{"id":24938532,"url":"https://github.com/checkpointsw-community/sourceguard","last_synced_at":"2026-02-06T05:03:13.466Z","repository":{"id":240259777,"uuid":"260976579","full_name":"CheckPointSW-Community/SourceGuard","owner":"CheckPointSW-Community","description":"Very detailed how-to utilize SourceGuard","archived":false,"fork":false,"pushed_at":"2020-06-24T03:21:32.000Z","size":3783,"stargazers_count":3,"open_issues_count":1,"forks_count":1,"subscribers_count":3,"default_branch":"master","last_synced_at":"2025-07-18T06:17:49.172Z","etag":null,"topics":["cves","security-scanner"],"latest_commit_sha":null,"homepage":"","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/CheckPointSW-Community.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2020-05-03T16:49:23.000Z","updated_at":"2020-10-13T04:01:08.000Z","dependencies_parsed_at":"2024-05-17T16:55:01.828Z","dependency_job_id":null,"html_url":"https://github.com/CheckPointSW-Community/SourceGuard","commit_stats":null,"previous_names":["checkpointsw-community/sourceguard"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/CheckPointSW-Community/SourceGuard","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CheckPointSW-Community%2FSourceGuard","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CheckPointSW-Community%2FSourceGuard/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CheckPointSW-Community%2FSourceGuard/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/
hosts/GitHub/repositories/CheckPointSW-Community%2FSourceGuard/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/CheckPointSW-Community","download_url":"https://codeload.github.com/CheckPointSW-Community/SourceGuard/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CheckPointSW-Community%2FSourceGuard/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29151590,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-06T02:39:25.012Z","status":"ssl_error","status_checked_at":"2026-02-06T02:37:22.784Z","response_time":59,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cves","security-scanner"],"created_at":"2025-02-02T17:58:38.690Z","updated_at":"2026-02-06T05:03:13.442Z","avatar_url":"https://github.com/CheckPointSW-Community.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"# Check Point SourceGuard ![header image](sg-logo.png)\n## Check Point DevSecOps Source Code and Docker Container Image Scanner.\n\nWith the rapid adoption of devops for application build and runtime, workloads have evolved from infrastructure servers and virtual machines to code with containers and serverless.\nInfrastructure style security has to evolve as well to code centric security from application build 
to runtime by shifting security to the left and by becoming treated as code.\nDevOps is built around a CI/CD methodology with various stages, where all the stages are automated and interconnected as a pipeline from build to testing to deployment.\nIt is important to natively integrate security into the main stages of the CI/CD pipeline from BUILD to RUNTIME in order to allow application teams to develop apps securely at DevOps and cloud-native speed.\n\nThis is well illustrated by the 4Cs of Cloud Native Security as defined by the CNCF.\nThe 4Cs encompass Code, Container, Kubernetes (COE) and Cloud (hybrid, multi, private, on-prem) and depend on each other. Securing each element of the 4Cs is critical.\nhttps://kubernetes.io/docs/concepts/security/overview/\n\n   ![header image](https://github.com/dean-houari/Mastering-Kubernetes/blob/master/LAB/4c.png)\n\nThe first stage is when application developers upload source code to various branches of a versioned repository such as GitHub or Git. In order to ensure that the code is secure and free of potential sources of attack such as credentials\nand CVEs, it is important to perform source code scanning both statically and dynamically, known as SAST and DAST: effectively scanning when the code is ready and committed to a branch, and while it is being stored\nin a branch on a repo.\nWhen the code is ready to be compiled into an artifact such as a container, it is important to then scan the container image before it is tested and deployed.\nWe will be providing support for Docker. The way to create a container is with a Dockerfile, which defines the layers composed of container images, source code and commands used by the app container image.\nAs developers use container images such as busybox, node, nginx etc. 
