```shell
# Install in 10 seconds
npm install -g rma-cli

# Find vulnerabilities instantly
rma scan .
```
| Feature | RMA | Semgrep OSS | CodeQL |
|---|---|---|---|
| Scan 1M lines | 45s | 8+ min | 15+ min |
| Languages | 28 | 30+ | 12 |
| Setup | npm i -g rma-cli | Docker/pip | Complex |
| Rules | 647+ | 2500+ | Varies |
| Cross-file taint | Yes | Pro only | Yes |
| Single binary | Yes | No | No |
| Price | Free | Free/Paid | Free |
RMA is 10x faster because it compiles Semgrep rules to native Rust matchers at build time – no interpreter overhead.
```shell
# Scan your project
rma scan .

# Interactive TUI - browse findings with vim keys
rma scan . --interactive

# CI/CD mode - SARIF output for GitHub Security tab
rma scan . --output sarif -f results.sarif

# Watch mode - re-scan on file changes
rma watch .
```
### More installation methods

Homebrew (macOS/Linux):

```shell
brew tap bumahkib7/tap && brew install rma
```

Cargo (Rust):

Docker:

```shell
docker run -v $(pwd):/workspace ghcr.io/bumahkib7/rma scan /workspace
```

Shell Script:

```shell
curl -fsSL https://raw.githubusercontent.com/bumahkib7/rust-monorepo-analyzer/master/install.sh | bash
```

GitHub Actions:

```yaml
- uses: bumahkib7/rust-monorepo-analyzer@v0.16.0
  with:
    path: '.'
    upload-sarif: true
```
```text
critical[RMA-S005]: SQL query built with format! - use parameterized queries
  --> src/database.rs:42:9
40 │     let user_input = get_input();
41 │
42 │     format!(
   │     ^^^^^^^^ SQL query built from untrusted input
43 │         "SELECT * FROM users WHERE name='{}'",
44 │         user_input
   = note: rule: rust/sql-injection
```
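To make the finding above concrete, here is an added example (not RMA's code, and not how the `rust/sql-injection` rule is actually implemented): a minimal line-based detector that flags `format!(` calls whose template literal starts with an SQL verb and contains a `{}` placeholder, shown next to the "before" query builder the rule flags and the parameterized "after" it asks for. The matching heuristic, the struct shapes and the sample source are assumptions made for illustration.

```rust
// Added example: a toy detector in the spirit of the rust/sql-injection finding,
// plus the vulnerable query builder and its parameterized replacement.
// The heuristic below is an assumption for illustration, not RMA's rule logic.

#[derive(Debug, PartialEq)]
pub struct Finding {
    pub line: usize,     // line of the `format!(` call
    pub literal: String, // the SQL template string it formats
}

const SQL_VERBS: [&str; 4] = ["SELECT", "INSERT", "UPDATE", "DELETE"];

/// Return the first double-quoted string literal on a line, if any
/// (honouring backslash escapes inside the literal).
fn first_string_literal(line: &str) -> Option<&str> {
    let start = line.find('"')? + 1;
    let rest = &line[start..];
    let mut prev_backslash = false;
    for (i, c) in rest.char_indices() {
        if c == '"' && !prev_backslash {
            return Some(&rest[..i]);
        }
        prev_backslash = c == '\\' && !prev_backslash;
    }
    None
}

/// Flag `format!(` calls whose template starts with an SQL verb and has a
/// `{}` placeholder, i.e. SQL text assembled from runtime arguments.
pub fn scan_source(src: &str) -> Vec<Finding> {
    let mut findings = Vec::new();
    let mut open_format: Option<usize> = None; // line of a format!( awaiting its template
    for (idx, raw) in src.lines().enumerate() {
        let lineno = idx + 1;
        if raw.contains("format!(") {
            open_format = Some(lineno);
        }
        if let Some(call_line) = open_format {
            if let Some(lit) = first_string_literal(raw) {
                let upper = lit.trim_start().to_ascii_uppercase();
                if SQL_VERBS.iter().any(|v| upper.starts_with(v)) && lit.contains("{}") {
                    findings.push(Finding { line: call_line, literal: lit.to_string() });
                }
                open_format = None; // the template is always the first literal
            }
        }
    }
    findings
}

/// The pattern the rule flags: the SQL text itself depends on the input.
pub fn query_vulnerable(user_input: &str) -> String {
    format!("SELECT * FROM users WHERE name='{}'", user_input)
}

/// The fix: constant SQL text plus a separate parameter list for the driver
/// to bind, so the input can never change the statement's structure.
pub fn query_parameterized(user_input: &str) -> (&'static str, Vec<String>) {
    ("SELECT * FROM users WHERE name = ?1", vec![user_input.to_string()])
}

fn main() {
    // Constructed sample source mirroring the finding in the README.
    let src = "let user_input = get_input();\n\nformat!(\n    \"SELECT * FROM users WHERE name='{}'\",\n    user_input\n)";
    for f in scan_source(src) {
        println!("critical: SQL query built with format! at line {}: {}", f.line, f.literal);
    }
    // A legitimate name containing a quote already breaks the vulnerable query;
    // the parameterized form leaves the statement untouched.
    println!("{}", query_vulnerable("O'Brien"));
    let (sql, params) = query_parameterized("O'Brien");
    println!("{sql} with {params:?}");
}
```

The point of the two builders is the contract a parameterized API gives you: `query_parameterized` returns the same SQL string for every input, so the database parses the statement once and binds the value separately, while `query_vulnerable` produces a different statement for each input and breaks on an ordinary name such as `O'Brien`.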
- Injection attacks – SQL, command, XSS, LDAP, template injection
- Server-side vulnerabilities – SSRF, path traversal, deserialization
- Hardcoded secrets – API keys, passwords, tokens
- Cryptographic issues – Weak algorithms (MD5, SHA-1, DES), insecure modes
- Dependency CVEs – Real-time OSV.dev integration for Cargo, npm, PyPI, Go, Maven
| Language | Security Rules | Frameworks |
|---|---|---|
| Rust | unsafe, injection, crypto | Actix, Axum, Rocket |
| JavaScript/TypeScript | XSS, injection, secrets | Express, React, Next.js |
| Python | exec, injection, secrets | Django, Flask, FastAPI |
| Go | unsafe, SQL injection | Gin, Echo, GORM |
| Java | injection, crypto, deser | Spring, Jakarta |
Plus 23 more languages with parsing and metrics support.
Browse findings, call graphs, and taint flows with keyboard navigation.

Keyboard shortcuts: `j`/`k` navigate, `Tab` switch tabs, `s` filter severity, `/` search, `q` quit
```yaml
name: Security Scan
on: [push, pull_request]

jobs:
  scan:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write
    steps:
      - uses: actions/checkout@v4
      - uses: bumahkib7/rust-monorepo-analyzer@v0.16.0
        with:
          path: '.'
          upload-sarif: true
```
Findings appear in the GitHub Security tab automatically.
Love the CLI? RMA Dashboard adds powerful team features:
| Feature | CLI | Dashboard |
|---|---|---|
| Scan & detect | Yes | Yes |
| Historical trends | – | Yes |
| AI-powered explanations | – | Yes |
| Auto-fix suggestions | – | Yes |
| Team collaboration | – | Yes |
| Baseline diffs | – | Yes |
| PR integration | – | Yes |
| RBAC & audit logs | – | Yes |
### Cross-File Taint Tracking

Track data flows across file and function boundaries:

```shell
rma flows . --evidence --group-by sink-type
```
- Forward taint propagation
- Path-sensitive analysis
- Sanitizer recognition
- Symbolic path conditions
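The following is an added example, not RMA's code, showing what forward taint propagation with sanitizer recognition looks like over a hand-built cross-file call graph, grouped by sink type as `--group-by sink-type` does. The node kinds, file and function names, and the sample graph are all constructed assumptions for illustration.

```rust
// Added example: toy forward taint propagation across files with sanitizer
// recognition. Everything here (node kinds, sample graph) is constructed for
// illustration and is not RMA's analysis engine.
use std::collections::{BTreeMap, HashMap, VecDeque};

#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum Kind {
    Source,             // untrusted data enters here (e.g. an HTTP parameter)
    Pass,               // plain function that forwards its argument
    Sanitizer,          // validated/escaped here: taint stops
    Sink(&'static str), // dangerous consumer, tagged with its sink type
}

pub struct Node {
    pub file: &'static str,
    pub func: &'static str,
    pub kind: Kind,
}

pub struct Graph {
    pub nodes: Vec<Node>,
    pub edges: Vec<(usize, usize)>, // data flows from edge.0 into edge.1
}

#[derive(Debug, PartialEq)]
pub struct Flow {
    pub sink_type: &'static str,
    pub path: Vec<String>,
}

/// Walk forward from every Source along data-flow edges. A path that reaches
/// a Sanitizer is dropped; a path that reaches a Sink is reported as a flow.
pub fn find_flows(g: &Graph) -> BTreeMap<&'static str, Vec<Flow>> {
    let mut succ: HashMap<usize, Vec<usize>> = HashMap::new();
    for &(a, b) in &g.edges {
        succ.entry(a).or_default().push(b);
    }
    let mut grouped: BTreeMap<&'static str, Vec<Flow>> = BTreeMap::new();
    for (i, n) in g.nodes.iter().enumerate() {
        if n.kind != Kind::Source {
            continue;
        }
        let mut queue: VecDeque<Vec<usize>> = VecDeque::from([vec![i]]);
        while let Some(path) = queue.pop_front() {
            let last = *path.last().unwrap();
            let next_nodes = succ.get(&last).cloned().unwrap_or_default();
            for next in next_nodes {
                if path.contains(&next) {
                    continue; // ignore cycles
                }
                let mut p = path.clone();
                p.push(next);
                match g.nodes[next].kind {
                    Kind::Sanitizer => {} // taint neutralised on this path
                    Kind::Sink(t) => grouped.entry(t).or_default().push(Flow {
                        sink_type: t,
                        path: render(g, &p),
                    }),
                    _ => queue.push_back(p),
                }
            }
        }
    }
    grouped
}

fn render(g: &Graph, path: &[usize]) -> Vec<String> {
    path.iter().map(|&i| format!("{}::{}", g.nodes[i].file, g.nodes[i].func)).collect()
}

/// Constructed three-file program: one flow is sanitized, one is not.
pub fn sample_graph() -> Graph {
    Graph {
        nodes: vec![
            Node { file: "handlers.rs", func: "get_param", kind: Kind::Source },      // 0
            Node { file: "service.rs", func: "lookup_user", kind: Kind::Pass },       // 1
            Node { file: "database.rs", func: "run_query", kind: Kind::Sink("sql") }, // 2
            Node { file: "service.rs", func: "escape_html", kind: Kind::Sanitizer },  // 3
            Node { file: "views.rs", func: "render_page", kind: Kind::Sink("html") }, // 4
        ],
        edges: vec![(0, 1), (1, 2), (0, 3), (3, 4)],
    }
}

fn main() {
    for (sink, flows) in find_flows(&sample_graph()) {
        for f in flows {
            println!("[{sink}] {}", f.path.join(" -> "));
        }
    }
}
```

Running it reports a single `sql` flow (`get_param -> lookup_user -> run_query`) and no `html` flow, because the only route to `render_page` passes through `escape_html`. Path sensitivity here is the weak, per-path form: the sanitizer removes only the paths that go through it, not every path that happens to share a node with them.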
### Dependency Vulnerability Scanning

Integrated with OSV.dev for real-time CVE detection:

Supports: Cargo, npm, PyPI, Go modules, Maven
### HTTP API (Daemon Mode)

REST API + WebSocket for IDE integration.

### IDE Integrations

- VS Code – Real-time diagnostics
- Neovim – Native plugin
- JetBrains – IntelliJ, WebStorm, PyCharm

### WASM Plugins

Extend with custom analysis rules:

```shell
rma plugin install ./my-plugin.wasm
```
RMA compiles Semgrep community rules at build time into optimized native matchers:

```text
┌─────────────────────────────────────────────────────────┐
│                       BUILD TIME                        │
│  semgrep-rules/*.yaml  →  build.rs  →  compiled_rules   │
│                                        (embedded)       │
└─────────────────────────────────────────────────────────┘
                             ↓
┌─────────────────────────────────────────────────────────┐
│                        RUNTIME                          │
│  source.rs  →  tree-sitter  →  AST  →  pattern match    │
│                                            ↓            │
│                                        Findings         │
└─────────────────────────────────────────────────────────┘
```

Result: No interpreter overhead. No Semgrep dependency. Single binary.
```shell
rma init   # Creates rma.toml
```

```toml
[scan]
include = ["src/**"]
exclude = ["node_modules/**", "target/**"]

[rules]
enable = ["*"]
disable = ["js/console-log"]

[profiles.strict]
max_function_lines = 50
max_complexity = 10
```

Inline suppression:

```javascript
// rma-ignore-next-line js/xss-sink reason="content is sanitized"
element.textContent = processedContent;
```
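As an added example (not RMA's code), the following shows how a scanner can honour the `rma-ignore-next-line <rule-id> reason="..."` comment form above when filtering findings: a suppression applies only to the line directly below the comment and only to the named rule, and the reason is kept for audit. The struct shapes, the matching rules and the constructed sample source are assumptions; the comment grammar follows the snippet on this page.

```rust
// Added example: parsing `rma-ignore-next-line` comments and applying them to
// findings. Struct shapes and matching rules are assumptions, not RMA's own code.

#[derive(Debug, PartialEq, Clone)]
pub struct Finding {
    pub line: usize,
    pub rule: String,
}

#[derive(Debug, PartialEq)]
pub struct Suppression {
    pub target_line: usize,     // the line the suppression applies to (comment line + 1)
    pub rule: String,           // rule id that is suppressed; other rules still fire
    pub reason: Option<String>, // free-text justification, kept for review
}

/// Parse one `// rma-ignore-next-line <rule-id> [reason="..."]` comment line.
fn parse_line(line: &str) -> Option<(String, Option<String>)> {
    let rest = line
        .trim_start()
        .strip_prefix("//")?
        .trim_start()
        .strip_prefix("rma-ignore-next-line")?;
    let mut parts = rest.trim().splitn(2, char::is_whitespace);
    let rule = parts.next().filter(|r| !r.is_empty())?.to_string();
    let reason = parts.next().and_then(|tail| {
        tail.trim()
            .strip_prefix("reason=\"")?
            .strip_suffix('"')
            .map(str::to_string)
    });
    Some((rule, reason))
}

/// Collect every suppression in a source file, bound to the line it protects.
pub fn parse_suppressions(src: &str) -> Vec<Suppression> {
    src.lines()
        .enumerate()
        .filter_map(|(idx, raw)| {
            let (rule, reason) = parse_line(raw)?;
            Some(Suppression { target_line: idx + 2, rule, reason })
        })
        .collect()
}

/// Keep only findings that are not suppressed on their own line by a matching rule id.
pub fn apply_suppressions(findings: &[Finding], sups: &[Suppression]) -> Vec<Finding> {
    findings
        .iter()
        .filter(|f| !sups.iter().any(|s| s.target_line == f.line && s.rule == f.rule))
        .cloned()
        .collect()
}

/// Constructed sample source: one suppressed sink, one unsuppressed sink.
pub fn sample_source() -> &'static str {
    "function render() {\n  // rma-ignore-next-line js/xss-sink reason=\"content is sanitized\"\n  element.textContent = processedContent;\n  element.innerHTML = other;\n}\n"
}

fn main() {
    let sups = parse_suppressions(sample_source());
    // Constructed findings as a scanner might report them for the sample source.
    let findings = vec![
        Finding { line: 3, rule: "js/xss-sink".into() },
        Finding { line: 4, rule: "js/xss-sink".into() },
        Finding { line: 3, rule: "js/other-rule".into() },
    ];
    for s in &sups {
        println!("line {} suppresses {} ({})", s.target_line, s.rule, s.reason.as_deref().unwrap_or("no reason"));
    }
    for f in apply_suppressions(&findings, &sups) {
        println!("still reported: line {} {}", f.line, f.rule);
    }
}
```

Requiring the rule id to match is what keeps a suppression narrow: the `js/xss-sink` comment on line 2 silences that rule on line 3 only, while a different rule on the same line and the same rule on line 4 are still reported.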
```shell
hyperfine 'rma scan /path/to/repo' 'semgrep --config auto /path/to/repo'
```

On a 500K LOC monorepo:

- RMA: 23 seconds
- Semgrep: 4 minutes 12 seconds
Contributions welcome! See CONTRIBUTING.md.

```shell
make build   # Build all crates
make test    # Run tests
make lint    # Run lints
```

MIT or Apache-2.0, at your option.

