The goal of this image is to provide a ready-to-use toolbox to perform offline scanning of a code base.
💡 The goal is to prevent any disclosure of the code base scanned.
💻 Use the following set of command to build the docker image of the toolbox:
git clone https://github.com/righettod/toolbox-codescan.git
cd toolbox-codescan
docker build . -t righettod/toolbox-codescan💡 The image is build every week and pushed to the GitHub image repository. You can retrieve it with the following command:
docker pull ghcr.io/righettod/toolbox-codescan:main
Caution
It is important to add the option --network none to prevent any IO.
💻 Use the following command to create a container of the toolbox:
docker run --rm -v "C:/Temp:/work" --network none -it ghcr.io/righettod/toolbox-codescan:main
# From here, use one of the provided script...Note
💡 jq is installed and can be used to manipulate the result of a scan.
Note
💡 regexploit is installed and can be used to test exposure of a regular expression to ReDOS.
Tip
📦 All scripts are stored in the folder /tools/scripts but they are referenced into the PATH environment variable.
Important
This custom configuration file is used to define detection expressions.
Script to scan the current folder using GITLEAKS to find secrets into source files and git files. Git files scanning is only performed if a folder .git is present.
🐜 Leaks will be stored in files leaks-gitfiles.json and leaks-sourcefiles.json.
💡 This script can be used to obtains an overview of the leaks identified and stored into the files leaks-*.json. It is imported as the file /tools/scripts/report-secrets.py.
💻 Usage & Example:
$ pwd
/work/sample
$ scan-secrets.sh
5:47PM INF scan completed in 78.1ms
5:47PM INF no leaks foundScript to scan the current folder using a dictionary of secret common variables names (source).
💡 The dictionary of secret common variables names referenced above is imported, as the file /tools/secret-common-variable-names.txt, during the build time of the image.
💻 Usage & Example:
$ pwd
/work/sample
$ scan-secrets-extended.sh
./config/db.properties:50:DB_PASSWORD=Password2024Script to scan the current folder using a set of SEMGREP rules with SEMGREP OSS version.
🐜 Findings will be stored in file findings.json.
💡 This script can be used to obtains an overview of the findings identified and stored into the file findings.json. It is imported as the file /tools/scripts/report.py.
💻 Usage & Example:
$ pwd
/work/sample
$ scan.sh
Usage:
scan.sh [RULES_FOLDER_NAME]
Call example:
scan.sh java
scan.sh php
scan.sh json
See sub folders in '/tools/semgrep-rules'.
Findings will be stored in file 'findings.json'.
$ scan.sh java
┌────────────────┐
│ 1 Code Finding │
└────────────────┘
src/burp/ActivityLogger.java
❯❯❱ tools.semgrep-rules.java.lang.security.audit.formatted-sql-string
Detected a formatted string in a SQL statement. This could lead to SQL injection
if variables in the SQL statement are not properly sanitized. Use a prepared
statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement
using 'connection.prepareStatement'.
91┆ stmt.execute(SQL_TABLE_CREATE);