Source Code Vulnerability Scanner #310

@tp9222

Description

Extension URL

https://github.com/tp9222/Source-Code-Vulnerability-Scanner-Burp-Extension

Version number

1.0.0

Select additional compatible products and features

  • Community
  • DAST
  • Burp AI

Author display name

Tejas N Pingulkar

Contact details (optional)

Email: tp9222@gmail.com

Discord username (optional)

No response

I confirm that the following is true:

Extension overview

Source Code Vulnerability Scanner is a passive Burp Suite extension that automatically inspects every JavaScript, HTML, JSON, and text response flowing through Burp Proxy and flags security vulnerabilities and weak coding practices in real time: no active scanning, no extra requests.
The extension contains 75 detection rules across 17 categories, including hardcoded secrets and API keys, dangerous JavaScript sinks (eval, innerHTML, document.write), SQL and NoSQL injection patterns, OS command injection, path traversal, prototype pollution, insecure cookies, missing CSRF tokens, disabled TLS verification, weak cryptography, and client-side storage misuse.
Each finding is presented in a dedicated tab with a linter-style output showing the exact matched line of code, a caret pointer (^^^) to the precise column, surrounding context lines, and a count of all occurrences on the page, not just the first hit.

Key features

75 passive detection rules across secrets, dangerous sinks, injection, crypto, cookies, DOM pitfalls, and JavaScript weak coding practices; they fire automatically on every response through the proxy, with no manual trigger.

Burp scanner integration: findings register in the Target site map and appear in scan report exports alongside everything else.

Live filtering: filter the table by severity, or search by keyword across rule name, URL, and matched code.

Usage instructions

Setup
Download the Jython standalone JAR from jython.org (Jython 2.7.x; Burp runs Python extensions through it, which is why the extension is written in Python 2 syntax). You only need to do this once. In Burp go to Extender → Options → Python Environment and point it at the JAR. Then Extender → Extensions → Add → Python → select SourceCodeVulnerabilityScanner.py. In recent Burp releases the Extender tab is named Extensions (Extensions → Installed → Add) and the Python environment setting lives under Settings → Extensions; the steps are otherwise the same. If it loaded correctly you'll see this in the Output tab:

[SCVS] Source Code Vulnerability Scanner loaded -- 75 rules active.

Browse any page to start scanning. A Source Code Vulnerability Scanner tab will appear in the main Burp toolbar.

Scanning
Turn Intercept off and browse the target normally through the proxy. The extension scans every response in the background, so you don't need to do anything. As pages load, findings appear in the table automatically. Only responses that actually traverse the proxy are inspected, so clear the browser cache first if you want scripts the browser already holds to be re-fetched and scanned.

Reading the results
The table shows severity, confidence, the rule name, which line the match was found on, and the exact bad token in red.

Detail view
The panel splits into two sides.
The left side (dark background) shows the code. Each occurrence gets its own block with the line number, the matched token, and 2 lines of context above and below. The bad part gets a ^^^ pointer underneath it so you can see exactly what triggered it.

If there are more than 10 occurrences on one page it shows the first 10 and tells you how many more there are.
The right side explains the issue: what the pattern is, why it's a problem, what an attacker could do with it, a bad-vs-good code example, how to fix it, and the CWE and OWASP reference at the bottom.

Burp scanner
Findings also show up in Target → Site map under Issues, and they come out in scan report exports. If you're generating a report at the end of an engagement these findings will be in there alongside everything else.

Adding your own rules
Open the file and find the RULES list near the top. Add a dict with the same keys as the existing entries:

```python
{
    "name": "My Rule",
    "severity": "High",           # as shown in the table and in Burp's issue list
    "confidence": "Firm",
    "pattern": r'my_regex_here',  # Python regex, run against the response body
    "description": "WHY INSECURE: ...",
    "remediation": "SECURE ALTERNATIVE: ...",
    "applies_to": ["js", "html"], # response types to run against; use the same tags as the existing rules
},
```

Then reload the extension so the new rule is compiled: in the extension list, uncheck and re-check its Loaded box, or remove it and add it again. The pattern is an ordinary Python regular expression compiled by Jython's Python 2.7 re module, so keep it tight (word boundaries, a specific token shape) to limit false positives on minified bundles.
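To make the mechanics concrete, here is a stand-alone Python sketch of the rule engine this page describes. It is an added example, not code from the extension or its author: the rule names and regexes are assumed for illustration, the sample response is constructed (the key in it is the placeholder from AWS's own documentation), and the output format approximates the page's linter-style view (line number, two lines of context, ^^^ caret under the token, first 10 occurrences rendered and the rest counted). It runs on plain Python 2.7 or 3 without Burp; in the real extension the scan() call would sit inside an IHttpListener.processHttpMessage() handler and findings would be registered via addScanIssue(). It deliberately avoids Python 3-only syntax because Burp's Python extensions run on Jython.

```python
import re

# Rule dicts use the same shape the page documents for RULES. The rule names
# and regexes are illustrative (assumed), not copied from the extension.
RULES = [
    {
        "name": "Hardcoded AWS access key ID",
        "severity": "High",
        "confidence": "Firm",
        "pattern": r"\bAKIA[0-9A-Z]{16}\b",
        "description": "WHY INSECURE: a long-lived cloud credential is shipped to every client.",
        "remediation": "SECURE ALTERNATIVE: keep credentials server-side; rotate the exposed key.",
        "applies_to": ["js", "html", "json", "txt"],
    },
    {
        "name": "eval() sink",
        "severity": "High",
        "confidence": "Tentative",
        "pattern": r"\beval\s*\(",
        "description": "WHY INSECURE: eval() runs attacker-influenced strings as code.",
        "remediation": "SECURE ALTERNATIVE: JSON.parse for data; never evaluate dynamic code.",
        "applies_to": ["js", "html"],
    },
    {
        "name": "innerHTML assignment",
        "severity": "Medium",
        "confidence": "Tentative",
        "pattern": r"\.innerHTML\s*=(?!=)",
        "description": "WHY INSECURE: assigning untrusted markup to innerHTML is a DOM XSS sink.",
        "remediation": "SECURE ALTERNATIVE: textContent, or sanitise with DOMPurify first.",
        "applies_to": ["js", "html"],
    },
]

MAX_SHOWN = 10  # the page renders the first 10 occurrences and counts the rest
CONTEXT = 2     # lines of context above and below each occurrence


def content_tag(mime):
    """Map a response Content-Type to the applies_to tag a rule declares."""
    mime = mime.lower()
    for needle, tag in (("javascript", "js"), ("html", "html"), ("json", "json"), ("text/", "txt")):
        if needle in mime:
            return tag
    return None


def scan(body, mime):
    """Run every applicable rule over the body; return one finding per rule that
    matched, listing all occurrences with 1-based line and column."""
    tag = content_tag(mime)
    findings = []
    for rule in RULES:
        if tag not in rule["applies_to"]:
            continue
        occurrences = []
        for m in re.finditer(rule["pattern"], body):
            line_idx = body.count("\n", 0, m.start())        # newlines before the match
            line_start = body.rfind("\n", 0, m.start()) + 1  # 0 when on the first line
            occurrences.append({"line": line_idx + 1,
                                "col": m.start() - line_start + 1,
                                "token": m.group(0)})
        if occurrences:
            f = dict(rule)  # carries description/remediation for the detail pane
            f["count"] = len(occurrences)
            f["occurrences"] = occurrences
            findings.append(f)
    return findings


def render(body, finding):
    """Linter-style view: numbered source lines, CONTEXT lines around each hit,
    a ^^^ caret under the matched token, capped at MAX_SHOWN blocks."""
    lines = body.split("\n")
    out = ["[{severity}/{confidence}] {name}: {count} occurrence(s)".format(**finding)]
    for occ in finding["occurrences"][:MAX_SHOWN]:
        idx = occ["line"] - 1
        lo, hi = max(0, idx - CONTEXT), min(len(lines), idx + CONTEXT + 1)
        for i in range(lo, hi):
            out.append("{0:4d} | {1}".format(i + 1, lines[i]))
            if i == idx:
                out.append("     | " + " " * (occ["col"] - 1) + "^" * len(occ["token"]))
        out.append("")
    hidden = finding["count"] - MAX_SHOWN
    if hidden > 0:
        out.append("... and {0} more occurrence(s) not shown".format(hidden))
    return "\n".join(out)


# Constructed sample response body; the key is AWS's documentation placeholder.
SAMPLE_JS = """\
var cfg = {
  key: "AKIAIOSFODNN7EXAMPLE",
  debug: true
};
function render(el, data) {
  el.innerHTML = data.html;
  eval(data.onload);
}
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE_JS, "application/javascript"):
        print(render(SAMPLE_JS, finding))
```

Two details matter when writing rules against this shape of engine: applies_to is the only thing that stops a JavaScript-only sink rule from firing on a JSON API body, and the column is computed from the byte offset of the match, so a rule whose regex starts with optional whitespace (e.g. `\s*eval`) will point the caret at the whitespace rather than at the token.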

Metadata

Assignees: No one assigned

Labels: Community (compatible with Burp Suite Community), DAST (compatible with Burp Suite DAST), Professional (compatible with Burp Suite Professional)

Status: Concept review