from DockerHub, they may be including CVEs and critical malware.\nYou can find container training on my page on how to use Docker containers and create a Docker container image:\n\u003e https://github.com/chkp-dhouari/Mastering-Kubernetes/blob/master/Just-Enough-Containers.md\n\nThe SourceGuard scanner will provide SAST and DAST for source code and container images. This applies to Infrastructure as Code templates as well, like Terraform, Ansible or CFTs, since they are code.\nThere are many SAST and DAST scanners such as Clair and Anchore, but the true security value is in the ability to find CVEs and critical malware.\nSourceGuard will be using ThreatCloud on the backend to perform analysis using the MD5/SHA256 signatures of the content scanned.\nThreatCloud is the market-leading vulnerability and CVE DB that has been successfully used\non our endpoint security.\nThreatCloud will bring the best CVE and malware DB engine to our SAST and DAST security.\n\u003e https://community.checkpoint.com/t5/CheckMates-Nuggets/What-is-Threat-Cloud/td-p/47738\n\n# SourceGuard is NOW available for Beta testing on the Check Point Infinity portal.\n## IMPORTANT: While in Beta testing, we will allow up to 100Mb of source code scans per day and 2GB of container images per day.\n\n### SourceGuard Installation:\n\nPlease go to the Infinity portal at https://portal.checkpoint.com\nCreate an account by signing up to Infinity even if you are a Check Point employee.\n\n   ![header image](infinity8.png)\n\n   ![header image](account.png)\n\nThe default user space for Check Point employees is cp-all-demo, which CANNOT be used. Please switch to your registered account space under the building icon in the top menu bar.\n\n   ![header image](infinity6.png)\n\nPlease click on the SourceGuard service under the CONFIG tab on the left side menu, choose the Operating System of your choice (Windows, MacOS or Linux) and then click Download. 
The latest file is the recommended choice; please download it to your system in a directory of your choice.\nI would recommend creating a directory to store the file and where you can run all your scans.\n\n  ![header image](infinity5.png)\n\n### For source code scanning:\n\n\u003e sourceguard-cli -src \u003csource_code_directory\u003e\n\n### For Docker image scanning:\n#### Note: Installing Docker is not required for using SourceGuard on your system. ALL you need is a Docker image in .tar file format.\n\n\u003e sourceguard-cli -img \u003cdocker_image\u003e.tar\n\n#### In order to convert a Docker image into a .tar file, please do:\n\n\u003e docker save docker_image -o any_file_name.tar\n\n## MacOS Installation:\n\nPlease download and copy the sourceguard-cli file to a directory of your choice.\n\n### Make sourceguard-cli executable:\n\n\u003e chmod 750 sourceguard-cli\n\n```\ndean:Downloads dasig$ \ndean:Downloads dasig$ cp sourceguard-cli ~/sourceguard\ndean:Downloads dasig$ cd sourceguard \ndean:sourceguard dasig$ ls\nsourceguard-cli\ndean:sourceguard dasig$ chmod 750 sourceguard-cli   \ndean:sourceguard dasig$ ./sourceguard-cli\n05-04-2020 19:39:33.004 SourceGuard Started\nplease specify source code path or docker image tar path\ndean:sourceguard dasig$ ./sourceguard-cli -help\nUsage of ./sourceguard-cli:\n  -V\tprint version\n  -d\tdebug output flag\n  -img string\n    \tpath to docker image tar format\n  -j\tjson output flag\n  -src string\n    \tpath to source code directory\n  -t int\n    \ttimeout (default 600)\n  -x value\n    \texclusions: path to exclude from scanning .gitignore syntax\n```\n\nThe next step will be to create a token in order to associate the sourceguard-cli command utility with the Infinity portal, where it will display all scans performed and their results.\n\n  ![header image](token2.png)\n\nThen paste the generated token values at the command line:\n\n```\ndean:sourceguard dasig$ export SG_CLIENT_ID=..hidden output..\ndean:sourceguard 
