Codyze: Automated Code Compliance
Codyze is a software analysis tool developed by Fraunhofer AISEC. The original aim of the project, initiated by the Federal Office for Information Security (BSI), was to develop an analysis tool that supports auditors in evaluating security-critical software, e.g. with regard to the usage of cryptography. Since Codyze can also be used during the development process, it also facilitates the work of software developers. The increasing trend towards guidelines and regulations, e.g. the EU Cyber Security Act, is forcing developers to address more and more security requirements in the implementation phase. Furthermore, there is the pressing need to document compliance with these requirements afterwards.

Codyze supports this process by checking source code against a set of requirements modelled in a domain-specific language called MARK. For the widely used crypto libraries Bouncycastle (Java) and Botan2 (C++), the requirements of the BSI technical guideline TR-02102-1 have already been mapped to MARK rules; further use cases are planned.

Codyze is available as an open source project under the Apache 2.0 license and is continuously developed in cooperation with the software industry.