# flutter_sast

flutter_sast is a lightweight static scanner for Flutter and Dart projects. It looks for common security misconfigurations and risky patterns in app code, platform files, and dependencies. One command prints a summary and writes `flutter_sast_report.json` and `flutter_sast_report.html`.

Requires Dart 3.3+ (Flutter 3.19+).

How it works: regex and line-based heuristics — not a full AST analyzer or penetration test. Review every finding in context.
## Limitations

- Not semantic dataflow analysis; no guarantee a finding is exploitable
- Not runtime / dynamic (DAST) testing
- May report false positives; use `// flutter_sast:ignore RULE-ID` or `.flutter_sast.yml` to tune
- Default scan skips `test/`, `build/`, and `example/` paths
## What it checks

| Layer | Examples |
|---|---|
| Dart | Hardcoded secrets; cleartext HTTP / weak TLS; sensitive SharedPreferences / GetStorage; FlutterSecureStorage without Android encryption; patterns suggesting weak crypto, injection sinks, or unsafe paths; WebView and logging issues |
| Android | AndroidManifest.xml, strings.xml — debuggable builds, backup, cleartext, exported components, permissions |
| iOS | Info.plist — ATS, file sharing (--profile privacy focuses on usage-description strings) |
| Dependencies | Debug packages in production deps; secure-storage / pinning advisories (Flutter apps only) |
| Build & config | .env gitignore, release signing, ProGuard rules |
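As an added illustration (not code from the flutter_sast project or its author), the snippet below shows the two Dart-layer patterns that appear in the example output further down, an insecure HTTP base URL (DART-002) and an auth token written to SharedPreferences in cleartext (DART-003), next to a hardened version that uses HTTPS and FlutterSecureStorage with Android encryption enabled, plus one deliberate same-line `flutter_sast:ignore` marker on a non-sensitive preference. The package names (`http`, `shared_preferences`, `flutter_secure_storage`), the class and key names, the host, and the assumption that the scanner's heuristics flag exactly these lines (and accept the marker as a trailing comment) are all assumptions of this example, not statements from the README.

```dart
// Added example, not part of flutter_sast. Assumes the pub packages
// http, shared_preferences and flutter_secure_storage are declared in
// pubspec.yaml; the host api.example.com is a placeholder.
import 'package:flutter_secure_storage/flutter_secure_storage.dart';
import 'package:http/http.dart' as http;
import 'package:shared_preferences/shared_preferences.dart';

/// BEFORE: the kind of code the scanner's DART-002 / DART-003 heuristics report.
class InsecureAuthClient {
  // Cleartext transport: credentials and the returned token cross the network
  // unencrypted (pattern reported as DART-002 "Insecure HTTP URL").
  static const baseUrl = 'http://api.example.com';

  Future<void> login(String user, String password) async {
    final resp = await http.post(
      Uri.parse('$baseUrl/login'),
      body: {'user': user, 'password': password},
    );
    // Sensitive value written to SharedPreferences, which is a plain XML file
    // on Android and an unencrypted plist on iOS (pattern reported as DART-003).
    final prefs = await SharedPreferences.getInstance();
    await prefs.setString('auth_token', resp.body);
  }
}

/// AFTER: the same flow with both findings addressed.
class HardenedAuthClient {
  static const baseUrl = 'https://api.example.com';

  // Android: back the store with EncryptedSharedPreferences so the token is
  // not readable from an app backup or the file system of a rooted device.
  // iOS: the Keychain is used with its default accessibility.
  static const _storage = FlutterSecureStorage(
    aOptions: AndroidOptions(encryptedSharedPreferences: true),
  );

  Future<void> login(String user, String password) async {
    final resp = await http.post(
      Uri.parse('$baseUrl/login'),
      body: {'user': user, 'password': password},
    );
    await _storage.write(key: 'auth_token', value: resp.body);
  }

  Future<String?> token() => _storage.read(key: 'auth_token');

  // Non-sensitive preference: SharedPreferences is the right tool here. If the
  // key-name heuristic still flags it, suppress that single line explicitly
  // rather than disabling DART-003 for the whole project.
  Future<void> rememberTheme(String theme) async {
    final prefs = await SharedPreferences.getInstance();
    await prefs.setString('theme', theme); // flutter_sast:ignore DART-003
  }
}
```

Because the scanner is regex based, the "after" version passes by removing the pattern rather than by proving the data flow safe, so the line-level ignore is reserved for values that are genuinely not sensitive; a broader exclusion belongs in `.flutter_sast.yml` where it is visible in review.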
## Install

```shell
dart pub global activate flutter_sast
export PATH="$PATH:$HOME/.pub-cache/bin" # add to ~/.zshrc to persist
flutter_sast -v
```

Or as a dev dependency:

```yaml
dev_dependencies:
  flutter_sast: ^0.1.1
```

```shell
dart pub get
dart run flutter_sast .
```
## Quick start

From your project root (where `pubspec.yaml` lives):

```shell
flutter_sast .
```

The `scan` subcommand is optional — these are equivalent:

```shell
flutter_sast .
flutter_sast scan .
flutter_sast scan /path/to/app
```
## Example output

```text
Security Score : 72/100
Risk Level     : HIGH

[HIGH] DART-002 Insecure HTTP URL
  File : lib/api/client.dart:14
  ...

[MEDIUM] DART-003 SharedPreferences stores sensitive data in cleartext
  File : lib/auth/storage.dart:22
  ...
```
## CI

```shell
flutter_sast -q -f json   # JSON only, no console
flutter_sast --fail-on-high  # exit 1 on HIGH/CRITICAL
flutter_sast --fail-on-any   # exit 1 on any finding
```

| Flag | Purpose |
|---|---|
| `--no-dart` / `--no-android` / `--no-ios` / `--no-pubspec` | Skip that area |
| `--no-env` | Skip `.env` files |
| `--profile privacy` | iOS Info.plist only (includes usage-description checks) |
| `--profile web` | Web CSP, `dart:io` guard, WebView allowlist (WEB-*, DART-010) |
| `--no-web` | Skip `web/index.html` (only used with `--profile web`) |
| `-r DART-001` | Run specific rules only |
| `-e build/` | Extra paths to skip |
| `-o ./reports/` | Report output directory |

Exit codes: 0 ok, 1 policy/usage error, 2 scan error.
## Optional config

Create `.flutter_sast.yml` in the project root only if you need tuning:

```yaml
exclude:
  glob:
    - "**/*.g.dart"
rules:
  AND-004:
    exported_allowlist:
      - com.example.YourOAuthActivity
profiles:
  default: security
```

`exported_allowlist` skips AND-004 for named Android components (e.g. OAuth callback activities). Per-rule `severity` and `exclude_globs` override defaults for matching paths.

Suppress a line: `// flutter_sast:ignore DART-004`
More options: CHANGELOG.md.
## Reports

Default: console + `flutter_sast_report.json` + `flutter_sast_report.html` in the scanned project directory.

```shell
flutter_sast -f json -o ./security/   # JSON under ./security/
```

Score (0–100) is a heuristic hygiene indicator (severity × confidence), not CVSS or exploitability. INFO and dependency Recommendation rows do not lower the score.
## Rule IDs (summary)

Each finding includes a `ruleId` in console, JSON, and HTML reports.

| Area | IDs |
|---|---|
| Dart | DART-001–018 |
| Android | AND-001–015 |
| iOS | IOS-001–006 |
| Dependencies | DEPS-002, 003, 006 |
| Build | CONFIG-001, 003, 004 |
| Web (`--profile web`) | WEB-001, 002, DART-010 |

Pure Dart CLIs (no flutter in pubspec.yaml) skip DEPS-002 / DEPS-003 advisories.
## API

```dart
import 'package:flutter_sast/flutter_sast.dart';

Future<void> main() async {
  final report = await FlutterSastScanner().scan('/path/to/app'); // scan a project root
  ConsoleReporter().report(report); // print the summary to the console
}
```

See `example/main.dart`.
## Links

- pub.dev package
- Publisher: umaraslam.dev
- Repository (contributing: `dart test` in repo root)
- Issues
- Changelog

MIT — see LICENSE.
## Libraries

- flutter_sast — SAST and vulnerability assessment for Flutter / Dart.