Skip to content

Commit

Permalink
Merge pull request #39 from theredguild/misc-dockerfile-readme-1
Browse files Browse the repository at this point in the history
Cleaning dockerfile, improving docs a bit
  • Loading branch information
mattaereal authored Oct 15, 2024
2 parents b284e93 + f648f51 commit 33cd38f
Show file tree
Hide file tree
Showing 3 changed files with 40 additions and 44 deletions.
24 changes: 1 addition & 23 deletions Dockerfile
Original file line number Diff line number Diff line change
Expand Up @@ -89,10 +89,6 @@ RUN . $ASDF_DIR/asdf.sh \
ENV GOBIN=/usr/local/bin
ENV PATH="${GOBIN}:${PATH}"

# Install gitxray
RUN . $HOME/.asdf/asdf.sh \
go install github.com/kulkansecurity/gitxray@latest

# # Install pnpm using npm installed via asdf Node.js
RUN npm install -g pnpm
ENV PNPM_HOME="/home/${USERNAME}/.local/share/pnpm"
Expand Down Expand Up @@ -153,13 +149,7 @@ RUN git clone https://github.com/gitleaks/gitleaks.git gitleaks \
&& sudo ln -s /src/gitleaks/gitleaks /usr/local/bin

# Install gh-fake-analyzer
# from mattareal until upstream gets patched
RUN git clone https://github.com/mattaereal/gh-fake-analyzer.git \
&& cd gh-fake-analyzer \
&& python3 -m venv gfa \
&& source gfa/bin/activate \
&& pip install -r requirements.txt \
&& exit
RUN pipx install git+https://github.com/shortdoom/gh-fake-analyzer.git

# Install legitify
RUN git clone https://github.com/Legit-Labs/legitify \
Expand All @@ -175,18 +165,6 @@ RUN git clone https://github.com/Checkmarx/kics.git \
&& sudo ln -s /src/kics/bin/kics /usr/local/bin/kics \
&& echo 'export KICS_QUERIES_PATH=/src/kics/assets/queries' >> ~/.zshrc

# Create a script to run the gh-fake-analyzer
USER root

RUN echo '#!/bin/zsh\n\
source /src/gh-fake-analyzer/gfa/bin/activate\n\
python3 /src/gh-fake-analyzer/analyze.py "$@"\n\
deactivate' > /usr/local/bin/gh-fake-analyzer \
&& chmod +x /usr/local/bin/gh-fake-analyzer \
&& chown -R wanderer:trg /usr/local/bin/gh-fake-analyzer

USER wanderer

# Install Trivy
RUN wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | gpg --dearmor | sudo tee /usr/share/keyrings/trivy.gpg > /dev/null \
&& echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb generic main" | sudo tee -a /etc/apt/sources.list.d/trivy.list \
Expand Down
44 changes: 32 additions & 12 deletions HOWTO.md
Original file line number Diff line number Diff line change
@@ -1,5 +1,29 @@
# How to use the tools inside

We leave you with a rough representative of what do these tools cover, so you get a better grasp on what to use them for.

**Secrets**
2ms, gitleaks, git-secrets, trufflehog

**GitHub / GitLab**
gitxray, gh-fake-analyzer, legitify

**Multi-purpose**
semgrep, trivy, kics

**IaC / SCA / Code**
checkov, scoutsuite, dependency-check

**Cloud**
falco, snyk, cloudsplaining

**Containers / Images**
clair, snyk, grype, hadolint

**NodeJS**
nodejsscan, retirejs, installed-check, better-npm-audit, eslint-plugin-security, eslint-plugin-no-unsanitized, eslint-plugin-no-secrets, node-version-audit, yarn-audit-fix


