Security CLI tool (SAST) to detect security issues in your Dart and Flutter code.


Dart Shield

Dart-based security-focused code analyzer which analyzes your Dart code for potential security flaws.

Pipelines: GitHub Actions Style: Very Good Analysis License: MIT

🚧 UNDER CONSTRUCTION 🚧

Please note that this project is still under construction and **not yet ready for production use**.

Full documentation will be available once the project is ready for production use. If you have any questions, feel free to open an issue.

Overview

The dart_shield CLI is heavily inspired by other Dart and Flutter CLIs, so its commands and their behaviour are similar to what you might expect.

Features

dart_shield can detect the following security issues:

  • Hardcoded API keys
  • Hardcoded URLs
  • Weak hashing algorithms
  • Usage of non-secure random number generators
  • Usage of insecure HTTP connections

Installation

Note: dart_shield is not yet available on pub.dev.

To install dart_shield, run the following command:

dart pub global activate -s git https://github.com/yardexx/dart_shield

Usage

dart_shield contains two crucial commands:

  • init - Initializes dart_shield in your project.
  • analyze - Analyzes your Dart code for potential security flaws.

To initialize dart_shield in your project, run the following command:

dart_shield init

This command creates a shield_options.yaml file in the root of your project. This file contains the configuration for dart_shield, which will be used during the analysis (similar to analysis_options.yaml).

If a shield_options.yaml file already exists in your project and you want to recreate it, use the -f or --force flag:

dart_shield init -f
# or
dart_shield init --force

To analyze your Dart code for potential security flaws, run the following command, specifying the directory:

dart_shield analyze .

Note: The . at the end of the command specifies the directory to be analyzed and must always be included. The command does not automatically add it.

This command analyzes your Dart code based on the configuration in the shield_options.yaml file. If the configuration file is not found, the command will fail.

Configuration

The shield_options.yaml file contains configuration options, primarily rules, for dart_shield. The configuration is similar to the analysis_options.yaml file, making it familiar to those who have used Dart analysis tools.

Example of the shield_options.yaml file:

# This is a sample configuration file for dart_shield.
# ⚠️ Configuration file must be named `shield_options.yaml` and placed in the root of the project.

# shield_options.yaml is a file with a structure similar to analysis_options.yaml; it defines the
# rules that dart_shield will use to analyze your code.

# The `shield` key is required.
shield:

  # List of excluded files or directories from being analyzed
  exclude:
    # Exclude a file using path (path begins at the root of the project):
    - 'lib/ignored.dart'
    # Globs are also supported
    - '**.g.dart'

  # List of rules that dart_shield will use to analyze your code
  rules:
    - prefer-https-over-http
    - avoid-hardcoded-secrets

  # Some rules need more fine-tuning and are marked as experimental.
  # You can enable them by setting `enable-experimental` to `true`.
  enable-experimental: true

  # List of experimental rules that dart_shield will use to analyze your code
  # ⚠️ Experimental rules are subject to change and may not be as stable as regular rules.
  # ⚠️ Using "experimental-rules" without setting "enable-experimental" to "true" will cause an error.
  experimental-rules:
    - avoid-hardcoded-urls
    - avoid-weak-hashing
    - prefer-secure-random

Rules

dart_shield includes a set of predefined rules to analyze Dart code for potential security flaws, similar to how linter rules enforce code style.

List of rules

  • avoid-hardcoded-secrets: Detects hardcoded secrets, such as API keys and passwords.
  • avoid-hardcoded-urls: Detects hardcoded URLs.
  • prefer-https-over-http: Detects the use of insecure HTTP connections.
  • avoid-weak-hashing: Detects the use of weak hashing algorithms, such as MD5 and SHA-1.
  • prefer-secure-random: Detects the use of non-secure random number generators.
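The following Dart file is a constructed illustration added here, not part of dart_shield's source or test fixtures. Each "flagged" line shows the kind of pattern the named rule is meant to catch, followed by the hardened form a reviewer would prefer; the pub.dev `crypto` package is assumed as a dependency, and the secret and URL values are placeholders.

```dart
// Constructed example: the patterns each dart_shield rule targets, with fixes.
// Assumes `crypto` from pub.dev in pubspec.yaml; secret/URL values are placeholders.
import 'dart:convert';
import 'dart:math';
import 'package:crypto/crypto.dart';

// avoid-hardcoded-secrets: flagged -- a credential literal ends up in the binary
// and in version control.
const apiKeyFlagged = 'sk_live_PLACEHOLDER_DO_NOT_USE';
// preferred -- injected at build time: dart run --define=API_KEY=<value>
const apiKey = String.fromEnvironment('API_KEY');

// avoid-hardcoded-urls / prefer-https-over-http: flagged -- fixed endpoint over
// cleartext transport, so traffic can be read or altered on the path.
final endpointFlagged = Uri.parse('http://api.example.com/v1/items');
// preferred -- TLS, and the host is configurable rather than baked in.
final endpoint = Uri.https(
  const String.fromEnvironment('API_HOST', defaultValue: 'api.example.com'),
  '/v1/items',
);

// avoid-weak-hashing: flagged -- MD5 (and SHA-1) are not collision resistant,
// so they must not be used for integrity or signature purposes.
Digest weakDigest(List<int> data) => md5.convert(data);
// preferred
Digest strongDigest(List<int> data) => sha256.convert(data);

// Helper: encode random bytes from whichever generator is supplied.
String token(Random rng, int byteCount) {
  final raw = List<int>.generate(byteCount, (_) => rng.nextInt(256));
  return base64Url.encode(raw);
}

// prefer-secure-random: flagged -- Random() is a seeded PRNG whose output is
// predictable; unsuitable for session IDs, nonces or reset tokens.
String weakToken() => token(Random(), 32);
// preferred -- Random.secure() is backed by the platform's CSPRNG.
String secureToken() => token(Random.secure(), 32);

void main() {
  final data = utf8.encode('integrity check');
  print('weak   : ${weakDigest(data)}');
  print('strong : ${strongDigest(data)}');
  print('weak token   : ${weakToken()}');
  print('secure token : ${secureToken()}');
  print('endpoint     : $endpoint');
}
```

Running dart_shield over a file like this, with all five rules enabled in shield_options.yaml, is a quick way to confirm the analyzer is wired into your project before turning it on in CI.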

Contributing

This project is still under construction, so contributions might be limited. However, one of the main goals of this project is to provide a free, open-source tool for the community, emphasizing the importance of security accessibility.

Once the project is production-ready, contributions will be welcome.

If you have any ideas, suggestions, or wish to contribute, feel free to open an issue.

License

This project is licensed under the MIT License. See the LICENSE file for details.
