Betterscan

Rewrote the Betterscan scanning orchestration tool in Go. It is only available as a command-line interface (CLI) and has additional functionality. The tool is currently packaged as a Go-based scanner runner that can execute scans sequentially or in parallel; it supports CPG (a unified multi-graph database combining three distinct paradigms - AST (Syntax), CFG (Pathways and Execution Order), DFG (Data Flow));, works on pure source code for CPG (no compile environment needed), it normalizes all findings; and it offers an optional LLM enrichment for JSON, SARIF, and HTML output formats.

Get Started go build -o checkmate-go .
🚀 Parallel Execution

Core-limited worker pool for concurrent scans. Supports OpenGrep, Trivy, Bandit, Brakeman, Gostaticcheck, Fraunhoffer CPG, Joern.

🤖 LLM Enrichment

Enhance security findings with AI context using OpenAI-compatible endpoints and swappable models.

📋 Normalized Output

Unified JSON/SARIF/HTML formats with smart deduplication and finding collapsing.

Usage Examples

# Run parallel scan with 8 jobs

./checkmate-go --code-dir ./src --strategy parallel --jobs 8

# Full report with LLM enrichment

./checkmate-go \ --code-dir ./project \ --llm-enrich \ --llm-model gpt-4o-mini \ --sarif-out results.sarif \ --html-out results.html

Strategies & Tools

  • ✓ Sequential: Predictable one-by-one execution.
  • ✓ Parallel: High-speed concurrent worker pool.
  • ✓ Auto-Install: Install missing tools via --install-missing.

Deployment Ready

Ready-to-use templates for cloud-scale scanning:

Cloud Run Jobs ECS/Fargate