Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/HXSecurity/DongTai
Dongtai IAST is an open-source Interactive Application Security Testing (IAST) tool that enables real-time detection of common vulnerabilities in Java applications and third-party components through passive instrumentation. It is particularly suitable for use in the testing phase of the development pipeline.
https://github.com/HXSecurity/DongTai
Last synced: 3 months ago
JSON representation
Dongtai IAST is an open-source Interactive Application Security Testing (IAST) tool that enables real-time detection of common vulnerabilities in Java applications and third-party components through passive instrumentation. It is particularly suitable for use in the testing phase of the development pipeline.
- Host: GitHub
- URL: https://github.com/HXSecurity/DongTai
- Owner: HXSecurity
- License: apache-2.0
- Created: 2021-03-22T04:08:18.000Z (over 3 years ago)
- Default Branch: develop
- Last Pushed: 2024-02-21T19:44:47.000Z (9 months ago)
- Last Synced: 2024-03-06T04:39:21.710Z (8 months ago)
- Language: Python
- Homepage: https://dongtai.io
- Size: 59.4 MB
- Stars: 1,179
- Watchers: 11
- Forks: 137
- Open Issues: 38
-
Metadata Files:
- Readme: README-zh.md
- Changelog: CHANGELOG.md
- Contributing: CONTRIBUTING.md
- License: LICENSE.txt
- Code of conduct: .github/CODE_OF_CONDUCT.md
- Security: SECURITY.md
Awesome Lists containing this project
- awesome-hacking-lists - HXSecurity/DongTai - Dongtai IAST is an open-source Interactive Application Security Testing (IAST) tool that enables real-time detection of common vulnerabilities in Java applications and third-party components through p (Python)
README
# DongTai
[](https://www.djangoproject.com/)
[](https://github.com/HXSecurity/DongTai-agent-java/blob/main/LICENSE)
[](https://github.com/HXSecurity/DongTai/releases)
[](https://github.com/HXSecurity/DongTai-webapi/releases)
[](https://github.com/HXSecurity/DongTai-openapi/releases)
[](https://github.com/HXSecurity/DongTai-engine/releases)
[](https://github.com/HXSecurity/DongTai-web/releases)
[](https://github.com/HXSecurity/DongTai-agent-java/releases)
[](https://github.com/HXSecurity/DongTai-agent-python/releases)
[English](README.md)
## DongTai是什么?
洞态IAST是一款开源的交互式安全测试(IAST)产品,可通过被动插桩模式实现JAVA应用的通用漏洞及第三方组件漏洞的实时检测,非常适合在开发流水线的测试阶段使用。
## 项目结构
```
.
├── deploy
├── dongtai_common 各个服务调用的常用函数和类
├── dongtai_conf 配置文件
├── dongtai_engine 漏洞检测与漏洞处理部分
├── dongtai_protocol dongtai-server和agent交互的协议
├── dongtai_web 与web交互的api
├── static 静态文件
└── test 测试用例
```
## 技术架构
"火线-洞态IAST"具有多个基础服务,包括:`DongTai-web`、`DongTai`、 `agent`、`DongTai-Base-Image`、`DongTai-Plugin-IDEA`,其中:
- `DongTai-web`是DongTai的产品页面,用于处理用户与洞态的交互
- `DongTai>>dongtai_web`负责处理用户的相关操作的API
- `DongTai>>dongtai_protocol`用于处理`agent`上报的注册/心跳/调用方法/第三方组件/错误日志等数据,下发hook策略,下发探针控制指令等
- `DongTai>>dongtai_engine` 根据调用方法数据和污点跟踪算法分析HTTP/HTTPS/RPC请求中是否存在漏洞,同时负责其它相关的定时任务
- `agent`是DongTai的探针模块,包含不同编程语言的数据采集端,用于采集应用运行时的数据并上报至`DongTai-OpenAPI`服务
- `DongTai-Base-Image`包含洞态运行时依赖的基础服务,包括:MySql、Redis
- `DongTai-Plugin-IDEA`是Java探针对应的IDEA插件,可通过插件直接运行Java探针,直接在IDEA中检测漏洞
## 应用场景
"火线-洞态IAST"的应用场景包括但不限于:
- 嵌入`DevSecOps`流程,实现应用漏洞的自动化检测/第三方组件梳理/第三方组件漏洞检测
- 针对开源软件/开源组件进行通用漏洞挖掘
- 上线前安全测试等
## 快速开始
`洞态IAST`支持**SaaS服务**和**本地化部署**,本地化部署的详细部署方案见[**部署文档**](./deploy)
### 1. SaaS版本
- 登录[洞态IAST](https://iast.io)系统
- 根据[在线文档](https://doc.dongtai.io/docs/category/%E5%BF%AB%E9%80%9F%E5%BC%80%E5%A7%8B/)进行快速体验
### 2. 本地化部署版本
**洞态IAST**支持多种部署方案,可通过[部署文档](./deploy)了解部署方案详情,方案如下:
- 单机版部署
- [x] [docker-compose部署](./deploy/docker-compose)
- [ ] docker部署方案 - 待更新
- 集群版部署
- [x] [Kubernetes集群部署](./deploy/kubernetes)
#### docker-compose部署
```shell script
git clone [email protected]:HXSecurity/DongTai.git
cd DongTai
chmod u+x build_with_docker_compose.sh
./build_with_docker_compose.sh
```
## 贡献
欢迎并非常感谢您的贡献, 请参阅[contribution.md](https://github.com/HXSecurity/DongTai/blob/main/CONTRIBUTING.md)了解如何向项目贡献
## 文档
- [官方文档](https://doc.dongtai.io)
- [官方网站](https://dongtai.io)
## Stats
