• This repository has been archived on 04/Sep/2020
  • Stars
    star
    143
  • Rank 257,007 (Top 6 %)
  • Language
    Python
  • License
    MIT License
  • Created almost 5 years ago
  • Updated about 4 years ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Fully open-source SAST scanner supporting a range of languages and frameworks. Integrates with major CI pipelines and IDE such as Azure DevOps, Google CloudBuild, VS Code and Visual Studio. No server required!

Introduction

  ___            _____ _                    _
 / _ \          |_   _| |                  | |
/ /_\ \_ __  _ __ | | | |__  _ __ ___  __ _| |_
|  _  | '_ \| '_ \| | | '_ \| '__/ _ \/ _` | __|
| | | | |_) | |_) | | | | | | | |  __/ (_| | |_
\_| |_/ .__/| .__/\_/ |_| |_|_|  \___|\__,_|\__|
      | |   | |
      |_|   |_|

This repo builds appthreat/sast-scan (and quay.io/appthreat/sast-scan), a container image with a number of bundled open-source static analysis security testing (SAST) tools. This is like a Swiss Army knife for DevSecOps engineers.

Docker Repository on Quay

Features

  • No messy configuration and no server required
  • Scanning is performed directly in the CI and is extremely quick. Full scan often takes only couple of minutes
  • Gorgeous HTML reports that you can proudly share with your colleagues, and the security team
  • Automatic exit code 1 (build breaker) with critical and high vulnerabilities
  • There are a number of small things that will bring a smile to any DevOps team

Bundled tools

Programming Language Tools
ansible ansible-lint
apex pmd
aws cfn-lint, cfn_nag
bash shellcheck
bom cdxgen
credscan gitleaks
depscan dep-scan
go gosec, staticcheck
java cdxgen, gradle, find-sec-bugs, pmd
jsp pmd
json jq, jsondiff, jsonschema
kotlin detekt
kubernetes kube-score
nodejs cdxgen, NodeJsScan, eslint, yarn
puppet puppet-lint
plsql pmd
python bandit, cdxgen, pipenv
ruby cyclonedx-ruby
rust cdxgen, cargo-audit
terraform tfsec
Visual Force (vf) pmd
Apache Velocity (vm) pmd
yaml yamllint

Bundled languages/runtime

  • jq
  • Go 1.12
  • Python 3.6
  • OpenJDK 11 (jre)
  • Ruby 2.5.5
  • Rust
  • Node.js 10
  • Yarnpkg

Some reports get converted into an open-standard called SARIF. Please see the section on Viewing reports for various viewer options for this.

Tools enabled for SARIF conversion

  • Bash - shellcheck
  • Credscan - gitleaks
  • Python - bandit
  • Node.js - NodeJsScan
  • pmd, find-sec-bugs
  • Go - gosec, staticcheck
  • Terraform - tfsec

Usage

sast-scan is ideal for use with CI and also as a pre-commit hook for local development.

Integration with Azure DevOps

Refer to the document

Integration with GitHub action

This tool can be used with GitHub actions using this action. All the supported languages can be used.

This repo self-tests itself with sast-scan! Check the GitHub workflow file of this repo.

- name: Self sast-scan
  uses: AppThreat/[email protected]
  with:
    output: reports
    type: python,bash
- name: Upload scan reports
  uses: actions/[email protected]
  with:
    name: sast-scan-reports
    path: reports

Integration with Google CloudBuild

Use this custom builder to add sast-scan as a build step.

The full steps are reproduced below.

  1. Add the custom builder to your project
git clone https://github.com/CloudBuildr/google-custom-builders.git
cd google-custom-builders/sast-scan
gcloud builds submit --config cloudbuild.yaml .
  1. Use it in cloudbuild.yaml
steps:
  - name: "gcr.io/$PROJECT_ID/sast-scan"
    args: ["--type", "python"]

Integration with CircleCI

Refer to the document

Integration with GitLab CI

A sample project with config can be found here

sast:
  stage: test
  image: 
    name: appthreat/sast-scan
  script:
    - scan --src ${CI_PROJECT_DIR} --type nodejs --out_dir ${CI_PROJECT_DIR}/reports
  artifacts:
    paths:
      - $CI_PROJECT_DIR/reports/

Custom integration

SARIF reports produced by sast-scan can be integrated with other compatible tools. It can also be easily imported into databases such as BigQuery for visualization purposes. Refer to integration document for detailed explanation on the SARIF format.

Scanning projects locally

Scan python project

docker run --rm -e "WORKSPACE=${PWD}" -v "$PWD:/app:cached" quay.io/appthreat/sast-scan scan --src /app --type python

On Windows the command changes slightly depending on the terminal.

cmd

docker run --rm -e "WORKSPACE=%cd%" -e "GITHUB_TOKEN=%GITHUB_TOKEN%" -v "%cd%:/app:cached" quay.io/appthreat/sast-scan scan

powershell and powershell core

docker run --rm -e "WORKSPACE=$(pwd)" -e "GITHUB_TOKEN=$env:GITHUB_TOKEN" -v "$(pwd):/app:cached" quay.io/appthreat/sast-scan scan

WSL bash

docker run --rm -e "WORKSPACE=${PWD}" -e "GITHUB_TOKEN=${GITHUB_TOKEN}" -v "$PWD:/app:cached" quay.io/appthreat/sast-scan scan 

git-bash

docker run --rm -e "WORKSPACE=${PWD}" -e "GITHUB_TOKEN=${GITHUB_TOKEN}" -v "/$PWD:/app:cached" quay.io/appthreat/sast-scan scan 

Don't forget the slash (/) before $PWD for git-bash!

