Vectra Guard’s security scanner identifies risky code patterns, unsafe function calls, and deployment misconfigurations across Go, Python, C, and configuration files. It helps prevent common vulnerabilities like command injection, buffer overflows, and exposed control panels.
Quick Start # Scan all supported languages vg scan-security --path . # Scan specific languages vg scan-security --path . --languages go,python # Include config files (YAML/JSON) vg scan-security --path . --languages go,python,c,config
The scan-security command exits with code 2 when security issues are detected, making it ideal for CI/CD enforcement.
Language Support Vectra Guard scans code in multiple languages:
Language File Extensions Default Go .go✅ Yes Python .py✅ Yes C .c, .h✅ Yes Config .yaml, .yml, .json❌ No (must specify)
Default languages : If you don’t specify --languages, the scanner checks Go, Python, and C only.Include config files :vg scan-security --path . --languages go,python,c,config
What’s Detected Command Execution Risks Detects unsafe command execution patterns that could lead to command injection:
Go: // GO_EXEC_COMMAND (high) exec . Command ( "sh" , "-c" , userInput ) // Validate inputs! // GO_DANGEROUS_SHELL (critical) exec . Command ( "sh" , "-c" , "rm -rf /" ) // Dangerous pattern!
Python: # PY_SUBPROCESS (medium) import subprocess subprocess.call(user_input, shell = True ) # Validate! # PY_EVAL / PY_EXEC (high) eval (user_code) // Never use with untrusted input
C: // C_SHELL_EXEC (high) system (user_command); // Unsafe with untrusted input // C_SHELL_EXEC (high) popen ( "ls -la" , "r" ); // Validate inputs
Network and HTTP Risks Flags external HTTP requests and network operations:
Go: // GO_NET_HTTP (medium) import " net/http " // Ensure auth and sanitization // GO_EXTERNAL_HTTP (medium) http . Get ( "https://api.example.com" ) // SSRF risk with user input
Python: # PY_REMOTE_HTTP (medium) import requests requests.get(user_url) # Validate URLs to prevent SSRF # PY_EXTERNAL_HTTP (medium) url = "https://external.com/api" # Non-localhost URL
Deployment Security Detects risky deployment configurations (use --languages config):
Bind to All Interfaces (0.0.0.0) Config files: # BIND_ALL_INTERFACES (medium) server : host : 0.0.0.0 # Exposes service on all interfaces! port : 8080
Go code: // BIND_ALL_INTERFACES (medium) http . ListenAndServe ( "0.0.0.0:8080" , nil ) // Ensure auth + TLS
Python code: # BIND_ALL_INTERFACES (medium) app.run( host = "0.0.0.0" , port = 5000 ) # Ensure auth + TLS
Binding to 0.0.0.0 exposes your service to the internet if the machine has a public IP. Always:
Use authentication (API keys, OAuth, etc.)
Enable TLS/HTTPS
Consider binding to 127.0.0.1 instead for local-only access
Trust Proxy Misconfigurations # LOCALHOST_TRUST_PROXY (medium) server : trustProxy : true # Can treat remote clients as local! bypassAuthForLocalhost : true # Dangerous with trustProxy!
When trustProxy is enabled, the server trusts X-Forwarded-For headers. Attackers can forge these headers to appear as localhost and bypass authentication. See the Moltbot/Clawdbot security alert for real-world impact.
Unauthenticated Access # UNAUTHENTICATED_ACCESS (high) admin : authentication : false # Control panel without auth! secure : off # No TLS!
