Glue is distributed as a Docker image for ease of use. This has the advantage of coming with the tools already installed, configured and ready to go.
docker pull owasp/glue
This prints the built-in help and is one way to see the available options.
docker run --rm owasp/glue --help
This is the most basic starting point; it analyzes a predetermined codebase.
docker run --rm --name=Glue owasp/glue
Here is an example that runs against a GitHub repository.
docker run --rm --name=Glue owasp/glue https://github.com/YourOrg/YourProject.git
This example runs only the code analysis tools (-l code) and outputs JSON (-f json).
docker run --rm --name=Glue owasp/glue -l code -f json https://github.com/YourOrg/YourProject.git
Example:
docker run --rm --name=Glue owasp/glue -l code -f json https://github.com/Owasp/triage.git
Running against a local file system (the host directory is mounted into the container with -v and the path inside the container is passed to Glue):
docker run --rm --name=Glue -v /code/location:/tmp/directory owasp/glue -d -f json /tmp/directory/
Example:
docker run --rm --name=Glue -v /Users/mk/line/tmp/triage:/tmp/triage owasp/glue -l code -f json /tmp/triage/
Note that folder sharing on Windows and Mac is constrained by Docker volume sharing. To summarize for Mac: directories under the Users home directory are easy to share, but if you want to share a different directory you have to make it shared through VirtualBox or whatever virtualization layer hosts your Docker engine.
Glue supports running specific tools using the -t flag. For example, the following command runs only retire.js on the project.
docker run --rm --name=Glue -v /Users/mk/line/tmp/NodeGoat:/tmp/nodegoat owasp/glue:0.7 -t retirejs -f csv /tmp/nodegoat/
The tools include:
- brakeman
- bundler-audit
- retirejs
- nodesecurityproject
- eslint
- sfl (Sensitive file lookup - part of Glue)
Docker itself is a prerequisite: https://get.docker.com/
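The local-directory and single-tool invocations above, wrapped as an added example script that is not part of Glue: it checks the host path, mounts it read-only so the tools cannot modify the checkout, and passes the Glue selector flags (-l or -t) and output format through. The /tmp/scan mount path, the DOCKER_BIN override and the GLUE_* variables are this example's own assumptions.

```shell
#!/usr/bin/env bash
# Added example wrapper (not part of Glue): scan a local checkout with the owasp/glue image.
# Assumptions: docker is on PATH; /tmp/scan is our own choice of path inside the container.
set -euo pipefail

GLUE_IMAGE="${GLUE_IMAGE:-owasp/glue}"             # pin a tag (e.g. owasp/glue:0.7) for reproducible CI
GLUE_CONTAINER_NAME="${GLUE_CONTAINER_NAME:-Glue}" # give concurrent scans distinct names
DOCKER_BIN="${DOCKER_BIN:-docker}"                 # override (e.g. DOCKER_BIN=echo) to dry-run

# glue_scan HOST_DIR FORMAT [SELECTOR...]
#   HOST_DIR  directory on the host to analyze
#   FORMAT    Glue output format, e.g. json or csv
#   SELECTOR  optional Glue flags such as "-l code" or "-t retirejs"
# The host directory is mounted read-only so the analysis tools cannot modify the checkout.
glue_scan() {
  local host_dir="$1" fmt="$2"
  shift 2
  [ -d "$host_dir" ] || { echo "glue_scan: not a directory: $host_dir" >&2; return 2; }
  local abs_dir
  abs_dir="$(cd "$host_dir" && pwd)"   # docker -v requires an absolute host path
  local mount="/tmp/scan"
  "$DOCKER_BIN" run --rm --name="$GLUE_CONTAINER_NAME" \
    -v "$abs_dir:$mount:ro" "$GLUE_IMAGE" "$@" -f "$fmt" "$mount/"
}

# glue_scan_to_file HOST_DIR FORMAT OUT_FILE [SELECTOR...]
# Capture the report on the host, e.g. to archive it as a CI artifact.
glue_scan_to_file() {
  local host_dir="$1" fmt="$2" out="$3"
  shift 3
  glue_scan "$host_dir" "$fmt" "$@" > "$out"
}

# Usage, e.g. from a CI job:
#   glue_scan_to_file ./triage json glue-report.json -l code
#   glue_scan ./NodeGoat csv -t retirejs
```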
To run the code from the Docker image by hand, or to debug issues there, run the following:
docker run --name=Glue --rm -i -t --entrypoint=bash owasp/glue
Then, you will be in the root of the project. You can run the tool as though you were developing it.
For advanced usage scenarios, you can save your configuration and use it at runtime.