22 releases (14 breaking)

Uses new Rust 2024

0.20.1 Feb 11, 2026
0.19.0 Feb 7, 2026

#585 in Database interfaces


Used in 4 crates

MIT/Apache

9.5MB
202K SLoC

Rust 130K SLoC // 0.0% comments
HCL 21K SLoC // 0.1% comments
Solidity 12K SLoC // 0.3% comments
Python 10K SLoC // 0.3% comments
Java 7K SLoC // 0.2% comments
JavaScript 5K SLoC // 0.1% comments
Go 5K SLoC // 0.1% comments
C# 2.5K SLoC // 0.1% comments
Ruby 2K SLoC // 0.3% comments
PHP 1.5K SLoC // 0.7% comments
VB6/VBA 1K SLoC // 0.0% comments
Scala 861 SLoC // 0.1% comments
TSX 672 SLoC // 0.2% comments
TypeScript 660 SLoC // 0.2% comments
Kotlin 538 SLoC // 0.1% comments
C 516 SLoC // 0.2% comments
JSX 494 SLoC // 0.2% comments
Mustache 234 SLoC // 0.0% comments
OCaml 178 SLoC // 0.2% comments
Clojure 140 SLoC
Ruby HTML 99 SLoC // 0.2% comments
Swift 88 SLoC // 0.3% comments
Pug 84 SLoC // 0.2% comments
BASH 75 SLoC // 0.5% comments
Elixir 37 SLoC // 0.4% comments
Razor 32 SLoC // 0.2% comments
Bicep 4 SLoC // 0.4% comments
Vue 3 SLoC

Qryon

Find security vulnerabilities in seconds, not minutes.


# Install in 10 seconds
npm install -g qryon

# Find vulnerabilities instantly
qryon scan .

[Screenshot: Qryon scanning a codebase and finding vulnerabilities]


Why Qryon?

Feature            Qryon             Semgrep OSS    CodeQL
Scan 1M lines      45s               8+ min         15+ min
Languages          28                30+            12
Setup              npm i -g qryon    Docker/pip     Complex
Rules              647+              2500+          Varies
Cross-file taint   Yes               Pro only       Yes
Single binary      Yes               No             No
Price              Free              Free/Paid      Free

Qryon is 10x faster because it compiles Semgrep rules to native Rust matchers at build time - no interpreter overhead.


Quick Start

# Scan your project
qryon scan .

# Interactive TUI - browse findings with vim keys
qryon scan . --interactive

# CI/CD mode - SARIF output for GitHub Security tab
qryon scan . --output sarif -f results.sarif

# Watch mode - re-scan on file changes
qryon watch .

# AI-powered finding triage (triages static findings with AI)
export ANTHROPIC_API_KEY=sk-ant-...
qryon scan . --ai

# Use OpenAI instead
export OPENAI_API_KEY=sk-...
qryon scan . --ai --ai-provider openai

# Use local Ollama (free, no API key)
qryon scan . --ai --ai-provider local

More installation methods

Homebrew (macOS/Linux):

brew tap bumahkib7/tap && brew install qryon

Cargo (Rust):

cargo install qryon

Docker:

docker run -v $(pwd):/workspace ghcr.io/bumahkib7/qryon scan /workspace

Shell Script:

curl -fsSL https://raw.githubusercontent.com/bumahkib7/qryon/master/install.sh | bash

GitHub Actions:

- uses: bumahkib7/qryon@v0.19.1
  with:
    path: '.'
    upload-sarif: true

What It Finds

critical[QRYON-S005]: SQL query built with format! - use parameterized queries
  --> src/database.rs:42:9
40 │ let user_input = get_input();
41 │
42 │ format!(
   │ ^^^^^^^^ SQL query built from untrusted input
43 │     "SELECT * FROM users WHERE name = '{}'",
44 │     user_input
   = note: rule: rust/sql-injection
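
The finding above in working code. This is an added example, not Qryon's own code or rule implementation: the flagged `format!` pattern kept vulnerable on purpose, the parameterized form a reviewer would ask for, and a token-level approximation of the `rust/sql-injection` check that finds a `format!(` whose first argument is a SQL string literal, even when that literal sits on the following line as in the report. The function names, the keyword list and the hostile input are all constructed for illustration; a real rule works on the tree-sitter AST and tracks taint rather than scanning tokens.

```rust
// Added example, not Qryon's own code: the reported pattern, its parameterized
// replacement, and a simplified stand-in for the rule that flags it.

/// The flagged pattern, kept vulnerable on purpose: untrusted input is pasted into
/// the statement text, so it can change the statement's structure.
pub fn build_query_vulnerable(user_input: &str) -> String {
    format!("SELECT * FROM users WHERE name = '{}'", user_input)
}

/// The fix: the SQL text is a constant with a placeholder and the untrusted value
/// travels separately as a bind parameter. (`$1` is Postgres-style; other drivers
/// use `?`.) The driver never re-parses a bound parameter as SQL.
pub fn build_query_parameterized(user_input: &str) -> (&'static str, Vec<String>) {
    ("SELECT * FROM users WHERE name = $1", vec![user_input.to_string()])
}

/// Simplified detector: return the 1-based line numbers of every `format!(` whose
/// first argument is a string literal beginning with a SQL keyword. Whitespace and
/// line breaks between `format!(` and the literal are skipped, so the multi-line
/// shape shown in the finding above is caught. Demonstration only, not an AST rule.
pub fn flag_format_sql(source: &str) -> Vec<usize> {
    const KEYWORDS: [&str; 5] = ["SELECT", "INSERT", "UPDATE", "DELETE", "DROP"];
    let mut hits = Vec::new();
    let mut from = 0;
    while let Some(rel) = source[from..].find("format!(") {
        let at = from + rel;
        let after = at + "format!(".len();
        if let Some(lit) = source[after..].trim_start().strip_prefix('"') {
            // Compare only the first six characters, enough for the longest keyword.
            let head = lit.chars().take(6).collect::<String>().to_ascii_uppercase();
            if KEYWORDS.iter().any(|k| head.starts_with(*k)) {
                hits.push(source[..at].matches('\n').count() + 1);
            }
        }
        from = after;
    }
    hits
}

fn main() {
    // Constructed input that closes the quoted value early in the vulnerable form.
    let hostile = "' OR '1'='1";
    println!("{}", build_query_vulnerable(hostile));
    let (sql, params) = build_query_parameterized(hostile);
    println!("{sql}  params={params:?}");
}
```

Running it prints the vulnerable statement with its `WHERE` clause rewritten by the input, followed by the parameterized statement whose text is unchanged and whose value is carried out of band; that difference is the whole reason the rule prefers bind parameters over interpolation.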

Security Detection

  • Injection attacks - SQL, command, XSS, LDAP, template injection
  • Server-side vulnerabilities - SSRF, path traversal, deserialization
  • Hardcoded secrets - API keys, passwords, tokens
  • Cryptographic issues - Weak algorithms (MD5, SHA-1, DES), insecure modes
  • Dependency CVEs - Real-time OSV.dev integration for Cargo, npm, PyPI, Go, Maven

Supported Languages

Language                 Security Rules               Frameworks
Rust                     unsafe, injection, crypto    Actix, Axum, Rocket
JavaScript/TypeScript    XSS, injection, secrets      Express, React, Next.js
Python                   exec, injection, secrets     Django, Flask, FastAPI
Go                       unsafe, SQL injection        Gin, Echo, GORM
Java                     injection, crypto, deser     Spring, Jakarta

Plus 23 more languages with parsing and metrics support.


Interactive TUI

Browse findings, call graphs, and taint flows with keyboard navigation:

qryon scan . --interactive

[Screenshot: Interactive TUI showing findings]

Keyboard shortcuts: j/k navigate, Tab switch tabs, s filter severity, / search, q quit


GitHub Actions

name: Security Scan
on: [push, pull_request]

jobs:
  scan:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write

    steps:
      - uses: actions/checkout@v4
      - uses: bumahkib7/qryon@v0.19.1
        with:
          path: '.'
          upload-sarif: true

Findings appear in the GitHub Security tab automatically.


Qryon Dashboard - Team Features

Love the CLI? Qryon Dashboard adds powerful team features:

Feature                   CLI    Dashboard
Scan & detect             Yes    Yes
Historical trends         -      Yes
AI-powered explanations   -      Yes
Auto-fix suggestions      -      Yes
Team collaboration        -      Yes
Baseline diffs            -      Yes
PR integration            -      Yes
RBAC & audit logs         -      Yes

Try Qryon Dashboard free →


Advanced Features

Cross-File Taint Tracking

Track data flows across file and function boundaries:

qryon flows . --evidence --group-by sink-type

  • Forward taint propagation
  • Path-sensitive analysis
  • Sanitizer recognition
  • Symbolic path conditions
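
What forward taint propagation across function boundaries with sanitizer recognition means in practice, as an added example that is not Qryon's own analysis code: a minimal interprocedural taint pass over a constructed two-function program. The IR (`Stmt`, `Func`, `Program`), the function and variable names and the evidence messages are all illustrative. A handler reads untrusted input, hands it to a helper that builds and runs a query (the helper stands in for code in another file), then echoes the helper's result into HTML; a sanitized copy of the same input takes the same route and must not be reported. The pass recurses into callees with the caller's view of the argument, returns whether the callee's result is tainted, and records the evidence path for every sink it reaches, which is the kind of output `--evidence` groups by sink type.

```rust
// Added example, not Qryon's own code: interprocedural forward taint propagation
// with sanitizer recognition over a tiny constructed IR. All names are illustrative.
use std::collections::{HashMap, HashSet};

/// One statement of the IR. Every field is a Copy label so `match *stmt` works.
#[derive(Clone, Copy, Debug)]
pub enum Stmt {
    Source(&'static str),                           // x = read_untrusted()
    Assign(&'static str, &'static str),             // x = y
    Sanitize(&'static str, &'static str),           // x = escape(y), a recognised sanitizer
    Call(&'static str, &'static str, &'static str), // x = callee(arg)
    Sink(&'static str, &'static str),               // sink_kind(x)
    Return(&'static str),                           // return x
}

pub struct Func { pub name: &'static str, pub param: &'static str, pub body: Vec<Stmt> }
pub type Program = HashMap<&'static str, Func>;

/// A tainted value reaching a sink, with the evidence path that carried it there.
#[derive(Debug, PartialEq)]
pub struct Finding { pub sink: &'static str, pub func: &'static str, pub path: Vec<String> }

/// Propagate taint forward through one function. `param_tainted` is the caller's view
/// of the argument; the return value says whether the callee's result is tainted.
fn analyse(prog: &Program, name: &str, param_tainted: bool, trail: &mut Vec<String>,
           depth: usize, out: &mut Vec<Finding>) -> bool {
    // Unknown callee (external code) or runaway recursion: assume taint passes through.
    let f = match prog.get(name) {
        Some(f) if depth < 16 => f,
        _ => return param_tainted,
    };
    let mut tainted: HashSet<&'static str> = HashSet::new();
    if param_tainted {
        tainted.insert(f.param);
        trail.push(format!("{}: param {} is tainted", f.name, f.param));
    }
    let mut ret_tainted = false;
    for stmt in &f.body {
        match *stmt {
            Stmt::Source(x) => {
                tainted.insert(x);
                trail.push(format!("{}: {} <- untrusted source", f.name, x));
            }
            Stmt::Assign(x, y) => if tainted.contains(y) {
                tainted.insert(x);
                trail.push(format!("{}: {} <- {}", f.name, x, y));
            } else {
                tainted.remove(x);
            }
            // Sanitizer recognition: the result is clean whatever the input was.
            Stmt::Sanitize(x, _) => { tainted.remove(x); }
            Stmt::Call(x, callee, arg) => {
                let mark = trail.len();
                if analyse(prog, callee, tainted.contains(arg), trail, depth + 1, out) {
                    tainted.insert(x);
                    trail.push(format!("{}: {} <- return of {}", f.name, x, callee));
                } else {
                    tainted.remove(x);
                    trail.truncate(mark); // nothing from the callee reaches this point
                }
            }
            Stmt::Sink(kind, x) if tainted.contains(x) => {
                out.push(Finding { sink: kind, func: f.name, path: trail.clone() });
            }
            Stmt::Sink(..) => {}
            Stmt::Return(x) => ret_tainted = tainted.contains(x),
        }
    }
    ret_tainted
}

/// Run the analysis from an entry point whose own parameter is trusted.
pub fn find_flows(prog: &Program, entry: &str) -> Vec<Finding> {
    let (mut out, mut trail) = (Vec::new(), Vec::new());
    analyse(prog, entry, false, &mut trail, 0, &mut out);
    out
}

/// Constructed program: a handler reads untrusted input, passes it to a helper (think:
/// another file) that builds and runs a query, and echoes the helper's result into HTML.
/// A sanitized copy of the same input takes the same route and must not be reported.
pub fn sample_program() -> Program {
    let mut prog = Program::new();
    prog.insert("handle_request", Func { name: "handle_request", param: "_req", body: vec![
        Stmt::Source("name"), Stmt::Call("r1", "lookup_user", "name"),
        Stmt::Sanitize("clean", "name"), Stmt::Call("r2", "lookup_user", "clean"),
        Stmt::Sink("html", "r1"), Stmt::Sink("html", "r2"),
    ]});
    prog.insert("lookup_user", Func { name: "lookup_user", param: "p", body: vec![
        Stmt::Assign("stmt", "p"), Stmt::Sink("sql", "stmt"), Stmt::Return("stmt"),
    ]});
    prog
}

fn main() {
    for f in find_flows(&sample_program(), "handle_request") {
        println!("{} sink in {}:\n  {}", f.sink, f.func, f.path.join("\n  "));
    }
}
```

Two flows are reported: the `sql` sink inside `lookup_user` reached through the first call, and the `html` sink in `handle_request` reached through that call's tainted return value. The second call carries the sanitized copy, so its sink is silent and its evidence is discarded. Real tools add path sensitivity and symbolic conditions on top of this skeleton; the interprocedural recursion and the sanitizer rule are the part that needs no more machinery than shown.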

Dependency Vulnerability Scanning

Integrated with OSV.dev for real-time CVE detection:

qryon security .

Supports: Cargo, npm, PyPI, Go modules, Maven

HTTP API (Daemon Mode)

qryon daemon --port 9876

REST API + WebSocket for IDE integration.

IDE Integrations

  • VS Code - Real-time diagnostics
  • Neovim - Native plugin
  • JetBrains - IntelliJ, WebStorm, PyCharm

WASM Plugins

Extend with custom analysis rules:

qryon plugin install ./my-plugin.wasm

How It Works

Qryon compiles Semgrep community rules at build time into optimized native matchers:

┌─────────────────────────────────────────────────────────┐
│                     BUILD TIME                          │
│  semgrep-rules/*.yaml  →  build.rs  →  compiled_rules  │
│                                           (embedded)    │
└─────────────────────────────────────────────────────────┘
                            ↓
┌─────────────────────────────────────────────────────────┐
│                      RUNTIME                            │
│  source.rs  →  tree-sitter  →  AST  →  pattern match  │
│                                               ↓         │
│                                           Findings      │
└─────────────────────────────────────────────────────────┘

Result: No interpreter overhead. No Semgrep dependency. Single binary.


Configuration

qryon init  # Creates qryon.toml

[scan]
include = ["src/**"]
exclude = ["node_modules/**", "target/**"]

[rules]
enable = ["*"]
disable = ["js/console-log"]

[profiles.strict]
max_function_lines = 50
max_complexity = 10

Inline suppression:

// qryon-ignore-next-line js/xss-sink reason="content is sanitized"
element.textContent = processedContent;

Benchmarks

hyperfine 'qryon scan /path/to/repo' 'semgrep --config auto /path/to/repo'

On a 500K LOC monorepo:

  • Qryon: 23 seconds
  • Semgrep: 4 minutes 12 seconds

Contributing

Contributions welcome! See CONTRIBUTING.md.

make build    # Build all crates
make test     # Run tests
make lint     # Run lints

License

MIT or Apache-2.0, at your option.



Made with Rust


lib.rs:

Code analysis and security scanning for Qryon

This crate provides metrics computation, vulnerability detection, and pattern-based analysis on parsed ASTs.

NOTE: This crate DETECTS security vulnerabilities - it does not contain them. The security rules detect dangerous patterns like unsafe code, code injection, etc.

Modules

  • flow: Control flow and data flow analysis (CFG, taint tracking)
  • knowledge: Framework-specific security knowledge base
  • metrics: Code metrics computation (complexity, LOC, etc.)
  • providers: External analysis tool integrations (PMD, Oxlint, etc.)
  • rules: Analysis rule trait and implementations
  • security: Security rules organized by language
  • semantics: Language adapter layer for tree-sitter AST mapping

Dependencies

~379MB
~11M SLoC