Unsafe Functions and Buffer Overflows (C) // C_GETS (critical) gets (buffer); // Inherently unsafe - always remove! // C_UNSAFE_STRING (high) strcpy (dest, src); // Buffer overflow risk strcat (dest, src); // Buffer overflow risk // C_MEMCPY (medium) memcpy (dest, src, len); // Validate bounds
Environment and Secrets Access Go: // GO_ENV_READ (medium) token := os . Getenv ( "API_TOKEN" ) // Avoid leaking in logs // GO_SYSTEM_WRITE (high) os . WriteFile ( "/etc/config" , data , 0644 ) // Writing to system dir
Python: # PY_ENV_ACCESS (medium) api_key = os.environ.get( "API_KEY" ) // Don 't expose in responses # PY_ENV_ACCESS (medium) from dotenv import load_dotenv # .env access
Command Reference Basic Usage vectra-guard scan-security --path < director y > [--languages < lang1,lang 2> ]
Options Flag Description Default --pathDirectory or file to scan .--languagesComma-separated list: go,python,c,config go,python,c
Exit Codes
0 : No security issues found2 : Security issues detected (use in CI)
Rule Reference Go Rules Code Severity Description GO_EXEC_COMMANDhigh Use of exec.Command; validate and sandbox inputs GO_DANGEROUS_SHELLcritical Dangerous shell pattern (e.g., rm -rf /, curl | sh) GO_NET_HTTPmedium Use of net/http; ensure auth and sanitization GO_ENV_READmedium Environment variable access; avoid credential leaks GO_SYSTEM_WRITEhigh Writing to /etc, /var, /usr; review for safety GO_EXTERNAL_HTTPmedium Non-localhost HTTP(S) URL; SSRF risk with untrusted input BIND_ALL_INTERFACESmedium Binding to 0.0.0.0; ensure auth and TLS
Python Rules Code Severity Description PY_EVALhigh Use of eval(); avoid untrusted input PY_EXEChigh Use of exec(); avoid untrusted input PY_SUBPROCESSmedium Use of subprocess/os.system; validate commands PY_REMOTE_HTTPmedium Remote HTTP (requests); validate URLs/responses PY_ENV_ACCESSmedium Environment or .env access; avoid secret exposure PY_EXTERNAL_HTTPmedium Non-localhost HTTP(S) URL; SSRF risk BIND_ALL_INTERFACESmedium Binding to 0.0.0.0; ensure auth and TLS
C Rules Code Severity Description C_SHELL_EXEChigh Use of system/popen/exec*; avoid untrusted input C_GETScritical Use of gets(); inherently unsafe, remove immediately C_UNSAFE_STRINGhigh strcpy/strcat; buffer overflow risk C_MEMCPYmedium memcpy; validate bounds C_RAW_SOCKETmedium Raw socket use; review for abuse BIND_ALL_INTERFACESmedium Binding to 0.0.0.0; ensure auth and TLS
Config Rules Scans .yaml, .yml, .json when config is included:
Code Severity Description BIND_ALL_INTERFACESmedium Config binds to 0.0.0.0; control panels need auth/TLS LOCALHOST_TRUST_PROXYmedium trustProxy/X-Forwarded-For; ensure auth not bypassed UNAUTHENTICATED_ACCESShigh auth/secure set to false; require authentication
Findings are logged with full context:
{ "level" : "warn" , "msg" : "security finding" , "file" : "src/server.go" , "line" : 42 , "language" : "go" , "severity" : "medium" , "code" : "BIND_ALL_INTERFACES" , "description" : "Binding to 0.0.0.0 exposes the service on all interfaces; ensure auth and TLS are enabled." }
CI/CD Integration GitHub Actions name : Security Scan on : [ push , pull_request ] jobs : code-security : runs-on : ubuntu-latest steps : - uses : actions/checkout@v3 - name : Install Vectra Guard run : | curl -fsSL https://raw.githubusercontent.com/xadnavyaai/vectra-guard/main/install.sh | bash echo "$HOME/.local/bin" >> $GITHUB_PATH - name : Scan security (code + config) run : vg scan-security --path . --languages go,python,c,config
GitLab CI scan-security : stage : security image : ubuntu:latest before_script : - apt-get update && apt-get install -y curl - curl -fsSL https://raw.githubusercontent.com/xadnavyaai/vectra-guard/main/install.sh | bash - export PATH="$HOME/.local/bin:$PATH" script : - vg scan-security --path . --languages go,python,c,config only : - merge_requests - main
Combined Security Scan Scan for both secrets and code security issues:
- name : Full security scan run : | vg scan-secrets --path . vg scan-security --path . --languages go,python,c,config
Examples Example 1: Clean Codebase $ vg scan-security --path . { "level" : "info" , "msg" : "security scan completed (no findings)" , "path" : "." }
Example 2: Detected Issues $ vg scan-security --path ./src --languages go,python,config { "level" : "warn" , "msg" : "security finding" , "file" : "src/server.go" , "line" :15, "language" : "go" , "severity" : "medium" , "code" : "BIND_ALL_INTERFACES" , "description" : "Binding to 0.0.0.0..." } { "level" : "warn" , "msg" : "security finding" , "file" : "src/api.py" , "line" :42, "language" : "python" , "severity" : "high" , "code" : "PY_EVAL" , "description" : "Use of eval()..." } { "level" : "warn" , "msg" : "security finding" , "file" : "config/server.yaml" , "line" :8, "language" : "config" , "severity" : "high" , "code" : "UNAUTHENTICATED_ACCESS" , "description" : "Config disables auth..." }
