Vulnerability Scanner

Scan your repos for vulnerabilities (such as dependencies with published security advisories)

Dependencies

  • NodeJS

Running

Locally

First, do this setup:

  1. Copy .env.dist to .env and fill in the appropriate values.
  2. Install Node.js.
  3. Run npm install.

Next, use one of the following commands, depending on what you want to do:

Scan an Entire GitHub Organization's Repos

Run this, replacing "ORGANIZATION" with the desired GitHub org. name:

node cli/scan-github-org.js ORGANIZATION

Scan a Specific GitHub Repo

Run this, replacing "REPO" with the desired GitHub repo, in the format "repo-owner/repo-name":

node cli/scan-github-repo.js REPO

Scan an Entire Bitbucket Workspace's Repos

Run this, replacing "WORKSPACE" with the desired Bitbucket workspace name:

node cli/scan-bitbucket-workspace.js WORKSPACE

Scan a Specific Bitbucket Repo

Run this, replacing "REPO" with the desired Bitbucket repo, in the format "repo-owner/repo-name":

node cli/scan-bitbucket-repo.js REPO

Scan an Entire GitHub Organization and Bitbucket Workspace

Run this, replacing "ORGANIZATION" with the desired GitHub org. name and "WORKSPACE" with the desired Bitbucket workspace name:

node cli/scan-gh-bb.js ORGANIZATION WORKSPACE

NPM

This library is also published as an npm package for use in other JavaScript/Node applications:
https://www.npmjs.com/package/@silintl/vulnerability-scanner

AWS Lambda

To run this on AWS Lambda, see
https://github.com/silinternational/serverless-vulnerability-scanner

Backwards Compatibility

This repo uses semver, and its public interface (in order to determine what changes would break backwards-compatibility) is defined as the functions exported by ./index.js.

Checking PHP versions

Each of the commands for scanning one or more repos also accepts an optional URL to a CSV file with mapping information between Docker images and PHP versions.

Docker-PHP CSV file

Example CSV content:

Docker image,PHP version
openjdk:8-jdk-alpine,NONE
php:7.3-apache-buster,7.3

Note:

  • The header line needs to use exactly those values.
  • The values in the Docker image column should be the exact value used as the FROM in the Dockerfile.
  • For Docker images that do include PHP, specify only the major and minor version (such as 7.3, not 7.3.24).
  • For Docker images that do not include PHP, use NONE.

Tip:
One easy way to maintain a URL-accessible CSV file is as a Google Sheet, using the "File" > "Publish to Web" feature, selecting the desired sheet (tab), specifying "CSV" as the format option, and using the given URL in calls to this library.

Missing Docker image values

If your list of vulnerabilities includes a warning like the following...

No record found in spreadsheet for php:7.3-apache-buster

... you simply need to add a row to your CSV file with that Docker image (in this case, php:7.3-apache-buster) and the version of PHP it uses (in this case, 7.3).

If you do not know what version of PHP it uses (and if it is a Docker image you trust enough to run on your local computer), you can run a command like this, replacing YOUR-DOCKER-IMAGE-STRING with the actual value:

docker run --entrypoint php YOUR-DOCKER-IMAGE-STRING -v

In the example above, that would mean running the following command:

docker run --entrypoint php php:7.3-apache-buster -v

Note:

There is a small get-php-of-docker.sh helper script for determining the PHP version (if any) used by a list of Docker images. However, it will probably change (and may even be renamed) in future versions of this library. Feel free to use it, but don't depend on its current behavior or filename remaining unchanged.

Unknown PHP versions

If your list of vulnerabilities includes a warning like the following...

Unknown PHP version: 8.1

... please submit a PR on this repo to add that PHP version and its EOL date to the "src/php.js" file's list of EOL dates.

To find the End-Of-Life (EOL) date for that version of PHP, go to https://www.php.net/supported-versions and find the latest date any kind of support is planned for that version (typically the "Security Support Until" date).
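The CSV rules in the "Docker-PHP CSV file" note and the two warnings described above, as an added example (not the project's own code): a parser that enforces the exact header and the major.minor/NONE convention, plus a check that reports missing images and PHP versions absent from an EOL table. The CSV text, image list and EOL dates are constructed sample data, and the table shape is an assumption, not the real src/php.js.

```javascript
// Added example, not code from the vulnerability-scanner project.
// Constructed sample CSV in the documented format.
const SAMPLE_CSV = [
  'Docker image,PHP version',
  'openjdk:8-jdk-alpine,NONE',
  'php:7.3-apache-buster,7.3',
].join('\n');

// Constructed sample EOL table (assumed shape; verify dates at php.net/supported-versions).
// It is deliberately incomplete so the "Unknown PHP version" path is exercised.
const PHP_EOL = { '7.3': '2021-12-06', '7.4': '2022-11-28', '8.0': '2023-11-26' };

// Parse the CSV, enforcing the README's rules: exact header line, and each
// PHP version is either NONE or a major.minor value (7.3, not 7.3.24).
function parseDockerPhpCsv(text) {
  const lines = text.split(/\r?\n/).filter((l) => l.trim() !== '');
  if (lines[0] !== 'Docker image,PHP version') {
    throw new Error(`Unexpected header line: ${lines[0]}`);
  }
  const map = {};
  for (const line of lines.slice(1)) {
    const [image, version] = line.split(',').map((s) => s.trim());
    if (version !== 'NONE' && !/^\d+\.\d+$/.test(version)) {
      throw new Error(`Bad PHP version "${version}" for ${image} (use major.minor or NONE)`);
    }
    map[image] = version; // keyed by the exact FROM value used in the Dockerfile
  }
  return map;
}

// For each FROM image, emit the same kinds of warnings the README describes,
// plus an EOL warning when the mapped version's EOL date is before `today` (ISO date).
function checkImages(images, map, eolTable, today) {
  const warnings = [];
  for (const image of images) {
    const version = map[image];
    if (version === undefined) {
      warnings.push(`No record found in spreadsheet for ${image}`);
    } else if (version === 'NONE') {
      continue; // image does not ship PHP; nothing to check
    } else if (!(version in eolTable)) {
      warnings.push(`Unknown PHP version: ${version}`);
    } else if (eolTable[version] < today) {
      warnings.push(`PHP ${version} in ${image} reached EOL on ${eolTable[version]}`);
    }
  }
  return warnings;
}
```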

Thanks!

Contributors

  • forevermatt
