applications you don't own
- β Systems outside bug bounty scope
- Single-Shot Analysis: One command, complete security scan
- Dual Scan Modes: Code analysis OR web application scanning
- Comprehensive Code Analysis: Semgrep + Trivy for vulnerabilities and dependencies
- Web Application Scanning: OWASP ZAP for web vulnerabilities
- Unified Reporting: Consolidated HTML reports with all findings
- Zero Infrastructure: No databases, no persistent services, no monitoring
- Docker-Based: Isolated, secure scanning environment
- Easy Usage: Simple
./run-docker.shcommand for everything
- Docker and Docker Compose
- Target codebase or web application to scan
# Clone the repository
git clone https://github.com/fr4iser90/SimpleSecCheck.git
cd SimpleSecCheck
# Make the script executable (one-time setup)
chmod +x run-docker.sh
# Scan a local code project
./run-docker.sh /path/to/your/project
# Scan a website
./run-docker.sh https://example.comThat's it! Results will be available in the results/ directory.
Pull and run the pre-built image from Docker Hub:
# Pull the latest image
docker pull fr4iser/simpleseccheck:latest
# Scan a local code project
docker run --rm \
-v /path/to/your/project:/target:ro \
-v $(pwd)/results:/SimpleSecCheck/results \
-v $(pwd)/logs:/SimpleSecCheck/logs \
-v $(pwd)/conf:/SimpleSecCheck/conf \
-v $(pwd)/rules:/SimpleSecCheck/rules \
-v $(pwd)/trivy:/SimpleSecCheck/trivy \
-v $(pwd)/anchore:/SimpleSecCheck/anchore \
-v $(pwd)/zap:/SimpleSecCheck/zap \
-v $(pwd)/owasp-dependency-check-data:/SimpleSecCheck/owasp-dependency-check-data \
-v /var/run/docker.sock:/var/run/docker.sock \
-e SCAN_TYPE=code \
fr4iser/simpleseccheck:latest \
/SimpleSecCheck/scripts/security-check.sh
# Scan a website
docker run --rm \
-e SCAN_TYPE=website \
-e ZAP_TARGET=https://example.com \
-v $(pwd)/results:/SimpleSecCheck/results \
-v $(pwd)/logs:/SimpleSecCheck/logs \
-v $(pwd)/conf:/SimpleSecCheck/conf \
-v $(pwd)/rules:/SimpleSecCheck/rules \
-v $(pwd)/zap:/SimpleSecCheck/zap \
fr4iser/simpleseccheck:latest \
/SimpleSecCheck/scripts/security-check.sh
# Scan local network/Docker infrastructure
docker run --rm \
-e SCAN_TYPE=network \
-v $(pwd)/results:/SimpleSecCheck/results \
-v $(pwd)/logs:/SimpleSecCheck/logs \
-v $(pwd)/conf:/SimpleSecCheck/conf \
-v $(pwd)/rules:/SimpleSecCheck/rules \
-v /var/run/docker.sock:/var/run/docker.sock:ro \
fr4iser/simpleseccheck:latest \
/SimpleSecCheck/scripts/security-check.shScan any public website or application:
./run-docker.sh https://example.com
Scan your local project for security issues:
./run-docker.sh /path/to/your/project
Scan applications in your local Docker network (e.g., http://host.docker.internal:8000):
./run-docker.sh network
Code Projects:
- Static code analysis with Semgrep (including React Native-specific security rules)
- Dependency vulnerabilities with Trivy
- Security rule violations
- Docker daemon compliance with Docker Bench
- React Native Support: Mobile app security patterns including AsyncStorage security, WebView vulnerabilities, deep linking issues, and more
Websites:
- Web application vulnerabilities with OWASP ZAP
- Security misconfigurations
- Common web attacks
Create a .env file for custom settings:
# For web scanning
TARGET_URL=https://your-website.com
# For code scanning (default: auto-detected)
SCAN_TYPE=codeSome tools can benefit from API tokens for enhanced functionality:
Copy the example file and add your tokens:
cp env.example .env
nano .env # Or use your favorite editorAvailable API Tokens:
| Token | Tool | Purpose | Get it from |
|---|---|---|---|
NVD_API_KEY |
OWASP Dependency Check | Higher rate limits for vulnerability database lookups | https://nvd.nist.gov/developers/request-an-api-key |
SNYK_TOKEN |
Snyk | Cloud-based vulnerability scanning with Snyk | https://snyk.io/user/api |
Note: All API tokens are optional. Tools will work in their basic modes without tokens. Tokens are stored locally in your .env file (which is git-ignored) and are never uploaded or shared.
