Skip to content

Commit

Permalink
Merge pull request #43 from theredguild/misc-dockerfile-make-docs
Browse files Browse the repository at this point in the history
Several modifications to dockerfile's ARGs, fixed a bug in the makefile, and updated some docs
  • Loading branch information
mattaereal authored Oct 17, 2024
2 parents 4ea3349 + 3a8f162 commit 809acfa
Show file tree
Hide file tree
Showing 7 changed files with 57 additions and 45 deletions.
3 changes: 2 additions & 1 deletion .env
Original file line number Diff line number Diff line change
Expand Up @@ -17,4 +17,5 @@ T_CLOUDSPLAINING=0.7.0
T_HADOLINT=2.12.0
T_DEPCHECK=10.0.4
T_NODEJSSCAN=3.7
T_RETIRE=5.2.4
T_RETIRE=5.2.4
T_DOCKLE=0.4.14
14 changes: 4 additions & 10 deletions .github/workflows/test-tools.yml
Original file line number Diff line number Diff line change
@@ -1,5 +1,4 @@
name: Test Security Tools container build

on:
push:
branches:
Expand All @@ -17,19 +16,14 @@ on:
jobs:
build-and-test:
runs-on: ubuntu-latest

steps:
- name: Checkout
uses: actions/checkout@v4

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3

- name: Build container
uses: docker/build-push-action@v6
with:
push: false
context: .
cache-from: type=gha
cache-to: type=gha,mode=max
tags: theredguild/container-sec-tools:latest
- name: Build container using Make
run: make build
env:
DOCKER_BUILDKIT: 1
50 changes: 26 additions & 24 deletions Dockerfile
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,28 @@ ARG GROUPNAME=trg
ARG USER_UID=1000
ARG USER_GID=1000

# Additional ARGs for tool versions
ARG T_SNYK
ARG T_RETIRE
ARG T_GITXRAY
ARG T_SEMGREP
ARG T_DETECT_SECRETS
ARG T_NODEJSSCAN
ARG T_CLOUDSPLAINING
ARG T_CHECKOV
ARG T_SCOUTSUITE
ARG T_GITLEAKS
ARG T_LEGITIFY
ARG T_KICS
ARG T_TRIVY
ARG T_TRUFFLEHOG
ARG T_HADOLINT
ARG T_GRYPE
ARG T_DEPCHECK
ARG T_2MS
ARG T_CLAIR
ARG T_DOCKLE

# Install required packages
RUN apt-get update && apt-get install -y \
curl \
Expand Down Expand Up @@ -95,8 +117,6 @@ ENV PNPM_HOME="/home/${USERNAME}/.local/share/pnpm"
ENV PATH="${PNPM_HOME}:${PNPM_HOME}/global/node_modules/.bin:${PATH}"

# Pnpm-related tools
ARG T_SNYK=1.1293.1
ARG T_RETIRE=5.2.4
RUN pnpm install -g eslint-plugin-security \
eslint-plugin-no-unsanitized \
eslint-plugin-no-secrets \
Expand All @@ -108,14 +128,6 @@ RUN pnpm install -g eslint-plugin-security \
retire@${T_RETIRE}

# Pipx-related tools
ARG T_GITXRAY=1.0.15
ARG T_SEMGREP=1.91.0
ARG T_DETECT_SECRETS=1.5.0
ARG T_NODEJSSCAN=3.7
ARG T_CLOUDSPLAINING=0.7.0
ARG T_CHECKOV=3.2.262
ARG T_SCOUTSUITE=5.14.0

RUN pipx install gitxray==$T_GITXRAY \
&& pipx install semgrep==$T_SEMGREP \
&& pipx install detect-secrets==$T_DETECT_SECRETS \
Expand All @@ -133,7 +145,6 @@ RUN git clone https://github.com/awslabs/git-secrets.git git-secrets \
&& rm -rf secrets

# Install gitleaks
ARG T_GITLEAKS=8.21.0
RUN arch=$(dpkg --print-architecture) \
&& if [ "$arch" = "amd64" ]; then arch="x64"; fi \
&& wget https://github.com/gitleaks/gitleaks/releases/download/v${T_GITLEAKS}/gitleaks_${T_GITLEAKS}_linux_$arch.tar.gz \
Expand All @@ -143,15 +154,13 @@ RUN arch=$(dpkg --print-architecture) \
&& rm gitleaks.tar.gz

