sastai v1.0.3
Free AI-powered SAST + SCA + secret scanning CLI for npm/Node and any codebase — AST taint analysis across 16 languages, dependency CVEs, secrets with live key validation, IaC & malware detection, SARIF for CI/CD. The npm twin of the `sast` PyPI package.
Keywords: SAST, static analysis, security scanner, vulnerability scanner, SCA, software composition analysis, secret scanning, secret detection, taint analysis, SARIF, DevSecOps, AppSec, CI/CD security, code scanning, npm audit alternative, Semgrep alternative, Snyk alternative, dependency CVE scanner, IaC scanning.
Install
```sh
npm install -g sastai
# or, if your global npm prefix is root-owned:
sudo npm install -g sastai
```

```sh
sastai .                      # scan the current directory
sastai ./src --fail-on high   # gate CI on high+ findings
npx sastai .                  # no global install
```

On first use, sastai detects your OS + CPU architecture (Windows / Linux / macOS, x64 & arm64), downloads the matching native engine from insom.ai, verifies it with SHA-256, caches it under ~/.insom/engine, and auto-updates once a day. All arguments pass straight through to the engine — the same engine as the sast package on PyPI, the Docker image, the IDE plugins, and the CI Action.
What it scans
A single self-contained engine — no external tools shelled out (no Semgrep / Trivy / Bandit):
- Code vulnerabilities — native AST + cross-file taint across 16 languages (JavaScript, TypeScript, Python, Java, Go, Ruby, PHP, C, C++, C#, Rust, Kotlin, Scala, Swift, Lua, Shell): SQL injection, command injection, SSRF, XSS, path traversal, insecure deserialization.
- Secrets & API keys — 230+ vendor rule packs with live key validation (is the leaked key still active?).
- Vulnerable dependencies (SCA) — CVE matching across npm, pip, Maven, Go, Composer, Cargo (an `npm audit` superset).
- Vulnerable JS libraries — RetireJS-style detection of bundled jQuery / AngularJS / lodash / Bootstrap with known CVEs.
- CMS vulnerabilities — WordPress / Joomla / Drupal / Magento plugins, themes & core (~24,000 advisories).
- Web shells & malware — c99 / r57 / WSO / China Chopper signatures, obfuscated payloads, reverse shells.
- IaC misconfiguration — Terraform, Kubernetes, Docker, CloudFormation.
- Output: HTML, JSON, TXT, SARIF 2.1.0 (drops straight into GitHub code scanning), CI gating via `--fail-on`.
Commands
| Command | Description |
|---|---|
| sastai . | Scan the current directory |
| sastai <path> | Scan a specific path |
| sastai <git-url> | Clone + scan a remote repo (no manual clone) |
| sastai . -f sarif -o out | Write a SARIF report into ./out |
| sastai . --fail-on high | Exit non-zero on high+ findings (CI gating) |
| sastai --version | Print the engine version |
| sastai help | Show launcher help |
Use in CI (GitHub Actions)
```yaml
- run: npm install -g sastai
- run: sastai . -f sarif -o out --fail-on high
- uses: github/codeql-action/upload-sarif@v3
  with: { sarif_file: out }
```

Note that `--fail-on high` makes the scan step exit non-zero when it finds something, and GitHub Actions then skips the remaining steps of the job; give the upload step `if: always()` if the SARIF should reach code scanning on failing scans as well.

Also available as
- pip: `pip install sast` (PyPI)
- Homebrew: `brew tap vulnz/sast && brew install sast`
- Docker: `docker run --rm -v "$PWD:/src" dominators/sast /src --fail-on high` (Docker Hub · GHCR)
- VS Code / JetBrains / GitHub Action: insom.ai/en/plugin · SDLC pipeline

`sastai` is the npm twin of `sast` on PyPI — `sastai .` and `sast .` run the identical engine and flags.
License
UNLICENSED — proprietary. © CQR Cybersecurity LLC / insom.ai.
