bumahkib7/rust-monorepo-analyzer: Find security vulnerabilities in seconds. 647+ rules, 28 languages, 10x faster than Semgrep. Free & open source CLI.


Find security vulnerabilities in seconds, not minutes.


# Install in 10 seconds
npm install -g rma-cli

# Find vulnerabilities instantly
rma scan .

(Screenshot: RMA scanning a codebase and finding vulnerabilities)


Feature            RMA               Semgrep OSS   CodeQL
Scan 1M lines      45s               8+ min        15+ min
Languages          28                30+           12
Setup              npm i -g rma-cli  Docker/pip    Complex
Rules              647+              2500+         Varies
Cross-file taint   Yes               Pro only      Yes
Single binary      Yes               No            No
Price              Free              Free/Paid     Free

RMA is 10x faster because it compiles Semgrep rules to native Rust matchers at build time – no interpreter overhead.


# Scan your project
rma scan .

# Interactive TUI - browse findings with vim keys
rma scan . --interactive

# CI/CD mode - SARIF output for GitHub Security tab
rma scan . --output sarif -f results.sarif

# Watch mode - re-scan on file changes
rma watch .

More installation methods

Homebrew (macOS/Linux):

brew tap bumahkib7/tap && brew install rma

Cargo (Rust):

Docker:

docker run -v $(pwd):/workspace ghcr.io/bumahkib7/rma scan /workspace

Shell Script:

curl -fsSL https://raw.githubusercontent.com/bumahkib7/rust-monorepo-analyzer/master/install.sh | bash

GitHub Actions:

- uses: bumahkib7/rust-monorepo-analyzer@v0.16.0
  with:
    path: '.'
    upload-sarif: true

critical[RMA-S005]: SQL query built with format! - use parameterized queries
  --> src/database.rs:42:9
40 │     let user_input = get_input();
41 │
42 │     format!(
   │     ^^^^^^^^ SQL query built from untrusted input
43 │         "SELECT * FROM users WHERE name="{}"",
44 │         user_input
   = note: rule: rust/sql-injection

  • Injection attacks – SQL, command, XSS, LDAP, template injection
  • Server-side vulnerabilities – SSRF, path traversal, deserialization
  • Hardcoded secrets – API keys, passwords, tokens
  • Cryptographic issues – Weak algorithms (MD5, SHA-1, DES), insecure modes
  • Dependency CVEs – Real-time OSV.dev integration for Cargo, npm, PyPI, Go, Maven

Language               Security Rules              Frameworks
Rust                   unsafe, injection, crypto   Actix, Axum, Rocket
JavaScript/TypeScript  XSS, injection, secrets     Express, React, Next.js
Python                 exec, injection, secrets    Django, Flask, FastAPI
Go                     unsafe, SQL injection       Gin, Echo, GORM
Java                   injection, crypto, deser    Spring, Jakarta

Plus 23 more languages with parsing and metrics support.


Browse findings, call graphs, and taint flows with keyboard navigation:

(Screenshot: interactive TUI showing findings)

Keyboard shortcuts: j/k navigate, Tab switch tabs, s filter severity, / search, q quit


name: Security Scan
on: [push, pull_request]

jobs:
  scan:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write

    steps:
      - uses: actions/checkout@v4
      - uses: bumahkib7/rust-monorepo-analyzer@v0.16.0
        with:
          path: '.'
          upload-sarif: true

Findings appear in the GitHub Security tab automatically.
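
The SARIF file the workflow uploads can also gate the pipeline directly. The script below is an added example, not part of RMA or the action: it reads a SARIF 2.1.0 document, tallies results by `level`, lists each finding with its location, and returns a non-zero exit code when any result has a failing level. The embedded SARIF document is constructed for the example; the rule ids and the `src/database.rs:42` location are taken from this page, but the document is not real RMA output and RMA's exact SARIF shape is an assumption.

```python
"""CI gate over a SARIF 2.1.0 results file (added example; not RMA code)."""
import json
import sys
from collections import Counter

# Constructed SARIF document standing in for results.sarif. The rule ids and
# the database.rs location come from the README above; the rest is made up.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "rma",
                            "rules": [{"id": "rust/sql-injection"}, {"id": "js/console-log"}]}},
        "results": [
            {"ruleId": "rust/sql-injection", "level": "error",
             "message": {"text": "SQL query built with format!"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/database.rs"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "js/console-log", "level": "note",
             "message": {"text": "console.log left in code"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "web/app.js"},
                 "region": {"startLine": 7}}}]},
        ],
    }],
})


def summarize(sarif_text):
    """Return (Counter of levels, list of (level, ruleId, uri, startLine))."""
    doc = json.loads(sarif_text)
    counts = Counter()
    rows = []
    for run in doc.get("runs", []):
        for res in run.get("results", []):
            # SARIF 2.1.0 treats a missing level as "warning"
            level = res.get("level", "warning")
            counts[level] += 1
            loc = (res.get("locations") or [{}])[0].get("physicalLocation", {})
            uri = loc.get("artifactLocation", {}).get("uri", "<unknown>")
            line = loc.get("region", {}).get("startLine", 0)
            rows.append((level, res.get("ruleId", "<no-rule>"), uri, line))
    return counts, rows


def gate(sarif_text, fail_on=("error",)):
    """Exit status for CI: 1 if any result has a level listed in fail_on, else 0."""
    counts, _ = summarize(sarif_text)
    return 1 if any(counts[lvl] for lvl in fail_on) else 0


if __name__ == "__main__":
    # Usage: python sarif_gate.py results.sarif   (falls back to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SARIF
    counts, rows = summarize(text)
    for level, rule, uri, line in rows:
        print(f"{level:8} {rule:25} {uri}:{line}")
    print("summary:", dict(counts))
    sys.exit(gate(text))
```

Run it as an extra step after the scan and the job fails on error-level findings even on forks where the Security tab is not visible; widen `fail_on` to include `"warning"` once the backlog is clean.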


RMA Dashboard – Team Features

Love the CLI? RMA Dashboard adds powerful team features:

Feature                  CLI   Dashboard
Scan & detect            Yes   Yes
Historical trends        -     Yes
AI-powered explanations  -     Yes
Auto-fix suggestions     -     Yes
Team collaboration       -     Yes
Baseline diffs           -     Yes
PR integration           -     Yes
RBAC & audit logs        -     Yes

Try RMA Dashboard free →


Cross-File Taint Tracking

Track data flows across file and function boundaries:

rma flows . --evidence --group-by sink-type

  • Forward taint propagation
  • Path-sensitive analysis
  • Sanitizer recognition
  • Symbolic path conditions

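
To make the bullets above concrete, here is an added toy illustration of forward taint propagation with sanitizer recognition, evidence paths and flows across function and file boundaries, grouped by sink type like `--evidence --group-by sink-type`. It is not RMA's engine: the tiny straight-line IR, the `file::function` names, the sink kinds and the sample program are all constructed for the example (path sensitivity and symbolic conditions are out of scope here).

```python
"""Toy forward taint analysis (added example, not RMA's implementation)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Statement forms in the constructed IR:
#   ("source", dst)             dst receives untrusted input
#   ("assign", dst, src)        dst = src           (taint flows through)
#   ("sanitize", dst, src)      dst = escape(src)   (taint is cleared)
#   ("call", dst, callee, arg)  dst = callee(arg)   (taint crosses a function boundary)
#   ("sink", kind, var)         var reaches a sink of the given kind


@dataclass
class Function:
    name: str                      # "file::function" so evidence shows the file boundary
    param: Optional[str]           # single parameter name, or None
    body: List[tuple]
    returns: Optional[str] = None  # variable whose taint flows back to the caller


@dataclass
class Finding:
    sink: str
    function: str
    evidence: List[str] = field(default_factory=list)


def analyze(program: Dict[str, Function], entry: str) -> Dict[str, List[Finding]]:
    """Run from `entry` and group findings by sink kind."""
    findings: List[Finding] = []
    _analyze_function(program, program[entry], None, findings, depth=0)
    grouped: Dict[str, List[Finding]] = {}
    for f in findings:
        grouped.setdefault(f.sink, []).append(f)
    return grouped


def _analyze_function(program, fn, incoming, findings, depth):
    # taint maps a variable to the evidence path explaining how it became tainted
    taint: Dict[str, List[str]] = {}
    if fn.param is not None and incoming is not None:
        taint[fn.param] = incoming + [f"{fn.name}: parameter {fn.param} receives tainted argument"]
    for stmt in fn.body:
        op = stmt[0]
        if op == "source":
            taint[stmt[1]] = [f"{fn.name}: {stmt[1]} = untrusted source"]
        elif op == "assign":
            _, dst, src = stmt
            if src in taint:
                taint[dst] = taint[src] + [f"{fn.name}: {dst} = {src}"]
            else:
                taint.pop(dst, None)    # overwritten with a clean value
        elif op == "sanitize":
            _, dst, _src = stmt
            taint.pop(dst, None)        # recognised sanitizer: dst is clean whatever src was
        elif op == "call":
            _, dst, callee, arg = stmt
            if depth > 8:               # crude recursion guard for the toy
                continue
            ret = _analyze_function(program, program[callee], taint.get(arg), findings, depth + 1)
            if ret is not None:
                taint[dst] = ret + [f"{fn.name}: {dst} = {callee}({arg})"]
            else:
                taint.pop(dst, None)
        elif op == "sink":
            _, kind, var = stmt
            if var in taint:
                findings.append(Finding(kind, fn.name,
                                        taint[var] + [f"{fn.name}: {var} reaches {kind} sink"]))
    return taint.get(fn.returns) if fn.returns is not None else None


# Constructed sample program spanning three "files".
PROGRAM = {
    "handler::handle": Function("handler::handle", None, [
        ("source", "name"),                        # e.g. a query-string parameter
        ("assign", "copy", "name"),
        ("call", "_", "db::lookup", "copy"),       # tainted value crosses into db.rs
        ("sanitize", "safe", "name"),
        ("call", "_", "db::lookup", "safe"),       # sanitized value: no finding
        ("call", "html", "view::render", "name"),  # taint flows back via a return value
        ("sink", "html-response", "html"),
    ]),
    "db::lookup": Function("db::lookup", "q", [
        ("assign", "sql", "q"),
        ("sink", "sql-query", "sql"),
    ]),
    "view::render": Function("view::render", "s", [
        ("assign", "out", "s"),
    ], returns="out"),
}


if __name__ == "__main__":
    for kind, found in analyze(PROGRAM, "handler::handle").items():
        for f in found:
            print(f"[{kind}] in {f.function}")
            for step in f.evidence:
                print("   ", step)
```

The second `db::lookup` call receives the sanitized value and produces no finding, which is the difference sanitizer recognition makes to the false-positive rate; the evidence list is what a reviewer needs to judge whether the flagged flow is real.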
Dependency Vulnerability Scanning

Integrated with OSV.dev for real-time CVE detection:

Supports: Cargo, npm, PyPI, Go modules, Maven

HTTP API (Daemon Mode)

REST API + WebSocket for IDE integration.

IDE Integrations
  • VS Code – Real-time diagnostics
  • Neovim – Native plugin
  • JetBrains – IntelliJ, WebStorm, PyCharm

WASM Plugins

Extend with custom analysis rules:

rma plugin install ./my-plugin.wasm

RMA compiles Semgrep community rules at build time into optimized native matchers:

┌─────────────────────────────────────────────────────────┐
│                     BUILD TIME                          │
│  semgrep-rules/*.yaml  →  build.rs  →  compiled_rules  │
│                                           (embedded)    │
└─────────────────────────────────────────────────────────┘
                            ↓
┌─────────────────────────────────────────────────────────┐
│                      RUNTIME                            │
│  source.rs  →  tree-sitter  →  AST  →  pattern match  │
│                                               ↓         │
│                                           Findings      │
└─────────────────────────────────────────────────────────┘

Result: No interpreter overhead. No Semgrep dependency. Single binary.


rma init  # Creates rma.toml

[scan]
include = ["src/**"]
exclude = ["node_modules/**", "target/**"]

[rules]
enable = ["*"]
disable = ["js/console-log"]

[profiles.strict]
max_function_lines = 50
max_complexity = 10

Inline suppression:

// rma-ignore-next-line js/xss-sink reason="content is sanitized"
element.textContent = processedContent;
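
The marker above suppresses one rule on the line that follows it and records why. The script below is an added example of how such a marker can be applied to a list of findings; it is not RMA's implementation, and the grammar it accepts (the `//` or `#` comment prefix, an optional `reason="..."`) is an assumption based only on the syntax shown above. The source snippet and findings are constructed; the marker on line 5 names a different rule, so the finding on line 6 must survive.

```python
"""Apply rma-ignore-next-line markers to findings (added example, not RMA code)."""
import re
from typing import Dict, List, Tuple

# Assumed grammar: comment prefix, marker, one rule id, optional reason="...".
SUPPRESS_RE = re.compile(
    r'(?://|#)\s*rma-ignore-next-line\s+(?P<rule>[\w/-]+)(?:\s+reason="(?P<reason>[^"]*)")?'
)


def collect_suppressions(source: str) -> Dict[int, Tuple[str, str]]:
    """Map a 1-based line number to (rule_id, reason) for the line *after* each marker."""
    out: Dict[int, Tuple[str, str]] = {}
    for idx, line in enumerate(source.splitlines(), start=1):
        m = SUPPRESS_RE.search(line)
        if m:
            out[idx + 1] = (m.group("rule"), m.group("reason") or "")
    return out


def apply_suppressions(findings: List[dict], source: str):
    """Split findings into (kept, suppressed).

    A finding is suppressed only when the marker on the previous line names
    exactly its rule id, so a marker never silences unrelated rules.
    """
    suppressions = collect_suppressions(source)
    kept, suppressed = [], []
    for f in findings:
        marker = suppressions.get(f["line"])
        if marker and marker[0] == f["rule"]:
            suppressed.append({**f, "reason": marker[1]})
        else:
            kept.append(f)
    return kept, suppressed


# Constructed sample source (line numbers start at 1).
SAMPLE_SOURCE = """\
const element = document.getElementById("out");
// rma-ignore-next-line js/xss-sink reason="content is sanitized"
element.textContent = processedContent;
element.innerHTML = userInput;
// rma-ignore-next-line js/console-log
element.innerHTML = other;
"""

# Constructed findings, as a scanner might report them for the source above.
SAMPLE_FINDINGS = [
    {"rule": "js/xss-sink", "line": 3},  # marker on line 2 names this rule: suppressed
    {"rule": "js/xss-sink", "line": 4},  # no marker: kept
    {"rule": "js/xss-sink", "line": 6},  # marker on line 5 names another rule: kept
]


if __name__ == "__main__":
    kept, suppressed = apply_suppressions(SAMPLE_FINDINGS, SAMPLE_SOURCE)
    for f in kept:
        print(f"open       {f['rule']} line {f['line']}")
    for f in suppressed:
        print(f"suppressed {f['rule']} line {f['line']} ({f['reason'] or 'no reason given'})")
```

Keeping the suppressed findings (with their reasons) rather than discarding them is what makes a later audit of "why was this silenced?" possible.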

hyperfine 'rma scan /path/to/repo' 'semgrep --config auto /path/to/repo'

On a 500K LOC monorepo:

  • RMA: 23 seconds
  • Semgrep: 4 minutes 12 seconds

Contributions welcome! See CONTRIBUTING.md.

make build    # Build all crates
make test     # Run tests
make lint     # Run lints

MIT or Apache-2.0, at your option.



