ci-analysis-collector

Quantum's CI analysis collector utility is a wrapper for common security tools for normalizing results to rank and prioritize the remediation of vulnerabilities discovered in your applications and infrastructure.

This utility can be modified to be used with your own aggregation and analysis pipeline or used directly with the Quantum Security Platform.

Prerequisites

This utility requires Node.js and git. Additionally, you must install any tools you wish to use that are wrapped by this utility – each of which will have its own dependencies. Alternatively, Quantum supplies Docker containers for each of the officially supported tools.

Usage

Use npx to directly reference, install, and run this utility:

# npx <= 6
npx @quantum-sec/ci-analysis-collector [tool] [args]

# npx >= 7
npx --yes --package @quantum-sec/ci-analysis-collector \
  --call 'ci-analysis-collector [tool] [args]'

Where [tool] is the all lowercase name or "ID" of the tool (see the table of supported tools below) and where [args] are any of the following optional arguments:

Arguments

--path [path] – the path to source code being analyzed (default: "$PWD")
--soft-fail – when specified a zero exit code will be returned regardless of whether or not checks are failing (default: false)
--quiet – when specified, passing checks will be excluded from the printed output (default: false)
--log-level [LEVEL] – the log verbosity (one of error, warning, info, or debug) (default: info)
--webhook-url [URL] – the URL to which results will be PUT (defaults to the Quantum Platform webhook)

Environment Variables

QS_API_TOKEN – the API token associated with this analysis collection generated in the Quantum Security Console
QS_COLLECTOR_SOFT_FAIL – same as the --soft-fail argument above
QS_COLLECTOR_QUIET – same as the --quiet argument above
QS_COLLECTOR_WEBHOOK_URL – same as the --webhook-url argument above

Supported Tools

Tool	Analysis Type	Platforms / Languages	Container Runtime
checkov	SAST	Terraform CloudFormation ARM Templates Dockerfile Kubernetes	quantumsec/docker-pipeline-checkov
sonarqube	SAST, DAST	C / C++ / Objective-C C# Go Java JavaScript / TypeScript Kotlin PHP Python Ruby Scala Swift Visual Basic	quantumsec/docker-pipeline-sonarqube
trivy	SAST	Terraform Dockerfile Kubernetes	quantumsec/docker-pipeline-trivy
tfsec (Planned)	SAST	Terraform	quantumsec/docker-pipeline-tfsec
ZAP	SAST	HTTP	quantumsec/docker-pipeline-zap

Code of Conduct

Help us keep this project open and inclusive. Please read and follow our Code of Conduct.

License

This code is released under the Apache 2.0 License.

Name		Name	Last commit message	Last commit date
Latest commit History 59 Commits
.docs		.docs
.github		.github
.tools/jasmine		.tools/jasmine
src		src
.eslintignore		.eslintignore
.eslintrc		.eslintrc
.eslintrc.json		.eslintrc.json
.gitignore		.gitignore
.npmignore		.npmignore
.nycrc		.nycrc
.pre-commit-config.yaml		.pre-commit-config.yaml
.releaserc.json		.releaserc.json
Dockerfile		Dockerfile
LICENSE		LICENSE
README.md		README.md
azure-pipelines.yml		azure-pipelines.yml
jasmine.json		jasmine.json
package-lock.json		package-lock.json
package.json		package.json
tsconfig.json		tsconfig.json

License

quantum-sec/ci-analysis-collector

Folders and files

Latest commit

History

Repository files navigation

ci-analysis-collector

Prerequisites

Usage

Arguments

Environment Variables

Supported Tools

Code of Conduct

License

About

Topics

Resources

License

Code of conduct

Security policy

Stars

Watchers

Forks

Languages