Scanner-Cli – A Project Security/Vulnerability/Risk Scanning Tool

0
5
Scanner-Cli - A Project Security/Vulnerability/Risk Scanning Tool

The Hawkeye scanner-cli is a mission safety, vulnerability and common threat highlighting software. It is supposed to be built-in into your pre-commit hooks and your pipelines.

Running and configuring the scanner
The Hawkeye scanner-cli assumes that your listing construction is such that it retains the toolchain’s recordsdata on high degree. Roughly, that is what it boils all the way down to:

  • Node.js tasks have a package deal.json on high degree
  • Ruby tasks can have a Gemfile on high degree
  • Python tasks can have a necessities.txt on high degree
  • PHP tasks can have a composer.lock on high degree
  • Java tasks can have a construct (gradle) or goal (maven) folder, and embody .java and .jar recordsdata

This isn’t exhaustive as generally instruments require additional recordsdata to exist. To perceive how the modules resolve whether or not they can deal with a mission, please verify the How it works part and the modules folder.

Docker (really helpful)
The docker picture is arms-down the simplest strategy to the scanner. Please be aware that your mission root (e.g. $PWD) must be mounted to /goal.

docker run --rm -v $PWD:/goal hawkeyesec/scanner-cli

The docker construct can also be the really helpful strategy to run the scanner in your CI pipelines. This is an instance of working Hawkeye towards one in every of your tasks in GoCD:

<pipeline title="security-scan">
  <stage title="Hawkeye" cleanWorkingDir="true">
    <jobs>
      <job title="scan">
        <duties>
          <exec command="docker">
            <arg>pull</arg>
            <arg>hawkeyesec/scanner-cli</arg>
            <runif standing="passed" />
          </exec>
          <exec command="bash">
            <arg>-c</arg>
            <arg>docker run --rm -v $PWD:/goal hawkeyesec/scanner-cli</arg>
            <runif standing="passed" />
          </exec>
        </duties>
      </job>
    </jobs>
  </stage>
</pipeline>

npm
You can set up and run hawkeye in a Node.js mission through

npm set up --save-dev @hawkeyesec/scanner-cli
npx hawkeye scan

This technique is really helpful in a Node.js mission, the place the opposite toolchains (e.g. python, ruby) should not required.
With this technique, it’s also really helpful to invoke the scanner in a git pre-commit hook (e.g. through the pre-commit package deal) to fail the commit if points are discovered.

Configuration Files (really helpful)
You can configure the scanner through .hawkeyerc and .hawkeyeignore recordsdata in your mission root.
The .hawkeyerc file is a JSON file that permits you to configure …

  • the modules to run,
  • the writers to make use of, and
  • the failure threshold
"critical",
    "showCode": true

The .hawkeyeignore file is a set of common expressions matching paths and module error codes to exclude from the scan, and is equal to utilizing the --exclude flag. Lines beginning with # are thought to be feedback.
Please be aware that any particular charaters reserved in regular expressions (-[]{}()*+?.,^$|#s) must be escaped when used as a literal!
Please additionally be aware that the module error codes are normally not proven, since they don’t seem to be primarily related for the person. If you need to exclude a sure false constructive, you’ll be able to show the module error codes with the flag --show-code or the showCode property within the .hawkeyerc.

^take a look at/

# this can be a remark

^README.md

The CLI
Use hawkeye modules to listing the obtainable modules and their standing.

> npx hawkeye modules
[info] Version: v1.4.0
[info] Module Status
[info] Enabled:   recordsdata-ccnumber
[info]            Scans for suspicious file contents which might be prone to include bank card numbers
[info] Enabled:   recordsdata-contents
[info]            Scans for suspicious file contents which might be prone to include secrets and techniques
[info] Disabled:  recordsdata-entropy
[info]            Scans recordsdata for strings with excessive entropy which might be prone to include passwords
[info] Enabled:   recordsdata-secrets and techniques
[info]            Scans for suspicious filenames which might be prone to include secrets and techniques
[info] Enabled:   java-discover-secbugs
[info]            Finds widespread safety points in Java code with findsecbugs
[info] Enabled:   java-owasp
[info]            Scans Java tasks for gradle/maven dependencies with recognized vulnerabilities with the OWASP dependency checker
[info] Enabled:   node-crossenv
[info]            Scans node tasks for recognized malicious crossenv dependencies
[info] Enabled:   node-npmaudit
[info]            Checks node tasks for dependencies with recognized vulnerabilities
[info] Enabled:   node-npmoutdated
[info]            Checks node tasks for outdated npm modules
[info] Enabled:   node-yarnaudit
[info]            Checks yarn tasks for dependencies with recognized vulnerabilities
[info] Enabled:   node-yarnoutdated
[info]            Checks node tasks for outdated yarn modules
[info] Enabled:   php-safety-checker
[info]            Checks whether or not the composer.lock comprises dependencies with recognized vulnerabilities utilizing safety-checker
[info] Enabled:   python-bandit
[info]            Scans for widespread safety points in Python code with bandit.
[info] Enabled:   python-piprot
[info]            Scans python dependencies for outdated packages
[info] Enabled:   python-security
[info]            Checks python dependencies for recognized safety vulnerabilities with the protection software.
[info] Enabled:   ruby-brakeman
[info]            Statically analyzes Rails code for safety points with Brakeman.
[info] Enabled:   ruby-bundler-scan
[info]            Scan for Ruby gems with recognized vulnerabilities utilizing bundler```

