Skip to content

th3-v3ng34nc3/sandman

BranchesTags

Repository files navigation

Sandman

Sandman

One tool. Every scan. Linux and Windows.

Sandman is a unified security scanning CLI that wraps Trivy, Opengrep, OWASP ZAP, and ClamAV behind a single, consistent interface — with automatic JSON report generation for every scan.

What Sandman can scan

Command What it finds Engine Report
scan image CVEs in container images Trivy sandman-image-{ts}.json
scan secrets Hardcoded API keys, tokens, passwords Trivy sandman-secrets-{ts}.json
scan code Security flaws in source code (SAST) Opengrep sandman-code-{ts}.json
scan iac Misconfigurations in Terraform, K8s, Helm, Dockerfiles Trivy sandman-iac-{ts}.json
scan vuln OS and package CVEs on live Linux / Windows systems Trivy sandman-vuln-{ts}.json
scan malware Malware, viruses, and trojans ClamAV sandman-malware-{ts}.log
scan dast Vulnerabilities in running web applications OWASP ZAP sandman-dast-{ts}.json
scan all All of the above in one shot All engines Per-scan files, shared {ts}

Reports are always saved automatically. Every scan generates a timestamped file (e.g. sandman-image-20250401-150405.json) so nothing is lost. Use --output to override the file path.

Output example

Every scan prints a clear header before running and a footer confirming where the report was saved:

──────────────────────────────────────────────────────────
🌙 Sandman — Image Scan
   Target   : nginx:latest
   Severity : HIGH,CRITICAL
   Report   : sandman-image-20250401-150405.json
──────────────────────────────────────────────────────────

[trivy output...]

──────────────────────────────────────────────────────────
✅ Sandman image scan complete
   Report saved → sandman-image-20250401-150405.json
──────────────────────────────────────────────────────────

scan all runs every scan in sequence and prints a combined summary:

══════════════════════════════════════════════════════════
🌙 Sandman — Scan Summary
──────────────────────────────────────────────────────────
   image      ✅  sandman-image-20250401-150405.json
   secrets    ✅  sandman-secrets-20250401-150405.json
   code       ✅  sandman-code-20250401-150405.json
   iac        ✅  sandman-iac-20250401-150405.json
   vuln       ✅  sandman-vuln-20250401-150405.json
   malware    ⚠️   sandman-malware-20250401-150405.log
   dast       ✅  sandman-dast-20250401-150405.json
══════════════════════════════════════════════════════════

Installation

Option 1 — Docker (recommended, zero dependencies)

All scan engines are pre-installed in the image.

docker pull rajvanshi/sandman:latest
# or pin to a specific version
docker pull rajvanshi/sandman:v0.0.1

Option 2 — Pre-built binary

Download the binary for your platform from the Releases page.

Linux

# amd64
curl -LO https://github.com/th3-v3ng34nc3/sandman/releases/latest/download/sandman_linux_amd64.zip
unzip sandman_linux_amd64.zip && sudo mv sandman /usr/local/bin/

# .deb (Debian / Ubuntu)
curl -LO https://github.com/th3-v3ng34nc3/sandman/releases/latest/download/sandman_linux_amd64.deb
sudo dpkg -i sandman_linux_amd64.deb

# .rpm (RHEL / Fedora)
sudo rpm -i sandman_linux_amd64.rpm

Windows (PowerShell — run as Administrator)

# Automated — installs Sandman + all dependencies
.\windows-installer.ps1

# Manual download
Invoke-WebRequest -Uri "https://github.com/th3-v3ng34nc3/sandman/releases/latest/download/sandman_windows_amd64.zip" -OutFile sandman.zip
Expand-Archive sandman.zip -DestinationPath C:\tools\sandman
[Environment]::SetEnvironmentVariable("PATH", $env:PATH + ";C:\tools\sandman", "User")

Option 3 — Build from source

Requires Go 1.22+.

git clone https://github.com/th3-v3ng34nc3/sandman.git
cd sandman
go mod tidy
go build -o sandman .

Installing scan engines

Skip this section if using Docker — all engines are bundled in rajvanshi/sandman.

Use the included installers to set up all dependencies automatically.

