Sharp Edges

What Is This?

Overview

Sharp Edges is a static analysis tool developed by Trail of Bits that identifies error-prone APIs, dangerous function calls, and risky configurations within codebases. It operates by scanning source code for patterns that commonly lead to security vulnerabilities, logic errors, or undefined behavior. Rather than waiting for a bug to surface in production or during a security audit, Sharp Edges surfaces these concerns early in the development lifecycle.

The tool draws on Trail of Bits' extensive experience in security research and software auditing. It encodes known dangerous patterns into detectors that run against your code automatically. This means developers benefit from institutional security knowledge without needing to memorize every pitfall associated with a given language or framework.

Sharp Edges integrates into standard development workflows, including CI/CD pipelines, making it practical for teams that want continuous feedback on code quality and security posture. It is designed to be low-noise and actionable, focusing on patterns that carry real risk rather than generating excessive false positives.

Who Should Use This

• Security engineers who want automated detection of risky API usage during code review
• Backend developers working with low-level languages such as C, C++, or Rust where unsafe patterns are common
• DevSecOps teams integrating security checks into automated build and deployment pipelines
• Open source maintainers who need to audit contributions for dangerous patterns before merging
• Software architects evaluating codebases for systemic misuse of cryptographic or memory management APIs
• QA engineers looking to supplement manual testing with static analysis focused on error-prone constructs

Why Use It?

Problems It Solves

• Developers frequently use APIs that appear safe but carry subtle preconditions that, when violated, cause security vulnerabilities or crashes. Sharp Edges flags these calls before they reach production.
• Dangerous configurations in build systems or runtime settings often go unnoticed until exploitation. The tool surfaces these misconfigurations early.
• Security knowledge is unevenly distributed across engineering teams. Sharp Edges codifies expert-level awareness into automated checks accessible to all team members.
• Manual code review is time-consuming and inconsistent. Automated detection of known bad patterns reduces reviewer burden and increases consistency.
• Catching risky patterns late in the development cycle is expensive. Early detection through static analysis reduces remediation cost significantly.

Core Highlights

• Detects misuse of cryptographic APIs including weak algorithm selection and incorrect parameter usage
• Identifies unsafe memory operations prone to buffer overflows or use-after-free conditions
• Flags integer arithmetic patterns that commonly lead to overflow or truncation errors
• Surfaces dangerous format string usages that can enable injection attacks
• Highlights deprecated or known-vulnerable function calls
• Integrates with CI/CD pipelines for continuous automated scanning
• Provides actionable output with context explaining why each finding is risky
• Backed by Trail of Bits' published security research and real-world audit findings

How to Use It?

Basic Usage

Install Sharp Edges and run it against a target directory or file:

pip install sharp-edges
sharp-edges scan ./src

To output findings in JSON format for integration with other tools:

sharp-edges scan ./src --output json > findings.json

Specific Scenarios

Scenario 1: Scanning a C codebase for unsafe memory functions

sharp-edges scan ./project --language c --ruleset memory-safety

This targets rules specifically related to functions like strcpy, gets, and sprintf that are known sources of buffer overflow vulnerabilities.

Scenario 2: Auditing cryptographic API usage

sharp-edges scan ./crypto_module --ruleset cryptography

This checks for weak algorithms such as MD5 or DES, incorrect IV reuse, and missing authentication in encryption routines.

Real-World Examples

A development team integrating Sharp Edges into a GitHub Actions workflow can add a step that fails the build if any high-severity findings are detected, preventing risky code from merging into the main branch.

A security consultant running Sharp Edges against a client codebase before a formal audit can quickly identify the highest-risk areas to prioritize during manual review, reducing overall audit time.

When to Use It?

Use Cases

• Pre-merge code review automation in security-sensitive projects
• Periodic audits of legacy codebases with unknown risk profiles
• Onboarding new contributors to projects with strict security requirements
• Compliance checks requiring evidence of static analysis in the development process
• Evaluating third-party dependencies before integration
• Post-incident analysis to determine whether similar patterns exist elsewhere in the codebase
• Security training exercises where developers learn to recognize dangerous patterns

Important Notes

Requirements

• Python 3.8 or higher is required for installation via pip
• Target codebases must be accessible locally or cloned before scanning
• Some rulesets require language-specific toolchains to be present on the scanning host