diff --git a/Dockerfile b/Dockerfile
index 53a4dff..4406a92 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -89,10 +89,6 @@ RUN . $ASDF_DIR/asdf.sh \
 ENV GOBIN=/usr/local/bin
 ENV PATH="${GOBIN}:${PATH}"
-# Install gitxray
-RUN . $HOME/.asdf/asdf.sh \
- go install github.com/kulkansecurity/gitxray@latest
-
 #
 # Install pnpm using npm installed via asdf Node.js
 RUN npm install -g pnpm
 ENV PNPM_HOME="/home/${USERNAME}/.local/share/pnpm"
@@ -153,13 +149,7 @@ RUN git clone https://github.com/gitleaks/gitleaks.git gitleaks \
 && sudo ln -s /src/gitleaks/gitleaks /usr/local/bin
 
 # Install gh-fake-analyzer
-# from mattareal until upstream gets patched
-RUN git clone https://github.com/mattaereal/gh-fake-analyzer.git \
- && cd gh-fake-analyzer \
- && python3 -m venv gfa \
- && source gfa/bin/activate \
- && pip install -r requirements.txt \
- && exit
+RUN pipx install git+https://github.com/shortdoom/gh-fake-analyzer.git
 
 # Install legitify
 RUN git clone https://github.com/Legit-Labs/legitify \
@@ -175,18 +165,6 @@ RUN git clone https://github.com/Checkmarx/kics.git \
 && sudo ln -s /src/kics/bin/kics /usr/local/bin/kics \
 && echo 'export KICS_QUERIES_PATH=/src/kics/assets/queries' >> ~/.zshrc
 
-# Create a script to run the gh-fake-analyzer
-USER root
-
-RUN echo '#!/bin/zsh\n\
-source /src/gh-fake-analyzer/gfa/bin/activate\n\
-python3 /src/gh-fake-analyzer/analyze.py "$@"\n\
-deactivate' > /usr/local/bin/gh-fake-analyzer \
- && chmod +x /usr/local/bin/gh-fake-analyzer \
- && chown -R wanderer:trg /usr/local/bin/gh-fake-analyzer
-
-USER wanderer
-
 # Install Trivy
 RUN wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | gpg --dearmor | sudo tee /usr/share/keyrings/trivy.gpg > /dev/null \
 && echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb generic main" | sudo tee -a /etc/apt/sources.list.d/trivy.list \
diff --git a/HOWTO.md b/HOWTO.md
index fcf1160..079cb5a 100644
--- a/HOWTO.md
+++ b/HOWTO.md
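Review bot: The HOWTO.md hunk in this same commit still lists gitxray under "GitHub / GitLab" and the README hunk keeps `[x] gitxray`, yet the removed lines after `ENV PATH="${GOBIN}:${PATH}"` delete the only visible install step for it (`go install github.com/kulkansecurity/gitxray@latest`) with no replacement in this hunk, so the image and its documentation disagree unless gitxray is installed elsewhere in the Dockerfile outside this view. If the tool was deliberately dropped, the HOWTO and README entries should go with it; if it was moved, a one-line comment at the removal point such as `# gitxray: now installed in the <section> step below` (placeholder) would save the next reader a search. The RUN/ENV sequence this hunk sits in begins before the hunk.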
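Review bot: The new `RUN pipx install git+https://github.com/shortdoom/gh-fake-analyzer.git` in the second hunk resolves whatever that repository's default branch points to at build time, so rebuilds are not reproducible and any later change to that branch — including a malicious one — lands silently in the image; pin it, `RUN pipx install git+https://github.com/shortdoom/gh-fake-analyzer.git@<PINNED_TAG_OR_COMMIT>` (placeholder), and bump the ref deliberately. The removed comment said the mattaereal fork was used "until upstream gets patched", and nothing on this page says whether upstream now carries that fix, so a short comment recording why the source changed (e.g. `# upstream now includes the fork's fix; pinned to <ref>`, placeholder) would preserve that history. pipx is presumably already on PATH for the build user at this point, but that is not visible in the hunk — confirm it is installed earlier in the Dockerfile. The third hunk deletes the `gh-fake-analyzer` wrapper while HOWTO.md now documents `gh-analyze` and `gh-monitor`; those are presumably the entry points the pipx package exposes, which is worth verifying with a build.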
@@ -1,5 +1,29 @@
 # How to use the tools inside
 
+We leave you with a rough representative of what do these tools cover, so you get a better grasp on what to use them for.
+
+**Secrets**
+2ms, gitleaks, git-secrets, trufflehog
+
+**GitHub / GitLab**
+gitxray, gh-fake-analyzer, legitify
+
+**Multi-purpose**
+semgrep, trivy, kics
+
+**IaC / SCA / Code**
+checkov, scoutsuite, dependency-check
+
+**Cloud**
+falco, snyk, cloudsplaining
+
+**Containers / Images**
+clair, snyk, grype, hadolint
+
+**NodeJS**
+nodejsscan, retirejs, installed-check, better-npm-audit, eslint-plugin-security, eslint-plugin-no-unsanitized, eslint-plugin-no-secrets, node-version-audit, yarn-audit-fix
+
+
 - [How to use the tools inside](#how-to-use-the-tools-inside)
 - [GitXray | Harvest public information from GitHub APIs](#gitxray--harvest-public-information-from-github-apis)
 - [GH Fake Analyzer | Script to analyze profile GitHub data](#gh-fake-analyzer--script-to-analyze-profile-github-data)
@@ -96,18 +120,14 @@ designed for the OSINT/security community, enabling the inspection of potential
 blackhat, or fake employee accounts for dark patterns (see, Malicious GitHub Accounts)
 
 ```bash
-# Analyzing users
-python analyze.py # analyze a single user
-python analyze.py --out_path /path/to/dir # save to different than /out dir
-
-# Optionally, rename `targets.example` to `targets`
-python analyze.py # read from "targets" and analyze all
-python analyze.py --targets # custom_file.txt to read from as "targets"
-python analyze.py # Monitor single user
-python monitor.py --targets # Monitor multiple usernames
+gh-analyze # analyze a single user
+gh-analyze --out_path /path/to/dir # save to different than /out dir
+gh-analyze --targets # custom_file.txt to read from as "targets"
+gh-analyze --commit_search # search github for commit messages (slow, experimental)
+gh-analyze --token # provide GH_TOKEN to use for this run
+
+gh-monitor --username # Monitor single user
+gh-monitor --targets # Monitor multiple usernames
 ```
 
 ## git-secrets | Avoid commiting secrets
diff --git a/README.md b/README.md
index 647f2e8..4504223 100644
--- a/README.md
+++ b/README.md
@@ -5,7 +5,7 @@ Unified repository with OSS security tools, just `make exec` and dive into the c
 There are some tools that have not been integrated to the main container itself, given their nature, but have been or will be added to the repository with an explanation on how to run them separately.
 
-## Firing up the container
+## Firing up the container (OUTDATED)
 
 ```bash
 % make
@@ -24,12 +24,10 @@ Examples:
 make clean
 ```
 
-## Go to [how to use the tools inside](./HOWTO.md) to understand how each one of them actually work.
+## Go to [how to use the tools inside](./HOWTO.md) to understand how each one of them actually work
 
 ## Tools included in this container
 
-Except for Hadolint all tools are being installed from their latest releases.
-
 - [x] GitHub analysis (fake profiles, OSINT):
 - [x] gitxray: A multifaceted security tool that leverages Public GitHub REST APIs for OSINT, Forensics, Pentesting and more. ()
@@ -50,26 +48,26 @@ Except for Hadolint all tools are being installed from their latest releases.
 systems like CMS, chats and git. ()
 - [x] detect-secrets: yet another one. ()
-- [ ] Vulnerability scanners:
+- [x] Vulnerability scanners:
 - [x] trivy: Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more. ()
- - [] clair: Vulnerability Static Analysis for Containers. ()
+ - [x] clair: Vulnerability Static Analysis for Containers. ()
 - [x] snyk: Snyk CLI scans and monitors your projects for security vulnerabilities. ()
 - [x] grype: A vulnerability scanner for container images and filesystems. ()
 - [x] falco: Cloud Native Runtime Security. ()
-- [ ] Static analysis:
+- [x] Static analysis:
 - [x] semgrep: Lightweight static analysis for many languages. ()
 - [x] docker-compose ()
 - [x] dockerfile ()
 - [x] kubernetes ()
 - [x] flawfinder ()
- - [ ] sast-scan: Scan is a free & Open Source DevSecOps tool for performing static analysis
+ - [x] ~~sast-scan: Scan is a free & Open Source DevSecOps tool for performing static analysis
 based security testing of your applications and its dependencies. CI and Git friendly.
- ()
+ ()~~ Momentarily removed.
 - [x] Misconfigurations:
 - [x] legitify: Detect and remediate misconfigurations and security risks across all your GitHub