#rule-engine #qryon #rules #security-vulnerabilities #yaml #pattern-match #build-time #matcher #taint #monorepo

rma-rules

Rule engine for Qryon - loads and executes security rules from YAML (Semgrep-compatible)

6 releases (3 breaking)

0.20.0 Feb 10, 2026
0.19.0 Feb 7, 2026
0.18.2 Feb 6, 2026
0.17.0 Feb 3, 2026

#1077 in Parser implementations


Used in 5 crates (via rma-analyzer)

MIT license

3.5MB
80K SLoC

HCL 21K SLoC // 0.1% comments
Solidity 12K SLoC // 0.3% comments
Python 10K SLoC // 0.3% comments
Rust 8K SLoC // 0.1% comments
Java 7K SLoC // 0.2% comments
JavaScript 5K SLoC // 0.1% comments
Go 5K SLoC // 0.1% comments
C# 2.5K SLoC // 0.1% comments
Ruby 2K SLoC // 0.3% comments
PHP 1.5K SLoC // 0.7% comments
VB6/VBA 1K SLoC // 0.0% comments
Scala 862 SLoC // 0.1% comments
TSX 673 SLoC // 0.2% comments
TypeScript 661 SLoC // 0.2% comments
Kotlin 539 SLoC // 0.1% comments
C 517 SLoC // 0.2% comments
JSX 495 SLoC // 0.2% comments
Mustache 235 SLoC // 0.0% comments
OCaml 179 SLoC // 0.2% comments
Clojure 141 SLoC
Ruby HTML 100 SLoC // 0.2% comments
Swift 89 SLoC // 0.3% comments
Pug 85 SLoC // 0.2% comments
BASH 76 SLoC // 0.5% comments
Elixir 38 SLoC // 0.4% comments
Razor 33 SLoC // 0.2% comments
Bicep 5 SLoC // 0.4% comments
Vue 4 SLoC // 0.3% comments

Qryon

Find security vulnerabilities in seconds, not minutes.


# Install in 10 seconds
npm install -g qryon

# Find vulnerabilities instantly
qryon scan .

Qryon scanning a codebase and finding vulnerabilities


Why Qryon?

| Feature | Qryon | Semgrep OSS | CodeQL |
|---|---|---|---|
| Scan 1M lines | 45s | 8+ min | 15+ min |
| Languages | 28 | 30+ | 12 |
| Setup | npm i -g qryon | Docker/pip | Complex |
| Rules | 647+ | 2500+ | Varies |
| Cross-file taint | Yes | Pro only | Yes |
| Single binary | Yes | No | No |
| Price | Free | Free/Paid | Free |

Qryon is 10x faster because it compiles Semgrep rules to native Rust matchers at build time - no interpreter overhead.


Quick Start

# Scan your project
qryon scan .

# Interactive TUI - browse findings with vim keys
qryon scan . --interactive

# CI/CD mode - SARIF output for GitHub Security tab
qryon scan . --output sarif -f results.sarif

# Watch mode - re-scan on file changes
qryon watch .

# AI-powered finding triage (triages static findings with AI)
export ANTHROPIC_API_KEY=sk-ant-...
qryon scan . --ai

# Use OpenAI instead
export OPENAI_API_KEY=sk-...
qryon scan . --ai --ai-provider openai

# Use local Ollama (free, no API key)
qryon scan . --ai --ai-provider local

More installation methods

Homebrew (macOS/Linux):

brew tap bumahkib7/tap && brew install qryon

Cargo (Rust):

cargo install qryon

Docker:

docker run -v $(pwd):/workspace ghcr.io/bumahkib7/qryon scan /workspace

Shell Script:

curl -fsSL https://raw.githubusercontent.com/bumahkib7/qryon/master/install.sh | bash

GitHub Actions:

- uses: bumahkib7/qryon@v0.19.1
  with:
    path: '.'
    upload-sarif: true

What It Finds

critical[QRYON-S005]: SQL query built with format! - use parameterized queries
  --> src/database.rs:42:9
40 │         let user_input = get_input();
41 │
42 │         format!(
   │         ^^^^^^^^ SQL query built from untrusted input
43 │             "SELECT * FROM users WHERE name = '{}'",
44 │             user_input
   = note: rule: rust/sql-injection

Security Detection

  • Injection attacks - SQL, command, XSS, LDAP, template injection
  • Server-side vulnerabilities - SSRF, path traversal, deserialization
  • Hardcoded secrets - API keys, passwords, tokens
  • Cryptographic issues - Weak algorithms (MD5, SHA-1, DES), insecure modes
  • Dependency CVEs - Real-time OSV.dev integration for Cargo, npm, PyPI, Go, Maven

Supported Languages

| Language | Security Rules | Frameworks |
|---|---|---|
| Rust | unsafe, injection, crypto | Actix, Axum, Rocket |
| JavaScript/TypeScript | XSS, injection, secrets | Express, React, Next.js |
| Python | exec, injection, secrets | Django, Flask, FastAPI |
| Go | unsafe, SQL injection | Gin, Echo, GORM |
| Java | injection, crypto, deser | Spring, Jakarta |

Plus 23 more languages with parsing and metrics support.


Interactive TUI

Browse findings, call graphs, and taint flows with keyboard navigation:

qryon scan . --interactive

Interactive TUI showing findings

Keyboard shortcuts: j/k navigate, Tab switch tabs, s filter severity, / search, q quit


GitHub Actions

name: Security Scan
on: [push, pull_request]

jobs:
  scan:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write

    steps:
      - uses: actions/checkout@v4
      - uses: bumahkib7/qryon@v0.19.1
        with:
          path: '.'
          upload-sarif: true

Findings appear in the GitHub Security tab automatically.


Qryon Dashboard - Team Features

Love the CLI? Qryon Dashboard adds powerful team features:

| Feature | CLI | Dashboard |
|---|---|---|
| Scan & detect | Yes | Yes |
| Historical trends | - | Yes |
| AI-powered explanations | - | Yes |
| Auto-fix suggestions | - | Yes |
| Team collaboration | - | Yes |
| Baseline diffs | - | Yes |
| PR integration | - | Yes |
| RBAC & audit logs | - | Yes |

Try Qryon Dashboard free →


Advanced Features

Cross-File Taint Tracking

Track data flows across file and function boundaries:

qryon flows . --evidence --group-by sink-type

  • Forward taint propagation
  • Path-sensitive analysis
  • Sanitizer recognition
  • Symbolic path conditions

Dependency Vulnerability Scanning

Integrated with OSV.dev for real-time CVE detection:

qryon security .

Supports: Cargo, npm, PyPI, Go modules, Maven

HTTP API (Daemon Mode)

qryon daemon --port 9876

REST API + WebSocket for IDE integration.

IDE Integrations

  • VS Code - Real-time diagnostics
  • Neovim - Native plugin
  • JetBrains - IntelliJ, WebStorm, PyCharm

WASM Plugins

Extend with custom analysis rules:

qryon plugin install ./my-plugin.wasm

How It Works

Qryon compiles Semgrep community rules at build time into optimized native matchers:

┌─────────────────────────────────────────────────────────┐
│                     BUILD TIME                          │
│  semgrep-rules/*.yaml  →  build.rs  →  compiled_rules  │
│                                           (embedded)    │
└─────────────────────────────────────────────────────────┘
                            ↓
┌─────────────────────────────────────────────────────────┐
│                      RUNTIME                            │
│  source.rs  →  tree-sitter  →  AST  →  pattern match  │
│                                               ↓         │
│                                           Findings      │
└─────────────────────────────────────────────────────────┘

Result: No interpreter overhead. No Semgrep dependency. Single binary.


Configuration

qryon init  # Creates qryon.toml

[scan]
include = ["src/**"]
exclude = ["node_modules/**", "target/**"]

[rules]
enable = ["*"]
disable = ["js/console-log"]

[profiles.strict]
max_function_lines = 50
max_complexity = 10

Inline suppression:

// qryon-ignore-next-line js/xss-sink reason="content is sanitized"
element.textContent = processedContent;

Benchmarks

hyperfine 'qryon scan /path/to/repo' 'semgrep --config auto /path/to/repo'

On a 500K LOC monorepo:

  • Qryon: 23 seconds
  • Semgrep: 4 minutes 12 seconds

Contributing

Contributions welcome! See CONTRIBUTING.md.

make build    # Build all crates
make test     # Run tests
make lint     # Run lints

License

MIT or Apache-2.0, at your option.


Documentation · Dashboard · Issues

Made with Rust


lib.rs:

Qryon Rule Engine - Semgrep-compatible rule loader and matcher

This crate provides:

  • YAML rule parsing (Semgrep format)
  • Pattern matching engine
  • Rule registry and loading from directories

Rule Format

Rules are defined in YAML files following the Semgrep format:

rules:
  - id: sql-injection
    pattern: $DB.query($USER_INPUT)
    message: Potential SQL injection
    severity: ERROR
    languages: [python, javascript]
    metadata:
      category: security
      cwe: "CWE-89"
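The part of a Semgrep-compatible engine that this rule relies on is metavariable binding: `$DB` and `$USER_INPUT` must each stand for a whole expression, and a metavariable repeated in one pattern must bind to the same expression every time. The following token-level matcher is an added illustration of that behaviour, not rma-rules' own code (which matches over tree-sitter ASTs rather than tokens); the pattern, the sample source expressions and the function names are assumptions made here.

```rust
use std::collections::HashMap;
type Bindings = HashMap<String, Vec<String>>;

/// Split into identifiers / metavariables (`$NAME`), numbers and single punctuation.
fn tokenize(s: &str) -> Vec<String> {
    let (mut out, mut cur) = (Vec::new(), String::new());
    for c in s.chars() {
        if c.is_alphanumeric() || c == '_' || c == '$' { cur.push(c); continue; }
        if !cur.is_empty() { out.push(std::mem::take(&mut cur)); }
        if !c.is_whitespace() { out.push(c.to_string()); }
    }
    if !cur.is_empty() { out.push(cur); }
    out
}

/// Brackets must balance so a metavariable never binds to half an expression.
fn balanced(toks: &[String]) -> bool {
    let mut depth = 0i32;
    for t in toks {
        match t.as_str() {
            "(" | "[" | "{" => depth += 1,
            ")" | "]" | "}" => { depth -= 1; if depth < 0 { return false; } }
            _ => {}
        }
    }
    depth == 0
}

/// Backtracking matcher: literal tokens must match exactly; an unbound metavariable
/// tries every balanced prefix (longest first); a bound one must repeat its value.
fn go(pat: &[String], src: &[String], b: &mut Bindings) -> bool {
    let Some(p) = pat.first() else { return src.is_empty() };
    if !p.starts_with('$') { return src.first() == Some(p) && go(&pat[1..], &src[1..], b); }
    if let Some(bound) = b.get(p).cloned() {
        return src.starts_with(&bound) && go(&pat[1..], &src[bound.len()..], b);
    }
    for k in (1..=src.len()).rev() {
        if !balanced(&src[..k]) { continue; }
        b.insert(p.clone(), src[..k].to_vec());
        if go(&pat[1..], &src[k..], b) { return true; }
        b.remove(p);
    }
    false
}

/// Match a Semgrep-style pattern such as `$DB.query($USER_INPUT)` (constructed sample)
/// against one source expression; returns the metavariable bindings on success.
pub fn match_pattern(pattern: &str, source: &str) -> Option<HashMap<String, String>> {
    let mut b = Bindings::new();
    go(&tokenize(pattern), &tokenize(source), &mut b).then(|| b.into_iter().map(|(k, v)| (k, v.join(""))).collect())
}
```

A real engine matches AST nodes, so it also handles statements, `...` ellipses and language-specific equivalences; this block only shows the binding discipline behind the `pattern:` key above.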

Dependencies

~13–72MB
~2M SLoC