ai_sast is a cutting-edge static analysis tool designed for C++ that goes beyond traditional pattern matching. Utilizing Clang, it extracts insights from code, validates them, and categorizes findings. With optional AI support for complex issues, it ensures safer, more reliable outputs for development teams.
SAST-AI-C-TOOL is a cutting-edge Static Application Security Testing (SAST) tool specifically designed for C++ development. Leveraging the powerful Clang LibTooling framework, the tool performs deterministic static analysis while providing optional AI-assisted reviews for complex findings. The goal is to elevate static analysis beyond mere pattern matching, ensuring more reliable and actionable results in the security landscape.
Key Features
- Deterministic and Comprehensive Analysis: The engine precisely extracts and evaluates facts from C++ source code, moving through a systematic process of candidate detection, validation of safety barriers, and conclusive judgments on the nature of each finding.
- Structured Reporting: Outcomes are explicitly categorized into five distinct classifications: confirmed_issue, likely_issue, needs_review, likely_safe, and safe_suppressed. This offers clear insight into the status of potential vulnerabilities.
- AI-Enhanced Review: An optional AI layer supplements findings that require additional scrutiny, delivering concise reasoning and remediation suggestions without overshadowing the deterministic capacities of the scanner.
- Interactive Terminal Experience: Users can engage with the tool through an intuitive command-line interface that offers features such as guided demos and repository scans, making it accessible for both beginners and experts.
Detection Pipeline
- Load the repository path and scan options via CLI.
- Discover compilation commands or utilize synthetic alternatives.
- Parse C++ translation units to extract critical programming facts.
- Execute candidate detection and trace potential vulnerabilities.
- Validate findings against established safety criteria.
- Output determinations as JSON, SARIF, or human-readable text.
- Facilitate AI-assisted reviews when necessary.
Supported Rule Families
The tool currently addresses specific security concerns within C++ applications, including but not limited to:
- Command execution misuse (e.g., system, exec*)
- Path traversal vulnerabilities
- Unsafe buffer and string handling (e.g., strcpy, strcat)
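To make the pipeline and the rule families above concrete, here is a toy version of the candidate-detection, barrier-validation and judgment stages applied to the strcpy/strcat and system/exec* sinks. It is an added example, not code from ai_sast / SAST-AI-C-TOOL: it uses line-oriented regular expressions instead of Clang LibTooling, the C++ sample it scans is constructed for this illustration, and the barrier rules (string literal, strlen/sizeof guard, argv or parameter as data origin) are assumptions chosen so that each of the page's five verdict classes is exercised once.

```python
"""Toy candidate -> barrier -> verdict pipeline (added example, not ai_sast code).
Mimics the page's stages with regexes instead of Clang, so it only understands
the shapes present in the constructed sample below."""
import re
from collections import namedtuple

# Constructed sample translation unit; one sink call per function body.
SAMPLE_CPP = """\
void copy_name(const char *name) {
    char buf[32];
    strcpy(buf, name);                 // unbounded copy of a parameter
}
void copy_fixed() {
    char buf[32];
    strcpy(buf, "fixed");              // literal that fits the buffer
}
void copy_checked(const char *name) {
    char buf[32];
    if (strlen(name) < sizeof buf) {
        strcpy(buf, name);             // guarded by a length check
    }
}
void run(const std::string &cmd) {
    system(cmd.c_str());               // command text comes from the caller
}
int main(int argc, char **argv) {
    char buf[16];
    if (argc > 1) {
        strcpy(buf, argv[1]);          // external input, no bound check
    }
}
"""

# Sink -> (rule family, index of the argument carrying the risky data:
# the source operand of strcpy/strcat, the command operand of system/exec*).
SINKS = {s: ("unsafe_buffer", 1) for s in ("strcpy", "strcat")}
SINKS.update({s: ("command_exec", 0) for s in ("system", "execl", "execlp", "execv", "execvp")})

FUNC_HEADER = re.compile(r"^[\w:<>&*]+(?:\s+[\w:<>&*]+)*\s+(\w+)\s*\((.*)\)\s*\{\s*$")
CALL = re.compile(r"\b(" + "|".join(map(re.escape, SINKS)) + r")\s*\((.*)\)")
STRING_LITERAL = re.compile(r'"(?:[^"\\]|\\.)*"')
LENGTH_GUARD = re.compile(r"\bif\s*\(.*\bstrlen\s*\(.*\bsizeof\b")

Finding = namedtuple("Finding", "line sink family verdict reason")

def split_args(text):
    """Split a call's argument list on top-level commas only (quotes and nesting respected)."""
    args, cur, depth, in_str = [], "", 0, False
    for ch in text:
        if ch == '"':
            in_str = not in_str
        elif not in_str:
            if ch in "([":
                depth += 1
            elif ch in ")]":
                depth -= 1
            elif ch == "," and depth == 0:
                args.append(cur.strip())
                cur = ""
                continue
        cur += ch
    return args + [cur.strip()] if cur.strip() else args

def param_names(header_args):
    """'const char *name, int n' -> {'name', 'n'}: the last identifier of each declarator."""
    return {m.group(1) for m in (re.search(r"(\w+)\s*$", p.strip()) for p in header_args.split(",")) if m}

def judge(family, arg, params, guarded):
    """Apply the safety barriers to one candidate and return (verdict, reason)."""
    if STRING_LITERAL.fullmatch(arg):
        return "safe_suppressed", "constant string literal"
    if family == "unsafe_buffer" and guarded:
        return "likely_safe", "copy guarded by a strlen/sizeof check"
    names = set(re.findall(r"[A-Za-z_]\w*", arg))
    if "argv" in names:
        return "confirmed_issue", "data comes straight from argv"
    if names & params and family == "unsafe_buffer":
        return "likely_issue", "unbounded copy of a function parameter"
    if names & params:
        return "needs_review", "command built from a parameter; caller context needed"
    return "needs_review", "origin of the data could not be determined"

def scan(source):
    """Walk a translation unit line by line: detect candidates, check barriers, judge."""
    findings, params, body = [], set(), []
    for lineno, raw in enumerate(source.splitlines(), 1):
        code = raw.split("//", 1)[0]           # drop trailing line comments
        header = FUNC_HEADER.match(code)
        if header:                             # new function: reset the scope
            params, body = param_names(header.group(2)), []
            continue
        call = CALL.search(code)
        if call:
            family, idx = SINKS[call.group(1)]
            args = split_args(call.group(2))
            arg = args[idx] if idx < len(args) else ""
            indent = len(code) - len(code.lstrip())
            # A guard counts only if the sink is nested (indented deeper) inside it.
            guarded = any(LENGTH_GUARD.search(p) and indent > len(p) - len(p.lstrip()) for p in body)
            verdict, reason = judge(family, arg, params, guarded)
            findings.append(Finding(lineno, call.group(1), family, verdict, reason))
        body.append(code)
    return findings
```

Calling `scan(SAMPLE_CPP)` yields one finding per function: the unguarded copy of a parameter is likely_issue, the literal copy is safe_suppressed, the strlen/sizeof-guarded copy is likely_safe, the system() call fed by a parameter is needs_review (the sort of finding the page hands to the optional AI layer), and the copy from argv[1] is confirmed_issue. The real tool works on Clang facts rather than text, but the shape is the same: a candidate is only promoted to an issue after the validation stage fails to find a barrier.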
Example Usage
For a quick demonstration of the functionality, run the demo CLI command:
./build/sast-cli demo
This walks through the possible outcomes of the analysis process.
For a targeted scan with JSON reporting, one can use:
./build/sast-cli scan --repo tests/cases/demo --format json --out build/scan.json
SAST-AI-C-TOOL represents a forward-thinking approach to secure C++ programming, combining deterministic analysis with the capabilities of AI to enhance decision-making in code safety evaluations. This versatility ensures that development teams are equipped with a robust tool that not only identifies issues but also supports them in their remediation efforts.