One static analysis tool to rule them all.

• Added support for Snyk
• GitHub OAuth
• Settings GUI w/ admin-only access control
• Re-designed burn submission process searches repositories via GitHub API
• lots of UI tweaks/improvements

Codeburner is a tool to help security (and dev!) teams manage the chaos of static code analysis. Sure, you can fire off a bunch of scripts at the end of every CI build... but what do you actually DO with all those results?

Codeburner uses the OWASP Glue project to run multiple open source and commercial static analysis tools against your code, and provides a unified (and we think rather attractive) interface to sort and act on the issues it finds.

• Asynchronous scanning (via sidekiq) that scales
• Advanced false positive filtering
• Publish issues via GitHub or JIRA
• Track statistics and graph security trends in your applications
• Integrates with a variety of open source and commercial scanning tools
• Full REST API for extension and integration with other tools, CI processes, etc.

• Brakeman
• Bundler-Audit
• Checkmarx**
• Dawnscanner
• FindSecurityBugs
• NodeSecurityProject
• PMD
• Retire.js
• Snyk

** commercial license required

You can find full documentation for Codeburner at http://groupon.github.io/codeburner

See our Quick Start Guide if you want to try out Codeburner as quickly as possible using Docker Compose.

See our Installation Guide for complete manual install instructions.

The User Guide will give you an overview of how to use Codeburner once you have things up and running.

If you'd like to contribute, fork us on GitHub and check out the Developer Guide.