# Install legitify
ARG T_LEGITIFY=1.0.11
RUN wget https://github.com/Legit-Labs/legitify/releases/download/v${T_LEGITIFY}/legitify_${T_LEGITIFY}_linux_$(dpkg --print-architecture).tar.gz \
-O legitify.tar.gz \
&& sudo tar -xzf legitify.tar.gz -C /usr/local/bin legitify \
&& sudo chmod +x /usr/local/bin/legitify \
&& rm legitify.tar.gz

# Install kics
ARG T_KICS=2.1.3
RUN git clone https://github.com/Checkmarx/kics.git -b v${T_KICS} \
&& cd kics \
&& go mod vendor \
Expand All @@ -160,7 +169,6 @@ RUN git clone https://github.com/Checkmarx/kics.git -b v${T_KICS} \
&& echo 'export KICS_QUERIES_PATH=/src/kics/assets/queries' >> ~/.zshrc

# Install Trivy
ARG T_TRIVY=0.56.2
RUN arch=$(dpkg --print-architecture) \
&& if [ "$arch" = "amd64" ]; then arch="64bit"; fi \
&& if [ "$arch" = "arm64" ]; then arch="ARM64"; fi \
Expand All @@ -169,15 +177,13 @@ RUN arch=$(dpkg --print-architecture) \
&& rm trivy_${T_TRIVY}_Linux-$arch.deb

# Install Trufflehog
ARG T_TRUFFLEHOG=3.82.8
RUN wget https://github.com/trufflesecurity/trufflehog/releases/download/v${T_TRUFFLEHOG}/trufflehog_${T_TRUFFLEHOG}_linux_$(dpkg --print-architecture).tar.gz \
-O trufflehog.tar.gz \
&& sudo tar -xzf trufflehog.tar.gz -C /usr/local/bin trufflehog \
&& sudo chmod +x /usr/local/bin/trufflehog \
&& rm trufflehog.tar.gz

# Install hadolint
ARG T_HADOLINT=2.12.0
RUN arch=$(dpkg --print-architecture) \
&& if [ "$arch" = "amd64" ]; then arch="x86_64"; fi \
&& if [ "$arch" = "arm64" ]; then arch="arm64"; fi \
Expand All @@ -186,36 +192,32 @@ RUN arch=$(dpkg --print-architecture) \
&& sudo mv hadolint-Linux-$arch /usr/local/bin/hadolint

# Install grype
ARG T_GRYPE=0.82.1
RUN wget https://github.com/anchore/grype/releases/download/v${T_GRYPE}/grype_${T_GRYPE}_linux_$(dpkg --print-architecture).deb \
&& sudo dpkg -i grype_${T_GRYPE}_linux_$(dpkg --print-architecture).deb \
&& rm grype_${T_GRYPE}_linux_$(dpkg --print-architecture).deb


# Install dependency-check
ARG T_DEPCHECK=10.0.4
RUN wget -q https://github.com/jeremylong/DependencyCheck/releases/download/v${T_DEPCHECK}/dependency-check-${T_DEPCHECK}-release.zip \
-O dependency-check.zip \
&& unzip dependency-check.zip && rm -f dependency-check.zip \
&& chmod +x dependency-check/bin/dependency-check.sh \
&& sudo ln -s /src/dependency-check/bin/dependency-check.sh /usr/local/bin/dependency-check

# Install dockle
RUN VERSION=$(curl --silent "https://api.github.com/repos/goodwithtech/dockle/releases/latest" | \
grep '"tag_name":' | \
sed -E 's/.*"v([^"]+)".*/\1/') \
&& curl -L -o dockle.deb https://github.com/goodwithtech/dockle/releases/download/v${VERSION}/dockle_${VERSION}_Linux-64bit.deb \
# VERSION=$(curl --silent "https://api.github.com/repos/goodwithtech/dockle/releases/latest" | \
# grep '"tag_name":' | \
# sed -E 's/.*"v([^"]+)".*/\1/')
RUN curl -L -o dockle.deb https://github.com/goodwithtech/dockle/releases/download/v${T_DOCKLE}/dockle_${T_DOCKLE}_Linux-64bit.deb \
&& sudo dpkg -i dockle.deb && rm dockle.deb

# Install 2ms
ARG T_2MS=3.10.0
RUN wget https://github.com/checkmarx/2ms/releases/download/v${T_2MS}/linux-amd64.zip \
&& unzip linux-amd64.zip && rm -f linux-amd64.zip \
&& sudo mv 2ms /usr/local/bin/2ms \
&& sudo chmod +x /usr/local/bin/2ms