Linux

sudo bash install.sh

Windows (run as Administrator)

.\windows-installer.ps1

Both scripts present an interactive menu — select your scan use-case and only the required engines are installed.

Manual installation

Trivy — image, secrets, IaC, and vulnerability scanning

Linux

# Debian / Ubuntu
wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | gpg --dearmor | sudo tee /usr/share/keyrings/trivy.gpg > /dev/null
echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb generic main" | sudo tee /etc/apt/sources.list.d/trivy.list
sudo apt-get update && sudo apt-get install -y trivy

Windows

winget install Aquasecurity.Trivy

ClamAV — malware and virus scanning

Linux

sudo apt-get install -y clamav && sudo freshclam

Windows

winget install ClamAV.ClamAV
freshclam   # update virus definitions

Opengrep — SAST

Linux

curl -sSL https://github.com/opengrep/opengrep/releases/latest/download/opengrep-linux-amd64 \
  -o /usr/local/bin/opengrep && chmod +x /usr/local/bin/opengrep

Windows

Invoke-WebRequest -Uri "https://github.com/opengrep/opengrep/releases/latest/download/opengrep-windows-amd64.exe" -OutFile C:\tools\sandman\opengrep.exe

OWASP ZAP — DAST

Linux

sudo snap install zaproxy --classic

Windows

winget install ZAProxy.ZAP

Usage

scan image

sandman scan image nginx:latest
sandman scan image myapp:1.2.3 --severity CRITICAL
sandman scan image alpine:3.18 --output my-report.json

scan secrets

sandman scan secrets ./
sandman scan secrets ./src --severity HIGH,CRITICAL,MEDIUM

scan code — SAST

sandman scan code ./src
sandman scan code ./src --format sarif --output results.sarif

scan iac

Supports Terraform, CloudFormation, Kubernetes manifests, Helm charts, and Dockerfiles.

sandman scan iac ./infra
sandman scan iac ./k8s --severity CRITICAL

scan vuln — OS / package CVEs

Works on live Linux and Windows filesystems.

# Linux root
sandman scan vuln /

# Windows system drive
sandman scan vuln C:\

# Specific directory
sandman scan vuln /opt/myapp --severity HIGH,CRITICAL

scan malware

sandman scan malware /home
sandman scan malware C:\Users --output malware-report.txt
sandman scan malware /uploads

ClamAV exits with code 1 when threats are found and 2 on error. Sandman handles these correctly — findings produce a ⚠️ result in scan all rather than a false failure.

scan dast

# Passive baseline scan (safe, no active attacks)
sandman scan dast https://staging.myapp.com

# Full active scan — only use against targets you own
sandman scan dast https://staging.myapp.com --full

# API scan with OpenAPI spec
sandman scan dast https://api.myapp.com --api-spec ./openapi.yaml

# Save as JSON
sandman scan dast https://staging.myapp.com --format json --output dast.json

scan all — full pipeline

All reports share a single timestamp so they're easy to correlate.

# Full pipeline
sandman scan all \
  --image myapp:latest \
  --path ./src \
  --target https://staging.myapp.com

# Filesystem only
sandman scan all --path ./src

# With active DAST
sandman scan all \
  --image myapp:latest \
  --path . \
  --target https://staging.myapp.com \
  --full

Flags reference

Persistent flags (all scan subcommands)

Flag Default Description
--severity HIGH,CRITICAL Severity filter: LOW, MEDIUM, HIGH, CRITICAL
--format json Output format: json, table, sarif. DAST also accepts html, xml
--output (auto-generated) Override the report file path

scan dast flags

Flag Default Description
--full false Full active scan (zap-full-scan.py) instead of passive baseline
--api-spec OpenAPI/Swagger spec path or URL — triggers zap-api-scan.py

scan all flags

Flag Description
--image Container image to scan
--path Filesystem path — runs secrets, code, IaC, vuln, and malware scans
--target Live URL — runs DAST scan
--full Use full active ZAP scan instead of baseline