Exit code: 2 (issues detected)
Example 3: Single Language # Scan only Python files $ vg scan-security --path . --languages python { "level" : "info" , "msg" : "security scan completed (no findings)" , "path" : "." }
Detection Behavior Lines that are only comments do not produce findings:
// This is NOT flagged: // Example: http.Get("https://api.example.com") // This IS flagged: http . Get ( "https://api.example.com" ) // Real code
Supported comment styles:
Python : #Go/C : //, /*Config : #
File and Directory Skipping The scanner automatically skips:
Directories:
.git/, node_modules/, vendor/.venv/, venv/, dist/, build/
Files:
Binary files (detected automatically)
Files not matching selected language extensions
Best Practices 1. Include Config Files Always scan configuration files for deployment issues:
vg scan-security --path . --languages go,python,c,config
2. Fix Critical Issues First Prioritize findings by severity:
Critical : Immediate fix required (e.g., C_GETS, GO_DANGEROUS_SHELL)High : Fix before deployment (e.g., PY_EVAL, UNAUTHENTICATED_ACCESS)Medium : Review and mitigate (e.g., BIND_ALL_INTERFACES, GO_NET_HTTP)
3. Secure Deployment Configs For services binding to 0.0.0.0:
# ✅ Good - with auth and TLS server : host : 0.0.0.0 port : 8443 tls : enabled : true cert : /path/to/cert.pem key : /path/to/key.pem auth : enabled : true type : bearer # ❌ Bad - exposed without protection server : host : 0.0.0.0 port : 8080 auth : false
For command execution findings:
# ❌ Bad - command injection risk import subprocess subprocess.call( f "ls { user_path } " , shell = True ) # ✅ Good - validated input import subprocess import shlex if user_path.startswith( "/safe/dir/" ): subprocess.call([ "ls" , user_path]) # Array form, no shell
5. Use Localhost for Development Bind to 127.0.0.1 instead of 0.0.0.0 for local development:
# Development app.run( host = "127.0.0.1" , port = 5000 ) # Local only # Production (with auth + TLS) app.run( host = "0.0.0.0" , port = 443 , ssl_context = context)
Real-World Use Case: Control Panel Security The Moltbot/Clawdbot security incident involved exposed AI control panels due to:
Binding to 0.0.0.0 without authenticationTrust proxy enabled (treating remote clients as localhost)Authentication bypassed for “localhost” requests
Vectra Guard detects all three issues:
$ vg scan-security --path . --languages go,python,config # Would have detected: # 1. BIND_ALL_INTERFACES (medium) # 2. LOCALHOST_TRUST_PROXY (medium) # 3. UNAUTHENTICATED_ACCESS (high)
Troubleshooting False Positives Problem : Legitimate code flagged as risky.Solution : If the code is actually safe:
Review the finding to understand the risk
Add code comments explaining the safety measures
Future versions will support per-repo allowlists
Problem : Scanning large codebases is slow.Solution :# Scan specific directories vg scan-security --path ./src --languages go # Or scan by language separately vg scan-security --path . --languages go vg scan-security --path . --languages python
Missing Findings Problem : Known risky code not detected.Possible causes :
Language not in scan list (add via --languages)
File in skipped directory (vendor/, .venv/, etc.)
Pattern not yet in ruleset
Solution : Report the pattern for inclusion in future releases.
vg scan-secretsvg audit repovg validatevg exec
Implementation Details
The security scanner (internal/secscan/secscan.go) uses:
Language detection : By file extension (.go, .py, .c, .yaml, .json)Line-by-line scanning : Regex-based pattern matchingComment filtering : Skips lines that are only commentsMulti-language support : Separate rule sets per languageSeverity classification : critical/high/medium based on risk Locations :
Command: /home/daytona/workspace/source/cmd/scan_security.go:12
Scanner: /home/daytona/workspace/source/internal/secscan/secscan.go:31
Security Considerations Limitations
Static analysis only : Cannot detect runtime behaviors or complex logicPattern-based : May miss obfuscated or unusual patternsNo data flow analysis : Doesn’t track where user input flowsConfiguration context : Cannot determine if other security controls exist Use as part of defense in depth:
Combine with dynamic testing (penetration testing)
Use web application firewalls (WAFs)
Implement proper authentication and authorization
Follow secure coding practices
Regular security audits