Vulnerability Scanner
Scan your repos for vulnerabilities (such as dependencies with published security advisories)
Dependencies
- NodeJS
Running
Locally
First, do this setup:
- Copy .env.dist to .env and add appropriate values.
- Install node
- Run npm install
Next, use one of the following commands, depending on what you want to do:
Scan an Entire GitHub Organization's Repos
Run this, replacing "ORGANIZATION" with the desired GitHub org. name:
node cli/scan-github-org.js ORGANIZATION
Scan a Specific GitHub Repo
Run this, replacing "REPO" with the desired GitHub repo, in the format "repo-owner/repo-name":
node cli/scan-github-repo.js REPO
Scan an Entire Bitbucket Workspace's Repos
Run this, replacing "WORKSPACE" with the desired Bitbucket workspace name:
node cli/scan-bitbucket-workspace.js WORKSPACE
Scan a Specific Bitbucket Repo
Run this, replacing "REPO" with the desired Bitbucket repo, in the format "repo-owner/repo-name":
node cli/scan-bitbucket-repo.js REPO
Scan an Entire GitHub Organization and Bitbucket Workspace
Run this, replacing "ORGANIZATION" with the desired GitHub org. name and "WORKSPACE" with the desired Bitbucket workspace name:
node cli/scan-gh-bb.js ORGANIZATION WORKSPACE
NPM
This library is also published as an npm package for use in other
JavaScript/Node applications:
https://www.npmjs.com/package/@silintl/vulnerability-scanner
AWS Lambda
To run this on AWS Lambda, see
https://github.com/silinternational/serverless-vulnerability-scanner
Backwards Compatibility
This repo uses semver, and its public interface (in order to determine what
changes would break backwards-compatibility) is defined as the functions
exported by ./index.js.
Checking PHP versions
Each of the commands for scanning one or more repos also accepts an optional URL to a CSV file with mapping information between Docker images and PHP versions.
Docker-PHP CSV file
Example CSV content:
Docker image,PHP version
openjdk:8-jdk-alpine,NONE
php:7.3-apache-buster,7.3
Note:
- The header line needs to use exactly those values.
- The values in the Docker image column should be the exact value used as the FROM in the Dockerfile.
- For Docker images that do include PHP, specify only the major and minor version (such as 7.3, not 7.3.24).
- For Docker images that do not include PHP, use NONE.
Tip:
One easy way to maintain a URL-accessible CSV file is as a Google Sheet, using
the "File" > "Publish to Web" feature, selecting the desired sheet (tab),
specifying "CSV" as the format option, and using the given URL in calls to this
library.
Missing Docker image values
If your list of vulnerabilities includes a warning like the following...
No record found in spreadsheet for php:7.3-apache-buster
... you simply need to add a row to your CSV file with that Docker image (in this case, php:7.3-apache-buster) and what version of PHP it uses (in this case, 7.3).
If you do not know what version of PHP it uses (and if it is a Docker image you
trust enough to run on your local computer), you can run a command like this,
replacing YOUR-DOCKER-IMAGE-STRING with the actual value:
docker run --entrypoint php YOUR-DOCKER-IMAGE-STRING -v
In the example above, that would mean running the following command:
docker run --entrypoint php php:7.3-apache-buster -v
Note:
There is a little get-php-of-docker.sh helper script for determining the PHP version (if any) used in a list of Docker images. However, it will probably change (and even be renamed) in future changes to this library. Feel free to use it, but don't depend on its current behavior or filename to remain unchanged.
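The following is an added example (not code from this library) showing how the CSV rules above can be enforced when the spreadsheet is read, and how a Dockerfile's FROM images are matched against it to produce the "No record found in spreadsheet for ..." warning. The function names are hypothetical, and the CSV and Dockerfile inputs are constructed for the example:

```javascript
// Added example, not code from the vulnerability-scanner project: a parser and
// validator for the Docker-PHP CSV format described above. All function names
// are hypothetical; the sample CSV and Dockerfile below are constructed.

const REQUIRED_HEADER = ['Docker image', 'PHP version'];

// Parse CSV text into a Map of Docker image -> PHP version ("NONE" or "major.minor").
// The documented rules are enforced up front, so a malformed spreadsheet fails loudly
// instead of silently producing wrong PHP versions for every repo scanned.
function parseDockerPhpCsv(text) {
  const lines = text.split(/\r?\n/).map((l) => l.trim()).filter((l) => l.length > 0);
  if (lines.length === 0) throw new Error('CSV is empty');
  const header = lines[0].split(',').map((h) => h.trim());
  if (header.length !== 2 || header[0] !== REQUIRED_HEADER[0] || header[1] !== REQUIRED_HEADER[1]) {
    throw new Error(`Unexpected header "${lines[0]}"; expected "${REQUIRED_HEADER.join(',')}"`);
  }
  const mapping = new Map();
  for (const line of lines.slice(1)) {
    const [image, version] = line.split(',').map((v) => v.trim());
    if (!image || !version) throw new Error(`Malformed row: "${line}"`);
    // Only NONE or major.minor is allowed; 7.3.24 would never match an EOL table keyed by 7.3.
    if (version !== 'NONE' && !/^\d+\.\d+$/.test(version)) {
      throw new Error(`PHP version for ${image} must be NONE or major.minor, got "${version}"`);
    }
    mapping.set(image, version);
  }
  return mapping;
}

// Collect the image from every FROM line of a Dockerfile (multi-stage builds have several).
// Any --platform style flag and the "AS name" alias are dropped; the image string itself is
// kept exactly as written, because the CSV must contain exactly that value.
function imagesFromDockerfile(dockerfile) {
  const images = [];
  for (const raw of dockerfile.split(/\r?\n/)) {
    const m = raw.trim().match(/^FROM\s+(?:--\S+\s+)*(\S+)(?:\s+AS\s+\S+)?\s*$/i);
    if (m) images.push(m[1]);
  }
  return images;
}

// Resolve the PHP versions used by a Dockerfile, producing the same warning text the
// README shows for images that have no row in the spreadsheet.
function phpVersionsForDockerfile(dockerfile, mapping) {
  const versions = [];
  const warnings = [];
  for (const image of imagesFromDockerfile(dockerfile)) {
    if (!mapping.has(image)) {
      warnings.push(`No record found in spreadsheet for ${image}`);
    } else if (mapping.get(image) !== 'NONE') {
      versions.push(mapping.get(image));
    }
  }
  return { versions, warnings };
}

// Constructed sample input: the README's two example rows, and a two-stage Dockerfile
// whose build stage uses an image that is deliberately absent from the CSV.
const SAMPLE_CSV = [
  'Docker image,PHP version',
  'openjdk:8-jdk-alpine,NONE',
  'php:7.3-apache-buster,7.3',
].join('\n');

const SAMPLE_DOCKERFILE = [
  'FROM node:18 AS builder',
  'RUN npm ci',
  'FROM php:7.3-apache-buster',
  'COPY --from=builder /app /var/www/html',
].join('\n');

function demo() {
  return phpVersionsForDockerfile(SAMPLE_DOCKERFILE, parseDockerPhpCsv(SAMPLE_CSV));
}

console.log(JSON.stringify(demo()));
```

Rejecting patch-level versions and a wrong header at parse time matters more than it looks: a spreadsheet that silently maps every image to an unrecognised version would make every PHP finding disappear rather than surface as a warning.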
Unknown PHP versions
If your list of vulnerabilities includes a warning like the following...
Unknown PHP version: 8.1
... please submit a PR on this repo to add that PHP version and its EOL date to the "src/php.js" file's list of EOL dates.
To find the End-Of-Life (EOL) date for that version of PHP, go to https://www.php.net/supported-versions and find the latest date any kind of support is planned for that version (typically the "Security Support Until" date).
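As an added example (not the contents of src/php.js), the block below shows how an EOL table keyed by major.minor PHP version produces both the "Unknown PHP version" warning and an end-of-life finding, and the validation a new table entry should pass before it is added. The function names are hypothetical, and the dates in the table are sample entries to be confirmed against the "Security Support Until" dates on php.net:

```javascript
// Added example, not the project's src/php.js: one way an EOL table keyed by
// major.minor PHP version yields both the "Unknown PHP version" warning and an
// end-of-life finding. Function names are hypothetical. The dates below are
// sample entries; before relying on them, confirm each against the
// "Security Support Until" date at https://www.php.net/supported-versions.
const PHP_EOL_DATES = {
  '7.3': '2021-12-06', // sample entry
  '7.4': '2022-11-28', // sample entry
  '8.0': '2023-11-26', // sample entry
};

const VERSION_RE = /^\d+\.\d+$/;
const DATE_RE = /^\d{4}-\d{2}-\d{2}$/;

// Validate an entry before it is added (the check a reviewer would want on the
// PR the README asks for): major.minor version, ISO date, and not already present.
// Returns a new table rather than mutating the shared one.
function addEolDate(table, version, eolDate) {
  if (!VERSION_RE.test(version)) throw new Error(`Version must be major.minor, got "${version}"`);
  if (!DATE_RE.test(eolDate) || Number.isNaN(Date.parse(eolDate))) {
    throw new Error(`EOL date must be YYYY-MM-DD, got "${eolDate}"`);
  }
  if (version in table) throw new Error(`PHP ${version} already has an EOL date`);
  return { ...table, [version]: eolDate };
}

// Classify one version relative to a reference date (ISO YYYY-MM-DD). Taking the
// date as a parameter keeps results deterministic; ISO dates compare correctly as strings.
function checkPhpVersion(version, today, table = PHP_EOL_DATES) {
  const eol = table[version];
  if (eol === undefined) {
    return { version, status: 'unknown', message: `Unknown PHP version: ${version}` };
  }
  if (today > eol) {
    return { version, status: 'eol', message: `PHP ${version} reached end of life on ${eol}` };
  }
  return { version, status: 'supported', message: `PHP ${version} is supported until ${eol}` };
}

// Run the check over every version a scan turned up, returning only the findings
// that need attention (unknown versions and versions past EOL).
function phpFindings(versions, today, table = PHP_EOL_DATES) {
  return versions
    .map((v) => checkPhpVersion(v, today, table))
    .filter((r) => r.status !== 'supported')
    .map((r) => r.message);
}

// Constructed sample: versions collected from several repos, checked on a fixed date.
const SAMPLE_VERSIONS = ['7.3', '8.0', '8.1'];
console.log(phpFindings(SAMPLE_VERSIONS, '2022-06-01'));
```

An unknown version is reported rather than treated as supported on purpose: a version missing from the table is exactly the case where the scanner has no basis for a verdict, and the warning is what prompts the PR this section asks for.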
Thanks!