Merge pull request #39 from theredguild/misc-dockerfile-readme-1

Cleaning dockerfile, improving docs a bit

Dockerfile

@@ -89,10 +89,6 @@ RUN . $ASDF_DIR/asdf.sh \
 ENV GOBIN=/usr/local/bin
 ENV PATH="${GOBIN}:${PATH}"
 
-# Install gitxray
-RUN . $HOME/.asdf/asdf.sh \
-    go install github.com/kulkansecurity/gitxray@latest
-
 # # Install pnpm using npm installed via asdf Node.js
 RUN npm install -g pnpm
 ENV PNPM_HOME="/home/${USERNAME}/.local/share/pnpm"
@@ -153,13 +149,7 @@ RUN git clone https://github.com/gitleaks/gitleaks.git gitleaks \
     && sudo ln -s /src/gitleaks/gitleaks /usr/local/bin
 
 # Install gh-fake-analyzer
-# from mattareal until upstream gets patched
-RUN git clone https://github.com/mattaereal/gh-fake-analyzer.git \
-    && cd gh-fake-analyzer \
-    && python3 -m venv gfa \
-    && source gfa/bin/activate \
-    && pip install -r requirements.txt \
-    && exit
+RUN pipx install git+https://github.com/shortdoom/gh-fake-analyzer.git
 
 # Install legitify
 RUN git clone https://github.com/Legit-Labs/legitify \
@@ -175,18 +165,6 @@ RUN git clone https://github.com/Checkmarx/kics.git \
     && sudo ln -s /src/kics/bin/kics /usr/local/bin/kics \
     && echo 'export KICS_QUERIES_PATH=/src/kics/assets/queries' >> ~/.zshrc
 
-# Create a script to run the gh-fake-analyzer
-USER root
-
-RUN echo '#!/bin/zsh\n\
-source /src/gh-fake-analyzer/gfa/bin/activate\n\
-python3 /src/gh-fake-analyzer/analyze.py "$@"\n\
-deactivate' > /usr/local/bin/gh-fake-analyzer \
-    && chmod +x /usr/local/bin/gh-fake-analyzer \
-    && chown -R wanderer:trg /usr/local/bin/gh-fake-analyzer
-
-USER wanderer
-
 # Install Trivy
 RUN wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | gpg --dearmor | sudo tee /usr/share/keyrings/trivy.gpg > /dev/null \
     && echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb generic main" | sudo tee -a /etc/apt/sources.list.d/trivy.list \

HOWTO.md

@@ -1,5 +1,29 @@
 # How to use the tools inside
 
+We leave you with a rough representative of what do these tools cover, so you get a better grasp on what to use them for.
+
+**Secrets**
+2ms, gitleaks, git-secrets, trufflehog
+
+**GitHub / GitLab**
+gitxray, gh-fake-analyzer, legitify
+
+**Multi-purpose**
+semgrep, trivy, kics
+
+**IaC / SCA / Code**
+checkov, scoutsuite, dependency-check
+
+**Cloud**
+falco, snyk, cloudsplaining
+
+**Containers / Images**
+clair, snyk, grype, hadolint
+
+**NodeJS**
+nodejsscan, retirejs, installed-check, better-npm-audit, eslint-plugin-security, eslint-plugin-no-unsanitized, eslint-plugin-no-secrets, node-version-audit, yarn-audit-fix
+
+
 - [How to use the tools inside](#how-to-use-the-tools-inside)
   - [GitXray | Harvest public information from GitHub APIs](#gitxray--harvest-public-information-from-github-apis)
   - [GH Fake Analyzer | Script to analyze profile GitHub data](#gh-fake-analyzer--script-to-analyze-profile-github-data)
@@ -96,18 +120,14 @@ designed for the OSINT/security community, enabling the inspection of potential
 blackhat, or fake employee accounts for dark patterns (see, Malicious GitHub Accounts)
 
 ```bash
-# Analyzing users
-python analyze.py <username> # analyze a single user
-python analyze.py <username> --out_path /path/to/dir # save to different than /out dir
-
-# Optionally, rename `targets.example` to `targets` 
-python analyze.py # read from "targets" and analyze all
-python analyze.py --targets <path> # custom_file.txt to read from as "targets"   
-python analyze.py <us
-
-# Monitor users
-python monitor.py --username <username> # Monitor single user
-python monitor.py --targets <file> # Monitor multiple usernames
+gh-analyze <username> # analyze a single user
+gh-analyze <username> --out_path /path/to/dir # save to different than /out dir
+gh-analyze --targets <path> # custom_file.txt to read from as "targets"
+gh-analyze <username> --commit_search # search github for commit messages (slow, experimental)
+gh-analyze <username> --token <token> # provide GH_TOKEN to use for this run
+
+gh-monitor --username <username> # Monitor single user
+gh-monitor --targets <file> # Monitor multiple usernames
 ```
 
