Git Vuln Finder : Finding Potential Software Vulnerabilities From Git Commit Messages

Git Vuln Finder finds potential software vulnerabilities from git commit messages. The output format is a JSON with the associated commit which could contain a fix regarding a software vulnerability. The search is based on a set of regular expressions against the commit messages only. If CVE IDs are present, those are added automatically in the output.


jq (sudo apt install jq)

Also Read – Dsync : IDAPython Plugin That Synchronizes Disassembler & Decompiler Views


Use it as a library

git-vuln-finder can be install with poetry. If you don’t have poetry installed, you can do the following curl -sSL | python.

$ poetry install git-vuln-finder
$ poetry shell

Use it as a command line tool

$ pipx install git-vuln-finder
$ git-vuln-finder –help

You can also use pip. pipx installs scripts (system wide available) provided by Python packages into separate virtualenvs to shield them from your system and each other.



git-vuln-finder comes with 3 default patterns which can be selected to find the potential vulnerabilities described in the commit messages such as:

  • vulnpatterns is a generic vulnerability pattern especially targeting web application and generic security commit message. Based on an academic paper.
  • cryptopatterns is a vulnerability pattern for cryptographic errors mentioned in commit messages.
  • cpatterns is a set of standard vulnerability patterns see for C/C++-like languages.