The Ruso Book

Ruso is a vulnerability scanner driven by a library of small, shareable checks. Point it at a target and scan against community checks straight from the registry — no setup, no plugins to compile:

ruso scan --family web --target https://target.example.com

Need something bespoke? Write your own check in the Ruso Scripting Language (RSL) — a few readable lines describing a probe and what a positive result looks like. Either way, scanning for a known issue is usually a one-liner.

Development status: Ruso is under active development. The language, bytecode format, CLI, and APIs may change without notice. Not recommended for production use yet.

How it fits together

Ruso is intentionally not a monorepo. Each piece does one job and has a stable contract with its neighbours:

Component	What it does
RSL (`ruso-script`)	Parses `.rsl` source and compiles it to bytecode
Runtime (`ruso-runtime`)	A small VM that executes the bytecode, runs probes, and emits findings
CLI (`ruso-cli`)	The `ruso` binary — the driver you actually run
Ruso registry	The service you publish, install, and search shared checks against (hosted at `ruso.hopeless-labs.com`)

Shared checks live in the registry — a growing library of ready-made .rsl checks you can install and scan with, no authoring required.

The flow is a short pipeline:

check.rsl ──[ruso-script: parse + compile]──▶ bytecode (.rbc)
                                                  │
                                  [ruso-runtime: VM executes]
                                                  │
                                                  ▼
                                    probes ⇄ target   →   finding

A source check (.rsl) compiles to bytecode (.rbc) — a compact, validated binary that the runtime executes. You can run a check in one step (scan compiles and runs), or split the steps (compile then exec) and ship the .rbc without the source.

Who this book is for

Want to run or write checks? Start with the User Guide and Writing Checks.
Want to share checks? See The Registry.
Want to hack on Ruso itself? Jump to Internals & Contributing.

A taste of RSL

metadata {
    name "Exposed Redis (no auth)"
    severity high
    family "database"
    version "1.0.0"
}

tcp redis {
    host "{{scan_host}}"
    port 6379
    payload "PING\r\n"
}

send redis
match redis.response contains "PONG"

evidence redis regex 'redis_version:[0-9.]+'

Eight lines: declare what you're looking for, send a probe, decide what a hit looks like, and capture proof. The next chapters take you from install to your first real check.