{"id":15083703,"url":"https://github.com/anteater/anteater","last_synced_at":"2025-10-05T14:31:37.007Z","repository":{"id":51151960,"uuid":"66079606","full_name":"anteater/anteater","owner":"anteater","description":"Anteater - CI/CD Gate Check Framework","archived":true,"fork":false,"pushed_at":"2023-05-22T21:34:24.000Z","size":53669,"stargazers_count":177,"open_issues_count":11,"forks_count":9,"subscribers_count":7,"default_branch":"master","last_synced_at":"2025-01-20T03:37:04.300Z","etag":null,"topics":["anteater","circleci","developer-tools","development-enviroment","devops","devops-tools","devsecops","gate","jenkins-pipeline","malware","regexp","scanning","security-audit","travis-ci","virus-total"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/anteater.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":"AUTHORS.rst","dei":null,"publiccode":null,"codemeta":null}},"created_at":"2016-08-19T12:05:02.000Z","updated_at":"2024-08-12T19:24:25.000Z","dependencies_parsed_at":"2024-11-16T00:15:39.627Z","dependency_job_id":null,"html_url":"https://github.com/anteater/anteater","commit_stats":{"total_commits":256,"total_committers":6,"mean_commits":"42.666666666666664","dds":0.4375,"last_synced_commit":"91f931ac421a5902ff4811b814b53906b1e6a9ab"},"previous_names":[],"tags_count":2,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/anteater%2Fanteater","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/anteater%2Fanteater/tags","releases_url":"https://rep
os.ecosyste.ms/api/v1/hosts/GitHub/repositories/anteater%2Fanteater/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/anteater%2Fanteater/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/anteater","download_url":"https://codeload.github.com/anteater/anteater/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":235405235,"owners_count":18984868,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["anteater","circleci","developer-tools","development-enviroment","devops","devops-tools","devsecops","gate","jenkins-pipeline","malware","regexp","scanning","security-audit","travis-ci","virus-total"],"created_at":"2024-09-25T06:31:34.593Z","updated_at":"2025-10-05T14:31:31.638Z","avatar_url":"https://github.com/anteater.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Anteater - CI/CD Gate Check Framework\n\n![anteater](http://i.imgur.com/BPvV3Gz.png)\n\n[![Build Status](https://travis-ci.org/anteater/anteater.svg?branch=master)](https://travis-ci.org/anteater/anteater)\n[![Documentation Status](https://readthedocs.org/projects/anteater/badge/?version=latest)](http://anteater.readthedocs.io/en/latest/?badge=latest)\n\nDescription\n-----------\n\nAnteater is an open framework to prevent the unwanted merging of nominated strings,\nfilenames, binaries, deprecated functions, staging environment code / credentials\netc. 
Anything that can be specified with regular expression syntax can be\nsniffed out by anteater.\n\nYou tell anteater exactly what you don't want to get merged, and anteater looks\nafter the rest.\n\nIf anteater finds something, it exits with a non-zero code which in turn fails\nthe build of your CI tool, with the idea that it would prevent a pull request\nmerging. Any false positives are easily negated by using the\nsame RegExp framework to cancel out the false match.\n\nEntire projects may also be scanned, using a recursive directory walk.\n\nWith a few simple steps it can be easily implemented into a CI / CD workflow\nwith tooling such as [Travis CI](https://travis-ci.org/), [CircleCI](https://circleci.com/), [Gitlab CI/CD](https://about.gitlab.com/features/gitlab-ci-cd/) and [Jenkins](https://jenkins.io/).\n\nIt is currently used in the Linux Foundation's project ['OPNFV'](https://opnfv.org)\nas a means to provide automated security checks at gate, but as shown in the\nexamples below, it can be used for other scenarios.\n\nAnteater also integrates with the Virus Total API, so any binaries,\npublic IP addresses or URLs found by anteater will be sent to the Virus Total\nAPI and a report will be returned. If any object is reported as malicious,\nit will fail the CI build job.\n\nExample content is provided for those unsure of what to start with, and it is\nencouraged and welcome to share any Anteater filter strings you find useful.\n\nWhy would I want to use this?\n-----------------------------\n\nAnteater has many uses, and can easily be bent to cover your own specific needs.\n\nFirst, as mentioned, it can be set up to block strings and files with a\npotential security impact or risk. 
