Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Several modifications to dockerfile's ARGs, fixed a bug in the makefile, and updated some docs #43

Merged
merged 3 commits into from
Oct 17, 2024
Merged
Show file tree
Hide file tree
Changes from 2 commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 2 additions & 1 deletion .env
Original file line number Diff line number Diff line change
Expand Up @@ -17,4 +17,5 @@ T_CLOUDSPLAINING=0.7.0
T_HADOLINT=2.12.0
T_DEPCHECK=10.0.4
T_NODEJSSCAN=3.7
T_RETIRE=5.2.4
T_RETIRE=5.2.4
T_DOCKLE=0.4.14
50 changes: 26 additions & 24 deletions Dockerfile
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,28 @@ ARG GROUPNAME=trg
ARG USER_UID=1000
ARG USER_GID=1000

# Additional ARGs for tool versions
ARG T_SNYK
ARG T_RETIRE
ARG T_GITXRAY
ARG T_SEMGREP
ARG T_DETECT_SECRETS
ARG T_NODEJSSCAN
ARG T_CLOUDSPLAINING
ARG T_CHECKOV
ARG T_SCOUTSUITE
ARG T_GITLEAKS
ARG T_LEGITIFY
ARG T_KICS
ARG T_TRIVY
ARG T_TRUFFLEHOG
ARG T_HADOLINT
ARG T_GRYPE
ARG T_DEPCHECK
ARG T_2MS
ARG T_CLAIR
ARG T_DOCKLE

# Install required packages
RUN apt-get update && apt-get install -y \
curl \
Expand Down Expand Up @@ -95,8 +117,6 @@ ENV PNPM_HOME="/home/${USERNAME}/.local/share/pnpm"
ENV PATH="${PNPM_HOME}:${PNPM_HOME}/global/node_modules/.bin:${PATH}"

# Pnpm-related tools
ARG T_SNYK=1.1293.1
ARG T_RETIRE=5.2.4
RUN pnpm install -g eslint-plugin-security \
eslint-plugin-no-unsanitized \
eslint-plugin-no-secrets \
Expand All @@ -108,14 +128,6 @@ RUN pnpm install -g eslint-plugin-security \
retire@${T_RETIRE}

# Pipx-related tools
ARG T_GITXRAY=1.0.15
ARG T_SEMGREP=1.91.0
ARG T_DETECT_SECRETS=1.5.0
ARG T_NODEJSSCAN=3.7
ARG T_CLOUDSPLAINING=0.7.0
ARG T_CHECKOV=3.2.262
ARG T_SCOUTSUITE=5.14.0

RUN pipx install gitxray==$T_GITXRAY \
&& pipx install semgrep==$T_SEMGREP \
&& pipx install detect-secrets==$T_DETECT_SECRETS \
Expand All @@ -133,7 +145,6 @@ RUN git clone https://github.com/awslabs/git-secrets.git git-secrets \
&& rm -rf secrets

# Install gitleaks
ARG T_GITLEAKS=8.21.0
RUN arch=$(dpkg --print-architecture) \
&& if [ "$arch" = "amd64" ]; then arch="x64"; fi \
&& wget https://github.com/gitleaks/gitleaks/releases/download/v${T_GITLEAKS}/gitleaks_${T_GITLEAKS}_linux_$arch.tar.gz \
Expand All @@ -143,15 +154,13 @@ RUN arch=$(dpkg --print-architecture) \
&& rm gitleaks.tar.gz

# Install legitify
ARG T_LEGITIFY=1.0.11
RUN wget https://github.com/Legit-Labs/legitify/releases/download/v${T_LEGITIFY}/legitify_${T_LEGITIFY}_linux_$(dpkg --print-architecture).tar.gz \
-O legitify.tar.gz \
&& sudo tar -xzf legitify.tar.gz -C /usr/local/bin legitify \
&& sudo chmod +x /usr/local/bin/legitify \
&& rm legitify.tar.gz

# Install kics
ARG T_KICS=2.1.3
RUN git clone https://github.com/Checkmarx/kics.git -b v${T_KICS} \
&& cd kics \
&& go mod vendor \
Expand All @@ -160,7 +169,6 @@ RUN git clone https://github.com/Checkmarx/kics.git -b v${T_KICS} \
&& echo 'export KICS_QUERIES_PATH=/src/kics/assets/queries' >> ~/.zshrc

# Install Trivy
ARG T_TRIVY=0.56.2
RUN arch=$(dpkg --print-architecture) \
&& if [ "$arch" = "amd64" ]; then arch="64bit"; fi \
&& if [ "$arch" = "arm64" ]; then arch="ARM64"; fi \
Expand All @@ -169,15 +177,13 @@ RUN arch=$(dpkg --print-architecture) \
&& rm trivy_${T_TRIVY}_Linux-$arch.deb

# Install Trufflehog
ARG T_TRUFFLEHOG=3.82.8
RUN wget https://github.com/trufflesecurity/trufflehog/releases/download/v${T_TRUFFLEHOG}/trufflehog_${T_TRUFFLEHOG}_linux_$(dpkg --print-architecture).tar.gz \
-O trufflehog.tar.gz \
&& sudo tar -xzf trufflehog.tar.gz -C /usr/local/bin trufflehog \
&& sudo chmod +x /usr/local/bin/trufflehog \
&& rm trufflehog.tar.gz

# Install hadolint
ARG T_HADOLINT=2.12.0
RUN arch=$(dpkg --print-architecture) \
&& if [ "$arch" = "amd64" ]; then arch="x86_64"; fi \
&& if [ "$arch" = "arm64" ]; then arch="arm64"; fi \
Expand All @@ -186,36 +192,32 @@ RUN arch=$(dpkg --print-architecture) \
&& sudo mv hadolint-Linux-$arch /usr/local/bin/hadolint

