From c8a615b881a024bd96917ee25c1244ccc4ccaa4c Mon Sep 17 00:00:00 2001 From: Sean Hacker Date: Tue, 18 Jun 2024 22:50:04 -0400 Subject: [PATCH 1/3] Update documentation to remove bad copy/paste --- .goreleaser/goreleaser-publish.yml | 4 ++-- cmd/root.go | 2 +- docs/development/adding.md | 12 ++++++------ docs/development/setup.md | 8 ++++---- docs/docs/index.md | 6 +++--- docs/getting-started/basic-usage.md | 21 ++++++++++++--------- docs/getting-started/installation.md | 14 +++++++------- docs/index.md | 8 +------- 8 files changed, 36 insertions(+), 39 deletions(-) diff --git a/.goreleaser/goreleaser-publish.yml b/.goreleaser/goreleaser-publish.yml index d1ac808..6db9966 100644 --- a/.goreleaser/goreleaser-publish.yml +++ b/.goreleaser/goreleaser-publish.yml @@ -59,7 +59,7 @@ dockers: - prebuilt build_flag_templates: - "--label=org.opencontainers.image.title={{ .ProjectName }}" - - "--label=org.opencontainers.image.description=An on-rails AWS enumeration tool" + - "--label=org.opencontainers.image.description=An on-rails static analysis enumeration tool" - "--label=org.opencontainers.image.vendor=Method Security" - "--label=org.opencontainers.image.version={{ .Version }}" - "--label=org.opencontainers.image.created={{ .Date }}" @@ -82,7 +82,7 @@ dockers: - prebuilt build_flag_templates: - "--label=org.opencontainers.image.title={{ .ProjectName }}" - - "--label=org.opencontainers.image.description=An on-rails AWS enumeration tool" + - "--label=org.opencontainers.image.description=An on-rails static analysis enumeration tool" - "--label=org.opencontainers.image.vendor=Method Security" - "--label=org.opencontainers.image.version={{ .Version }}" - "--label=org.opencontainers.image.created={{ .Date }}" diff --git a/cmd/root.go b/cmd/root.go index 6981356..a4341d5 100644 --- a/cmd/root.go +++ b/cmd/root.go 
@@ -1,4 +1,4 @@ -// Package cmd implements the CobraCLI commands for the methodaws CLI. Subcommands for the CLI should all live within +// Package cmd implements the CobraCLI commands for the codeanalyze CLI. Subcommands for the CLI should all live within // this package. Logic should be delegated to internal packages and functions to keep the CLI commands clean and // focused on CLI I/O. package cmd diff --git a/docs/development/adding.md b/docs/development/adding.md index 410e4ca..c632565 100644 --- a/docs/development/adding.md +++ b/docs/development/adding.md 
@@ -1,10 +1,10 @@ # Adding a new capability -By design, networkscan breaks every unique network scan into its own top level command. If you are looking to add a brand new capability to the tool, you can take the following steps. +By design, codeanalyze breaks every unique network scan into its own top level command. If you are looking to add a brand new capability to the tool, you can take the following steps. -1. Add a file to `cmd/` that corresponds to the sub-command name you'd like to add to the `networkscan` CLI -2. You can use `cmd/portscan.go` as a template -3. Your file needs to be a member function of the `networkscan` struct and should be of the form `InitCommand` -4. Add a new member to the `networkscan` struct in `cmd/root.go` that corresponsds to your command name. Remember, the first letter must be capitalized. +1. Add a file to `cmd/` that corresponds to the sub-command name you'd like to add to the `codeanalyze` CLI +2. You can use `cmd/semgrep.go` as a template +3. Your file needs to be a member function of the `codeanalyze` struct and should be of the form `InitCommand` +4. Add a new member to the `codeanalyze` struct in `cmd/root.go` that corresponsds to your command name. Remember, the first letter must be capitalized. 5. Call your `Init` function from `main.go` -6. Add logic to your commands runtime and put it in its own package within `internal` (e.g., `internal/portscan`) +6. Add logic to your commands runtime and put it in its own package within `internal` (e.g., `internal/semgrep`) diff --git a/docs/development/setup.md b/docs/development/setup.md index 5b5510b..ad1678c 100644 --- a/docs/development/setup.md +++ b/docs/development/setup.md 
@@ -2,11 +2,11 @@ ## Adding a new capability -To add a new scan to networkscan, providing new enumeration capabilities to security operators everywhere, please see the [adding a new capability](./adding.md) page. +To add a new scan to codeanalyze, providing new enumeration capabilities to security operators everywhere, please see the [adding a new capability](./adding.md) page. ## Setting up your development environment -If you've just cloned networkscan for the first time, welcome to the community! We use Palantir's [godel](https://github.com/palantir/godel) to streamline local development and [goreleaser](https://goreleaser.com/) to handle the heavy lifting on the release process. +If you've just cloned codeanalyze for the first time, welcome to the community! We use Palantir's [godel](https://github.com/palantir/godel) to streamline local development and [goreleaser](https://goreleaser.com/) to handle the heavy lifting on the release process. To get started with godel, you can run @@ -24,7 +24,7 @@ We can use godel to build our CLI locally by running ./godelw build ``` -You should see output in `out/build/networkscan//-/networkscan`. +You should see output in `out/build/codeanalyze//-/codeanalyze`. If you'd like to clean this output up, you can run @@ -34,7 +34,7 @@ If you'd like to clean this output up, you can run ## Testing releases locally -We can use goreleaser locally as well to test our builds. As networkscan uses [cosign](https://github.com/sigstore/cosign) to sign our artifacts and Docker containers during our CI pipeline, we'll want to skip this step when running locally. +We can use goreleaser locally as well to test our builds. As codeanalyze uses [cosign](https://github.com/sigstore/cosign) to sign our artifacts and Docker containers during our CI pipeline, we'll want to skip this step when running locally. ```bash goreleaser release --snapshot --clean --skip sign diff --git a/docs/docs/index.md b/docs/docs/index.md index ed27012..fa715e3 100644 
--- a/docs/docs/index.md +++ b/docs/docs/index.md @@ -6,7 +6,7 @@ codeanalyze offers a variety of static code analysis tools and techniques that a ## Top Level Flags -networkscan has several top level flags that can be used on any subcommand. These include: +codeanalyze has several top level flags that can be used on any subcommand. These include: ```bash Flags: @@ -19,8 +19,8 @@ Flags: ## Version Command -Run `networkscan version` to get the exact version information for your binary +Run `codeanalyze version` to get the exact version information for your binary ## Output Formats -For more information on the various output formats that are supported by networkscan, see the [Output Formats](https://method-security.github.io/docs/output.html) page in our organization wide documentation. +For more information on the various output formats that are supported by codeanalyze, see the [Output Formats](https://method-security.github.io/docs/output.html) page in our organization wide documentation. diff --git a/docs/getting-started/basic-usage.md b/docs/getting-started/basic-usage.md index 82d0510..b77f17b 100644 --- a/docs/getting-started/basic-usage.md +++ b/docs/getting-started/basic-usage.md 
@@ -2,23 +2,26 @@ ## Binaries -Running as a binary allows you to skip dealing with any container related networking issues and leverage the same network interface that the host machine is using. - -You can validate that the binary is working by scanning the publicly available `scanme.sh`. +Running codeanalyze as a binary allows you to more easily scan local files on your machine without worrying about Docker volumes. ```bash -networkscan portscan --topports 100 --target scanme.sh +codeanalyze semgrep --config-type template --config-value --target /path/to/target --local-rules-dir /path/to/rules ``` ## Docker -Running networkscan within a Docker container should typically work similarly to running directly on a host, however, occasionally there are a few things to keep in mind. +Running codeanalyze within a Docker container should typically work similarly to running directly on a host, however, but there are a few things to keep in mind. If you're running on a Docker container on a MacOS machine and you are trying to scan a locally running service, you can leverage the `host.docker.internal` address as mentioned in the Docker documentation [here](https://docs.docker.com/desktop/networking/#i-want-to-connect-from-a-container-to-a-service-on-the-host). ```bash -docker run ghcr.io/method-security/networkscan \ - portscan \ - --topports 100 \ - --target scanme.sh +docker \ + -v /path/to/target:/opt/target \ + -v /path/to/rules:/opt/rules \ + methodsecurity/codeanalyze \ + semgrep \ + --config-type template \ + --config-value \ + --target /opt/target \ + --local-rules-dir /opt/rules ``` diff --git a/docs/getting-started/installation.md b/docs/getting-started/installation.md index 84cf4e9..49cc5cc 100644 --- a/docs/getting-started/installation.md +++ b/docs/getting-started/installation.md 
@@ -1,16 +1,16 @@ # Getting Started -If you are just getting started with networkscan, welcome! This guide will walk you through the process of going zero to one with the tool. +If you are just getting started with codeanalyze, welcome! This guide will walk you through the process of going zero to one with the tool. ## Installation -networkscan is provided in several convenient form factors, including statically compiled binary images on a variety of architectures as well as a Docker image for both x86 and ARM machines. +codeanalyze is provided in several convenient form factors, including statically compiled binary images on a variety of architectures as well as a Docker image for both x86 and ARM machines. If you do not see an architecture that you require, please open a [Discussion](https://method-security.github.io/community/contribute/discussions.html) to propose adding it. ### Binaries -networkscan currently supports statically compiled binaries across the following operating systems and architectures: +codeanalyze currently supports statically compiled binaries across the following operating systems and architectures: | OS | Architecture | | ------- | ------------ | 
@@ -19,16 +19,16 @@ networkscan currently supports statically compiled binaries across the following | MacOS | arm64 | | Windows | amd64 | -The latest binaries can be downloaded directly from [Github](https://github.com/Method-Security/networkscan/releases/latest). +The latest binaries can be downloaded directly from [Github](https://github.com/Method-Security/codeanalyze/releases/latest). ### Docker -Docker images for networkscan are hosted in both Github Container Registry as well as on Docker Hub and can be pulled via: +Docker images for codeanalyze are hosted in both Github Container Registry as well as on Docker Hub and can be pulled via: ```bash -docker pull ghcr.io/method-security/networkscan +docker pull ghcr.io/method-security/codeanalyze ``` ```bash -docker pull methodsecurity/networkscan +docker pull methodsecurity/codeanalyze ``` diff --git a/docs/index.md b/docs/index.md index 5964e5c..d6a4257 100644 --- a/docs/index.md +++ b/docs/index.md @@ -28,13 +28,7 @@ For the full list of available installation options, please see the [Installatio ### General Usage ```bash -codeanalyze semgrep -``` - -#### Examples - -```bash -codeanalyze portscan --topports 100 scanme.sh +codeanalyze semgrep --config-type template --config-value --target /path/to/target --local-rules-dir /path/to/rules ``` ## Contributing From 0ca56506c6c866ac7693409f799e77fbde870035 Mon Sep 17 00:00:00 2001 From: Sean Hacker Date: Tue, 18 Jun 2024 22:51:12 -0400 Subject: [PATCH 2/3] Update README with badges --- README.md | 70 +++++++++++++++++++++++++++++++++++++++++-------------- 1 file changed, 52 insertions(+), 18 deletions(-) diff --git a/README.md b/README.md index 8a76b59..bd75930 100644 --- a/README.md +++ b/README.md @@ -1,32 +1,66 @@ -# Codeanalyze +
+

codeanalyze

-Codeanalyze analyzes local code repositories or directories for configurations and vulnerabilities. It can be run locally or as part of CI. +[![GitHub Release][release-img]][release] +[![Verify][verify-img]][verify] +[![Go Report Card][go-report-img]][go-report] +[![License: Apache-2.0][license-img]][license] -## Adding a new codeanalyze Capability +[![GitHub Downloads][github-downloads-img]][release] +[![Docker Pulls][docker-pulls-img]][docker-pull] -TODO update the below +
-1. Add a file to `cmd/` that corresponds to the sub-command name you'd like to add to the `codeanalyze` CLI -2. You can use `cmd/ec2.go` as a template -3. Your file needs to be a member function of the `AwsEnumerate` struct and should be of the form `InitCommand` -4. Add a new member to the `AwsEnumerate` struct in `cmd/root.go` that corresponsds to your command name. Remember, the first letter must be capitalized. -5. Call your `Init` function from `main.go` -6. Add logic to your commands runtime and put it in its own package within `internal` (e.g., `internal/ec2`) +codeanalyze provides an opinionated perspective on top of popular static analysis capabilities such as [Semgrep](https://semgrep.dev/) to provide visibility into vulnerabilities and misconfigurations that may exist in a team's code base. Designed with data-modeling and data-integration needs in mind, codeanalyze can be used on its own as an interactive CLI, orchestrated as part of a broader data pipeline, or leveraged from within the Method Platform. -## Testing +The types of scans that codeanalyze can conduct are constantly growing. For the most up to date listing, please see the documentation [here](./docs/index.md) -### Testing from Source (pre-build) +To learn more about codeanalyze, please see the [Documentation site](https://method-security.github.io/codeanalyze/) for the most detailed information. -You can test locally without building by running +## Quick Start + +### Get codeanalyze + +For the full list of available installation options, please see the [Installation](./getting-started/installation.md) page. 
For convenience, here are some of the most commonly used options: + +- `docker run methodsecurity/codeanalyze` +- `docker run ghcr.io/method-security/codeanalyze` +- Download the latest binary from the [Github Releases](https://github.com/Method-Security/codeanalyze/releases/latest) page +- [Installation documentation](./getting-started/installation.md) + +### General Usage ```bash -go run main.go +codeanalyze semgrep --config-type template --config-value --target /path/to/target --local-rules-dir /path/to/rules ``` -### Testing the CLI (post-build) +## Contributing + +Interested in contributing to codeanalyze? Please see our organization wide [Contribution](https://method-security.github.io/community/contribute/discussions.html) page. + +## Want More? + +If you're looking for an easy way to tie codeanalyze into your broader cybersecurity workflows, or want to leverage some autonomy to improve your overall security posture, you'll love the broader Method Platform. + +For more information, visit us [here](https://method.security) + +## Community + +codeanalyze is a Method Security open source project. -You can test locally using the CLI by building it from source. Run, `./godelw clean && ./godelw build` to clean out the `out/` directory and rebuild. You will now have a binary at `out/build/codeanalyze//darwin-arm64/codeanalyze` that you can run +Learn more about Method's open source source work by checking out our other projects [here](https://github.com/Method-Security) or our organization wide documentation [here](https://method-security.github.io). -## Building the Docker Container +Have an idea for a Tool to contribute? Open a Discussion [here](https://github.com/Method-Security/Method-Security.github.io/discussions). -I have not yet figured out how to get godel to build docker for us, so at the moment, it's a bit of a pain. 
The best idea is to follow what the `build-docker` stage in `.gitlab-ci.yml` does +[verify]: https://github.com/Method-Security/codeanalyze/actions/workflows/verify.yml +[verify-img]: https://github.com/Method-Security/codeanalyze/actions/workflows/verify.yml/badge.svg +[go-report]: https://goreportcard.com/report/github.com/Method-Security/codeanalyze +[go-report-img]: https://goreportcard.com/badge/github.com/Method-Security/codeanalyze +[release]: https://github.com/Method-Security/codeanalyze/releases +[releases]: https://github.com/Method-Security/codeanalyze/releases/latest +[release-img]: https://img.shields.io/github/release/Method-Security/codeanalyze.svg?logo=github +[github-downloads-img]: https://img.shields.io/github/downloads/Method-Security/codeanalyze/total?logo=github +[docker-pulls-img]: https://img.shields.io/docker/pulls/methodsecurity/codeanalyze?logo=docker&label=docker%20pulls%20%2F%20codeanalyze +[docker-pull]: https://hub.docker.com/r/methodsecurity/codeanalyze +[license]: https://github.com/Method-Security/codeanalyze/blob/main/LICENSE +[license-img]: https://img.shields.io/badge/License-Apache%202.0-blue.svg From b2320105111bbe218fcd3c77ce54934dd4bc2ad2 Mon Sep 17 00:00:00 2001 From: Sean Hacker Date: Tue, 18 Jun 2024 23:05:54 -0400 Subject: [PATCH 3/3] Ensure semgrep is on the path --- Dockerfile | 21 +++++++++++++-------- 1 file changed, 13 insertions(+), 8 deletions(-) diff --git a/Dockerfile b/Dockerfile index 4b6109b..52ff0d0 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,6 +1,8 @@ -FROM alpine:3.20 as base +FROM alpine:3.20 ARG CLI_NAME="codeanalyze" +ARG USERNAME="method" +ARG SEMGREP_VERSION="1.76.0" RUN \ apk update && \ 
@@ -20,16 +22,19 @@ RUN \ mkdir -p /opt/method/${CLI_NAME}/service/bin && \ mkdir -p /mnt/output -COPY configs/* /opt/method/${CLI_NAME}/var/conf/ -COPY ${CLI_NAME} /opt/method/${CLI_NAME}/service/bin/${CLI_NAME} +# COPY configs/* /opt/method/${CLI_NAME}/var/conf/ +# COPY ${CLI_NAME} /opt/method/${CLI_NAME}/service/bin/${CLI_NAME} RUN \ - adduser --disabled-password --gecos '' method && \ - chown -R method:method /opt/method/${CLI_NAME}/ && \ - chown -R method:method /mnt/output + adduser --disabled-password --gecos '' ${USERNAME} && \ + chown -R ${USERNAME}:${USERNAME} /opt/method/${CLI_NAME}/ && \ + chown -R ${USERNAME}:${USERNAME} /mnt/output -USER method +USER ${USERNAME} WORKDIR /opt/method/${CLI_NAME}/ -ENV PATH="/opt/method/${CLI_NAME}/service/bin:${PATH}" +RUN \ + pipx install semgrep==${SEMGREP_VERSION} + +ENV PATH="/opt/method/${CLI_NAME}/service/bin:/home/${USERNAME}/.local/bin:${PATH}"
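Review bot: The two `COPY` lines are commented out rather than removed, so after this change the Dockerfile itself no longer places the `codeanalyze` binary or its configs under `/opt/method/${CLI_NAME}`, while `ENV PATH` still prepends `service/bin`; if the goreleaser `prebuilt` docker config supplies the binary at publish time, say so in a comment such as `# binary and configs are added by goreleaser at publish time; see .goreleaser/goreleaser-publish.yml`, otherwise delete the dead lines. The new `pipx install semgrep==${SEMGREP_VERSION}` runs as `${USERNAME}` after the `USER` switch and fetches from PyPI at build time, so it depends on `pipx` being among the packages installed by the earlier `RUN apk …` (outside this hunk) and on network access during the build; the version pin is good, but nothing verifies the downloaded artifact, so a hash constraint passed through `--pip-args` would make the image reproducible independent of the registry. The `/home/${USERNAME}/.local/bin` PATH entry relies on `adduser` creating the home directory at that default location, which holds on alpine but deserves a one-line comment so a later change to the user's home does not silently drop `semgrep` off the path.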