diff --git a/.env b/.env
index d70c3a6..0522313 100644
--- a/.env
+++ b/.env
@@ -1,22 +1,27 @@
-T_GITXRAY=1.0.15
-T_TRUFFLEHOG=3.82.8
-T_GITLEAKS=8.21.0
 T_2MS=3.10.0
-T_DETECT_SECRETS=1.5.0
-T_TRIVY=0.56.2
+T_CHECKOV=3.2.269
 T_CLAIR=4.8.0
-T_SNYK=1.1293.1
-T_GRYPE=0.82.1
-T_FALCO=0.39.1
-T_SEMGREP=1.91.0
-T_LEGITIFY=1.0.11
-T_KICS=2.1.3
-T_CHECKOV=3.2.262
-T_SCOUTSUITE=5.14.0
 T_CLOUDSPLAINING=0.7.0
-T_HADOLINT=2.12.0
+T_CLOUDSPLOIT=3.9.0
 T_DEPCHECK=10.0.4
+T_DEPSCAN=5.2.6
+T_DETECT_SECRETS=1.5.0
+T_DOCKLE=0.4.14
+T_FALCO=0.39.1
+T_GITLEAKS=8.21.0
+T_GITXRAY=1.0.16
+T_GRYPE=0.82.1
+T_HADOLINT=2.12.0
+T_KICS=2.1.3
+T_LEGITIFY=1.0.11
+T_NJSSCAN=0.3.7
 T_NODEJSSCAN=3.7
+T_OCTOSCAN=0.1.1
+T_PROWLER=4.4.1
 T_RETIRE=5.2.4
-T_DOCKLE=0.4.14
+T_SCOUTSUITE=5.14.0
+T_SEMGREP=1.91.0
+T_SNYK=1.1293.1
+T_TRIVY=0.56.2
+T_TRUFFLEHOG=3.82.8
diff --git a/Dockerfile b/Dockerfile
index 1a74368..1537292 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -7,26 +7,31 @@ ARG USER_UID=1000
 ARG USER_GID=1000
 
 # Additional ARGs for tool versions
-ARG T_SNYK
-ARG T_RETIRE
-ARG T_GITXRAY
-ARG T_SEMGREP
-ARG T_DETECT_SECRETS
-ARG T_NODEJSSCAN
-ARG T_CLOUDSPLAINING
+ARG T_2MS
 ARG T_CHECKOV
-ARG T_SCOUTSUITE
+ARG T_CLAIR
+ARG T_CLOUDSPLAINING
+ARG T_CLOUDSPLOIT
+ARG T_DEPCHECK
+ARG T_DEPSCAN
+ARG T_DETECT_SECRETS
+ARG T_DOCKLE
 ARG T_GITLEAKS
-ARG T_LEGITIFY
+ARG T_GITXRAY
+ARG T_GRYPE
+ARG T_HADOLINT
 ARG T_KICS
+ARG T_LEGITIFY
+ARG T_NJSSCAN
+ARG T_NODEJSSCAN
+ARG T_OCTOSCAN
+ARG T_PROWLER
+ARG T_RETIRE
+ARG T_SCOUTSUITE
+ARG T_SEMGREP
+ARG T_SNYK
 ARG T_TRIVY
 ARG T_TRUFFLEHOG
-ARG T_HADOLINT
-ARG T_GRYPE
-ARG T_DEPCHECK
-ARG T_2MS
-ARG T_CLAIR
-ARG T_DOCKLE
 
 # Install required packages
 RUN apt-get update && apt-get install -y \
@@ -127,15 +132,24 @@ RUN pnpm install -g eslint-plugin-security \
 snyk@${T_SNYK} \
 retire@${T_RETIRE}
 
+# Manually install Cloudsploit
+RUN git clone --branch v${T_CLOUDSPLOIT} https://github.com/aquasecurity/cloudsploit.git \
+ && cd cloudsploit \
+ && npm init --yes \
+ && npm install ${PACKAGENAME} \
+ && npm link /src/cloudsploit
+
 # Pipx-related tools
-RUN pipx install gitxray==$T_GITXRAY \
- && pipx install semgrep==$T_SEMGREP \
- && pipx install detect-secrets==$T_DETECT_SECRETS \
- && pipx install nodejsscan==$T_NODEJSSCAN \
- && pipx install cloudsplaining==$T_CLOUDSPLAINING \
- && pipx install checkov==$T_CHECKOV \
- && pipx install scoutsuite==$T_SCOUTSUITE \
+RUN pipx install gitxray==${T_GITXRAY} \
+ && pipx install semgrep==${T_SEMGREP} \
+ && pipx install detect-secrets==${T_DETECT_SECRETS} \
+ && pipx install nodejsscan==${T_NODEJSSCAN} \
+ && pipx install cloudsplaining==${T_CLOUDSPLAINING} \
+ && pipx install checkov==${T_CHECKOV} \
+ && pipx install scoutsuite==${T_SCOUTSUITE} \
 && pipx install git+https://github.com/shortdoom/gh-fake-analyzer.git \
+ && pipx install prowler==${T_PROWLER} \
+ && pipx install njsscan==${T_NJSSCAN} \
 && pipx ensurepath
 
 # Install git-secrets
@@ -144,6 +158,24 @@ RUN git clone https://github.com/awslabs/git-secrets.git git-secrets \
 && sudo make install \
 && rm -rf secrets
 
+RUN git clone https://github.com/mattaereal/gh-workflow-auditor \
+ && cd gh-workflow-auditor \
+ && python3 -m venv gwa \
+ && source gwa/bin/activate \
+ && pip install -r requirements.txt \
+ && exit
+
+USER root
+
+RUN echo '#!/bin/zsh\n\
+ source /src/gh-workflow-auditor/gwa/bin/activate\n\
+ python3 /src/gh-workflow-auditor/main.py "$@"\n\
+ deactivate' > /usr/local/bin/gh-workflow-auditor \
+ && chmod +x /usr/local/bin/gh-workflow-auditor \
+ && chown -R wanderer:trg /usr/local/bin/gh-workflow-auditor
+
+USER wanderer
+
 # Install gitleaks
 RUN arch=$(dpkg --print-architecture) \
 && if [ "$arch" = "amd64" ]; then arch="x64"; fi \
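Review bot: `npm install ${PACKAGENAME}` in the Cloudsploit step references a variable that no ARG or ENV in this diff declares, so under Docker's default shell it expands to an empty string and the command degrades to a plain `npm install`; if that is the intent, write `npm install` so the build does not silently depend on an undefined name, otherwise declare the variable. `--branch v${T_CLOUDSPLOIT}` checks out a git tag, and tags are mutable; every other tool in this commit is fetched as a versioned release artefact or a pinned package, so if reproducibility matters consider following the clone with a checkout of a fixed commit (`git checkout <PINNED_COMMIT>`). `npm link /src/cloudsploit` presumes the clone landed under /src, which is only true if the WORKDIR set outside this hunk is /src — a relative `npm link .` after the `cd` would not carry that assumption.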
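Review bot: The gh-workflow-auditor clone has no `--branch`, no pinned commit and no `T_` entry in .env, unlike every other tool added here, so each build installs whatever the upstream default branch currently holds and the image cannot be reproduced or audited against a known version; give it a version ARG (e.g. a new `T_GH_WORKFLOW_AUDITOR`, name is a suggestion) and clone with `--branch` or check out a fixed commit. The two RUN steps also disagree on which shell they assume: `source gwa/bin/activate` does not exist in `/bin/sh` (dash) but `echo '...\n...'` only produces newlines under dash, while bash's `echo` writes a literal `\n`, so unless a SHELL instruction outside this hunk selects zsh one of the two steps breaks. Invoking the venv's pip directly (`gwa/bin/pip install -r requirements.txt`, which also makes the trailing `&& exit` unnecessary) and writing the wrapper with `printf '%s\n'` behaves identically in sh, bash and zsh; the rewritten lines are below.
```dockerfile
RUN git clone --branch ${T_GH_WORKFLOW_AUDITOR} https://github.com/mattaereal/gh-workflow-auditor \
    && cd gh-workflow-auditor \
    && python3 -m venv gwa \
    && gwa/bin/pip install -r requirements.txt

# … unchanged: USER root …

RUN printf '%s\n' \
    '#!/bin/zsh' \
    'source /src/gh-workflow-auditor/gwa/bin/activate' \
    'python3 /src/gh-workflow-auditor/main.py "$@"' \
    'deactivate' > /usr/local/bin/gh-workflow-auditor \
    && chmod +x /usr/local/bin/gh-workflow-auditor \
    && chown -R wanderer:trg /usr/local/bin/gh-workflow-auditor
```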
@@ -223,6 +255,16 @@ RUN wget https://github.com/quay/clair/releases/download/v${T_CLAIR}/clairctl-li
 && chmod +x clairctl \
 && sudo mv clairctl /usr/local/bin/clairctl
 
+# Install depscan
+RUN curl -LO https://github.com/owasp-dep-scan/depscan-bin/releases/download/v${T_DEPSCAN}/depscan-linux-amd64 \
+ && chmod +x depscan-linux-amd64 \
+ && sudo mv depscan-linux-amd64 /usr/local/bin/depscan
+
+# Install Octoscan
+RUN curl -LO https://github.com/synacktiv/octoscan/releases/download/v${T_OCTOSCAN}/octoscan \
+ && chmod +x octoscan \
+ && sudo mv octoscan /usr/local/bin
+
 # Clean up
 RUN sudo apt-get clean \
 && sudo rm -rf /var/lib/apt/lists/*
diff --git a/Makefile b/Makefile
index d978554..f9d6312 100644
--- a/Makefile
+++ b/Makefile
@@ -20,16 +20,20 @@ help:
 @echo ""
 @echo "Targets:"
 @echo " build Build the Docker image with the software versions described in the .env file"
+ @echo " rebuild Forces build, even if a previous image exists. Won't delete previous images"
 @echo " release Build the Docker image with the software versions described in the .env file, but from a specific release of this repo"
 @echo " latest Build the Docker image with the latest version for each tool"
 @echo " exec Run an interactive shell inside the container"
+ @echo " clean Remove Docke image $(IMAGE_NAME) and wipe cache (CAREFUL)"
 @echo ""
 @echo "Examples:"
 @echo " make"
 @echo " make build"
+ @echo " make rebuild"
 @echo " make release"
 @echo " make latest"
 @echo " make exec"
+ @echo " make clean"
 @echo ""
 
 # Build the Docker image using current branch
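Review bot: Both new `curl -LO` downloads lack `-f`, so an HTTP error (for instance a release that has no asset for the given `T_DEPSCAN` or `T_OCTOSCAN`) leaves the error body saved under the asset name, which is then `chmod +x`'d and moved into /usr/local/bin as a broken binary instead of failing the build; use `curl -fLO …` in both steps. The depscan asset name hard-codes `linux-amd64`, whereas the gitleaks step earlier in this Dockerfile derives the asset from `dpkg --print-architecture`, so this image silently stops building correctly on other architectures — derive the suffix the same way or document the amd64-only constraint next to the RUN. Neither binary is integrity-checked after download; if the upstream releases publish a checksum file, fetching it and running `sha256sum -c` before the `mv` is the one cheap step that lets a tampered release asset be caught at build time.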
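Review bot: The new `clean` help line has a typo, `Remove Docke image`, which should read `Remove Docker image $(IMAGE_NAME) and wipe cache (CAREFUL)`. The `rebuild` line promises it "Won't delete previous images"; the recipe (in the next hunk) re-tags `$(IMAGE_NAME)`, which presumably leaves the previous image untagged rather than kept under its name, so `Replaces the $(IMAGE_NAME) tag; the old image is left untagged` would set expectations more accurately. The `help` target's recipe begins before this hunk.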
@@ -37,20 +41,31 @@ build:
 @if ! docker images $(IMAGE_NAME) | awk '{ print $$1 }' | grep -q "^$(IMAGE_NAME)$$"; then \
 echo "Docker image $(IMAGE_NAME) not found. Building now..."; \
 $(DOCKER_BUILD_CMD) $(BUILD_ARGS) -t $(IMAGE_NAME) .; \
+ else \
+ echo "Image found, not building. If you want to rebuild, run make rebuild"; \
 fi
 
+rebuild:
+ @echo "Rebuilding $(IMAGE_NAME) without cache, will take a while."
+ @$(DOCKER_BUILD_CMD) $(BUILD_ARGS) --no-cache -t $(IMAGE_NAME) .;
+
+
 # Build the Docker image using the latest release
 release:
- git checkout $(LATEST_RELEASE)
- $(MAKE) build
- git checkout -
+ @git checkout $(LATEST_RELEASE)
+ @$(MAKE) build
+ @git checkout -
 
 # TODO: Check this.
 latest:
- $(DOCKER_BUILD_CMD) $(foreach VAR,$(shell sed 's/=.*//' .env),--build-arg $(VAR)=latest) -t $(IMAGE_NAME):latest .
+ @$(DOCKER_BUILD_CMD) $(foreach VAR,$(shell sed 's/=.*//' .env),--build-arg $(VAR)=latest) -t $(IMAGE_NAME):latest .
 
 exec: build
 @echo "Running interactive shell inside the $(IMAGE_NAME) container..."
 @docker run --hostname trg --rm -it -v $(PWD):/workdir $(IMAGE_NAME):latest /bin/zsh
 
-.PHONY: help build release latest exec
\ No newline at end of file
+clean:
+ @echo "Removing Docker image with the name $(IMAGE_NAME)..."
+ @docker rmi -f $(IMAGE_NAME) && docker builder prune -f
+
+.PHONY: help build rebuild release latest exec clean
\ No newline at end of file
diff --git a/README.md b/README.md
index bbb492f..5f13cd1 100644
--- a/README.md
+++ b/README.md
@@ -2,7 +2,7 @@
 
 Unified repository with OSS security tools, just `make exec` and dive into the container!
 
-There are some tools that have not been integrated to the main container itself, given their nature,
+There are some tools that have not been integrated into the main container itself, given their nature,
 but have been or will be added to the repository with an explanation on how to run them separately.
 
 ## First step
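Review bot: `release` still delegates to `build`, and `build` now takes the new `else` branch and does nothing whenever an image named `$(IMAGE_NAME)` already exists, so after any earlier `make build` a `make release` checks out `$(LATEST_RELEASE)`, prints "Image found, not building", checks back, and never builds the release. Point it at `rebuild`, and since a failing build currently aborts the recipe before `git checkout -` runs and strands the working tree on the release tag, restore the branch on either outcome: `@git checkout $(LATEST_RELEASE) && { $(MAKE) rebuild; rc=$$?; git checkout -; exit $$rc; }`. Separately, `docker builder prune -f` in `clean` discards the host-wide BuildKit cache, not only this image's layers; if that is intended the help text should say so, otherwise drop it and leave `docker rmi -f $(IMAGE_NAME)` on its own.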
@@ -35,42 +35,45 @@ Well, go to **[how to use the tools inside](./HOWTO.md)** to understand how each ### Tools included in this repository -- [x] 2ms: Too many secrets (2MS) helps people protect their secrets on any file or on systems like CMS, chats, and git. () -- [x] better-npm-audit: Provides additional features on top of the existing npm audit options. () -- [x] checkov: Prevent cloud misconfigurations and find vulnerabilities during build-time in infrastructure as code, container images, and open-source packages. () -- [x] clair: Vulnerability Static Analysis for Containers. () -- [x] Cloudsplaining: AWS IAM assessment tool. () -- [ ] cloudsploit: AWS security scanning and monitoring tool for detecting threats and misconfigurations. () -- [x] DependencyCheck: OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies. () -- [x] detect-secrets: yet another one. () -- [x] dockle: Container Image Linter for Security, helping build the Best-Practice Docker Image, easy to start. () -- [x] eslint-plugin-no-secrets: An ESLint plugin to find strings that might be secrets/credentials. () -- [x] eslint-plugin-no-unsanitized: Custom ESLint rule to disallow unsafe innerHTML, outerHTML, insertAdjacentHTML, and alike. () -- [x] eslint-plugin-security: ESLint rules for Node Security. () -- [x] falco: Cloud Native Runtime Security. () -- [x] generic: A set of GitHub actions for checking your projects for vulnerabilities. () -- [x] gh-fake-analyzer: Dump github profile data for analysis. () -- [x] git-secrets: Works along with git, preventing secrets from being pushed to a repo. () -- [x] gitxray: A multifaceted security tool that leverages Public GitHub REST APIs for OSINT, Forensics, Pentesting, and more. () -- [x] gitleaks: Protect and discover secrets. () -- [x] grype: A vulnerability scanner for container images and filesystems. 
() -- [x] harden-runner: Network egress filtering and runtime security for GitHub-hosted and self-hosted runners. () -- [x] hadolint: Dockerfile linter. () -- [x] installed-check: Verifies that installed modules comply with the requirements specified in package.json. () -- [x] kics: Find security vulnerabilities, compliance issues, and infrastructure misconfigurations early in the development cycle of your infrastructure-as-code. () -- [x] kube-bench: Checks whether Kubernetes is deployed according to security best practices as defined in the CIS Kubernetes Benchmark. () -- [x] lavamoat: Tools for sandboxing your dependency graph. () -- [x] legitify: Detect and remediate misconfigurations and security risks across all your GitHub and GitLab assets. () -- [x] node-version-audit: Node Version Audit is a tool to check Node.js version against a regularly updated list of CVE exploits, new releases, and end of life dates. () -- [x] nodejsscan: A static security code scanner for Node.js applications. () -- [x] npm audit: This built-in npm command checks for vulnerabilities in your installed packages. -- [ ] prowler: AWS security best practices assessment, auditing, hardening, and incident response tool. () -- [x] retirejs: Scanner detecting the use of JavaScript libraries with known vulnerabilities. () -- [x] scoutsuite: Multi-Cloud Security Auditing Tool. () -- [x] secure-repo: Orchestrate GitHub Actions Security. () -- [x] semgrep: Lightweight static analysis for many languages. () -- [x] snyk: Snyk CLI scans and monitors your projects for security vulnerabilities. () -- [x] trivy: Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds, and more. () -- [x] trufflehog: Find, verify, and analyze leaked credentials. () [Easy marketplace] (https://github.com/marketplace/actions/trufflehog-oss) -- [x] wait-for-secrets: 2fa for GHA. () -- [x] yarn-audit-fix: The missing yarn audit fix. 
() +- [x] 2ms: Detects and manages secrets in files and systems like CMS, chats, and git. () +- [x] better-npm-audit: Enhances npm audit with additional features. () +- [x] checkov: Scans infrastructure as code for misconfigurations and vulnerabilities. () +- [x] clair: Analyzes container images for vulnerabilities. () +- [x] cloudsplaining: Assesses AWS IAM policies for security risks. () +- [x] cloudsploit: Scans AWS environments for security threats and misconfigurations. () +- [x] DependencyCheck: Identifies vulnerabilities in application dependencies. () +- [x] depscan: Scans for vulnerabilities in dependencies. () +- [x] detect-secrets: Detects secrets in codebases to prevent leaks. () +- [x] dockle: Lints container images for security best practices. () +- [x] eslint-plugin-no-secrets: ESLint plugin to detect potential secrets in code. () +- [x] eslint-plugin-no-unsanitized: Prevents unsafe DOM manipulations in JavaScript. () +- [x] eslint-plugin-security: Provides security rules for ESLint. () +- [x] falco: Monitors runtime security events in cloud-native environments. () +- [x] generic: GitHub actions for vulnerability checks. () +- [x] gh-fake-analyzer: Analyzes GitHub profiles for data insights. () +- [x] git-secrets: Prevents committing secrets to git repositories. () +- [x] gitxray: Uses GitHub APIs for security analysis and OSINT. () +- [x] gitleaks: Scans for secrets in code repositories. () +- [x] grype: Scans container images and filesystems for vulnerabilities. () +- [x] harden-runner: Secures GitHub Actions runners with network filtering. () +- [x] hadolint: Lints Dockerfiles for best practices. () +- [x] installed-check: Ensures installed modules match package.json requirements. () +- [x] kics: Detects security issues in infrastructure-as-code. () +- [ ] kube-bench: Checks Kubernetes deployments against CIS benchmarks. () +- [x] lavamoat: Sandboxes dependency graphs for security. 
() +- [x] legitify: Manages security risks in GitHub and GitLab assets. () +- [x] njsscan: Scans JavaScript applications for security vulnerabilities. () +- [x] node-version-audit: Audits Node.js versions for known vulnerabilities. () +- [x] nodejsscan: Scans Node.js applications for security issues. () +- [x] npm audit: Checks installed packages for vulnerabilities. +- [x] octoscan: Scans GitHub repositories for sensitive information. () +- [x] prowler: Audits AWS environments for security best practices. () +- [x] retirejs: Scans JavaScript libraries for known vulnerabilities. () +- [x] scoutsuite: Audits multi-cloud environments for security issues. () +- [x] secure-repo: Secures GitHub Actions workflows. () +- [x] semgrep: Performs lightweight static analysis across languages. () +- [x] snyk: Scans projects for security vulnerabilities. () +- [x] trivy: Scans for vulnerabilities and misconfigurations in various environments. () +- [x] trufflehog: Finds and analyzes leaked credentials. () [Easy marketplace] (https://github.com/marketplace/actions/trufflehog-oss) +- [x] wait-for-secrets: Provides 2FA for GitHub Actions. () +- [x] yarn-audit-fix: Adds missing fix functionality to yarn audit. () \ No newline at end of file