Cyscan — overview
Cyscan is the open-source SAST, secrets, and supply-chain scanner that powers the static-analysis layer of the Cybrium platform. It ships as a single ~15 MB Rust binary under Apache 2.0, with zero runtime dependencies.
The Cybrium platform runs this exact binary — same rules, same output, same exit codes. Anything you see working in cyscan on your laptop works identically when the platform orchestrates it.
What it does
| Capability | Details |
|---|---|
| SAST | 1,815 rules across 75+ languages. Tree-sitter AST for Python, JS/TS, Go. Regex for everything else. |
| Secrets | 296 provider-specific patterns (full GitLeaks set + AI providers), entropy detection, liveness verification (`--verify`). |
| IaC misconfig | 767 rules for Terraform, CloudFormation, ARM, GCP DM, Kubernetes, Docker. |
| Supply-chain | Lockfile parsing (Cargo, npm, yarn, go, pip, poetry). OSV + NVD + GHSA advisory matching. Typosquat detection. |
| License compliance | SPDX classifier (AGPL, GPL, LGPL, SSPL, BUSL). Compound expression support. |
| K8s cluster scan | Live cluster scanning via kubectl. Trivy-style summary table. Native container image CVE scanning. |
| Endpoint posture | macOS (23 checks) and Linux (12 checks). FileVault, Gatekeeper, SIP, firewall, SSH, updates. |
| Autofix | `cyscan fix` applies literal `fix:` blocks from rules, with dry-run + interactive modes. |
| Repo health | 14 security hygiene checks (score 0-100). |
| Framework detect | 35 frameworks across 9 languages. |
| Output | SARIF 2.1.0, JSON, human-readable text. |
What it doesn't do
Cyscan is deliberately local and offline:
- No phone-home, no telemetry, no account required.
- No reachability analysis — the platform adds that on top.
- No DAST, no runtime protection — those are Cybrium platform features.
- No rule-authoring wizard — rule files are plain YAML. See Writing rules.
When to use cyscan alone vs. the platform
| Situation | Reach for |
|---|---|
| Shift-left in a single repo's CI | cyscan alone |
| Local pre-commit / IDE integration | cyscan alone |
| Multi-repo dashboards, historical trend, triage workflows | Cybrium platform |
| Reachability — "does my code actually call the vulnerable symbol?" | Cybrium platform |
| SOC 2 / HIPAA / PCI evidence bundles | Cybrium platform |
| PR-ready AI remediation | Cybrium platform |
See the OSS vs platform comparison for the full delta.
Source
- Repo: github.com/cybrium-ai/cyscan
- License: Apache 2.0
- Homebrew tap: cybrium-ai/homebrew-cli