It's a Rust-native CLI that scans ~100k LOC in under 0.5 seconds and now has:
- Cross-file taint propagation (input in handler → util → sink)
- String concatenation & template taint (real SQLi, XSS, command injection, path traversal)
- Basic type inference + nullability (null dereference detection)
- Typestate/protocol rules (file/DB/lock/crypto leaks, use-after-close, double-lock, etc.)
- Interactive TUI viewer (navigate findings, filter severity, search, preview code snippets)
- SARIF output → GitHub Security tab
- Dashboard with vuln tables, fix recommendations, health scores (in progress)
Repo: https://github.com/bumahkib7/rust-monorepo-analyzer
Latest release: https://github.com/bumahkib7/rust-monorepo-analyzer/releases...

Try it:

```shell
cargo install rma
rma scan . --profile strict --ai
rma scan . --interactive   # launches the TUI
```
Still early — false positives exist in generated/test code (tunable via rma.toml). Feedback very welcome: too noisy? Missing rules? Happy to hear it.
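To make the "handler → util → sink" taint class concrete, here is an added illustration (not code from the rma project): the request field is the taint source, a util function builds the SQL text, and a stand-in `execute` sink just returns what it received so the difference is visible. The vulnerable util concatenates the input into the query text; the hardened util keeps the query text constant and passes the value as a bound parameter, which is the shape a string-concatenation taint rule distinguishes. Function names and the sample payload are constructed for this example.

```rust
/// Stand-in sink (constructed for this example): a real one would run the
/// statement against the database. Returning its inputs lets us inspect
/// exactly what reached it.
fn execute(sql: &str, params: &[String]) -> (String, Vec<String>) {
    (sql.to_string(), params.to_vec())
}

/// Vulnerable util (think util.rs): the untrusted `name` is formatted
/// straight into the SQL text, so taint from the handler reaches the sink
/// through the query string itself.
fn find_user_by_name_vulnerable(name: &str) -> (String, Vec<String>) {
    let sql = format!("SELECT id FROM users WHERE name = '{}'", name);
    execute(&sql, &[])
}

/// Hardened util: the SQL text is a compile-time constant and the untrusted
/// value travels separately as a bound parameter. No tainted data flows
/// into the query string, so the concatenation rule has nothing to flag.
fn find_user_by_name_safe(name: &str) -> (String, Vec<String>) {
    const SQL: &str = "SELECT id FROM users WHERE name = $1";
    execute(SQL, &[name.to_string()])
}

/// Handler (think handler.rs): `request_name` is the taint source. It calls
/// both utils so the two sink inputs can be compared side by side.
fn handler(request_name: &str) -> ((String, Vec<String>), (String, Vec<String>)) {
    (
        find_user_by_name_vulnerable(request_name),
        find_user_by_name_safe(request_name),
    )
}

fn main() {
    // Constructed sample input containing a quote, the classic SQLi probe.
    let payload = "' OR '1'='1";
    let ((bad_sql, bad_params), (good_sql, good_params)) = handler(payload);
    println!("vulnerable sink got: {bad_sql} params={bad_params:?}");
    println!("hardened sink got:   {good_sql} params={good_params:?}");
}
```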