Running in Docker

# Container image scan
docker run --rm rajvanshi/sandman:v0.0.1 scan image nginx:latest

# Scan local source code — mount the directory
docker run --rm -v $(pwd):/src rajvanshi/sandman:v0.0.1 scan code /src

# IaC scan
docker run --rm -v $(pwd)/infra:/infra rajvanshi/sandman:v0.0.1 scan iac /infra

# OS vulnerability scan (mount root read-only)
docker run --rm -v /:/host:ro rajvanshi/sandman:v0.0.1 scan vuln /host

# Malware scan with persistent ClamAV definitions
docker run --rm \
  -v /var/lib/clamav:/var/lib/clamav \
  -v $(pwd):/scan \
  rajvanshi/sandman:v0.0.1 scan malware /scan

# DAST
docker run --rm rajvanshi/sandman:v0.0.1 scan dast https://example.com

# Full pipeline — save reports to host
docker run --rm \
  -v $(pwd):/src \
  -v $(pwd)/reports:/reports \
  rajvanshi/sandman:v0.0.1 scan all \
    --image nginx:latest \
    --path /src \
    --target https://example.com

Kubernetes

A sample Job manifest is included at k8s/job.yaml.

apiVersion: batch/v1
kind: Job
metadata:
  name: sandman-scan-nginx
spec:
  template:
    spec:
      containers:
      - name: sandman
        image: rajvanshi/sandman:v0.0.1
        args: ["scan", "image", "nginx:latest"]
      restartPolicy: Never
kubectl apply -f k8s/job.yaml
kubectl logs job/sandman-scan-nginx

CI/CD integration

Sandman exits non-zero when any scan finds issues, making it a natural pipeline gate.

GitHub Actions

- name: Sandman security scan
  run: |
    docker run --rm \
      -v ${{ github.workspace }}:/src \
      rajvanshi/sandman:v0.0.1 scan all \
        --image ${{ env.IMAGE }}:${{ github.sha }} \
        --path /src \
        --severity HIGH,CRITICAL

GitLab CI

security-scan:
  image: rajvanshi/sandman:v0.0.1
  script:
    - scan image $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA
    - scan code /src --format sarif --output gl-sast-report.json
  artifacts:
    reports:
      sast: gl-sast-report.json

How it works

Sandman translates a unified flag set into the correct invocation per engine, streams output to the terminal, saves a JSON report, and exits non-zero when issues are found.

sandman scan image nginx:latest
  └─▶  trivy image --severity HIGH,CRITICAL --format json
                   --output sandman-image-20250401-150405.json nginx:latest

sandman scan secrets ./src
  └─▶  trivy fs --scanners secret --severity HIGH,CRITICAL --format json
                --output sandman-secrets-20250401-150405.json ./src

sandman scan code ./src
  └─▶  opengrep scan --config p/default --json
                     --output sandman-code-20250401-150405.json ./src

sandman scan iac ./infra
  └─▶  trivy config --severity HIGH,CRITICAL --format json
                    --output sandman-iac-20250401-150405.json ./infra

sandman scan vuln /
  └─▶  trivy fs --scanners vuln --severity HIGH,CRITICAL --format json
                --output sandman-vuln-20250401-150405.json /

sandman scan malware /app
  └─▶  clamscan --recursive --infected
                --log=sandman-malware-20250401-150405.log /app

sandman scan dast https://example.com
  └─▶  zap-baseline.py -t https://example.com
                       -J sandman-dast-20250401-150405.json

Built with

Tool Purpose
Trivy Container image, secrets, IaC, and vulnerability scanning
Opengrep SAST — static source code analysis
OWASP ZAP DAST — dynamic application security testing
ClamAV Malware and virus detection
Cobra CLI framework
GoReleaser Cross-platform builds and packaging

License

MIT © th3-v3ng34nc3

About

A unified security scanning CLI for containers, code, IaC, malware, and live web apps

github.com/th3-v3ng34nc3/sandman/

Topics

container cve-scanning vulnerability-scanners malware-detection code-security container-scanning iac-scanner

Resources

Readme

License

MIT license
Activity

Stars

0 stars

Watchers

0 watching

Forks

1 fork
Report repository

Releases 1

v0.0.1 Latest
Apr 1, 2026

Packages

 
 
 

Contributors

Languages