# Install grype
ARG T_GRYPE=0.82.1
RUN wget https://github.com/anchore/grype/releases/download/v${T_GRYPE}/grype_${T_GRYPE}_linux_$(dpkg --print-architecture).deb \
&& sudo dpkg -i grype_${T_GRYPE}_linux_$(dpkg --print-architecture).deb \
&& rm grype_${T_GRYPE}_linux_$(dpkg --print-architecture).deb


# Install dependency-check
ARG T_DEPCHECK=10.0.4
RUN wget -q https://github.com/jeremylong/DependencyCheck/releases/download/v${T_DEPCHECK}/dependency-check-${T_DEPCHECK}-release.zip \
-O dependency-check.zip \
&& unzip dependency-check.zip && rm -f dependency-check.zip \
&& chmod +x dependency-check/bin/dependency-check.sh \
&& sudo ln -s /src/dependency-check/bin/dependency-check.sh /usr/local/bin/dependency-check

# Install dockle
RUN VERSION=$(curl --silent "https://api.github.com/repos/goodwithtech/dockle/releases/latest" | \
grep '"tag_name":' | \
sed -E 's/.*"v([^"]+)".*/\1/') \
&& curl -L -o dockle.deb https://github.com/goodwithtech/dockle/releases/download/v${VERSION}/dockle_${VERSION}_Linux-64bit.deb \
# VERSION=$(curl --silent "https://api.github.com/repos/goodwithtech/dockle/releases/latest" | \
# grep '"tag_name":' | \
# sed -E 's/.*"v([^"]+)".*/\1/')
RUN curl -L -o dockle.deb https://github.com/goodwithtech/dockle/releases/download/v${T_DOCKLE}/dockle_${T_DOCKLE}_Linux-64bit.deb \
&& sudo dpkg -i dockle.deb && rm dockle.deb

# Install 2ms
ARG T_2MS=3.10.0
RUN wget https://github.com/checkmarx/2ms/releases/download/v${T_2MS}/linux-amd64.zip \
&& unzip linux-amd64.zip && rm -f linux-amd64.zip \
&& sudo mv 2ms /usr/local/bin/2ms \
&& sudo chmod +x /usr/local/bin/2ms

# Install clair
ARG T_CLAIR=4.8.0
RUN wget https://github.com/quay/clair/releases/download/v${T_CLAIR}/clairctl-linux-$(dpkg --print-architecture) \
-O clairctl \
&& chmod +x clairctl \
Expand Down
2 changes: 1 addition & 1 deletion HOWTO.md
Original file line number Diff line number Diff line change
Expand Up @@ -18,7 +18,7 @@ checkov, scoutsuite, dependency-check
falco, snyk, cloudsplaining

**Containers / Images**
clair, snyk, grype, hadolint
clair, snyk, grype, hadolint, dockle

**NodeJS**
nodejsscan, retirejs, installed-check, better-npm-audit, eslint-plugin-security, eslint-plugin-no-unsanitized, eslint-plugin-no-secrets, node-version-audit, yarn-audit-fix
Expand Down
9 changes: 6 additions & 3 deletions Makefile
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
IMAGE_NAME := devsecops-toolset
IMAGE_NAME := devsecops-toolkit
.DEFAULT_GOAL := help

# Get the latest release tag from git
Expand Down Expand Up @@ -27,7 +27,10 @@ help:

# Build the Docker image using current branch
build:
docker build $(BUILD_ARGS) -t $(IMAGE_NAME):latest .
@if ! docker images $(IMAGE_NAME) | awk '{ print $$1 }' | grep -q "^$(IMAGE_NAME)$$"; then \
echo "Docker image $(IMAGE_NAME) not found. Building now..."; \
docker build $(BUILD_ARGS) -t $(IMAGE_NAME) .; \
fi

# Build the Docker image using the latest release
release:
Expand All @@ -41,6 +44,6 @@ latest:

exec: build
@echo "Running interactive shell inside the $(IMAGE_NAME) container..."
@docker run --rm -it -v $(PWD):/workdir $(IMAGE_NAME):latest /bin/bash
@docker run --rm -it -v $(PWD):/workdir $(IMAGE_NAME):latest /bin/zsh

.PHONY: help build release latest exec
11 changes: 8 additions & 3 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,9 @@ Unified repository with OSS security tools, just `make exec` and dive into the c
There are some tools that have not been integrated to the main container itself, given their nature,
but have been or will be added to the repository with an explanation on how to run them separately.

## Firing up the container
## First step

### Firing up the container

```bash
% make
Expand All @@ -26,9 +28,12 @@ Examples:
make exec
```

## Go to [how to use the tools inside](./HOWTO.md) to understand how each one of them actually work
## Second step

Now you have your container up and running, but what am I supposed to do with it?
Well, go to **[how to use the tools inside](./HOWTO.md)** to understand how each one of them actually work.

## Tools included in this container
### Tools included in this repository

- [x] GitHub analysis (fake profiles, OSINT):
- [x] gitxray: A multifaceted security tool that leverages Public GitHub REST APIs for OSINT,
Expand Down
4 changes: 2 additions & 2 deletions motd
Original file line number Diff line number Diff line change
Expand Up @@ -8,8 +8,8 @@
\ V V / (_| | | | | (_| | __/ | | __/ |
\_/\_/ \__,_|_| |_|\__,_|\___|_| \___|_|

Welcome to the container sec oss tools by The Red Guild
Welcome to the devsecops toolset by The Red Guild

This container was created as a resource for a workshop,
which intends to spread awareness, help people protect themselves
and the repos they interact with.
and the repos they interact with. Say hi! @theredguild, don't be a stranger.
Loading