Static Code Analysis:
- Semgrep: Static code analysis with security-focused rules
- CodeQL: Advanced code analysis and vulnerability detection
- ESLint: JavaScript/TypeScript security linting
- Brakeman: Ruby on Rails security scanning
- Bandit: Python security linting
Dependency & Container Scanning:
- Trivy: Container and dependency vulnerability scanning
- Clair: Container image vulnerability analysis
- Anchore: Container image security scanning
- OWASP Dependency Check: Dependency vulnerability analysis
- Safety: Python dependency security checker
- Snyk: Dependency and container vulnerability scanner
- npm audit: Node.js package vulnerability scanning
Infrastructure as Code:
- Checkov: Infrastructure security scanning (AWS, Azure, GCP)
- Terraform Security: Terraform-specific security checks
Secret Detection:
- TruffleHog: Secret and credential detection
- GitLeaks: Git repository secret scanning
- Detect-secrets: Yelp's secret detection tool
Code Quality:
- SonarQube: Code quality and security analysis
Mobile App Security:
- React Native Security: React Native-specific security rules for AsyncStorage, WebView, deep linking, and more
- Android Manifest Scanner: Automatically detects and scans AndroidManifest.xml files for dangerous permissions, cleartext traffic, backup settings, and debug configurations
- iOS Plist Scanner: Automatically detects and scans Info.plist files for App Transport Security (ATS) misconfigurations, arbitrary loads, and security settings
- JavaScript/TypeScript scanning works on React Native code
- CodeQL supports Kotlin, Swift, and Objective-C for native mobile code analysis
- npm audit for React Native dependencies
- OWASP ZAP: Web application vulnerability scanning
- Nuclei: Fast web vulnerability scanning with custom templates
- Wapiti: Web application security scanner
- Nikto: Web server security scanner
- Burp Suite: Web application security testing
- Kube-hunter: Kubernetes cluster security scanner
- Kube-bench: Kubernetes CIS benchmark compliance testing
- Docker Bench: Docker daemon CIS benchmark compliance testing
After scanning, results are available in the results/[project]_[timestamp]/ directory:
- Code scans:
results/[ProjectName]_[timestamp]/(e.g.,SimplePDFEditor_20251028_175751/) - Website scans:
results/[domain]_[timestamp]/ - Network scans:
results/network-infrastructure_[timestamp]/
Results files:
security-summary.html- Unified HTML report with all findingssemgrep.json- Detailed code analysis results (code scans only)trivy.json- Dependency and vulnerability scan results (code scans only)docker-bench.json- Docker daemon compliance results (network scans only)zap-report.xml- Web application vulnerability report (web scans only)security-check.log- Complete scan log
Open the HTML report in your browser for the best experience!
SimpleSecCheck includes comprehensive security rules:
- Code Bugs (
rules/code-bugs.yml) - Common programming errors - Secrets Detection (
rules/secrets.yml) - API keys, passwords, tokens - API Security (
rules/api-security.yml) - API vulnerabilities - LLM/AI Security (
rules/llm-ai-security.yml) - AI-specific vulnerabilities - Prompt Injection (
rules/prompt-injection.yml) - LLM prompt attacks - React Native Security (
rules/react-native-security.yml) - Mobile app security issues (AsyncStorage, WebView, deep linking, etc.)
Add your own Semgrep rules to the rules/ directory:
# Add custom rules
echo "rules:" >> rules/custom.yml
echo " - id: my-custom-rule" >> rules/custom.yml
echo " patterns:" >> rules/custom.yml
echo " - pattern: dangerous_function(...)" >> rules/custom.ymlFor advanced users who want more control:
# Code scan with custom settings
docker-compose run --rm -v /path/to/code:/target:ro scanner
# Web scan with custom URL
TARGET_URL=https://your-site.com docker-compose run --rm scanner- Single-Shot Execution: No persistent services or monitoring
- Isolated Environment: Docker containers are destroyed after scanning
- Read-Only Access: Target code is mounted read-only
- No Data Retention: All scan data is temporary and local
- Minimal Attack Surface: No web interfaces or persistent processes
- Add new security rules to
rules/ - Extend scanning capabilities in
scripts/tools/ - Improve report generation in
scripts/ - Submit issues and feature requests
SimpleSecCheck is Open Source, MIT-licensed.