DeepseekScanner deepseek+python实现代码审计实战

一、功能概述

DeepseekScanner实现了扫描源代码项目中的所有代码文件发送给deepseek进行安全审计的功能。具体细节包括扫描所有子目录中的代码文件，然后依次将代码文件切片发送到deepseek api进行智能代码审计。审计结果包含存在安全问题的代码文件、代码位置行数、安全漏洞问题名称、存在安全漏洞的代码块。最后将审计结果保存到文件中方便查阅。

二、具体功能介绍

扫描指定的代码项目目录

//支持只扫描指定的文件后缀比如.php 只扫描.php文件 也可以扫描全部的文件类型
def scan_directory(directory, file_types=None, scan_all=False):
    try:
        if scan_all:
            files_to_scan = [os.path.join(root, file) for root, _, files in os.walk(directory) for file in files]
        else:
            files_to_scan = [os.path.join(root, file) for root, _, files in os.walk(directory) for file in files if
                             any(file.endswith(ft) for ft in file_types)]
        # Saving results to file
        scan_results = []
        filename = f"scan_results.txt"
        directory = "./"
        filepath = os.path.join(directory, filename)
        for file_path in tqdm(files_to_scan, desc="Scanning files"):
            file_scan_results = scan_file(file_path, scan_results, directory)
            if file_scan_results is not None and len(file_scan_results) > 0:
                save_results_to_file(filepath, file_scan_results)
    except Exception as e:
        print(e)

2.代码文件切片发送给deepseek做安全审计

//从项目中的各个目录提取代码文件后，开始对代码进行切片发送给deepseek做安全审计
def scan_file(file_path, scan_results, directory):
    try:
        with open(file_path, 'r') as file:
            content = file.readlines()

        total_chunks = (len(content) - 1) // 100 + 100
        file_scan_results = []

        for chunk_start in range(0, len(content), 100):
            chunk_end = min(chunk_start + 100, len(content))
            code_chunk = ''.join(content[chunk_start:chunk_end])
            response = analyze_security(code_chunk)

            if hasattr(response, 'content'):
                results = response.content
            elif isinstance(response, dict) and 'content' in response:
                results = response['content']
            else:
                results = response

            if results:
                # Split the result into individual issues using "@@@@", it can be unreliable depending on the output of the model
                individual_results = results.split('@@@@')
                for result in individual_results:
                    if "存在风险" in result:
                        try:
                            _, line_numbers, issue_description, code_snippet = result.split(' | ', 3)
                            adjusted_line_numbers = line_numbers.strip()
                            issue_description = issue_description.strip()
                            code_snippet = code_snippet.strip()
                            file_scan_results.append(
                                (file_path, adjusted_line_numbers, issue_description, code_snippet))
                        except ValueError:
                            continue

        # Append this file's results to the main scan_results
        # scan_results.extend(file_scan_results)
        return file_scan_results
    except Exception as e:
        print(e)
    return None

3.deepseek代码审计功能

//严格定义prompt为资深安全专家实现代码安全审计
def analyze_security(content):
    try:
        completion = client.chat.completions.create(
            model="deepseek-chat",  # field is not currently used in LM studio
            messages=[
                {"role": "system", "content": '''你是一个安全专家严格分析以下代码片段，检查其中是否存在安全漏洞，请详细分析'''},
                {"role": "user", "content": content}
            ],
            temperature=0.7,
        )
        return completion.choices[0].message
    except Exception as e:
        print(e)
    return None

三、测试结果

1.命令执行

//对项目中的所有代码进行安全审计
python scanner.py E:\work\sqli-secound-order --all

2.结果展示

四、总结

DeepseekScanner通过python+deepseek实现了python、php、java等语言项目代码审计，测试效果对于常见的安全问题甄别效果还是可以的，但可能也存在误报、错报等问题，需要再逐一帧对，不断完善。感兴趣的朋友可以在公众号回复"deepseekscanner"下载完整项目进行测试，包含代码项目和提供测试的漏洞代码项目。