Our inspiration comes from the fact that many static analyzers are not used by open source programmers because they are hard to set up and often require significant changes to the code. To bridge this gap and bring a stronger sense of security to open source projects, we built RepoDoctor. With RepoDoctor you can check repositories for a myriad of common vulnerabilities and get the findings delivered responsibly and privately to your inbox - all for free.

What it does

Under the hood, RepoDoctor is a GUI front end for running Pysa. It shallow-clones the given repository, sets up an environment for Pysa, builds type information with pyre-check, and feeds that information into Pysa, which then detects vulnerabilities in the project. Currently it can only detect vulnerabilities in Python projects (both statically and non-statically typed), but we plan to expand the list of languages using similar tools.

How we built it

The app is built around Pysa, virtual environments, and Flask. Pysa runs in a separate process on a background thread so that the main application can continue to serve users. We used the flask_executor library to achieve this process independence and Python's built-in SMTP client to send emails.

Challenges we ran into

Confining and efficiently running a static analysis tool in any environment is a difficult task. We went a step further and scaled the app carefully so that running the tool doesn't hinder other users or introduce a server bottleneck. Further, Pysa has been configured to run with minimal memory utilization and few worker threads when load is high, and to scale up when load is lower. This gives us the freedom to play around with things a bit and deliver a responsible and fast app to the user.
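The background-scan pipeline described in the two sections above (a bounded worker pool, Pysa's JSON-lines results, and a private e-mail digest), as an added standard-library sketch that is not RepoDoctor's own code. It replaces the Flask/flask_executor layer with a plain ThreadPoolExecutor, uses a constructed taint-output sample, and assumes the issue-record fields (code, callable, filename, line, message) Pysa writes to taint-output.json.

```python
import json
from concurrent.futures import ThreadPoolExecutor
from email.message import EmailMessage

# Constructed sample in the shape of Pysa's taint-output.json: one JSON object per
# line, "kind": "issue" for findings. Field names are assumed; real output has more.
SAMPLE_TAINT_OUTPUT = "\n".join([
    json.dumps({"kind": "model", "data": {"callable": "app.index"}}),
    json.dumps({"kind": "issue", "data": {"code": 5001, "callable": "app.run_cmd",
        "filename": "app.py", "line": 12,
        "message": "Possible shell injection [5001]: user-controlled data reaches a RemoteCodeExecution sink"}}),
    json.dumps({"kind": "issue", "data": {"code": 5005, "callable": "app.query",
        "filename": "db.py", "line": 40,
        "message": "User controlled data to SQL execution [5005]"}}),
])

def parse_issues(taint_output):
    """Return the findings in Pysa's JSON-lines output, skipping model records."""
    issues = []
    for line in taint_output.splitlines():
        if not line.strip():
            continue
        record = json.loads(line)
        if record.get("kind") == "issue":
            d = record["data"]
            issues.append((d["code"], d["filename"], d["line"], d["callable"], d["message"]))
    return issues

def build_report(repo_url, recipient, issues):
    """Compose the report e-mail; findings go only to the submitter's address."""
    msg = EmailMessage()
    msg["Subject"] = f"RepoDoctor: {len(issues)} finding(s) for {repo_url}"
    msg["To"] = recipient
    body = [f"{code} {fn}:{ln} in {fun}\n  {text}" for code, fn, ln, fun, text in issues]
    msg.set_content("\n".join(body) or "No issues found.")
    return msg

# Pysa is slow, so scans run off the request thread; max_workers bounds how many
# scans compete for CPU and memory at once (the "scale carefully" point above).
executor = ThreadPoolExecutor(max_workers=2)

def scan_job(repo_url, recipient, run_pysa=lambda url: SAMPLE_TAINT_OUTPUT):
    """One background job; run_pysa stands in for the real clone + pyre analyze step."""
    return build_report(repo_url, recipient, parse_issues(run_pysa(repo_url)))

def submit_scan(repo_url, recipient):
    """Queue a scan and return a Future; the web handler returns immediately."""
    return executor.submit(scan_job, repo_url, recipient)
```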

What we learned

Through this hackathon, we learned more about multithreading and multiprocessing. We were also proud to learn more about Pysa, static analysis, and security in general.

What's next for RepoDoctor

We would like to add support for more languages and serve the broad open source communities out there. Another improvement would be to provide the user with recurring jobs so that we could mail them results after each commit or PR in the repository.
