• Stars
    star
    788
  • Rank 57,762 (Top 2 %)
  • Language
    Python
  • License
    Apache License 2.0
  • Created over 4 years ago
  • Updated about 1 year ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Scan is a free & Open Source DevSecOps tool for performing static analysis based security testing of your applications and its dependencies. CI and Git friendly.

Introduction

███████╗ ██████╗ █████╗ ███╗   ██╗
██╔════╝██╔════╝██╔══██╗████╗  ██║
███████╗██║     ███████║██╔██╗ ██║
╚════██║██║     ██╔══██║██║╚██╗██║
███████║╚██████╗██║  ██║██║ ╚████║
╚══════╝ ╚═════╝╚═╝  ╚═╝╚═╝  ╚═══╝

Scan is a free open-source security tool for modern DevOps teams. With an integrated multi-scanner based design, Scan can detect various kinds of security flaws in your application, and infrastructure code in a single fast scan without the need for any remote server. Scan is purpose built for workflow integration with nifty features such as automatic build breaker, results baseline and PR summary comments. Scan products are open-source under Apache-2.0 license.

Build Status

Scan philosophy

  • Your code, dependencies, and configuration are your business. No code would ever leave your builds. All scanners, rules and data including the vulnerability database are downloaded locally to perform the scans
  • Out-of-the-box experience: Users shouldn't have to configure or learn anything to use scan across languages and pipelines

Bundled tools

Programming Language Tools
ansible ansible-lint
apex pmd
arm checkov
aws checkov
bash shellcheck
bom cdxgen
credscan gitleaks
depscan dep-scan
dockerfile checkov
go gosec, staticcheck
groovy find-sec-bugs
java cdxgen, gradle, find-sec-bugs, pmd
jsp pmd, find-sec-bugs
json jq, jsondiff, jsonschema
kotlin detekt, find-sec-bugs
scala find-sec-bugs
kubernetes checkov, kubesec, kube-score
nodejs cdxgen, yarn, rush
php psalm, phpstan (ide only)
plsql pmd
python cfg-scan (1), bandit, cdxgen
ruby brakeman (2), dep-scan
rust cdxgen
serverless checkov
terraform checkov, tfsec
Visual Force (vf) pmd
Apache Velocity (vm) pmd
yaml yamllint
docker/container image dep-scan
  • (1) - Deep analyzer for Python is a built-in feature
  • (2) - Brakeman is not bundled with scan. Use brakeman with an appropriate license and export the report in json format using -o reports/source-ruby-report.json

Bundled languages/runtime

  • jq
  • Golang 1.14
  • Python 3.8
  • OpenJDK 11
  • Node.js 10
  • Yarnpkg

Please visit the official documentation site for scan to learn about the configuration and CI/CD integration options. We also have a dedicated discord channel for issues and support.

Getting started

scan is ideal for use with CI and also as a pre-commit hook for local development. Scan is distributed as a container image shiftleft/scan, and as an AppImage for supported Linux distributions.

Scanning projects locally

Easy one-liner command below:

sh <(curl https://slscan.sh)

The above command simply invokes the below docker run command.

docker run --rm -e "WORKSPACE=${PWD}" -v $PWD:/app shiftleft/scan scan --build

On Windows, the command changes slightly depending on the terminal.

cmd

docker run --rm -e "WORKSPACE=%cd%" -e "GITHUB_TOKEN=%GITHUB_TOKEN%" -v "%cd%:/app:cached" shiftleft/scan scan

PowerShell and PowerShell Core

docker run --rm -e "WORKSPACE=$(pwd)" -e "GITHUB_TOKEN=$env:GITHUB_TOKEN" -v "$(pwd):/app:cached" shiftleft/scan scan

WSL Bash

docker run --rm -e "WORKSPACE=${PWD}" -e "GITHUB_TOKEN=${GITHUB_TOKEN}" -v "$PWD:/app:cached" shiftleft/scan scan

git-bash

docker run --rm -e "WORKSPACE=${PWD}" -e "GITHUB_TOKEN=${GITHUB_TOKEN}" -v "/$PWD:/app:cached" shiftleft/scan scan

Don't forget the slash (/) before $PWD for git-bash!