Use `hawkeye scan` to kick off a scan:

npx hawkeye scan –help [info] Version: v1.3.0 Usage: hawkeye-scan [options]

Options: -a, –all Scan all recordsdata, regardless if a git repo is discovered. Defaults to tracked recordsdata in git repositories. -t, –target [/path/to/project] The location to scan. Defaults to $PWD. -f, –fail-on [low|medium|high|critical] Set the extent at which hawkeye returns non-zero standing codes. Defaults to low. -m, –module [module name] Run particular module. Defaults to all relevant modules. -e, –exclude [pattern] Specify a number of exclusion patterns (eg. take a look at/*). Can be specified a number of occasions. -j, –json [/path/to/file.json] Write findings to file. -s, –sumo [https://sumologic-http-connector] Write findings to SumoLogic. -H, –http [https://your-site.com/api/results] Write findings to a given url. –show-code Shows the code the module makes use of for reporting, helpful for ignoring sure false positives -g, –staged Scan solely git-staged recordsdata. -h, –help output utilization data


# Results

#### Exit Codes

The scanner-cli responds with the next exit codes:

* Exit code Zero signifies no findings above or equal to the minimal threshold have been discovered.
* Exit code 1 signifies that points have been discovered above or equal to the minimal threshold.
* Exit code 42 signifies that an surprising error occurred someplace in this system. This is probably going a bug and mustn't occur. Please verify the log output and report a bug.

#### Redirecting the console output

If you want to redirect the console logger output, the really helpful technique is latching onto stdout. In this instance, we're making use of each JSON and stdout outcomes:

```bash
docker run --rm -v $PWD:/goal hawkeyesec/scanner-cli -j hawkeye-outcomes.json -f crucial 2>&1 | tee hawkeye-outcomes.txt

Console output
By default, the scanner outputs its outcomes to the console in tabular type.

Sumologic
The outcomes might be despatched to a SumoLogic collector of your selection. In this instance, we’ve a collector with a single HTTP supply.

hawkeye scan --sumo https://collectors.us2.sumologic.com/receiver/v1/http/your-http-collector-url

In SumoLogic, seek for _collector="hawkeye" | json auto:

Any HTTP endpoint
Similar to the SumoLogic instance, the scanner can ship the outcomes to any given HTTP endpoint that accepts POST messages.

hawkeye scan --http http://your.logging.foobar/endpoint

The outcomes can be despatched with User-Agent: hawkeye. Similar to the console output, the next JSON can be POSTed for every discovering:

{
  "module": "files-contents",
  "level": "critical",
  "offender": "testfile3.yml",
  "description": "Private key in file",
  "mitigation": "Check line number: 3"
}

How it really works
Hawkeye is designed to be extensible by including modules and writers.

Modules
Modules are principally little bits of code that both implement their very own logic, or wrap a 3rd occasion software and standardise the output. They solely run if the required standards are met. For instance: The npm outdated module would solely run if a package deal.json is detected within the scan goal – because of this, you need not inform Hawkeye what sort of mission you might be scanning.

Generic Modules

  • recordsdata-ccnumber: Scans for suspicious file contents which might be prone to include bank card numbers
  • recordsdata-contents: Scans for suspicious file contents which might be prone to include secrets and techniques
  • recordsdata-entropy: Scans recordsdata for strings with excessive entropy which might be prone to include passwords. Entropy scanning is disabled by default due to the excessive variety of false positives. It is helpful to scan codebases every so often for keys, wherein case please run it please utilizing the -m recordsdata-entropy change.
  • recordsdata-secrets and techniques: Scans for suspicious filenames which might be prone to include secrets and techniques

Java

  • java-discover-secbugs: Finds widespread safety points in Java code with findsecbugs
  • java-owasp: Scans Java tasks for gradle/maven dependencies with recognized vulnerabilities with the OWASP dependency checker

Node.js

  • node-crossenv: Scans node tasks for recognized malicious crossenv dependencies
  • node-npmaudit: Checks node tasks for dependencies with recognized vulnerabilities with npm audit
  • node-npmoutdated: Checks node tasks for outdated npm modules with npm outdated
  • node-yarnaudit: Checks yarn tasks for dependencies with recognized vulnerabilities with yarn audit
  • node-yarnoutdated: Checks node tasks for outdated yarn modules with yarn outdated

PHP

  • php-safety-checker: Checks whether or not the composer.lock comprises dependencies with recognized vulnerabilities utilizing safety-checker

Python

  • python-bandit: Scans for widespread safety points in Python code with bandit.
  • python-piprot: Scans python dependencies for outdated packages with piprot
  • python-security: Checks python dependencies for recognized safety vulnerabilities with the protection software.

Ruby

  • ruby-brakeman: Statically analyzes Rails code for safety points with Brakeman.
  • ruby-bundler-scan: Scan for Ruby gems with recognized vulnerabilities utilizing bundler

Adding a module
If you will have an thought for a module, please be happy open a characteristic request within the points part. If you will have a little bit of time left, please contemplate sending us a pull request. To see modules work, please head over to the modules folder to search out how issues are working.

MoreTip.com

LEAVE A REPLY

Please enter your comment!
Please enter your name here

This site uses Akismet to reduce spam. Learn how your comment data is processed.