
Customized toolbox to perform offline scanning of a code base.

righettod/toolbox-codescan


💻 Code scan toolbox


🎯 Description

The goal of this image is to provide a ready-to-use toolbox to perform offline scanning of a code base.

💡 The goal is to prevent any disclosure of the code base scanned.

📦 Build

💻 Use the following set of commands to build the Docker image of the toolbox:

git clone https://github.com/righettod/toolbox-codescan.git
cd toolbox-codescan
docker build . -t righettod/toolbox-codescan

💡 The image is built every week and pushed to the GitHub image repository. You can retrieve it with the following command:

docker pull ghcr.io/righettod/toolbox-codescan:main

👨‍💻 Usage

Caution

It is important to add the option --network none to prevent any network I/O from the container.

💻 Use the following command to create a container of the toolbox:

docker run --rm -v "C:/Temp:/work" --network none -it ghcr.io/righettod/toolbox-codescan:main
# From here, use one of the provided script...

📋 Scripts

Note

💡 jq is installed and can be used to manipulate the result of a scan.

Note

💡 regexploit is installed and can be used to test the exposure of a regular expression to ReDoS.

Tip

📦 All scripts are stored in the folder /tools/scripts, and that folder is referenced in the PATH environment variable.

Script 'scan-secrets.sh'

Important

A custom GITLEAKS configuration file is used to define the detection expressions.

Script to scan the current folder using GITLEAKS to find secrets in source files and git files. Git files scanning is only performed if a folder .git is present.

🐜 Leaks will be stored in files leaks-gitfiles.json and leaks-sourcefiles.json.

💡 The script report-secrets.py can be used to obtain an overview of the leaks identified and stored in the files leaks-*.json. It is imported into the image as the file /tools/scripts/report-secrets.py.

💻 Usage & Example:

$ pwd
/work/sample

$ scan-secrets.sh
5:47PM INF scan completed in 78.1ms
5:47PM INF no leaks found

Script 'scan-secrets-extended.sh'

Script to scan the current folder using a dictionary of common secret variable names (source).

💡 The dictionary of common secret variable names referenced above is imported, as the file /tools/secret-common-variable-names.txt, at build time of the image.

💻 Usage & Example:

$ pwd
/work/sample

$ scan-secrets-extended.sh
./config/db.properties:50:DB_PASSWORD=Password2024

Script 'scan.sh'

Script to scan the current folder using a set of SEMGREP rules with the SEMGREP OSS version.

🐜 Findings will be stored in file findings.json.

💡 The script report.py can be used to obtain an overview of the findings identified and stored in the file findings.json. It is imported into the image as the file /tools/scripts/report.py.

💻 Usage & Example:

$ pwd
/work/sample

$ scan.sh
Usage:
   scan.sh [RULES_FOLDER_NAME]

Call example:
    scan.sh java
    scan.sh php
    scan.sh json

See sub folders in '/tools/semgrep-rules'.

Findings will be stored in file 'findings.json'.

$ scan.sh java

┌────────────────┐
│ 1 Code Finding │
└────────────────┘

 src/burp/ActivityLogger.java
❯❯❱ tools.semgrep-rules.java.lang.security.audit.formatted-sql-string
       Detected a formatted string in a SQL statement. This could lead to SQL injection
       if variables in the SQL statement are not properly sanitized. Use a prepared
       statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement
       using 'connection.prepareStatement'.

        91┆ stmt.execute(SQL_TABLE_CREATE);

Script 'online-scan-secrets.sh'

Script to scan a collection of online git repositories using GITLEAKS to find secrets in source files and git files.

💡 The script scan-secrets.sh is used for the scan of a git repository once cloned.

💡 Use the script online-scan-secrets-consolidate.py to consolidate the generated data into a single file.

💻 Usage & Example:

$ online-scan-secrets.sh
Usage:
   online-scan-secrets.sh [FILE_WITH_COLLECTION_OF_GIT_REPO_URLS]

Call example:
    online-scan-secrets.sh repositories.txt

$ online-scan-secrets.sh repositories.txt
[*] Execution context:
List of git repositories URL   : repositories.txt (1030 entries)
Data collection storage folder : /work/data-collected
[*] Start repositories checking and data collection...
...

Script 'filters-secrets.py'

Script to filter a large leaks file that uses the GITLEAKS format, for example a file generated by the script online-scan-secrets-consolidate.py.

💡 The output allows searching for specific secrets with grep and different regexes, for example grep -B 4 -E 'ey[A-Za-z0-9]{15,}\.[A-Za-z0-9]{15,}\.[A-Za-z0-9_-]*' report.txt (a JWT-like pattern).

💻 Usage:

$ filters-secrets.py leaks-consolidated.json
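As an added example (not one of the toolbox's scripts), the following Python shows the kind of processing the report-secrets.py overview and the filters-secrets.py filtering described above perform on a GITLEAKS JSON report: it parses a constructed report, de-duplicates findings, counts them per rule and per file, and applies the JWT-like regex quoted above as a filter. The field names (RuleID, File, StartLine, Commit, Secret, Fingerprint) are assumed from the GITLEAKS JSON report layout, and the sample token is a dummy value.

```python
"""Overview and filtering of a GITLEAKS JSON report (added example, not the toolbox's own scripts)."""
import json
import re
from collections import Counter

# Constructed sample report: the field names (RuleID, File, StartLine, Commit, Secret,
# Fingerprint) are assumed from the GITLEAKS JSON layout; the token is a dummy JWT.
SAMPLE_REPORT = json.dumps([
    {"RuleID": "jwt", "File": "src/api/client.py", "StartLine": 12, "Commit": "abc1234",
     "Secret": "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0NTY3ODkwIn0.dozjgNryP4J3jVmNHl0w5N_XgL0n3I9PlFUP0THsR8U",
     "Fingerprint": "abc1234:src/api/client.py:jwt:12"},
    {"RuleID": "generic-api-key", "File": "config/db.properties", "StartLine": 50, "Commit": "",
     "Secret": "Password2024", "Fingerprint": "config/db.properties:generic-api-key:50"},
    # Same finding reported twice (e.g. after consolidating several scans)
    {"RuleID": "jwt", "File": "src/api/client.py", "StartLine": 12, "Commit": "abc1234",
     "Secret": "eyJhbGciOiJIUzI1NiJ9.x.y", "Fingerprint": "abc1234:src/api/client.py:jwt:12"},
])

# The JWT-like pattern the README passes to grep, reused as a Python filter.
JWT_RE = re.compile(r"ey[A-Za-z0-9]{15,}\.[A-Za-z0-9]{15,}\.[A-Za-z0-9_-]*")

def load_leaks(report_json):
    """Parse the report and drop duplicate findings, keyed on the GITLEAKS Fingerprint."""
    seen, unique = set(), []
    for leak in json.loads(report_json):
        fp = leak.get("Fingerprint") or (leak.get("Commit"), leak["File"], leak["RuleID"], leak["StartLine"])
        if fp not in seen:
            seen.add(fp)
            unique.append(leak)
    return unique

def overview(leaks):
    """Count unique findings per rule and per file, the summary a report script prints."""
    return {"by_rule": Counter(l["RuleID"] for l in leaks),
            "by_file": Counter(l["File"] for l in leaks)}

def filter_leaks(leaks, rule_ids=None, secret_pattern=None):
    """Keep findings whose rule is in rule_ids and/or whose secret matches secret_pattern."""
    return [leak for leak in leaks
            if (not rule_ids or leak["RuleID"] in rule_ids)
            and (not secret_pattern or secret_pattern.search(leak.get("Secret", "")))]

def to_report_lines(leaks):
    """Render findings as grep-friendly 'file:line:rule:secret' text lines."""
    return [f"{l['File']}:{l['StartLine']}:{l['RuleID']}:{l.get('Secret', '')}" for l in leaks]
```

Writing to_report_lines output to a text file gives the same grep-able form the README's grep -B 4 -E example works on.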

🤝 Sources & credits
