argus is a high-performance security scanner for detecting secrets and sensitive information. It utilizes Shannon entropy analysis and multi-pattern matching to identify both known and unknown credentials with high precision.
- Hybrid Engine: Combines Aho-Corasick keyword matching with Shannon entropy analysis.
- AST-Aware Analysis: Precise control-flow and scope resolution for JavaScript, Python, Go, Rust, and Java.
- Attack Surface Mapping: HTTP request tracing (`fetch`, `axios`, `curl`) to map application dependencies.
- Git Integration: Diff-only scanning (`--diff`) and baseline management for CI/CD workflows.
- Machine-Readable Output: Exports to JSON, NDJSON, SARIF, CSV, and JUnit XML.
Install from the repository root:

```sh
cargo install --path .
```

Usage:

```sh
argus -t <path_or_url> [OPTIONS]
```

Examples:

1. Entropy Scan
   ```sh
   argus -t ./src --entropy --threshold 4.8
   ```
2. Keyword Audit
   ```sh
   argus -t . -k API_KEY -k "Bearer "
   ```
3. CI/CD Pipeline (JUnit)
   ```sh
   argus -t . --entropy --output report.xml --output-format junit
   ```
4. Deep Security Audit
   ```sh
   argus -t . --deep-scan --flow-scan --request-trace
   ```

Output formats:

| Format | Flag | Description |
|---|---|---|
| Human | (default) | Styled terminal output with risk heatmaps. |
| JSON | `--json` | Pretty-printed JSON to stdout. |
| NDJSON | `--output-format ndjson` | Streamed newline-delimited JSON. |
| SARIF | `--output-format sarif` | Static Analysis Results Interchange Format. |
| CSV | `--output-format csv` | Comma-separated values for spreadsheet analysis. |
| JUnit | `--output-format junit` | XML report for CI/CD test integration. |
| Story | `--output-format story` | Markdown-based narrative report. |
When using --deep-scan, the following analysis modules are activated:
- Story Mode: Natural language explanation of match risk.
- Sink Provenance: Identifies data flow to Network (`fetch`), Disk (`fs.write`), or Log (`console.log`) sinks.
- Leak Velocity: Estimates exposure speed based on surrounding code context.
- Credential Shadowing: Detects placeholder shadowing (e.g., TODO replaced by real key).
- Lateral Linkage: Identifies identical tokens across disparate source files.
- Surface Tension: Measures code complexity surrounding secrets to filter test data.
- Protocol Drift: Flags insecure protocol downgrades (https to http).
- Auth Drift: Detects requests lacking authentication headers relative to siblings.
- Capability Inference: Infers endpoint risk level (e.g., `DELETE` implies destructive capability).
`--flow-scan` provides lightweight control-flow context for each match:
- Scope: Current function/class/block.
- Control: Nearest `if`, `while`, `return`.
- Distance: Byte distance to assignments or returns.
Note: For high-precision analysis, enable AST-based parsing at build time:
- JS/TS: `cargo build --features js-ast`
- Python: `cargo build --features py-ast`
- Go: `cargo build --features go-ast`
- Rust: `cargo build --features rust-ast`
- Java: `cargo build --features java-ast`

Combined feature sets:
- Language ASTs: `cargo build --features js-ast,py-ast,go-ast,rust-ast,java-ast`
- Syntax Highlighting: `cargo build --features highlighting`
| Category | Flag | Description |
|---|---|---|
| Core | `-t, --target <PATH>` | Target file, directory, or URL. |
| | `-k, --keyword <STR>` | Literal keyword search. |
| | `--entropy` | Enable Shannon entropy scanning. |
| Tuning | `--threshold <FLOAT>` | Entropy threshold (default: 4.5). |
| | `--diff` | Scan only lines added in git diff. |
| Output | `--output <PATH>` | Output path or directory. |
| | `--output-format <FMT>` | `single`, `ndjson`, `per-file`, `story`, `sarif`, `csv`, `junit`. |
| Analysis | `--deep-scan` | Enable heuristic analysis modules. |
| | `--flow-scan` | Enable control-flow context. |
| | `--request-trace` | Enable HTTP traffic analysis. |
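To show what the hybrid engine's two signals look like in practice, here is a minimal Shannon-entropy plus keyword scanner with the same 4.5 bits/char default threshold. This is an added illustration written for this README, not argus's own code; the `scan`/`shannon_entropy` functions, the 20-character minimum token length, the substring keyword matcher (standing in for Aho-Corasick) and the sample input are all assumptions constructed here.

```rust
use std::collections::HashMap;

/// Shannon entropy of `s` in bits per character (0.0 for the empty string).
pub fn shannon_entropy(s: &str) -> f64 {
    let n = s.chars().count() as f64;
    if n == 0.0 {
        return 0.0;
    }
    let mut counts: HashMap<char, f64> = HashMap::new();
    for c in s.chars() {
        *counts.entry(c).or_insert(0.0) += 1.0;
    }
    counts.values().map(|&k| { let p = k / n; -p * p.log2() }).sum()
}

/// Why a token was reported: its entropy in bits/char, or the literal keyword it matched.
#[derive(Debug, Clone, PartialEq)]
pub enum Reason { Entropy(f64), Keyword(String) }

/// One reported token with its 1-based line number.
#[derive(Debug, Clone, PartialEq)]
pub struct Finding { pub line: usize, pub token: String, pub reason: Reason }

/// Scan `text` line by line. A token (a run of base64/URL-safe characters) is reported when
/// it is at least `min_len` long and its entropy reaches `threshold`; a line is also reported
/// when it contains a literal `keywords` entry (plain substring search stands in for Aho-Corasick).
pub fn scan(text: &str, keywords: &[&str], threshold: f64, min_len: usize) -> Vec<Finding> {
    let mut out = Vec::new();
    for (i, line) in text.lines().enumerate() {
        for kw in keywords {
            if line.contains(*kw) {
                out.push(Finding { line: i + 1, token: line.trim().to_string(), reason: Reason::Keyword(kw.to_string()) });
            }
        }
        for tok in line.split(|c: char| !(c.is_ascii_alphanumeric() || "+/=_-".contains(c))) {
            let h = shannon_entropy(tok);
            if tok.len() >= min_len && h >= threshold {
                out.push(Finding { line: i + 1, token: tok.to_string(), reason: Reason::Entropy(h) });
            }
        }
    }
    out
}

/// Constructed sample input: a keyword hit, a 32-symbol token (entropy exactly 5.0 bits/char),
/// and a low-entropy decoy (about 3.3 bits/char) that the entropy pass must not flag.
pub const SAMPLE: &str = "API_KEY = \"not-a-real-key\"\nsecret = \"abcdefghijklmnopqrstuvwxyz012345\"\npassword = \"password123password123\"\n";

fn main() {
    for f in scan(SAMPLE, &["API_KEY", "Bearer "], 4.5, 20) {
        println!("line {}: {:?} -> {}", f.line, f.reason, f.token);
    }
}
```

Raising the threshold (as in the `--threshold 4.8` example above) keeps the 5.0-bit token but drops near-threshold hex or base64 fragments, which is the usual trade between recall and noise.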
Author: Seuriin (SSL-ACTX)
v1.1.0