Ragex.Analysis.Security (Ragex v0.8.0)

View Source

Security vulnerability analysis using Metastatic.

Detects security vulnerabilities including:

  • Injection attacks (SQL, command, code injection)
  • Unsafe deserialization (eval, exec, pickle.loads)
  • Hardcoded secrets (API keys, passwords)
  • Weak cryptography (MD5, SHA1, DES)
  • Insecure protocols (HTTP URLs)

Usage

alias Ragex.Analysis.Security

# Analyze single file
{:ok, result} = Security.analyze_file("lib/my_module.ex")

# Check for vulnerabilities
result.has_vulnerabilities?  # => true/false
result.total_vulnerabilities # => 3
result.critical_count        # => 1

# Analyze directory
{:ok, results} = Security.analyze_directory("lib/")

# Generate audit report
report = Security.audit_report(results)

Summary

Types

analysis_result()
vulnerability()

Functions

analyze_directory(path, opts \\ [])

Analyzes all files in a directory for security vulnerabilities.

analyze_file(path, opts \\ [])

Analyzes a single file for security vulnerabilities.

audit_report(results)

Generates a comprehensive security audit report.

scan_directory(path, opts \\ [])

Scans a directory for security vulnerabilities.

Types

analysis_result()

@type analysis_result() :: %{
  file: String.t(),
  language: atom(),
  vulnerabilities: [vulnerability()],
  has_vulnerabilities?: boolean(),
  total_vulnerabilities: non_neg_integer(),
  critical_count: non_neg_integer(),
  high_count: non_neg_integer(),
  medium_count: non_neg_integer(),
  low_count: non_neg_integer(),
  timestamp: DateTime.t()
}

vulnerability()

@type vulnerability() :: %{
  category: atom(),
  severity: :critical | :high | :medium | :low,
  description: String.t(),
  recommendation: String.t(),
  cwe: non_neg_integer() | nil,
  context: map(),
  file: String.t(),
  language: atom()
}

Functions

analyze_directory(path, opts \\ [])

@spec analyze_directory(
  String.t(),
  keyword()
) :: {:ok, [analysis_result()]} | {:error, term()}

Analyzes all files in a directory for security vulnerabilities.

Options

  • :recursive - Recursively analyze subdirectories (default: true)
  • :parallel - Use parallel processing (default: true)
  • :max_concurrency - Maximum concurrent analyses (default: System.schedulers_online())
  • Plus all options from analyze_file/2

Examples

{:ok, results} = Security.analyze_directory("lib/")
total_vulns = Enum.sum(Enum.map(results, & &1.total_vulnerabilities))

analyze_file(path, opts \\ [])

@spec analyze_file(
  String.t(),
  keyword()
) :: {:ok, analysis_result()} | {:error, term()}

Analyzes a single file for security vulnerabilities.

Options

  • :categories - List of vulnerability categories to check (default: all)
  • :min_severity - Minimum severity to report (default: :low)
  • :language - Explicit language (default: auto-detect)

Examples

{:ok, result} = Security.analyze_file("lib/my_module.ex")
result.has_vulnerabilities?  # => false

audit_report(results)

@spec audit_report([analysis_result()]) :: map()

Generates a comprehensive security audit report.

Returns a formatted map with:

  • Summary statistics
  • Vulnerabilities grouped by severity
  • Vulnerabilities grouped by category
  • Recommendations

Examples

{:ok, results} = Security.analyze_directory("lib/")
report = Security.audit_report(results)
IO.puts(report.summary)

scan_directory(path, opts \\ [])

@spec scan_directory(
  String.t(),
  keyword()
) :: {:ok, [analysis_result()]} | {:error, term()}

Scans a directory for security vulnerabilities.

Alias for analyze_directory/2. Provided for API consistency.

Examples

{:ok, results} = Security.scan_directory("lib/", severity: [:high, :critical])