forked from globocom/huskyCI
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
25e1173
commit 10d2259
Showing
1 changed file
with
62 additions
and
83 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,112 +1,91 @@ | ||
| <p align="center"> | ||
| <img src="https://raw.githubusercontent.com/wiki/globocom/huskyCI/images/huskyCI-logo.png" align="center" height="" /> | ||
| <!-- logo font: Anton --> | ||
| </p> | ||
|
|
||
| <p align="center"> | ||
| <a href="https://github.com/globocom/huskyCI/releases"><img src="https://img.shields.io/github/v/release/globocom/huskyCI"/></a> | ||
| <a href="https://github.com/rafaveira3/writing-and-presentations/blob/master/DEFCON-27-APP-SEC-VILLAGE-Rafael-Santos-huskyCI-Finding-security-flaws-in-CI-before-deploying-them.pdf"><img src="https://img.shields.io/badge/DEFCON%2027-AppSec%20Village-black"/></a> | ||
| <a href="https://github.com/rafaveira3/contributions/blob/master/huskyCI-BlackHat-Europe-2019.pdf"><img src="https://img.shields.io/badge/Black%20Hat%20Europe%202019-Arsenal-black"/></a> | ||
| <a href="https://defectdojo.readthedocs.io/en/latest/integrations.html#huskyci-report"><img src="https://img.shields.io/badge/DefectDojo-Compatible-brightgreen"/></a> | ||
| </p> | ||
| **WARNING**: this is a fork repository, feel free to use it and contribute here but I recommend to try the [official repository](https://github.com/globocom/huskyCI) first. | ||
|
|
||
| ## Introduction | ||
|
|
||
| huskyCI is an open source tool that orchestrates security tests and centralizes all results into a database for further analysis and metrics. It can perform static security analysis in Python ([Bandit][Bandit] and [Safety][Safety]), Ruby ([Brakeman][Brakeman]), JavaScript ([Npm Audit][NpmAudit] and [Yarn Audit][YarnAudit]), Golang ([Gosec][Gosec]), Java ([SpotBugs][SpotBugs] plus [Find Sec Bugs][FindSec]), and HCL ([TFSec][TFSec]). It can also audit repositories for secrets like AWS Secret Keys, Private SSH Keys, and many others using [GitLeaks][Gitleaks]. | ||
| Please look at the official [documentation page](https://huskyci.opensource.globo.com/docs/quickstart/overview). | ||
|
|
||
| ## Getting Started | ||
|
|
||
| Follow this steps to setting up huskyCI using Docker Compose. | ||
|
|
||
| ## How does it work? | ||
| 1. Clone this repository | ||
|
|
||
| Developers can set up a new stage into their CI pipelines to check for vulnerabilities: | ||
| ``` | ||
| git clone https://github.com/rogeriobastos/huskyCI.git | ||
| cd huskyCI/ | ||
| echo "export HUSKYCI_PATH='${PWD}'" > .env | ||
| echo "export HUSKYCI_SCRIPTS='${PWD}/deployments/scripts'" >> .env | ||
| source .env | ||
| ``` | ||
|
|
||
| <p align="center"><img src="huskyCI-stage.png"/></p> | ||
| 1. Create certificates | ||
|
|
||
| If security issues are found in the code, the severity, the confidence, the file, the line, and many more useful information can be shown, as exemplified: | ||
| This certificates are used to protect the communication between huskyCI and docker daemon. | ||
|
|
||
| ``` | ||
| [HUSKYCI][*] poc-python-bandit -> https://github.com/globocom/huskyCI.git | ||