Scan multiple projects

docker run --rm -e "WORKSPACE=${PWD}" -v $PWD:/app shiftleft/scan scan --src /app --type credscan,nodejs,python,yaml --out_dir /app/reports

Scan Java project

For Java and JVM language-based projects, it is important to compile the projects before invoking sast-scan in the dev and CI workflow.

docker run --rm -e "WORKSPACE=${PWD}" -v ~/.m2:/.m2 -v <source path>:/app shiftleft/scan scan --src /app --type java

# For gradle project
docker run --rm -e "WORKSPACE=${PWD}" -v ~/.gradle:/.gradle -v <source path>:/app shiftleft/scan scan --src /app --type java

Automatic project detection

Feel free to skip --type to enable auto-detection. Or pass comma-separated values if the project has multiple types.

Scanning container images

Scanning container images is now possible with slscan. The recommended approach is to export the container image using docker or podman save command first followed by an invocation of scan with the .tar file.

docker pull shiftleft/scan-slim:latest
docker save -o scanslim.tar shiftleft/scan-slim:latest
# podman save --format oci-archive -o scanslim.tar shiftleft/scan-slim:latest
docker run --rm -e "WORKSPACE=${PWD}" -v $PWD:/app shiftleft/scan scan --src /app/scanslim.tar -o /app/reports --type docker

Alternatively, it is possible to let scan pull the container image before analysis. However, it requires exposing your docker or podman daemon socket and therefore not recommended. You can try it if you are feeling adventurous by passing the below parameters to the docker run command.

-e "DOCKER_HOST=unix:/var/run/docker.sock:" -v "/var/run/docker.sock:/var/run/docker.sock"

Example: To scan the container image shiftleft/scan-slim:

docker run --rm -e "WORKSPACE=$(pwd)" -e "DOCKER_HOST=unix:/var/run/docker.sock:" \
    -v "/var/run/docker.sock:/var/run/docker.sock" \
    -v "$(pwd):/app" shiftleft/scan scan -t docker -i shiftleft/scan-slim

Example: To scan the container image redmine@sha256:a5c5f8a64a0d9a436a0a6941bc3fb156be0c89996add834fe33b66ebeed2439e:

docker run --rm -e "WORKSPACE=$(pwd)" -e "DOCKER_HOST=unix:/var/run/docker.sock:" \
    -v "/var/run/docker.sock:/var/run/docker.sock" \
    -v "$(pwd):/app" shiftleft/scan scan -t docker -i redmine@sha256:a5c5f8a64a0d9a436a0a6941bc3fb156be0c89996add834fe33b66ebeed2439e

Same example with podman

podman run --rm -e "WORKSPACE=$(pwd)" -e "DOCKER_HOST=unix:/run/user/1000/podman/podman.sock:" \
    -v "/run/user/1000:/run/user/1000" \
    -v "$(pwd):/app" shiftleft/scan scan -t docker -i redmine@sha256:a5c5f8a64a0d9a436a0a6941bc3fb156be0c89996add834fe33b66ebeed2439e

Viewing reports

Reports would be produced in the directory specified for --out_dir. In the above examples, it is set to reports which will be a directory under the source code root directory.

Some of the reports would be converted to a standard called SARIF. Such reports would end with the extension .sarif. Opening and viewing sarif files require a viewer such as:

Issues with dockerhub?

Many scan images are mirrored to quay.io through the CI pipeline. Simply prefix quay.io/ to the image name. Below are the mirrors available.

Scan users

Scan is used by many organizations and over 1000s of opensource projects. Some notable organizations that use scan are:

  • Microsoft
  • D2iQ
  • McKinsey & Company
  • NIO
  • Neo Financial
  • Accenture
  • Wipro
  • NCI Agency

Send us a PR for including your organization name here. You can also show your support for scan by using the hashtags #slscan on social media.

