{"id":7366,"library":"libsast","title":"libsast - Generic SAST Library","description":"libsast is a Python library providing generic Static Application Security Testing (SAST) capabilities, built upon Semgrep and regex patterns. It allows users to define custom rules and scan codebases for security vulnerabilities. The library is actively maintained with frequent patch and minor releases, with the current version being 3.1.6.","status":"active","version":"3.1.6","language":"en","source_language":"en","source_url":"https://github.com/ajinabraham/libsast","tags":["security","sast","static analysis","semgrep","code analysis"],"install":[{"cmd":"pip install libsast","lang":"bash","label":"Standard install"},{"cmd":"pip install libsast[semgrep]","lang":"bash","label":"Install with Semgrep support"}],"dependencies":[{"reason":"Required for Semgrep-based rules. Optional if only using regex patterns.","package":"semgrep","optional":true}],"imports":[{"symbol":"Scan","correct":"from libsast.core.scan import Scan"},{"symbol":"Rule","correct":"from libsast.core.rule import Rule"}],"quickstart":{"code":"import os\nimport tempfile\nimport shutil\nfrom libsast.core.scan import Scan\nfrom libsast.core.rule import Rule\n\n# Create a dummy directory and file for scanning\ntemp_dir = tempfile.mkdtemp()\ntemp_file_path = os.path.join(temp_dir, \"test_code.py\")\ntry:\n with open(temp_file_path, \"w\") as f:\n f.write(\"password = 'mysecretpassword'\\n\")\n f.write(\"API_KEY = 'YOUR_API_KEY_HERE'\\n\")\n f.write(\"def my_func():\\n print('Hello')\\n\")\n\n # Define a simple regex rule\n my_rule = Rule(\n rule_id=\"HARDCODED_SECRET\",\n description=\"Detects hardcoded sensitive keywords like 'password' or 'API_KEY'\",\n severity=\"high\",\n patterns=[\n {\"regex\": r\"(password\\s*=|API_KEY\\s*=)\", \"confidence\": \"high\", \"message\": \"Hardcoded secret found.\"}\n ],\n metadata={\n \"cwe\": \"CWE-798\",\n \"owasp\": \"A07:2021-Identification and Authentication Failures\"\n }\n )\n\n # Initialize the scanner\n # In environments like AWS Lambda or Celery, consider `multiprocessing_executor=\"thread\"` or \"billiard\"\n scanner = Scan(\n target=temp_dir, # Scan the entire directory\n rules=[my_rule],\n enable_default_rules=False, # Set to True to include libsast's built-in rules\n multiprocessing_executor=\"process\" # Options: \"process\", \"thread\", \"billiard\"\n )\n\n # Run the scan\n results = scanner.run()\n\n # Process results\n if results:\n print(f\"Found {len(results)} vulnerabilities:\")\n for result in results:\n print(f\"- Rule ID: {result.rule_id}\")\n print(f\" File: {result.file_path}\")\n print(f\" Line: {result.line_number}\")\n print(f\" Match: '{result.match_string}'\")\n if result.message:\n print(f\" Message: {result.message}\")\n else:\n print(\"No vulnerabilities found.\")\n\nfinally:\n # Clean up the temporary directory\n shutil.rmtree(temp_dir)","lang":"python","description":"This quickstart demonstrates how to define a custom regex rule and use `libsast` to scan a temporary file. It initializes `Scan` with a target directory and a list of rules, then runs the scan and prints any found vulnerabilities. It also highlights the option to switch multiprocessing executors for compatibility."},"warnings":[{"fix":"Initialize `Scan` with `multiprocessing_executor='thread'` or `multiprocessing_executor='billiard'` to use ThreadPoolExecutor or the billiard library, respectively. Example: `Scan(..., multiprocessing_executor='thread')`.","message":"Multiprocessing (ProcessPoolExecutor) can cause issues in serverless environments (e.g., AWS Lambda) or task queues (e.g., Celery, Django-Q).","severity":"gotcha","affected_versions":">=3.1.2"},{"fix":"Ensure `semgrep` is installed if you intend to use Semgrep rules. Install with `pip install libsast[semgrep]` or `pip install semgrep` separately.","message":"The `semgrep` dependency is now optional. If you use Semgrep-based rules without installing `semgrep`, you will encounter runtime errors.","severity":"gotcha","affected_versions":">=3.1.4"},{"fix":"If you developed custom integrations or rules relying directly on `PatternMatcher` or `ChoiceMatcher` internals, you may need to review and update your code. Standard rule definitions via `libsast.core.rule.Rule` should remain compatible.","message":"Internal APIs for `PatternMatcher` and `ChoiceMatcher` were updated.","severity":"breaking","affected_versions":"3.1.3"},{"fix":"Ensure your project environment uses a Python version within the supported range (e.g., Python 3.8, 3.9, 3.10, 3.11, 3.12).","message":"libsast requires Python 3.8 or newer, but is not compatible with Python 4.0 or higher.","severity":"gotcha","affected_versions":"<4.0, >=3.8"}],"env_vars":null,"last_verified":"2026-04-16T00:00:00.000Z","next_check":"2026-07-15T00:00:00.000Z","problems":[{"fix":"Install `libsast` with the `semgrep` extra: `pip install libsast[semgrep]` or install `semgrep` separately: `pip install semgrep`.","cause":"Attempting to use `libsast` with Semgrep-based rules without having the `semgrep` package installed.","error":"ModuleNotFoundError: No module named 'semgrep'"},{"fix":"When initializing `Scan`, specify a different multiprocessing executor: `scanner = Scan(..., multiprocessing_executor='thread')` or `scanner = Scan(..., multiprocessing_executor='billiard')`.","cause":"This error or similar multiprocessing-related issues often occur when using the default `ProcessPoolExecutor` in environments like AWS Lambda or Celery, which might not correctly handle process forking or serialization.","error":"TypeError: Cannot pickle '_thread.RLock' object"},{"fix":"Ensure the `patterns` argument in your `Rule` definition is a list of dictionaries, where each dictionary contains at least a `regex` or `semgrep` key. Example: `patterns=[{'regex': r'bad_pattern', 'confidence': 'high'}]`.","cause":"A custom `Rule` object was defined without a valid `patterns` list or with an incorrectly structured pattern within the list.","error":"libsast.exceptions.InvalidRuleError: Rule 'MY_CUSTOM_RULE' is missing required patterns."}]}