| [HUSKYCI][*] huskyCI analysis started! yDS9tb9mdt4QnnyvOBp3eVAXE1nWpTRQ | ||
| [HUSKYCI][!] Title: Use of exec detected. | ||
| [HUSKYCI][!] Language: Python | ||
| [HUSKYCI][!] Tool: Bandit | ||
| [HUSKYCI][!] Severity: MEDIUM | ||
| [HUSKYCI][!] Confidence: HIGH | ||
| [HUSKYCI][!] Details: Use of exec detected. | ||
| [HUSKYCI][!] File: ./main.py | ||
| [HUSKYCI][!] Line: 7 | ||
| [HUSKYCI][!] Code: | ||
| 6 | ||
| 7 exec(command) | ||
| 8 | ||
| [HUSKYCI][!] Title: Possible hardcoded password: 'password123!' | ||
| [HUSKYCI][!] Language: Python | ||
| [HUSKYCI][!] Tool: Bandit | ||
| [HUSKYCI][!] Severity: LOW | ||
| [HUSKYCI][!] Confidence: MEDIUM | ||
| [HUSKYCI][!] Details: Possible hardcoded password: 'password123!' | ||
| [HUSKYCI][!] File: ./main.py | ||
| [HUSKYCI][!] Line: 1 | ||
| [HUSKYCI][!] Code: | ||
| 1 secret = 'password123!' | ||
| 2 | ||
| 3 password = 'thisisnotapassword' #nohusky | ||
| 4 | ||
| [HUSKYCI][SUMMARY] Python -> huskyci/bandit:1.6.2 | ||
| [HUSKYCI][SUMMARY] High: 0 | ||
| [HUSKYCI][SUMMARY] Medium: 1 | ||
| [HUSKYCI][SUMMARY] Low: 1 | ||
| [HUSKYCI][SUMMARY] NoSecHusky: 1 | ||
| [HUSKYCI][SUMMARY] Total | ||
| [HUSKYCI][SUMMARY] High: 0 | ||
| [HUSKYCI][SUMMARY] Medium: 1 | ||
| [HUSKYCI][SUMMARY] Low: 1 | ||
| [HUSKYCI][SUMMARY] NoSecHusky: 1 | ||
| [HUSKYCI][*] The following securityTests were executed and no blocking vulnerabilities were found: | ||
| [HUSKYCI][*] [huskyci/gitleaks:2.1.0] | ||
| [HUSKYCI][*] Some HIGH/MEDIUM issues were found in these securityTests: | ||
| [HUSKYCI][*] [huskyci/bandit:1.6.2] | ||
| ERROR: Job failed: exit code 190 | ||
| echo "export HUSKYCI_CERT_PATH='${HUSKYCI_PATH}/certs'" >> $HUSKYCI_PATH/.env | ||
| echo "export HUSKYCI_CERT_PASSPHRASE='mypassword'" >> $HUSKYCI_PATH/.env | ||
| echo "export HUSKYCI_DOCKERAPI_HOST='address.to.dockerapi.host'" >> $HUSKYCI_PATH/.env | ||
| echo "export HUSKYCI_DOCKERAPI_ADDR='1.2.3.4'" >> $HUSKYCI_PATH/.env | ||
| echo "export HUSKYCI_HOST='address.to.huskyci.host'" >> $HUSKYCI_PATH/.env | ||
| source $HUSKYCI_PATH/.env | ||
| make create-certs | ||
| ``` | ||
|
|
||
| ## Getting Started | ||
| 1. Configure the docker daemon | ||
|
|
||
| You can try huskyCI by setting up a local environment using Docker Compose following [this guide](https://huskyci.opensource.globo.com/docs/development/set-up-environment). | ||
| HuskyCI requires a docker daemon listening on a TCP port to start the security test containers. You can use the local docker daemon or a remote one (in a VM for example). For security reasons we also configure docker to only allows connections from clients authenticated by a certificate signed by that CA generated above. For more details about this configuration look at docker documentation [here](https://docs.docker.com/engine/install/linux-postinstall/#configure-where-the-docker-daemon-listens-for-connections) and [here](https://docs.docker.com/engine/security/protect-access/#use-tls-https-to-protect-the-docker-daemon-socket). | ||
|
|
||
| ## Documentation | ||
