{"id":17925264,"url":"https://github.com/righettod/toolbox-codescan","last_synced_at":"2025-04-03T09:27:22.161Z","repository":{"id":240020193,"uuid":"801447660","full_name":"righettod/toolbox-codescan","owner":"righettod","description":"Customized toolbox to perform offline scanning of a code base.","archived":false,"fork":false,"pushed_at":"2024-05-22T18:01:28.000Z","size":55,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2024-05-22T18:01:40.513Z","etag":null,"topics":["sast","scan"],"latest_commit_sha":null,"homepage":"","language":"Shell","has_issues":false,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/righettod.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-05-16T08:49:06.000Z","updated_at":"2024-05-30T12:54:12.176Z","dependencies_parsed_at":"2024-05-30T12:54:11.404Z","dependency_job_id":"a9e9867e-bece-49d0-96a0-23edea1865ff","html_url":"https://github.com/righettod/toolbox-codescan","commit_stats":null,"previous_names":["righettod/toolbox-codescan"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/righettod%2Ftoolbox-codescan","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/righettod%2Ftoolbox-codescan/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/righettod%2Ftoolbox-codescan/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/righettod%2Ftoolbox-codescan/manifests","owner_url":"http
s://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/righettod","download_url":"https://codeload.github.com/righettod/toolbox-codescan/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":246973570,"owners_count":20862893,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["sast","scan"],"created_at":"2024-10-28T20:53:16.078Z","updated_at":"2025-04-03T09:27:22.143Z","avatar_url":"https://github.com/righettod.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# 💻 Code scan toolbox\n\n[![Build and deploy the toolbox image](https://github.com/righettod/toolbox-codescan/actions/workflows/build_docker_image.yml/badge.svg?branch=main)](https://github.com/righettod/toolbox-codescan/actions/workflows/build_docker_image.yml) ![MadeWitVSCode](https://img.shields.io/static/v1?label=Made%20with\u0026message=VisualStudio%20Code\u0026color=blue\u0026?style=for-the-badge\u0026logo=visualstudio) ![MadeWithDocker](https://img.shields.io/static/v1?label=Made%20with\u0026message=Docker\u0026color=blue\u0026?style=for-the-badge\u0026logo=docker) ![AutomatedWith](https://img.shields.io/static/v1?label=Automated%20with\u0026message=GitHub%20Actions\u0026color=blue\u0026?style=for-the-badge\u0026logo=github)\n\n## 🎯 Description\n\nThe goal of this image is to provide a ready-to-use toolbox to perform **offline scanning** of a code base.\n\n💡 The goal is to **prevent any disclosure** of the code base scanned: every scanner runs locally inside the container and nothing is sent to an external service.\n\n## 📦 Build\n\n💻 Use the following commands to build the docker image of the toolbox:\n\n```bash\ngit clone https://github.com/righettod/toolbox-codescan.git\ncd toolbox-codescan\ndocker build . -t righettod/toolbox-codescan\n```\n\n💡 The image is built every week and pushed to the GitHub Container Registry. You can retrieve it with the following command:\n\n`docker pull ghcr.io/righettod/toolbox-codescan:main`\n\n## 👨‍💻 Usage\n\n\u003e[!CAUTION]\n\u003e Always add the option `--network none`: it starts the container without any network interface, so neither the scanned code base nor the secrets found in it can leave the host, whatever a tool in the image does. The mounted volume is then the only way data gets in or out of the container.\n\n💻 Use the following command to create a container of the toolbox (here the host folder `C:/Temp` holding the code base is mounted as `/work`):\n\n```bash\ndocker run --rm -v \"C:/Temp:/work\" --network none -it ghcr.io/righettod/toolbox-codescan:main\n# From here, use one of the provided scripts...\n```\n\n## 📋 Scripts\n\n\u003e [!NOTE]\n\u003e 💡 [jq](https://jqlang.github.io/jq/) is installed and can be used to manipulate the result of a scan.\n\n\u003e [!NOTE]\n\u003e 💡 [regexploit](https://github.com/doyensec/regexploit) is installed and can be used to test whether a regular expression is exposed to [ReDoS](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS).\n\n\u003e [!TIP]\n\u003e 📦 All scripts are stored in the folder `/tools/scripts`, which is in the `PATH` environment variable, so they can be called by name from any folder.\n\n### Script 'scan-secrets.sh'\n\n\u003e [!IMPORTANT]\n\u003e This [custom configuration file](https://github.com/righettod/toolbox-pentest-web/blob/master/templates/gitleaks-custom-config.toml) is used to define the detection expressions.\n\nScript to scan the current folder using [GITLEAKS](https://github.com/gitleaks/gitleaks) to find secrets in source files and in the git history. The git history is only scanned if a `.git` folder is present.\n\n🐜 Leaks will be stored in the files `leaks-gitfiles.json` and `leaks-sourcefiles.json`.\n\n💡 This [script](https://github.com/righettod/toolbox-pentest-web/blob/master/scripts/generate-report-gitleaks.py) can be used to obtain an overview of the leaks identified and stored in the files `leaks-*.json`. It is included in the image as the file `/tools/scripts/report-secrets.py`.\n\n💻 Usage \u0026 Example:\n\n```bash\n$ pwd\n/work/sample\n\n$ scan-secrets.sh\n5:47PM INF scan completed in 78.1ms\n5:47PM INF no leaks found\n```\n\n### Script 'scan-secrets-extended.sh'\n\nScript to scan the current folder using a dictionary of **common secret variable names** ([source](https://gist.githubusercontent.com/EdOverflow/8bd2faad513626c413b8fc6e9d955669/raw/06a0ef0fd83920d513c65767aae258ecf8382bdf/gistfile1.txt)). It complements `scan-secrets.sh`: a value assigned to a variable named like `DB_PASSWORD` is reported because of the variable name, even when the value itself matches no GITLEAKS detection expression.\n\n💡 The dictionary of common secret variable names referenced above is copied into the image at build time as the file `/tools/secret-common-variable-names.txt`.\n\n💻 Usage \u0026 Example:\n\n```bash\n$ pwd\n/work/sample\n\n$ scan-secrets-extended.sh\n./config/db.properties:50:DB_PASSWORD=Password2024\n```\n\n### Script 'scan.sh'\n\nScript to scan the current folder using a set of [SEMGREP rules](https://github.com/semgrep/semgrep-rules) with the [SEMGREP](https://semgrep.dev/) OSS version. The rules folder to use is passed as argument (one sub folder per language in `/tools/semgrep-rules`).\n\n🐜 Findings will be stored in the file `findings.json`.\n\n💡 This [script](https://github.com/righettod/toolbox-pentest-web/blob/master/scripts/generate-report-semgrep.py) can be used to obtain an overview of the findings identified and stored in the file `findings.json`. It is included in the image as the file `/tools/scripts/report.py`.\n\n💻 Usage \u0026 Example:\n\n```bash\n$ pwd\n/work/sample\n\n$ scan.sh\nUsage:\n   scan.sh [RULES_FOLDER_NAME]\n\nCall example:\n    scan.sh java\n    scan.sh php\n    scan.sh json\n\nSee sub folders in '/tools/semgrep-rules'.\n\nFindings will be stored in file 'findings.json'.\n\n$ scan.sh java\n\n┌────────────────┐\n│ 1 Code Finding │\n└────────────────┘\n\n src/burp/ActivityLogger.java\n❯❯❱ tools.semgrep-rules.java.lang.security.audit.formatted-sql-string\n       Detected a formatted string in a SQL statement. This could lead to SQL injection\n       if variables in the SQL statement are not properly sanitized. Use a prepared\n       statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement\n       using 'connection.prepareStatement'.\n\n        91┆ stmt.execute(SQL_TABLE_CREATE);\n```\n\n### Script 'online-scan-secrets.sh'\n\nScript to scan a collection of online git repositories using [GITLEAKS](https://github.com/gitleaks/gitleaks) to find secrets in source files and in the git history. Unlike the other scripts, it needs network access to clone the repositories, so it cannot run in a container started with `--network none`.\n\n💡 The script [scan-secrets.sh](scripts/scan-secrets.sh) is used to scan each git repository once cloned.\n\n💡 Use the script [online-scan-secrets-consolidate.py](scripts/online-scan-secrets-consolidate.py) to consolidate the generated data into a single file.\n\n💻 Usage \u0026 Example:\n\n```bash\n$ online-scan-secrets.sh\nUsage:\n   online-scan-secrets.sh [FILE_WITH_COLLECTION_OF_GIT_REPO_URLS]\n\nCall example:\n    online-scan-secrets.sh repositories.txt\n\n$ online-scan-secrets.sh repositories.txt\n[*] Execution context:\nList of git repositories URL   : repositories.txt (1030 entries)\nData collection storage folder : /work/data-collected\n[*] Start repositories checking and data collection...\n...\n```\n\n### Script 'filters-secrets.py'\n\nScript to filter a large leaks file in the [GITLEAKS](https://github.com/gitleaks/gitleaks) JSON format, for example a file generated by the script [online-scan-secrets-consolidate.py](scripts/online-scan-secrets-consolidate.py).\n\n💡 The output allows searching for specific kinds of secrets with **grep** and different regexes. For example, the following command lists the findings that look like a JWT (three dot-separated segments, the first one starting with `ey`): `grep -B 4 -E 'ey[A-Za-z0-9]{15,}\\.[A-Za-z0-9]{15,}\\.[A-Za-z0-9_-]*' report.txt`.\n\n💻 Usage:\n\n```bash\n$ filters-secrets.py leaks-consolidated.json\n```\n\n## 🤝 Sources \u0026 credits\n\n* \u003chttps://github.com/semgrep/semgrep-rules\u003e\n* \u003chttps://semgrep.dev/docs/getting-started/quickstart-oss\u003e\n* \u003chttps://semgrep.dev/docs/ignore-oss\u003e\n* \u003chttps://gitleaks.io/\u003e\n* 
\u003chttps://github.com/doyensec/regexploit\u003e\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frighettod%2Ftoolbox-codescan","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Frighettod%2Ftoolbox-codescan","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frighettod%2Ftoolbox-codescan/lists"}
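The `filters-secrets.py` section of the README above describes filtering a large leaks file in the GITLEAKS JSON format and grepping the result for JWT-shaped strings. The following Python script is an added example and not code from the toolbox-codescan project: it loads a gitleaks JSON report, drops duplicate findings (the same leak is reported twice when it sits in both the working tree and the git history), keeps only findings that match a rule name or the page's JWT regex, and prints them with the secret masked so the filtered report does not itself become a new leak. The field names `RuleID`, `File`, `StartLine`, `Secret` and `Fingerprint` are assumed from the gitleaks v8 JSON report layout, and the embedded sample report is constructed with fake values.

```python
"""Filter a gitleaks-format JSON report and search it for JWT-shaped secrets.

Added example, not part of toolbox-codescan. Assumptions:
  * the report is a JSON array of findings as written by `gitleaks detect --report-format json`,
    with the field names RuleID, File, StartLine, Secret and Fingerprint (gitleaks v8 layout);
  * the JWT regex is the one quoted on the page for use with grep.
"""
import json
import re
import sys
from collections import defaultdict

# Regex quoted on the page: three dot-separated segments, the first one starting with "ey".
JWT_REGEX = re.compile(r"ey[A-Za-z0-9]{15,}\.[A-Za-z0-9]{15,}\.[A-Za-z0-9_-]*")

# Constructed sample report in the gitleaks JSON layout (all values are fake).
SAMPLE_REPORT = json.dumps([
    {"RuleID": "jwt", "File": "src/config.js", "StartLine": 12,
     "Secret": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIn0.abc-def_GHI",
     "Fingerprint": "deadbeef:src/config.js:jwt:12"},
    {"RuleID": "generic-api-key", "File": "config/db.properties", "StartLine": 50,
     "Secret": "Password2024",
     "Fingerprint": "deadbeef:config/db.properties:generic-api-key:50"},
    # Same leak reported a second time (identical fingerprint), as happens when a
    # secret is found both by the source-file scan and by the git-history scan.
    {"RuleID": "jwt", "File": "src/config.js", "StartLine": 12,
     "Secret": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIn0.abc-def_GHI",
     "Fingerprint": "deadbeef:src/config.js:jwt:12"},
])


def load_findings(report_text):
    """Parse a gitleaks JSON report; gitleaks writes an empty array when nothing is found."""
    data = json.loads(report_text)
    if not isinstance(data, list):
        raise ValueError("expected a JSON array of gitleaks findings")
    return data


def dedupe(findings):
    """Drop repeated findings; the Fingerprint identifies one leak at one location."""
    seen, unique = set(), []
    for finding in findings:
        key = finding.get("Fingerprint") or (
            finding.get("File"), finding.get("StartLine"), finding.get("Secret"))
        if key in seen:
            continue
        seen.add(key)
        unique.append(finding)
    return unique


def mask(secret, keep=4):
    """Keep a short prefix only, so the filtered report can be shared without re-leaking the value."""
    if len(secret) <= keep:
        return "*" * len(secret)
    return secret[:keep] + "*" * (len(secret) - keep)


def filter_findings(findings, rule_ids=None, pattern=None):
    """Keep findings whose RuleID is in rule_ids (if given) and whose Secret matches pattern (if given)."""
    selected = []
    for finding in findings:
        if rule_ids and finding.get("RuleID") not in rule_ids:
            continue
        if pattern and not pattern.search(finding.get("Secret", "")):
            continue
        selected.append(finding)
    return selected


def summarize(findings):
    """Count findings per rule, the kind of overview the report-*.py scripts on the page give."""
    counts = defaultdict(int)
    for finding in findings:
        counts[finding.get("RuleID", "?")] += 1
    return dict(counts)


def render(findings):
    """One line per finding: rule, location and masked secret."""
    return [f"{f['RuleID']}\t{f['File']}:{f['StartLine']}\t{mask(f['Secret'])}" for f in findings]


if __name__ == "__main__":
    # Usage: python filter_report.py leaks-consolidated.json (falls back to the sample report).
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_REPORT
    unique = dedupe(load_findings(text))
    print(f"{len(unique)} unique finding(s) per rule: {summarize(unique)}")
    for line in render(filter_findings(unique, pattern=JWT_REGEX)):
        print("JWT-shaped:", line)
```

Masking is the point to keep: the consolidated leaks file of a large online scan is itself sensitive, and a filtered extract that still carries full secrets is just a smaller copy of it.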