dasig$ export SG_SECRET_KEY=..hidden output..\ndean:sourceguard dasig$ \n\n```\nPlease keep these token values safe.\n## YOU ARE NOW READY TO SCAN YOUR SOURCE CODE AND YOUR DOCKER CONTAINER IMAGES!\n\n### Run the SourceGuard CLI with ./ on MacOS:\n\n\u003e ./sourceguard-cli\n\nNote: in order to scan Docker container images, you will need to save the Docker images as a .tar file.\nIn the example below, I am scanning the official Palo Alto container image for Terraform/Ansible that I downloaded from Docker Hub:\n\n```\ndean:sourceguard dasig$ docker images\nREPOSITORY                           TAG                 IMAGE ID            CREATED             SIZE\nowasp/railsgoat                      latest              69f009ec9735        2 weeks ago         1.25GB\ntestwebserver                        latest              23802c78f6a2        2 months ago        939MB\nnode                                 latest              2a0d8959c8e1        2 months ago        939MB\nh1kkan/jenkins-docker                lts                 155fb6109564        6 months ago        1.41GB\nkubernetes-hugo                      latest              cb484dc1e163        8 months ago        213MB\nalpine                               latest              4d90542f0623        9 months ago        5.58MB\nf5devcentral/f5-demo-app             2.0.0               4a0258aa1752        10 months ago       58MB\narush/gateone                        http                0217951b392b        12 months ago       1.19GB\npaloaltonetworks/terraform_ansible   latest              ee1b39b7d2f2        13 months ago       499MB\narush/cka_lab                        latest              28ee82e1b525        22 months ago       20.4MB\nlucapalano/jenkins-newman            latest              7b076ab30c03        2 years ago         945MB\nvulnerables/web-owasp-railsgoat      latest              7e920996d870        2 years ago         719MB\ndean:sourceguard dasig$ \ndean:sourceguard dasig$ docker save 
paloaltonetworks/terraform_ansible -o palo.tar\ndean:sourceguard dasig$ \ndean:sourceguard dasig$ ls -l palo.tar\n-rw-------  1 dasig  staff  511048704 Apr  5 20:25 palo.tar\ndean:sourceguard dasig$ \ndean:sourceguard dasig$ \ndean:sourceguard dasig$ ./sourceguard-cli -img palo.tar\n05-04-2020 20:30:55.813 SourceGuard Started\n05-04-2020 20:30:57.357 Project name: terraform_ansible path: /var/folders/b4/dpgj60zj7854dsd2kdhbdhp80000gn/T/sourceGuard162328374\n05-04-2020 20:30:57.357 Scan id: 086a77ace5fcd665e185fa8483a18c2d866121ea8d7535bdaa99989d23c09427-cTfA8E\n05-04-2020 20:31:06.750 Scanning ...\n05-04-2020 20:32:49.848 Analyzing ...\n05-04-2020 20:33:51.766 Action: BLOCK\nContent Findings:\n\t- ID: .....\n\t  Name: \"aws_secret_access_key\"\n\t  Description: \"Possible AWS secret access key\"\n\t\t\n\t......\t\n```\n\n#### The results are displayed on the portal and CLI, and the image was flagged as BLOCK. The SourceGuard scan found many critical CVEs.\nThis illustrates the importance of scanning container images from any source on Docker Hub, and the ability of SourceGuard to successfully find critical issues with ThreatCloud.\n\n ![header image](docker2.png)\n\n#### In the case below, we scanned the Aquasec official Docker image for their Kubernetes vulnerability scanner, kube-hunter, and it came back as BLOCK with CVEs.\n\n ![header image](aquasec.png)\n\n## LINUX Installation:\n\nThe installation on Linux is pretty much the same as on MacOS: download the sourceguard-cli file to your Linux system or VM.\nYou can build Linux VMs automatically with VirtualBox, in a DevOps manner, with the Vagrant script I provided with my Mastering Kubernetes course. 
The Vagrant script will also install Docker; the installation steps are located at:\n\u003e https://github.com/chkp-dhouari/Mastering-Kubernetes/blob/master/Provision-the-Kubernetes-environment.md\n\n### Make the sourceguard-cli file executable with the chmod +x command:\n\n\u003e chmod +x sourceguard-cli\n\n### Then run sourceguard-cli:\n\n\u003e sourceguard-cli -src or -img\n\nor\n\n\u003e ./sourceguard-cli -src or -img\n\n## WINDOWS Installation:\n\nDownload the sourceguard-cli exe file to the sourceguard directory that you created, copy the tokens and then execute sourceguard-cli from the Windows command line tool.\n\n# SourceGuard Management and Tracking:\nAll the scans performed can be accessed under the Scans tab and are all catalogued under the Project tab.\nEach scan can be identified with a scan id, which is automatically generated when running the scan at the command line.\n\n   ![header image](infinity20.png)\n\n   ![header image](infinity11.png)\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcheckpointsw-community%2Fsourceguard","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcheckpointsw-community%2Fsourceguard","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcheckpointsw-community%2Fsourceguard/lists"}