 ## git-secrets | Avoid commiting secrets

README.md

@@ -5,7 +5,7 @@ Unified repository with OSS security tools, just `make exec` and dive into the c
 There are some tools that have not been integrated to the main container itself, given their nature,
 but have been or will be added to the repository with an explanation on how to run them separately.
 
-## Firing up the container
+## Firing up the container (OUTDATED)
 
 ```bash
 % make
@@ -24,12 +24,10 @@ Examples:
   make clean
 ```
 
-## Go to [how to use the tools inside](./HOWTO.md) to understand how each one of them actually work.
+## Go to [how to use the tools inside](./HOWTO.md) to understand how each one of them actually work
 
 ## Tools included in this container
 
-Except for Hadolint all tools are being installed from their latest releases.
-
 - [x] GitHub analysis (fake profiles, OSINT):
   - [x] gitxray: A multifaceted security tool that leverages Public GitHub REST APIs for OSINT,
       Forensics, Pentesting and more. (<https://github.com/kulkansecurity/gitxray>)
@@ -50,26 +48,26 @@ Except for Hadolint all tools are being installed from their latest releases.
           systems like CMS, chats and git. (<https://github.com/Checkmarx/2ms>)
     - [x] detect-secrets: yet another one. (<https://github.com/Yelp/detect-secrets>)
 
-- [ ] Vulnerability scanners:
+- [x] Vulnerability scanners:
   - [x] trivy: Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes,
       code repositories, clouds and more. (<https://github.com/aquasecurity/trivy>)
-  - [] clair: Vulnerability Static Analysis for Containers. (<https://github.com/quay/clair>)
+  - [x] clair: Vulnerability Static Analysis for Containers. (<https://github.com/quay/clair>)
   - [x] snyk: Snyk CLI scans and monitors your projects for security vulnerabilities.
       (<https://github.com/snyk/cli>)
   - [x] grype: A vulnerability scanner for container images and filesystems.
       (<https://github.com/anchore/grype/>)
   - [x] falco: Cloud Native Runtime Security. (<https://github.com/falcosecurity/falco>)
 
-- [ ] Static analysis:
+- [x] Static analysis:
   - [x] semgrep: Lightweight static analysis for many languages.
       (<https://github.com/semgrep/semgrep>)
     - [x] docker-compose (<https://semgrep.dev/p/docker-compose>)
     - [x] dockerfile (<https://semgrep.dev/p/dockerfile>)
     - [x] kubernetes (<https://semgrep.dev/p/kubernetes>)
     - [x] flawfinder (<https://semgrep.dev/p/flawfinder>)
-  - [ ] sast-scan: Scan is a free & Open Source DevSecOps tool for performing static analysis
+  - [x] ~~sast-scan: Scan is a free & Open Source DevSecOps tool for performing static analysis
       based security testing of your applications and its dependencies. CI and Git friendly.
-      (<https://github.com/marksarka/sast-scan>)
+      (<https://github.com/marksarka/sast-scan>)~~ Momentarily removed.
 
 - [x] Misconfigurations:
   - [x] legitify: Detect and remediate misconfigurations and security risks across all your GitHub