Home
OWASP Glue is intended to be the glue that pulls security tools together and produces consistent results. It is meant for integrating different tools so that security checks can be built into CI/CD.
The basic idea is that Glue is broken into 5 major pieces, all of which can be controlled via the CLI.
The idea behind mounters is that you may have to pull source code from git, read a local file, process a zip or tar archive, or even an AMI. Mounters abstract that detail away from the subsequent processing stages.
Certain things make sense to do at the file system level. For Glue, these are running antivirus (ClamAV) and file integrity monitoring (FIM, via hashdeep).
The next stage is the set of tools that process source code: for example brakeman, bundler-audit, and owasp-dependency-check.
The next stage is for running unit tests, scanning with ZAP, or otherwise analyzing a live site.
The filters give us a place to reduce the results back down or eliminate known noisy findings. One example of a filter is consolidating ZAP x-frame-options findings into one finding per scan instead of one per page. Another is not creating new JIRA tickets for items already reported to JIRA.
The reporters take the findings and write them out in the specified format; text, CSV and JIRA are common choices.
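The two filters described above (consolidating per-page ZAP findings into one per scan, and skipping items already reported to JIRA) and a CSV reporter are illustrated together in the following Ruby example. It is added here and is not Glue's own code or API: the `Finding` struct, the `consolidate`, `drop_already_reported`, `report_csv` and `run_pipeline` functions, the fingerprint scheme (task plus description, deliberately ignoring the per-page source) and the sample findings are all constructed for this illustration. The set of already-reported fingerprints stands in for whatever a real JIRA lookup would return.

```ruby
require 'csv'
require 'digest'

# Minimal finding record, constructed for this example (not Glue's own class).
Finding = Struct.new(:task, :severity, :description, :detail, :source, keyword_init: true) do
  # De-duplication key: task + description. The per-page source is left out on
  # purpose so that the same header finding on many pages collapses to one.
  def fingerprint
    Digest::SHA256.hexdigest("#{task}|#{description}")[0, 16]
  end
end

# Filter 1: collapse repeated findings from the listed tasks into one per scan,
# annotating the survivor with how many locations it was observed at.
def consolidate(findings, tasks: ["ZAP"])
  kept = []
  counts = Hash.new(0)
  seen = {}
  findings.each do |f|
    unless tasks.include?(f.task)
      kept << f            # findings from other tasks pass through untouched
      next
    end
    fp = f.fingerprint
    counts[fp] += 1
    next if seen.key?(fp)  # already kept one representative of this finding
    seen[fp] = true
    kept << f
  end
  kept.map do |f|
    n = counts[f.fingerprint]
    n > 1 ? Finding.new(**f.to_h.merge(detail: "#{f.detail} (seen at #{n} locations)")) : f
  end
end

# Filter 2: drop findings whose fingerprint is already tracked in the issue
# tracker. `reported_fingerprints` is a hypothetical stand-in for a JIRA query.
def drop_already_reported(findings, reported_fingerprints)
  known = reported_fingerprints.to_a
  findings.reject { |f| known.include?(f.fingerprint) }
end

# Reporter: emit the surviving findings as CSV text.
def report_csv(findings)
  CSV.generate do |csv|
    csv << %w[task severity description detail source]
    findings.each { |f| csv << [f.task, f.severity, f.description, f.detail, f.source] }
  end
end

# Run filters in order, then the reporter.
def run_pipeline(findings, reported_fingerprints)
  filtered = drop_already_reported(consolidate(findings), reported_fingerprints)
  { findings: filtered, csv: report_csv(filtered) }
end

# Constructed sample findings: three ZAP hits for the same header on different
# pages, plus one code finding and one dependency finding.
SAMPLE_FINDINGS = [
  Finding.new(task: "ZAP", severity: 2, description: "X-Frame-Options header missing",
              detail: "Anti-clickjacking header not set", source: "https://example.test/"),
  Finding.new(task: "ZAP", severity: 2, description: "X-Frame-Options header missing",
              detail: "Anti-clickjacking header not set", source: "https://example.test/login"),
  Finding.new(task: "ZAP", severity: 2, description: "X-Frame-Options header missing",
              detail: "Anti-clickjacking header not set", source: "https://example.test/about"),
  Finding.new(task: "Brakeman", severity: 3, description: "SQL Injection",
              detail: "Possible SQL injection in UsersController#show",
              source: "app/controllers/users_controller.rb:12"),
  Finding.new(task: "BundlerAudit", severity: 3, description: "Vulnerable gem: rails",
              detail: "ADVISORY-PLACEHOLDER", source: "Gemfile.lock"),
].freeze

if __FILE__ == $PROGRAM_NAME
  # Pretend the dependency finding already has a ticket.
  already_in_jira = [SAMPLE_FINDINGS.last.fingerprint]
  puts run_pipeline(SAMPLE_FINDINGS, already_in_jira)[:csv]
end
```

Running the script prints a three-line CSV: the header, one consolidated ZAP row marked as seen at 3 locations, and the Brakeman row; the dependency finding is dropped because its fingerprint is in the already-reported set. Because the fingerprint ignores the source location, a finding that moves to a different page or line is still recognised as already reported, which is the behaviour you want for ticket de-duplication but worth keeping in mind if a filter should instead track each location separately.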