| Use the command `systemctl edit docker.service` to open an override file for docker.service in a text editor. | ||
|
|
||
| All guides and the full documentation can be found in the [official documentation page](https://huskyci.opensource.globo.com/docs/quickstart/overview). | ||
| Add the following lines. | ||
|
|
||
| ## Contributing | ||
| ``` | ||
| [Service] | ||
| ExecStart= | ||
| ExecStart=/usr/bin/dockerd --tlsverify --tlscacert=/path/to/certs/docker/ca.pem --tlscert=/path/to/certs/docker/server-cert.pem --tlskey=/path/to/certs/docker/server-key.pem -H fd:// -H tcp://0.0.0.0:2376 | ||
| ``` | ||
|
|
||
| Read our [contributing guide](https://github.com/globocom/huskyCI/blob/master/CONTRIBUTING.md) to learn about our development process, how to propose bugfixes and improvements, and how to build and test your changes to huskyCI. | ||
| Reload systemd and restart docker. | ||
|
|
||
| ## Communication | ||
| ``` | ||
| systemctl daemon-reload | ||
| systemctl restart docker.service | ||
| ``` | ||
|
|
||
| We have a few channels for contact, feel free to reach out to us at: | ||
| 1. Configure MongoDB | ||
|
|
||
| - [GitHub Issues](https://github.com/globocom/huskyCI/issues) | ||
| - [Gitter](https://gitter.im/globocom/huskyCI) | ||
| - [Twitter](https://twitter.com/huskyCI) | ||
| Set up MongoDB init file. | ||
|
|
||
| ## Contributors | ||
| ``` | ||
| echo "export HUSKYCI_DATABASE_DB_NAME='huskyCIDB'" >> $HUSKYCI_PATH/.env | ||
| echo "export HUSKYCI_DATABASE_DB_USERNAME='huskyCIUser'" >> $HUSKYCI_PATH/.env | ||
| echo "export HUSKYCI_DATABASE_DB_PASSWORD='huskyCIPassword'" >> $HUSKYCI_PATH/.env | ||
| source $HUSKYCI_PATH/.env | ||
| make prepare-local-mongodb | ||
| ``` | ||
|
|
||
| 1. Configure HuskyCI | ||
|
|
||
| ``` | ||
| echo "export HUSKYCI_API_DEFAULT_USERNAME='huskyCIUser'" >> $HUSKYCI_PATH/.env | ||
| echo "export HUSKYCI_API_DEFAULT_PASSWORD='huskyCIPassword'" >> $HUSKYCI_PATH/.env | ||
| echo "export HUSKYCI_API_ALLOW_ORIGIN_CORS='\"*\"'" >> $HUSKYCI_PATH/.env | ||
| source $HUSKYCI_PATH/.env | ||
| ``` | ||
|
|
||
| This project exists thanks to all the [contributors]((https://github.com/globocom/huskyCI/graphs/contributors)). You rock! ❤️🚀 | ||
| 1. Build and run HuskyCI and MongoDB containers | ||
|
|
||
| Docker compose will start up mongodb and huskyCI and you can reach uskyCI API at `http://localhost:8888/`. | ||
|
|
||
| ``` | ||
| make compose-up | ||
| ``` | ||
|
|
||
| ## License | ||
|
|
||
| huskyCI is licensed under the [BSD 3-Clause "New" or "Revised" License](https://github.com/globocom/huskyCI/blob/master/LICENSE.md). | ||
|
|
||
| [Bandit]: https://github.com/PyCQA/bandit | ||
| [Safety]: https://github.com/pyupio/safety | ||
| [Brakeman]: https://github.com/presidentbeef/brakeman | ||
| [Gosec]: https://github.com/securego/gosec | ||
| [NpmAudit]: https://docs.npmjs.com/cli/audit | ||
| [YarnAudit]: https://yarnpkg.com/lang/en/docs/cli/audit/ | ||
| [Gitleaks]: https://github.com/zricethezav/gitleaks | ||
| [SpotBugs]: https://spotbugs.github.io | ||
| [FindSec]: https://find-sec-bugs.github.io | ||
| [TFSec]: https://github.com/liamg/tfsec |