Metadata-Version: 2.4
Name: sast
Version: 0.1.0
Summary: sast — free, fast static application security testing for CI/CD. Installs a self-contained SAST engine (17+ languages, taint tracking, secrets, IaC, SCA; HTML/JSON/SARIF) on first run.
Author: CQR Cybersecurity LLC
License: Proprietary
Project-URL: Homepage, https://insom.ai
Keywords: sast,security,static-analysis,sca,sarif,ci,devsecops
Classifier: Development Status :: 4 - Beta
Classifier: Environment :: Console
Classifier: Intended Audience :: Developers
Classifier: Topic :: Security
Classifier: Topic :: Software Development :: Quality Assurance
Classifier: Operating System :: OS Independent
Classifier: Programming Language :: Python :: 3
Requires-Python: >=3.8
Description-Content-Type: text/markdown
License-File: LICENSE
Dynamic: license-file

# sast

**Free, fast static application security testing for CI/CD.**

`sast` is a tiny launcher. Installing it is instant; the first time you run it,
it downloads a self-contained SAST engine binary that matches your operating
system, verifies its checksum, and caches it. Every run after that is native
speed with no Python dependencies.

```bash
pip install sast
sast .                 # scan the current directory
sast ./src --sarif report.sarif
sast --help            # full engine options
```

> Supports Linux, macOS and Windows (x86-64). On Apple Silicon the macOS
> binary runs under Rosetta.

## What it scans

- **SAST** across 17+ languages with taint tracking
- **Secrets** detection (entropy + vendor rule packs)
- **IaC / cloud misconfiguration** (Terraform, K8s, Docker, …)
- **SCA** — known-vulnerable dependencies
- Output as **HTML**, **JSON**, or **SARIF** (drops straight into GitHub code scanning)

## How it works

`pip install sast` lays down only a few KB of pure-Python launcher — **no
download happens at install time** (that keeps offline/CI installs reliable).
On first invocation the launcher:

1. Detects your OS → `linux` / `macos` / `windows`.
2. Fetches the manifest from `https://insom.ai/static/downloads/sast/manifest.json`.
3. Downloads the matching binary and verifies its `sha256` against the value
   in the manifest (when the manifest supplies one; see the manifest format below).
4. Caches it under your per-user cache directory and `exec`s it.

Because the engine lives on the server, new engine releases reach users
without republishing the pip package. The flip side is that the manifest and
binaries served from insom.ai are the trust anchor for the code that runs on
your machine: the `sha256` proves the binary matches the manifest, not that the
manifest is the one you reviewed. If CI needs a fixed, reviewable artifact, pin
with `SAST_UPDATE_INTERVAL=0` or serve your own manifest via `SAST_MANIFEST_URL`.

### Staying on the latest engine

After the first download the cached binary is reused for speed. At most once
per day (`SAST_UPDATE_INTERVAL`, default `86400` seconds) `sast` also asks
insom.ai whether a newer engine is published and, if so, upgrades itself
automatically. Update checks **fail open**: if you're offline or the server
is unreachable, the cached binary keeps working. (A first run with an empty
cache still has to reach the server; only subsequent update checks fail open.)
Set `SAST_UPDATE_INTERVAL=0` to pin the cached version, or run
`sast self-update` to force the latest at any time.

## Launcher commands

| Command             | What it does                                  |
|---------------------|-----------------------------------------------|
| `sast …`            | Forward all args to the SAST engine           |
| `sast self-update`  | Re-download the latest engine binary          |
| `sast self-version` | Show launcher + cached-engine versions        |
| `sast self-where`   | Print the cached binary path                  |

## Environment variables

| Variable                | Purpose                                                    |
|-------------------------|------------------------------------------------------------|
| `SAST_MANIFEST_URL`     | Override the manifest URL (staging / self-hosting)         |
| `SAST_CACHE_DIR`        | Override where the binary is cached                        |
| `SAST_UPDATE_INTERVAL`  | Seconds between auto-update checks (default `86400`; `0` disables) |

Default cache locations:

- **Linux:** `~/.cache/sast/bin`
- **macOS:** `~/Library/Application Support/sast/bin`
- **Windows:** `%LOCALAPPDATA%\sast\bin`

## Use in CI (GitHub Actions)

```yaml
- run: pip install sast
- run: sast . --sarif results.sarif --fail-on high
- uses: github/codeql-action/upload-sarif@v3
  with:
    sarif_file: results.sarif
```

`sast` exits non-zero when findings meet your `--fail-on` threshold, failing
the build.

## Server-side manifest format

The launcher expects this JSON at `SAST_MANIFEST_URL`:

```json
{
  "version": "2026.06.04-abc1234",
  "platforms": {
    "linux":   { "url": "sast-linux-x64",       "sha256": "<hex>" },
    "macos":   { "url": "sast-macos-x64",        "sha256": "<hex>" },
    "windows": { "url": "sast-windows-x64.exe",  "sha256": "<hex>" }
  }
}
```

`url` may be relative to the manifest URL or absolute. `sha256` is optional but
enforced when present: a mismatch aborts the run. If you self-host a manifest,
always include it; without a digest the only integrity check on the downloaded
binary is the TLS connection that fetched it.
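The fetch-and-verify flow from "How it works" and the manifest rules in this section, as an added example that is not the `sast` launcher's own code. The network is stubbed: the manifest and the "downloaded" binaries are constructed in memory so it runs offline. It also adds one hardening knob the launcher does not document, `require_digest` (an assumption), which refuses a manifest entry that has no `sha256` instead of skipping the check; `is_newer` assumes that any published version string different from the cached one counts as newer.

```python
"""Manifest-driven fetch-and-verify flow (added example, not the launcher's
own code). Network access is replaced by constructed in-memory data."""
import hashlib
import hmac
import platform
from urllib.parse import urljoin

# Constructed fake engine binaries standing in for the real downloads.
FAKE_BINARIES = {
    "sast-linux-x64": b"\x7fELF constructed fake linux engine",
    "sast-macos-x64": b"\xcf\xfa\xed\xfe constructed fake macos engine",
    "sast-windows-x64.exe": b"MZ constructed fake windows engine",
}

MANIFEST_URL = "https://insom.ai/static/downloads/sast/manifest.json"

# Constructed manifest in the documented schema. Digests are computed from the
# fake binaries above; the macos entry uses an absolute URL and the windows
# entry deliberately omits sha256 to exercise the "optional" rule.
MANIFEST = {
    "version": "2026.06.04-abc1234",
    "platforms": {
        "linux": {
            "url": "sast-linux-x64",
            "sha256": hashlib.sha256(FAKE_BINARIES["sast-linux-x64"]).hexdigest(),
        },
        "macos": {
            "url": "https://cdn.example.invalid/engine/sast-macos-x64",
            "sha256": hashlib.sha256(FAKE_BINARIES["sast-macos-x64"]).hexdigest(),
        },
        "windows": {"url": "sast-windows-x64.exe"},
    },
}


def detect_os(system=None):
    """Map platform.system() output to the manifest's platform keys."""
    system = system or platform.system()
    try:
        return {"Linux": "linux", "Darwin": "macos", "Windows": "windows"}[system]
    except KeyError:
        raise RuntimeError(f"unsupported platform: {system}") from None


def resolve_binary_url(manifest_url, entry):
    """Relative `url` values resolve against the manifest URL; absolute ones
    are left untouched. urljoin implements exactly that rule."""
    return urljoin(manifest_url, entry["url"])


def fake_fetch(url):
    """Stand-in for the HTTP download: serve the constructed fake binaries."""
    return FAKE_BINARIES[url.rsplit("/", 1)[-1]]


def verify_sha256(data, expected, require_digest=False):
    """Enforce the digest when the manifest carries one. `require_digest` is
    an added hardening option (assumption, not a documented launcher flag)."""
    if expected is None:
        if require_digest:
            raise ValueError("manifest entry has no sha256; refusing unverified binary")
        return False  # documented behaviour: optional, so nothing to enforce
    actual = hashlib.sha256(data).hexdigest()
    if not hmac.compare_digest(actual, expected.lower()):
        raise ValueError(f"sha256 mismatch: expected {expected}, got {actual}")
    return True


def select_and_verify(manifest, manifest_url, os_name, fetch, require_digest=False):
    """Steps 1-3 of the launcher flow: pick the platform entry, resolve and
    download the binary, verify it. Returns what a cache layer would record."""
    entry = manifest["platforms"][os_name]
    url = resolve_binary_url(manifest_url, entry)
    data = fetch(url)
    verified = verify_sha256(data, entry.get("sha256"), require_digest)
    return {"version": manifest["version"], "url": url, "size": len(data), "verified": verified}


def should_check_for_update(last_check, now, interval=86400):
    """Rate-limit the update check to once per interval; 0 disables it."""
    if interval <= 0:
        return False
    return now - last_check >= interval


def is_newer(manifest_version, cached_version):
    """Assumed rule: any published version different from the cache is newer
    (the sample versions are date-stamped, not semver)."""
    return cached_version is None or manifest_version != cached_version


if __name__ == "__main__":
    print(select_and_verify(MANIFEST, MANIFEST_URL, "linux", fake_fetch))
    print(select_and_verify(MANIFEST, MANIFEST_URL, "windows", fake_fetch))
```

Running the block shows the linux entry verified against its digest and the windows entry accepted with `verified: False`; passing `require_digest=True` for windows, or feeding `select_and_verify` a fetch function that returns tampered bytes for linux, raises `ValueError` before anything would be cached or executed.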

---

© CQR Cybersecurity LLC. The `sast` launcher is open source; the SAST engine
binary it downloads is proprietary. See <https://insom.ai>.