# Install clair
ARG T_CLAIR=4.8.0
RUN wget https://github.com/quay/clair/releases/download/v${T_CLAIR}/clairctl-linux-$(dpkg --print-architecture) \
-O clairctl \
&& chmod +x clairctl \
Expand Down
2 changes: 1 addition & 1 deletion HOWTO.md
Original file line number Diff line number Diff line change
Expand Up @@ -18,7 +18,7 @@ checkov, scoutsuite, dependency-check
falco, snyk, cloudsplaining

**Containers / Images**
clair, snyk, grype, hadolint
clair, snyk, grype, hadolint, dockle

**NodeJS**
nodejsscan, retirejs, installed-check, better-npm-audit, eslint-plugin-security, eslint-plugin-no-unsanitized, eslint-plugin-no-secrets, node-version-audit, yarn-audit-fix
Expand Down
18 changes: 14 additions & 4 deletions Makefile
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
IMAGE_NAME := devsecops-toolset
IMAGE_NAME := devsecops-toolkit
.DEFAULT_GOAL := help

# Get the latest release tag from git
Expand All @@ -7,6 +7,13 @@ LATEST_RELEASE := $(shell git describe --tags --abbrev=0)
include .env
BUILD_ARGS := $(foreach VAR,$(shell sed 's/=.*//' .env),--build-arg $(VAR)=$($(VAR)))

# Use buildx only in GitHub Actions
ifdef GITHUB_ACTIONS
DOCKER_BUILD_CMD := docker buildx build --load --cache-from type=gha --cache-to type=gha,mode=max
else
DOCKER_BUILD_CMD := docker build
endif

help:
@echo "Usage:"
@echo " make <target>"
Expand All @@ -27,7 +34,10 @@ help:

# Build the Docker image using current branch
build:
docker build $(BUILD_ARGS) -t $(IMAGE_NAME):latest .
@if ! docker images $(IMAGE_NAME) | awk '{ print $$1 }' | grep -q "^$(IMAGE_NAME)$$"; then \
echo "Docker image $(IMAGE_NAME) not found. Building now..."; \
$(DOCKER_BUILD_CMD) $(BUILD_ARGS) -t $(IMAGE_NAME) .; \
fi

# Build the Docker image using the latest release
release:
Expand All @@ -37,10 +47,10 @@ release:

# TODO: Check this.
latest:
docker build $(foreach VAR,$(shell sed 's/=.*//' .env),--build-arg $(VAR)=latest) -t $(IMAGE_NAME):latest .
$(DOCKER_BUILD_CMD) $(foreach VAR,$(shell sed 's/=.*//' .env),--build-arg $(VAR)=latest) -t $(IMAGE_NAME):latest .

exec: build
@echo "Running interactive shell inside the $(IMAGE_NAME) container..."
@docker run --rm -it -v $(PWD):/workdir $(IMAGE_NAME):latest /bin/bash
@docker run --rm -it -v $(PWD):/workdir $(IMAGE_NAME):latest /bin/zsh

.PHONY: help build release latest exec
11 changes: 8 additions & 3 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,9 @@ Unified repository with OSS security tools, just `make exec` and dive into the c
There are some tools that have not been integrated to the main container itself, given their nature,
but have been or will be added to the repository with an explanation on how to run them separately.

## Firing up the container
## First step

### Firing up the container

```bash
% make
Expand All @@ -26,9 +28,12 @@ Examples:
make exec
```

## Go to [how to use the tools inside](./HOWTO.md) to understand how each one of them actually work
## Second step

Now you have your container up and running, but what am I supposed to do with it?
Well, go to **[how to use the tools inside](./HOWTO.md)** to understand how each one of them actually work.

## Tools included in this container
### Tools included in this repository

- [x] GitHub analysis (fake profiles, OSINT):
- [x] gitxray: A multifaceted security tool that leverages Public GitHub REST APIs for OSINT,
Expand Down
4 changes: 2 additions & 2 deletions motd
Original file line number Diff line number Diff line change
Expand Up @@ -8,8 +8,8 @@
\ V V / (_| | | | | (_| | __/ | | __/ |
\_/\_/ \__,_|_| |_|\__,_|\___|_| \___|_|

Welcome to the container sec oss tools by The Red Guild
Welcome to the devsecops toolset by The Red Guild

This container was created as a resource for a workshop,
which intends to spread awareness, help people protect themselves
and the repos they interact with.
and the repos they interact with. Say hi! @theredguild, don't be a stranger.

0 comments on commit 809acfa

Please sign in to comment.