log4jscanner is a filesystem scanner and Go package that helps organizations quickly identify vulnerable Log4j components inside JARs and shaded dependencies. Instead of probing networks, it walks directories and archives, including nested JARs, to find version fingerprints and risky classes associated with the Log4Shell family of issues. The focus on static analysis makes it suitable for container images, build artifacts, and offline systems where active scanning isn’t feasible. Clear, machine-readable output allows the tool to plug into CI/CD checks and fleet-wide inventory jobs. For responders, it reduces time-to-visibility by surfacing exactly which paths and bundles require patching or remediation. It’s a pragmatic addition to defense-in-depth programs that need verifiable evidence of exposure without deploying agents.
Features
- Recurses archives to detect vulnerable Log4j versions and classes
- Handles nested and shaded JARs common in Java build outputs
- Works offline on filesystems, images, and artifact stores
- CLI and library modes for integration into pipelines
- Machine-readable reports suitable for inventory and triage
- Minimal dependencies and easy distribution across platforms
Project Samples