This could include private keys, a shell\nhistory, AWS credentials etc.\n\nIt is especially useful at ensuring that elements used in a staging /\ndevelopment environment don't find their way into a production environment.\n\nLet's take a look at some examples:\n\n```\napprun:\n  regex: app\\.run\\s*\\(.*debug.*=.*True.*\\)\n  desc: \"Running flask in debug mode could potentially leak sensitive data\"\n```\n\nThe above will match code where a flask server is set to run in debug mode,\n``app.run(host='0.0.0.0', port=80, debug=True)``, which can be typical of a\ndeveloper's environment and mistakenly staged into production.\n\nFor a Rails app, this could be:\n\n``  regex: \\\u003c%=.*debug.*%\u003e``\n\nEven simpler, look for the following in most logging frameworks:\n\n``regex: log\\.debug``\n\nNeed to stop developers mistakenly adding a private key?\n\n```\n  private_key:\n    regex: -----BEGIN\\sRSA\\sPRIVATE\\sKEY----\n    desc: \"This looks like it could be a private key\"\n```\n\nHow about credential files that would cause a job loss if ever leaked into\nproduction? Anteater works with file names too.\n\nFor example:\n\n``jenkins\\.plugins\\.publish_over_ssh\\.BapSshPublisherPlugin\\.xml``\n\nOr even...\n\n```\n- \\.pypirc\n- \\.gem\\/credentials\n- aws_access_key_id\n- aws_secret_access_key\n- LocalSettings\\.php\n```\n\nIf your app has its own custom secrets / config file, then it's very easy to\nadd your own regular expressions. 
Everything is set using YAML formatting,\nso no need to change anteater's code.\n\nDeprecated functions, classes etc\n---------------------------------\n\nAnother use is for when a project deprecates an old function, yet developers\nmight still make pull requests using the old function naming:\n\n```\ndeprecated_function:\n  regex: deprecated_function\\(.*\\)\n  desc: This function was deprecated in release X, use Y function.\n```\n\nOr perhaps stopping people from using 1.x versions of a framework:\n\n``\u003cscript.src.*=\"https:\\/\\/ajax\\.googleapis\\.com\\/ajax\\/libs\\/angularjs\\/1.*\u003c\\/script\u003e``\n\nWhat if I get false positives?\n------------------------------\n\nEasy, you set a RegExp to stop the match, kind of like RegExp'ception.\n\nLet's say we want to stop use of MD5:\n\n```\nmd245:\n  regex: md[245]\n  desc: \"Insecure hashing algorithm\"\n```\n\nThis then incorrectly gets matched to the following:\n\n``mystring = int(amd500) * 4``\n\nWe set a specific ignore RegEx, so it matches and then is unmatched by the\nignore entry.\n\n``mystring.=.int\\(amd500\\).*``\n\nYet other instances of ``MD5`` continue to get flagged.\n\nBinaries\n--------\n\nWith anteater, if you pass the argument ``--binaries``, any binary found\ncauses a build failure on the originating pull request. 
It is not until a\nsha256 checksum is set within anteater's YAML ignore files that the build is\nallowed to pass.\n\nThis means you can block people from checking in compiled objects, images, PDFs\netc. that may have an unknown origin, or tampering with existing binary files.\n\nAn example:\n\n```\n$ anteater --binaries --project myproj --patchset /tmp/patch\nNon Whitelisted Binary file: /folder/to/repo/images/pal.png\nPlease submit patch with this hash: 3aeae9c71e82942e2f34341e9185b14b7cca9142d53f8724bb8e9531a73de8b2\n```\n\nLet's enter the hash:\n\n```\nbinaries:\n  images/pal.png:\n    - 3aeae9c71e82942e2f34341e9185b14b7cca9142d53f8724bb8e9531a73de8b2\n```\n\nRun the job again:\n\n```\n$ anteater --binaries --project myproj --patchset /tmp/patch\nFound matching file hash for: /folder/to/repo/images/pal.png\n```\n\nThis way we can be sure binaries have not been tampered with, by means of a\nmismatched cryptographic checksum.\n\nAny binaries not having a sha256 checksum will also be sent to the Virus Total\nAPI for scanning.\n\nVirus Total API\n---------------\n\nIf the following flags (combined or individually) ``--ips``, ``--urls``, ``--binaries``\nare used, anteater will perform a lookup to the Virus Total API.\n\nIP addresses will have their DNS history checked for any previous or present connection\nwith known blacklisted domains marked as malicious or containing malware.\n\nURLs will be checked for any previous or present connection with known blacklisted domains\nmarked as malicious or containing malware.\n\nAs mentioned, binaries will be sent to Virus Total and verified as clean / infected.\n\nFor more details and in-depth documentation, please visit [readthedocs](http://anteater.readthedocs.io/en/latest/)\n\nLast of all, if you do use anteater, I would love to know (Twitter: @decodebytes)\nand pull requests / issues are welcome!\n\nContribute\n----------\n\nContributions are welcome.\n\nPlease make a pull request in a new branch, and not 
master.\n\n```\ngit checkout -b mypatch\n```\n\n```\ngit push origin mypatch\n```\n\nUnit tests and PEP8 checks are in tox, so simply run the `tox` command before\npushing your code.\n\nIf your patch fixes an issue, please paste the issue URL into the commit\nmessage.\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fanteater%2Fanteater","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fanteater%2Fanteater","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fanteater%2Fanteater/lists"}