More Repositories

1

codepropertygraph

Code Property Graph: specification, query language, and utilities
Scala
454
star
2

overflowdb

ShiftLeft OverflowDB
Java
113
star
3

llvm2cpg

LLVM meets Code Property Graphs
C++
84
star
4

traceleft

eBPF based syscalls, files and network events tracing framework
Go
82
star
5

tarpit-java

Tarpit - A Web application seeded with vulnerabilities, rootkits, backdoors & data leaks
Java
74
star
6

llvm2graphml

Explore LLVM Bitcode interactively using a graph database
C++
57
star
7

scan-action

52
star
8

tinkergraph-gremlin

Java
38
star
9

fuzzyc2cpg

A fuzzy parser for C/C++ that creates semantic code property graphs
35
star
10

scan-docs

28
star
11

sbt-ci-release-early

Sbt plugin for fully automated releases, without SNAPSHOT and git sha's in the version. A remix of the best ideas from sbt-ci-release and sbt-release-early. For local CI and/or sonatype/maven central.
Scala
20
star
12

gaum

Go
18
star
13

SharpSyntaxRewriter

A C# syntax rewriter
C#
18
star
14

flask-webgoat

flask-webgoat is a deliberately-vulnerable application written with the Flask web framework.
Python
18
star
15

js2cpg

Scala
18
star
16

bctrace

A library for creating hook-based java agents, without dealing with bytecode
Java
13
star
17

shiftleft-scan-vscode

ShiftLeft Scan is a free and open-source commercial-grade security tool for modern DevOps teams.
TypeScript
12
star
18

HelloShiftLeft

Java
10
star
19

sql-task-queue

PLpgSQL
10
star
20

shiftleft-python-demo

Python
9
star
21

tarpit-c

TARPIT-C : A set of C code snippets seeded with vulnerable conditions
C
8
star
22

shiftleft-java-demo

Java
7
star
23

shiftleft-js-demo

JavaScript
7
star
24

cpgqls-client-python

Python
7
star
25

shiftleft-go-demo

Go
6
star
26

joern-sample-extension

A sample of a standalone extension for Joern/Ocular
Scala
6
star
27

overflowdb-codegen

Scala
6
star
28

field-integrations

integration tools and docs
Python
5
star
29

atlassian-connect-go

This repo contains a set of tools you can use to create Jira plugins using the Atlassian Connect framework. It is written in Go.
Go
5
star
30

ocular-docs

All things ocular related
4
star
31

tarpit-python

TARPIT-PYTHON - A WEB APPLICATION SEEDED WITH VULNERABILITIES, ROOTKITS, BACKDOORS AND DATA LEAKS
Python
4
star
32

shiftleft-kotlin-demo

Kotlin
3
star
33

shiftleft-terraform-demo

HCL
3
star
34

shiftleft-go-example

Sample go application with ShiftLeft Inspect integration
Go
2
star
35

shiftleft-ts-demo

TypeScript
2
star
36

http4k-webgoat

Kotlin
2
star
37

shiftleft-js-example

Sample JavaScript application with ShiftLeft Inspect integration
JavaScript
2
star
38

soot

Java
2
star
39

scan-reports

HTML
2
star
40

shiftleft-vue-demo

2
star
41

shiftleft-python-example

Sample python application with ShiftLeft Inspect integration
Python
2
star
42

HelloShiftLeft-Mar2021

Java
2
star
43

shiftleft-csharp-demo

C#
2
star
44

shiftleft-java-example

Sample Java application with ShiftLeft Inspect integration
Java
2
star
45

x42

LLVM
1
star
46

tarpit-nodejs

JavaScript
1
star
47

gather-dependencies-gradle-plugin

Kotlin
1
star
48

zipdu

zipdu is a webservice implementation vulnerable to zip bombs and directory traversals. Written in multiple different languages
C++
1
star
49

HelloShiftLeft-Scala

Scala
1
star
50

shiftleft-ts-example

Sample TypeScript application with ShiftLeft Inspect integration
TypeScript
1
star
51

sl-angular

ShiftLeft angular test repo
HTML
1
star
52

shiftleft-php-demo

PHP
1
star
53

shiftleft-ruby-demo

HTML
1
star
54

shiftleft-c-demo

C
1
star
55

sl-react

ShiftLeft react test repo
JavaScript
1
star