Ecosyste.ms: Awesome
https://github.com/ozontech/dtrack-audit
OWASP Dependency Track API client for integration into CI/CD pipelines
- Host: GitHub
- URL: https://github.com/ozontech/dtrack-audit
- Owner: ozontech
- License: gpl-3.0
- Created: 2019-10-11T09:30:02.000Z (about 5 years ago)
- Default Branch: master
- Last Pushed: 2023-06-16T15:14:24.000Z (over 1 year ago)
- Last Synced: 2024-05-20T20:44:36.533Z (6 months ago)
- Topics: component-analysis, security, security-tools, software-composition-analysis
- Language: Go
- Homepage:
- Size: 3.46 MB
- Stars: 47
- Watchers: 12
- Forks: 14
- Open Issues: 11
Metadata Files:
- Readme: README.md
- License: COPYING
Awesome Lists containing this project
- awesome-frontend-security - `dtrack-audit` - OWASP Dependency Track API client for CI/CD. (Dependencies / Serializers)
README
# dtrack-audit
[OWASP Dependency Track](https://dependencytrack.org) API client for your security CI/CD pipeline. See [Dependency-Track docs: Continuous Integration & Delivery](https://docs.dependencytrack.org/usage/cicd/) for the use case.

## Install
### Local Installation
*Go 1.16+*

```bash
go install github.com/ozontech/dtrack-audit/cmd/dtrack-audit@latest
```

*Go version < 1.16*

```bash
go get github.com/ozontech/dtrack-audit/cmd/dtrack-audit
```

## Features
* Fully configurable via environment variables
* Async and sync modes. In async mode dtrack-audit only uploads the SBOM file to the Dependency-Track API and exits (what you could do with cURL, only more conveniently). In sync mode it uploads the SBOM, waits for the analysis to finish, prints the findings and exits with a non-zero code when findings at or above the configured severity are present, so the CI/CD job fails and developers have to pay attention to the findings
* You can filter the results. In sync mode the audit prints the findings and fails **if they include a vulnerability with a severity of the specified level or higher**. Severity levels, from highest to lowest: critical, high, medium, low, info, unassigned
* Auto creation of projects. With this feature you can configure the SCA step (with dtrack-audit) once, globally for your CI/CD, and it will create the Dependency-Track project itself, e.g. with a name taken from an environment variable such as `$CI_PROJECT_NAME`, so you don't need to configure it manually for each project
* Support for TeamCity CI output. Use the `-T` flag to enable JSON output, then activate the [Golang build feature](https://www.jetbrains.com/help/teamcity/golang.html) in TeamCity.

### Sample output
```bash
$ cyclonedx-bom -o bom.xml
$ dtrack-audit -s -g high
SBOM file is successfully uploaded to DTrack API. Result token is 12345f5e-4ccb-45fe-b8fd-1234a8bf0081
2 vulnerabilities found!
> HIGH: Arbitrary File Write
Component: adm-zip 0.4.7
More info: https://dtrack/vulnerability/?source=NPM&vulnId=994

> CRITICAL: Prototype Pollution
Component: handlebars 4.0.11
More info: https://dtrack/vulnerability/?source=NPM&vulnId=755
```
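The sync-mode severity gate and the report format shown above, as an added example in Go (the tool's language) that is not dtrack-audit's own code: it decodes a findings array in the shape returned by Dependency-Track's `/api/v1/finding/project/{uuid}` endpoint (field layout assumed from the Dependency-Track REST API; verify it against your server version), keeps the findings at or above a `-g`-style threshold, renders them like the sample output and returns the exit code the CI job should use. `sampleFindings` is constructed test data modelled on the sample above plus one medium finding that a `-g high` gate must drop; `https://dtrack` is the placeholder UI address from the sample. Uploading the SBOM and polling the result token are left out.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"strings"
)

// severityRank orders the levels the README lists for the -g flag:
// critical > high > medium > low > info > unassigned.
var severityRank = map[string]int{
	"CRITICAL": 5, "HIGH": 4, "MEDIUM": 3, "LOW": 2, "INFO": 1, "UNASSIGNED": 0,
}

// Finding holds the subset of a Dependency-Track finding this example uses.
// Field names follow the JSON of /api/v1/finding/project/{uuid} (assumed
// layout for this example; check it against your Dependency-Track version).
type Finding struct {
	Component struct {
		Name    string `json:"name"`
		Version string `json:"version"`
	} `json:"component"`
	Vulnerability struct {
		VulnID   string `json:"vulnId"`
		Source   string `json:"source"`
		Title    string `json:"title"`
		Severity string `json:"severity"`
	} `json:"vulnerability"`
}

// ParseFindings decodes the findings array returned by the API.
func ParseFindings(data []byte) ([]Finding, error) {
	var findings []Finding
	if err := json.Unmarshal(data, &findings); err != nil {
		return nil, fmt.Errorf("decode findings: %w", err)
	}
	return findings, nil
}

// FilterBySeverity keeps findings at the threshold level or higher. A severity
// string the table does not know is treated as UNASSIGNED, so it is reported
// only when the gate itself is set to "unassigned".
func FilterBySeverity(findings []Finding, threshold string) ([]Finding, error) {
	minRank, ok := severityRank[strings.ToUpper(threshold)]
	if !ok {
		return nil, fmt.Errorf("unknown severity level %q", threshold)
	}
	var kept []Finding
	for _, f := range findings {
		rank, known := severityRank[strings.ToUpper(f.Vulnerability.Severity)]
		if !known {
			rank = severityRank["UNASSIGNED"]
		}
		if rank >= minRank {
			kept = append(kept, f)
		}
	}
	return kept, nil
}

// Render formats findings the way the README's sample output does. baseURL is
// the Dependency-Track UI address ("https://dtrack" in the sample).
func Render(findings []Finding, baseURL string) string {
	var b strings.Builder
	fmt.Fprintf(&b, "%d vulnerabilities found!\n", len(findings))
	for i, f := range findings {
		if i > 0 {
			b.WriteString("\n")
		}
		v := f.Vulnerability
		fmt.Fprintf(&b, "> %s: %s\nComponent: %s %s\nMore info: %s/vulnerability/?source=%s&vulnId=%s\n",
			strings.ToUpper(v.Severity), v.Title, f.Component.Name, f.Component.Version,
			baseURL, v.Source, v.VulnID)
	}
	return b.String()
}

// Gate makes the sync-mode decision: exit code 1 when any finding reaches the
// threshold (fail the CI job), 0 when none does, 2 on a malformed response or
// an unknown threshold, plus the report text to print.
func Gate(data []byte, threshold, baseURL string) (int, string, error) {
	findings, err := ParseFindings(data)
	if err != nil {
		return 2, "", err
	}
	kept, err := FilterBySeverity(findings, threshold)
	if err != nil {
		return 2, "", err
	}
	code := 0
	if len(kept) > 0 {
		code = 1
	}
	return code, Render(kept, baseURL), nil
}

// sampleFindings is constructed test data modelled on the README sample plus a
// medium-severity finding on a made-up component that "-g high" should drop.
const sampleFindings = `[
  {"component":{"name":"adm-zip","version":"0.4.7"},
   "vulnerability":{"vulnId":"994","source":"NPM","title":"Arbitrary File Write","severity":"HIGH"}},
  {"component":{"name":"handlebars","version":"4.0.11"},
   "vulnerability":{"vulnId":"755","source":"NPM","title":"Prototype Pollution","severity":"CRITICAL"}},
  {"component":{"name":"example-lib","version":"1.2.3"},
   "vulnerability":{"vulnId":"1","source":"NPM","title":"Example Medium Finding","severity":"MEDIUM"}}
]`

func main() {
	code, report, err := Gate([]byte(sampleFindings), "high", "https://dtrack")
	if err != nil {
		fmt.Fprintln(os.Stderr, "audit failed:", err)
		os.Exit(2)
	}
	fmt.Print(report)
	os.Exit(code)
}
```

Run as-is it prints the two findings from the sample and exits 1, which is what breaks the CI job; with the threshold lowered to `medium` the constructed third finding is reported too. Note the choice to map a malformed or future severity string to the lowest rank rather than to an error: that keeps the gate deterministic, but it means such findings pass a `high` gate silently, so log them if your pipeline relies on the "info"/"unassigned" levels for triage.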