Static Application Security Testing (SAST) examines source code
to detect vulnerabilities without executing the application.
Gerion uses Opengrep with rules from the Semgrep Registry.
Run
```bash
# Scan the current directory
gerion sast-scan . --format sarif --output-file sast.sarif

# Send results to the Gerion API
gerion sast-scan . --api-url $GERION_API_URL --api-key $GERION_API_KEY
```
Supported languages
| Language | Extensions |
|---|---|
| Python | .py |
| JavaScript | .js, .jsx, .mjs |
| TypeScript | .ts, .tsx |
| Java | .java |
| Go | .go |
| C | .c, .h |
| C++ | .cpp, .cc, .cxx, .hpp |
| C# | .cs |
| PHP | .php |
| Ruby | .rb |
| Kotlin | .kt |
| Scala | .scala |
| Rust | .rs |
| Swift | .swift |
| Dart | .dart |
| Bash / Shell | .sh, .bash |
| Dockerfile | Dockerfile |
| Terraform | .tf |
| YAML | .yml, .yaml |
| JSON | .json |
Detected vulnerability types
| Category | Examples |
|---|---|
| Injection | SQL injection, command injection, LDAP injection |
| XSS | Reflected and stored cross-site scripting |
| Authentication | Hardcoded passwords, unsigned JWTs |
| Cryptography | Weak algorithms (MD5, SHA1, RC4), static IVs |
| Deserialization | Unsafe object deserialization |
| Path traversal | File access outside the allowed directory |
| SSRF | Server-side request forgery |
| Logic | Incorrect security comparisons |
Options
| Option | Description |
|---|---|
| `--format` | Output format: `json` \| `markdown` \| `sarif` |
| `--output-file` | Save results to a file (disables API submission) |
| `--api-url` | Gerion API Gateway URL |
| `--api-key` | M2M API key |
| `--timeout` | Timeout in seconds (default: 180) |
| `--log-level` | `debug` \| `info` \| `warning` \| `error` |
Reading results
```text
┌──────────────┬───────────────────────────────┬────────────────┐
│ Severity     │ Rule                          │ File:Line      │
├──────────────┼───────────────────────────────┼────────────────┤
│ 🔴 High      │ python.lang.security.sql-inj  │ db.py:42       │
│ 🟡 Medium    │ javascript.crypto.weak-hash   │ auth.js:15     │
└──────────────┴───────────────────────────────┴────────────────┘
```
For full descriptions and recommended mitigations, see the Gerion Dashboard.
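When results are written with `--format sarif --output-file`, the file can be consumed in CI without the dashboard. The script below is an added example, not part of the Gerion CLI: it flattens standard SARIF 2.1.0 results into the Severity / Rule / File:Line view shown above and acts as a merge gate. The mapping from SARIF `level` to Gerion's High/Medium/Low labels is an assumption, and the embedded SARIF document is constructed to mirror the two rows of the table, not real scanner output.

```python
"""Summarise a SARIF file produced by `gerion sast-scan --format sarif`.

Added example, not Gerion's own code. It relies only on the standard SARIF 2.1.0
layout (runs -> results -> ruleId / level / locations); the mapping of SARIF
`level` to the High/Medium/Low labels in the CLI table is an assumption, and
SAMPLE_SARIF below is constructed, not real scanner output.
"""
import json
from collections import Counter

# Assumed mapping from SARIF result level to Gerion's severity labels.
LEVEL_TO_SEVERITY = {"error": "High", "warning": "Medium", "note": "Low"}


def load_findings(sarif_text: str) -> list[dict]:
    """Flatten a SARIF document into severity / rule / file / line records."""
    findings = []
    for run in json.loads(sarif_text).get("runs", []):
        for result in run.get("results", []):
            # A result may carry no location; fall back to placeholders.
            loc = (result.get("locations") or [{}])[0].get("physicalLocation", {})
            findings.append({
                "severity": LEVEL_TO_SEVERITY.get(result.get("level", "warning"), "Medium"),
                "rule": result.get("ruleId", "unknown"),
                "file": loc.get("artifactLocation", {}).get("uri", "?"),
                "line": loc.get("region", {}).get("startLine", 0),
            })
    return findings


def severity_counts(findings: list[dict]) -> Counter:
    return Counter(f["severity"] for f in findings)


def gate(findings: list[dict], fail_on=("High",)) -> bool:
    """CI gate: True only when no finding at a blocking severity is present."""
    return not any(f["severity"] in fail_on for f in findings)


# Constructed sample mirroring the two rows of the CLI table above.
SAMPLE_SARIF = json.dumps({"version": "2.1.0", "runs": [{"results": [
    {"ruleId": "python.lang.security.sql-inj", "level": "error", "locations": [
        {"physicalLocation": {"artifactLocation": {"uri": "db.py"}, "region": {"startLine": 42}}}]},
    {"ruleId": "javascript.crypto.weak-hash", "level": "warning", "locations": [
        {"physicalLocation": {"artifactLocation": {"uri": "auth.js"}, "region": {"startLine": 15}}}]},
]}]})

if __name__ == "__main__":
    for f in load_findings(SAMPLE_SARIF):
        print(f"{f['severity']:<7} {f['rule']:<32} {f['file']}:{f['line']}")
    print("gate passed:", gate(load_findings(SAMPLE_SARIF)))
```

Replace `SAMPLE_SARIF` with the contents of `sast.sarif` and exit non-zero when `gate()` returns False to block a pipeline on High findings.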