CodeRecon - Opengrep/Semgrep Rules
A static-analysis ruleset for Opengrep/Semgrep that surfaces what a codebase actually does: network, database, filesystem, crypto, auth, web, and AI usage, to support visibility, threat modeling, and security testing.
Knowing what software you’re running and what it does is essential to the software & security engineering process.
Before you can threat-model or pentest a codebase, you have to know what it touches. CodeRecon is a static-analysis ruleset for Opengrep / Semgrep that reads a project and reports on its security-relevant behavior: the capabilities that define its attack surface.
What it detects
The rules surface where and how a codebase uses:
- network calls and databases
- the file system and command-line execution
- cryptography, authentication, and authorization
- web frameworks and AI integrations
The result is fast visibility into what an application can actually do: a map from which to drive threat modeling and penetration / security testing.
Usage
Point Opengrep at the ruleset and emit JSON or SARIF:
opengrep --config=js-ts/ --json --output=results.json /path/to/project
opengrep --config=js-ts/ --sarif --output=results.sarif /path/to/project
Pairs naturally with Opengrep Action to run the same recon in CI.
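The JSON emitted above is only useful once it is folded into the capability map the project describes. This added example (not CodeRecon's own code) does that folding: it assumes the Semgrep-compatible result shape (a top-level "results" list with "check_id", "path" and "start"), a hypothetical rule-id convention of <lang>.<capability>.<name>, and the constructed sample findings embedded below.

```python
"""Fold Opengrep/Semgrep JSON findings into a per-capability map.

Added example, not part of CodeRecon. Assumes the Semgrep-compatible JSON
shape and a hypothetical rule-id convention of <lang>.<capability>.<name>.
"""
import json
from collections import defaultdict

# Constructed sample of what `opengrep --json` might emit; the rule ids,
# paths and messages are made up for illustration.
SAMPLE_JSON = json.dumps({
    "results": [
        {"check_id": "js-ts.network.fetch-call", "path": "src/api.ts",
         "start": {"line": 12}, "extra": {"message": "outbound HTTP via fetch"}},
        {"check_id": "js-ts.network.axios-call", "path": "src/api.ts",
         "start": {"line": 30}, "extra": {"message": "outbound HTTP via axios"}},
        {"check_id": "js-ts.database.pg-query", "path": "src/db.ts",
         "start": {"line": 8}, "extra": {"message": "SQL query via pg"}},
        {"check_id": "js-ts.exec.child-process", "path": "src/tools.ts",
         "start": {"line": 4}, "extra": {"message": "spawns a subprocess"}},
        {"check_id": "js-ts.crypto.weak-hash", "path": "src/auth.ts",
         "start": {"line": 21}, "extra": {"message": "MD5 in use"}},
    ],
    "errors": [],
})


def capability_of(check_id: str) -> str:
    """The second dotted segment of the rule id names the capability bucket."""
    parts = check_id.split(".")
    return parts[1] if len(parts) >= 2 else "unknown"


def build_capability_map(results_json: str) -> dict:
    """Return {capability: {"count": n, "files": [...], "rules": [...]}}."""
    data = json.loads(results_json)
    buckets = defaultdict(lambda: {"count": 0, "files": set(), "rules": set()})
    for finding in data.get("results", []):
        bucket = buckets[capability_of(finding["check_id"])]
        bucket["count"] += 1
        bucket["files"].add(finding["path"])
        bucket["rules"].add(finding["check_id"])
    # Sorted lists keep the map deterministic and JSON-serialisable.
    return {cap: {"count": b["count"], "files": sorted(b["files"]),
                  "rules": sorted(b["rules"])}
            for cap, b in sorted(buckets.items())}


if __name__ == "__main__":
    print(json.dumps(build_capability_map(SAMPLE_JSON), indent=2))
```

Swap SAMPLE_JSON for the contents of results.json to get the same summary for a real scan.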
Language support
JavaScript / TypeScript today, with Java, Python, C#, Go, Rust, C++, and PHP planned. Apache-2.0 licensed; see the repository for the current rule catalog.