Scan multiple projects

docker run --rm -e "WORKSPACE=${PWD}" -v "$PWD:/app:cached" quay.io/appthreat/sast-scan scan --src /app --type credscan,nodejs,python,yaml --out_dir /app/reports

Scan java project

For java and jvm language based projects, it is important to compile the projects before invoking sast-scan in the dev and CI workflow.

docker run --rm -e "WORKSPACE=${PWD}" -v ~/.m2:/.m2 -v <source path>:/app quay.io/appthreat/sast-scan scan --src /app --type java

# For gradle project
docker run --rm -e "WORKSPACE=${PWD}" -v ~/.gradle:/.gradle -v <source path>:/app quay.io/appthreat/sast-scan scan --src /app --type java

Scan python project (Without any telemetry)

docker run --rm -e "WORKSPACE=${PWD}" -e "DISABLE_TELEMETRY=true" -v $PWD:/app quay.io/appthreat/sast-scan scan --src /app --type python

Automatic project detection

Feel free to skip --type to enable auto-detection. Or pass comma-separated values if the project has multiple types.

Invoking built-in tools

Bandit

docker run --rm -v <source path>:/app quay.io/appthreat/sast-scan bandit -r /app

Viewing reports

Reports would be produced in the directory specified for --out_dir. In the above examples, it is set to reports which will be a directory under the source code root directory.

Some of the reports would be converted to a standard called SARIF. Such reports would end with the extension .sarif. To open and view the sarif files require a viewer such as:

Example reports:

Online viewer can be used to manually upload the .sarif files as shown.

Online viewer

Azure DevOps SARIF plugin can be integrated to show the analysis integrated with the build run as shown.

Azure DevOps integration

Build breaker

Alternatives

GitLab SAST uses numerous single purpose analyzers and Go based converters to produce a custom json format. This model has the downside of increasing build times since multiple container images should get downloaded and hence is not suitable for CI environments such as Azure Pipelines, CodeBuild and Google CloudBuild. Plus the license used by GitLab is not opensource even though the analyzers merely wrap existing oss tools!

MIR SWAMP is a free online service for running both oss and commercial static analysis for a number of languages simillar to sast-scan. There is a free SWAMP-in-a-box offering but the setup is a bit cumbersome. They use a xml format called SCARF with a number of perl based converters. SARIF, in contrast, is json based and is much easier to work with for integration and UI purposes. By adopting python, sast-scan is a bit easy to work with for customisation.

Sponsors

AppThreat is funded and supported by ShiftLeft. For general discussions and suggestions, please feel free to use either the GitHub issues or ShiftLeft discussion forum

More Repositories

1

dep-scan

Fully open-source security audit for project dependencies based on known vulnerabilities and advisories. Supports both local repos and container images. Integrates with various CI environments such as Azure Pipelines, CircleCI and Google CloudBuild. No server required!
Python
391
star
2

vulnerability-db

Vulnerability database and package search for sources such as Linux, OSV, NVD, GitHub and npm.
Python
57
star
3

atom

Atom is a novel intermediate representation for applications and a standalone tool that is powered by chen.
Rust
48
star
4

joern-lib

Python library for code analysis with CPG and Joern
Jupyter Notebook
13
star
5

blint

BLint is a Binary Linter to check the security properties, and capabilities in your executables. It is powered by lief.
Python
10
star
6

sast-scan-action

GitHub action for performing SAST scanning using various oss tools such as gitleaks, bandit, findsecbugs etc
8
star
7

cpggen

Generate CPG for multiple languages for code and threat analysis
C#
8
star
8

dep-scan-action

Fully open-source security audit for project dependencies based on known vulnerabilities and advisories. No server required!
7
star
9

vuln-list

Subset of https://github.com/aquasecurity/vuln-list suitable for dep-scan
7
star
10

threat-db

A graph database for components, vulnerabilities and threats powered by dgraph
Python
5
star
11

hub_scan

Scan reports for popular docker hub and gcr images
Shell
4
star
12

atom-tools

Collection of tools for use with AppThreat/atom.
Python
3
star
13

atom-samples

Collection of atom, data-flow, and usage slices for appthreat/atom.
2
star
14

docs

Docs that are published at https://appthreat.io
2
star
15

cdxgen-docs

Documentation repo for CycloneDX Generator (cdxgen)
1
star
16

blint-action

Action to run BLint, the binary linter.
1
star
17

scan-reports

Library for producing gorgeous html reports from AppThreat scan results. Compatible with SARIF and grafeas format.
HTML
1
star
18

cve-annotations

UNUSED: Community powered annotations for CVE to identify source, sink, exploits and other information.
1
star
19

rosa

An experiment that looks very promising so far.
Python
1
star
20

depscan-bin

Binary builds for dep-scan - The Dependency Scanner
1
star