https://github.com/righettod/toolbox-codescan

Customized toolbox to perform offline scanning of a code base.

# 💻 Code scan toolbox

[![Build and deploy the toolbox image](https://github.com/righettod/toolbox-codescan/actions/workflows/build_docker_image.yml/badge.svg?branch=main)](https://github.com/righettod/toolbox-codescan/actions/workflows/build_docker_image.yml) ![MadeWitVSCode](https://img.shields.io/static/v1?label=Made%20with&message=VisualStudio%20Code&color=blue&?style=for-the-badge&logo=visualstudio) ![MadeWithDocker](https://img.shields.io/static/v1?label=Made%20with&message=Docker&color=blue&?style=for-the-badge&logo=docker) ![AutomatedWith](https://img.shields.io/static/v1?label=Automated%20with&message=GitHub%20Actions&color=blue&?style=for-the-badge&logo=github)

## 🎯 Description

The goal of this image is to provide a ready-to-use toolbox to perform **offline scanning** of a code base.

💡 Scanning offline is meant to **prevent any disclosure** of the code base scanned.

## 📦 Build

💻 Use the following set of commands to build the docker image of the toolbox:

```bash
git clone https://github.com/righettod/toolbox-codescan.git
cd toolbox-codescan
docker build . -t righettod/toolbox-codescan
```

💡 The image is built every week and pushed to the GitHub container registry. You can retrieve it with the following command:

`docker pull ghcr.io/righettod/toolbox-codescan:main`

## πŸ‘¨β€πŸ’» Usage

>[!CAUTION]
> It is important to add the option `--network none` to prevent any IO.

💻 Use the following command to create a container of the toolbox:

```bash
# The host folder holding the code base (here C:/Temp) is mounted on /work inside the container
docker run --rm -v "C:/Temp:/work" --network none -it ghcr.io/righettod/toolbox-codescan:main
# From here, use one of the provided scripts...
```

## 📋 Scripts

> [!NOTE]
> 💡 [jq](https://jqlang.github.io/jq/) is installed and can be used to manipulate the result of a scan.

> [!NOTE]
> 💡 [regexploit](https://github.com/doyensec/regexploit) is installed and can be used to test whether a regular expression is exposed to [ReDoS](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS).

> [!TIP]
> 📦 All scripts are stored in the folder `/tools/scripts`, which is included in the `PATH` environment variable, so they can be called by name from any folder.

### Script 'scan-secrets.sh'

> [!IMPORTANT]
> This [custom configuration file](https://github.com/righettod/toolbox-pentest-web/blob/master/templates/gitleaks-custom-config.toml) is used to define detection expressions.

Script to scan the current folder using [GITLEAKS](https://github.com/gitleaks/gitleaks) to find secrets in source files and git files. The scan of git files is only performed if a folder `.git` is present.

🐜 Leaks will be stored in the files `leaks-gitfiles.json` and `leaks-sourcefiles.json`.

💡 This [script](https://github.com/righettod/toolbox-pentest-web/blob/master/scripts/generate-report-gitleaks.py) can be used to obtain an overview of the leaks identified and stored in the files `leaks-*.json`. It is imported as the file `/tools/scripts/report-secrets.py`.

💻 Usage & Example:

```bash
$ pwd
/work/sample

$ scan-secrets.sh
5:47PM INF scan completed in 78.1ms
5:47PM INF no leaks found
```

### Script 'scan-secrets-extended.sh'

Script to scan the current folder using a dictionary of **common secret variable names** ([source](https://gist.githubusercontent.com/EdOverflow/8bd2faad513626c413b8fc6e9d955669/raw/06a0ef0fd83920d513c65767aae258ecf8382bdf/gistfile1.txt)).

💡 The dictionary of common secret variable names referenced above is imported, as the file `/tools/secret-common-variable-names.txt`, at build time of the image.

💻 Usage & Example:

```bash
$ pwd
/work/sample

$ scan-secrets-extended.sh
./config/db.properties:50:DB_PASSWORD=Password2024
```
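As an added example (not the toolbox's own `scan-secrets-extended.sh`), the following Python shows the same dictionary-driven approach: a word list of variable names is compiled into one regex, every text file under a folder is checked line by line, and hits are reported in the `path:line:content` style shown above. `SAMPLE_NAMES` is a constructed stand-in for `/tools/secret-common-variable-names.txt`, and, unlike the raw grep output above, the assigned value is redacted in the report so the result can be shared without re-disclosing the secret.

```python
"""Dictionary-based secret scan (added example, not the toolbox's own script).

Assumed: a word list of common secret variable names, one per line, like
/tools/secret-common-variable-names.txt. A short constructed list is embedded
below so the example runs offline.
"""
import os
import re
from typing import Iterator, NamedTuple

# Constructed sample of the kind of names found in the word list (assumption).
SAMPLE_NAMES = """
DB_PASSWORD
API_KEY
SECRET_KEY
AWS_SECRET_ACCESS_KEY
PRIVATE_KEY
""".strip().splitlines()

# Folders that only add noise (VCS internals, dependencies, build output).
SKIP_DIRS = {".git", "node_modules", "target", "build"}


class Finding(NamedTuple):
    path: str
    line: int
    name: str      # the variable name that matched
    preview: str   # the source line with the assigned value redacted


def build_pattern(names):
    """Compile one regex matching `NAME = value` / `NAME: value` style lines.

    Names are sorted longest-first so AWS_SECRET_ACCESS_KEY wins over
    SECRET_KEY when both could match at the same spot; matching is
    case-insensitive and anchored on word boundaries to limit noise.
    """
    alternation = "|".join(re.escape(n) for n in sorted(names, key=len, reverse=True))
    return re.compile(
        r"\b(?P<name>" + alternation + r")\b\s*[:=]\s*(?P<value>\S+)",
        re.IGNORECASE,
    )


def redact(value: str, keep: int = 2) -> str:
    """Keep only a short prefix so the report does not re-disclose the value."""
    return value[:keep] + "*" * max(len(value) - keep, 0)


def scan_text(path: str, text: str, pattern) -> Iterator[Finding]:
    """Yield one Finding per matching assignment in `text` (already decoded)."""
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in pattern.finditer(line):
            preview = line[: m.start("value")] + redact(m.group("value")) + line[m.end("value"):]
            yield Finding(path, lineno, m.group("name"), preview.strip())


def scan_tree(root: str, pattern) -> list:
    """Walk a checkout, skipping VCS/build folders and files that are not text."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for fname in filenames:
            full = os.path.join(dirpath, fname)
            try:
                with open(full, "rb") as fh:
                    raw = fh.read()
            except OSError:
                continue
            if b"\x00" in raw:  # crude binary check: NUL bytes are not text
                continue
            rel = os.path.relpath(full, root)
            findings.extend(scan_text(rel, raw.decode("utf-8", "replace"), pattern))
    return findings


if __name__ == "__main__":
    # Stand-alone demo on a constructed mini checkout in a temporary folder.
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        os.makedirs(os.path.join(tmp, "config"))
        with open(os.path.join(tmp, "config", "db.properties"), "w") as fh:
            fh.write("DB_HOST=localhost\nDB_PASSWORD=Password2024\n")
        for f in scan_tree(tmp, build_pattern(SAMPLE_NAMES)):
            print(f"{f.path}:{f.line}:{f.preview}")
```

The word-boundary anchoring and longest-name-first ordering are what keep the output usable on a large code base: without them, `SECRET_KEY` matches inside every `AWS_SECRET_ACCESS_KEY` assignment and the report doubles up.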

### Script 'scan.sh'

Script to scan the current folder using a set of [SEMGREP rules](https://github.com/semgrep/semgrep-rules) with the [SEMGREP](https://semgrep.dev/) OSS version.

🐜 Findings will be stored in the file `findings.json`.

💡 This [script](https://github.com/righettod/toolbox-pentest-web/blob/master/scripts/generate-report-semgrep.py) can be used to obtain an overview of the findings identified and stored in the file `findings.json`. It is imported as the file `/tools/scripts/report.py`.

💻 Usage & Example:

```bash
$ pwd
/work/sample

$ scan.sh
Usage:
scan.sh [RULES_FOLDER_NAME]

Call example:
scan.sh java
scan.sh php
scan.sh json

See sub folders in '/tools/semgrep-rules'.

Findings will be stored in file 'findings.json'.

$ scan.sh java

┌────────────────┐
│ 1 Code Finding │
└────────────────┘

src/burp/ActivityLogger.java
❯❯❱ tools.semgrep-rules.java.lang.security.audit.formatted-sql-string
Detected a formatted string in a SQL statement. This could lead to SQL injection
if variables in the SQL statement are not properly sanitized. Use a prepared
statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement
using 'connection.prepareStatement'.

91┆ stmt.execute(SQL_TABLE_CREATE);
```

### Script 'online-scan-secrets.sh'

Script to scan a collection of online git repositories using [GITLEAKS](https://github.com/gitleaks/gitleaks) to find secrets in source files and git files.

💡 The script [scan-secrets.sh](scripts/scan-secrets.sh) is used to scan each git repository once it has been cloned.

💡 Use the script [online-scan-secrets-consolidate.py](scripts/online-scan-secrets-consolidate.py) to consolidate the generated data into a single file.

💻 Usage & Example:

```bash
$ online-scan-secrets.sh
Usage:
online-scan-secrets.sh [FILE_WITH_COLLECTION_OF_GIT_REPO_URLS]

Call example:
online-scan-secrets.sh repositories.txt

$ online-scan-secrets.sh repositories.txt
[*] Execution context:
List of git repositories URL : repositories.txt (1030 entries)
Data collection storage folder : /work/data-collected
[*] Start repositories checking and data collection...
...
```

### Script 'filters-secrets.py'

Script to filter a large leaks file that uses the [GITLEAKS](https://github.com/gitleaks/gitleaks) format, for example a file generated by the script [online-scan-secrets-consolidate.py](scripts/online-scan-secrets-consolidate.py).

💡 The output allows searching for specific kinds of secrets with **grep** and different regexes, for example `grep -B 4 -E 'ey[A-Za-z0-9]{15,}\.[A-Za-z0-9]{15,}\.[A-Za-z0-9_-]*' report.txt` to find JWT-like tokens.

💻 Usage:

```bash
$ filters-secrets.py leaks-consolidated.json
```
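The consolidation, filtering and grep steps described for `online-scan-secrets-consolidate.py` and `filters-secrets.py` above, as an added Python example that is not the toolbox's own code. It assumes the gitleaks v8 JSON report layout (a list of objects with `RuleID`, `File`, `StartLine`, `Secret`, `Commit` and `Entropy` keys); the two per-repository reports are constructed samples with fake values, and `JWT_LIKE` is the regex quoted above. Secrets are redacted in the rendered lines, so the report itself does not become a second copy of the leak.

```python
"""Consolidate and filter gitleaks JSON reports (added example; not the
toolbox's own online-scan-secrets-consolidate.py or filters-secrets.py).

Assumes the gitleaks v8 JSON report format. All sample values are fake.
"""
import json
import re
from collections import Counter

# Constructed sample: two leaks-sourcefiles.json reports keyed by the
# repository they came from (assumption: one report per cloned repository).
SAMPLE_REPORTS = {
    "repo-a": json.loads("""[
      {"RuleID": "generic-api-key", "File": "config/app.yml", "StartLine": 12,
       "Secret": "AKIACONSTRUCTEDSAMPLE", "Commit": "", "Entropy": 3.9},
      {"RuleID": "jwt", "File": "tests/fixture.txt", "StartLine": 3,
       "Secret": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIn0.abc",
       "Commit": "", "Entropy": 4.2}
    ]"""),
    "repo-b": json.loads("""[
      {"RuleID": "generic-api-key", "File": "src/main.py", "StartLine": 40,
       "Secret": "sk_test_constructed_value_0001", "Commit": "deadbeef", "Entropy": 4.0}
    ]"""),
}

# The regex from the README, used here as a filter on the Secret field.
JWT_LIKE = r"ey[A-Za-z0-9]{15,}\.[A-Za-z0-9]{15,}\.[A-Za-z0-9_-]*"


def consolidate(reports):
    """Flatten per-repository reports into one list, tagging every leak with
    its repository so the origin survives consolidation."""
    leaks = []
    for repo, findings in reports.items():
        for finding in findings:
            leaks.append({**finding, "Repository": repo})
    return leaks


def filter_leaks(leaks, rule_ids=None, secret_regex=None, min_entropy=None):
    """Keep leaks matching every given criterion (None means 'do not filter')."""
    pattern = re.compile(secret_regex) if secret_regex else None
    kept = []
    for leak in leaks:
        if rule_ids and leak.get("RuleID") not in rule_ids:
            continue
        if pattern and not pattern.search(leak.get("Secret", "")):
            continue
        if min_entropy is not None and leak.get("Entropy", 0.0) < min_entropy:
            continue
        kept.append(leak)
    return kept


def redact(secret, keep=4):
    """Keep a short prefix (enough to recognise the token type) and mask the rest."""
    return secret[:keep] + "*" * max(len(secret) - keep, 0)


def summarize(leaks):
    """Counts per rule and per repository, for a quick overview of a large file."""
    return {
        "by_rule": dict(Counter(leak["RuleID"] for leak in leaks)),
        "by_repository": dict(Counter(leak["Repository"] for leak in leaks)),
    }


def render(leaks):
    """One grep-friendly line per leak: repo:file:line rule redacted-secret."""
    ordered = sorted(leaks, key=lambda l: (l["Repository"], l["File"], l["StartLine"]))
    return [
        f"{l['Repository']}:{l['File']}:{l['StartLine']} {l['RuleID']} {redact(l['Secret'])}"
        for l in ordered
    ]


if __name__ == "__main__":
    all_leaks = consolidate(SAMPLE_REPORTS)
    print(json.dumps(summarize(all_leaks), indent=2))
    for line in render(filter_leaks(all_leaks, secret_regex=JWT_LIKE)):
        print(line)
```

Filtering on the structured `Secret` field rather than on a rendered text file is the design choice worth copying: the regex only ever sees the matched token, so there are no false hits on surrounding source lines, and the `Entropy` and `RuleID` fields stay available for combined filters (for example, only high-entropy `generic-api-key` hits).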