- [How to use the tools inside](#how-to-use-the-tools-inside)
- [GitXray | Harvest public information from GitHub APIs](#gitxray--harvest-public-information-from-github-apis)
- [GH Fake Analyzer | Script to analyze profile GitHub data](#gh-fake-analyzer--script-to-analyze-profile-github-data)
Expand Down Expand Up @@ -96,18 +120,14 @@ designed for the OSINT/security community, enabling the inspection of potential
blackhat, or fake employee accounts for dark patterns (see, Malicious GitHub Accounts)

```bash
# Analyzing users
python analyze.py <username> # analyze a single user
python analyze.py <username> --out_path /path/to/dir # save to different than /out dir

# Optionally, rename `targets.example` to `targets`
python analyze.py # read from "targets" and analyze all
python analyze.py --targets <path> # custom_file.txt to read from as "targets"
python analyze.py <us

# Monitor users
python monitor.py --username <username> # Monitor single user
python monitor.py --targets <file> # Monitor multiple usernames
gh-analyze <username> # analyze a single user
gh-analyze <username> --out_path /path/to/dir # save to different than /out dir
gh-analyze --targets <path> # custom_file.txt to read from as "targets"
gh-analyze <username> --commit_search # search github for commit messages (slow, experimental)
gh-analyze <username> --token <token> # provide GH_TOKEN to use for this run

gh-monitor --username <username> # Monitor single user
gh-monitor --targets <file> # Monitor multiple usernames
```

## git-secrets | Avoid commiting secrets
Expand Down
16 changes: 7 additions & 9 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@ Unified repository with OSS security tools, just `make exec` and dive into the c
There are some tools that have not been integrated to the main container itself, given their nature,
but have been or will be added to the repository with an explanation on how to run them separately.

## Firing up the container
## Firing up the container (OUTDATED)

```bash
% make
Expand All @@ -24,12 +24,10 @@ Examples:
make clean
```

## Go to [how to use the tools inside](./HOWTO.md) to understand how each one of them actually work.
## Go to [how to use the tools inside](./HOWTO.md) to understand how each one of them actually work

## Tools included in this container

Except for Hadolint all tools are being installed from their latest releases.

- [x] GitHub analysis (fake profiles, OSINT):
- [x] gitxray: A multifaceted security tool that leverages Public GitHub REST APIs for OSINT,
Forensics, Pentesting and more. (<https://github.com/kulkansecurity/gitxray>)
Expand All @@ -50,26 +48,26 @@ Except for Hadolint all tools are being installed from their latest releases.
systems like CMS, chats and git. (<https://github.com/Checkmarx/2ms>)
- [x] detect-secrets: yet another one. (<https://github.com/Yelp/detect-secrets>)

- [ ] Vulnerability scanners:
- [x] Vulnerability scanners:
- [x] trivy: Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes,
code repositories, clouds and more. (<https://github.com/aquasecurity/trivy>)
- [] clair: Vulnerability Static Analysis for Containers. (<https://github.com/quay/clair>)
- [x] clair: Vulnerability Static Analysis for Containers. (<https://github.com/quay/clair>)
- [x] snyk: Snyk CLI scans and monitors your projects for security vulnerabilities.
(<https://github.com/snyk/cli>)
- [x] grype: A vulnerability scanner for container images and filesystems.
(<https://github.com/anchore/grype/>)
- [x] falco: Cloud Native Runtime Security. (<https://github.com/falcosecurity/falco>)

- [ ] Static analysis:
- [x] Static analysis:
- [x] semgrep: Lightweight static analysis for many languages.
(<https://github.com/semgrep/semgrep>)
- [x] docker-compose (<https://semgrep.dev/p/docker-compose>)
- [x] dockerfile (<https://semgrep.dev/p/dockerfile>)
- [x] kubernetes (<https://semgrep.dev/p/kubernetes>)
- [x] flawfinder (<https://semgrep.dev/p/flawfinder>)
- [ ] sast-scan: Scan is a free & Open Source DevSecOps tool for performing static analysis
- [x] ~~sast-scan: Scan is a free & Open Source DevSecOps tool for performing static analysis
based security testing of your applications and its dependencies. CI and Git friendly.
(<https://github.com/marksarka/sast-scan>)
(<https://github.com/marksarka/sast-scan>)~~ Momentarily removed.

- [x] Misconfigurations:
- [x] legitify: Detect and remediate misconfigurations and security risks across all your GitHub
Expand Down

0 comments on commit 33cd38f

Please sign in to comment.