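SHELL := /bin/bash
# Fail a recipe line when any command in a pipeline fails (the trufflehog
# recipe pipes docker output through tee and jq, which would otherwise hide a
# failed scan behind jq's exit status).
.SHELLFLAGS := -eu -o pipefail -c
# Every target in this file is a command, not a file it produces; declare them
# phony so a stray file with the same name (e.g. "sast") cannot silently
# satisfy the rule.
.PHONY: container_scanning audit_grype audit_trivy_prepare audit_trivy \
        sast audit_slscan audit_sonar \
        secret_detection audit_trufflehog audi_shhgit_prepare audit_shhgit
# VARIABLES
# No quotes around defaults: quotes become part of the value and then double
# up wherever a recipe quotes "$(VAR)" again.
RESULTS_FOLDER ?= results/
## container scanning
# Path to the grype binary. The recipes only ever referenced $(GRYPE); it is
# presumably defined by an including Makefile, so this default is only used
# when it is not set anywhere else.
GRYPE ?= grype
REGISTRY ?= docker.io
IMAGE_NAME ?= alpine
IMAGE_TAG ?= latest
## sast
# SONAR_URL ?= https://sonarcloud.io # URL for Sonar(Cloud|Qube)
## secret detection
TRUFFLEHOG_ENTROPY ?= False
TRUFFLEHOG_REPORT ?= trufflehog_report.json
SHHGIT_CONFIG_FILE ?= config.yaml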
# CONTAINER SCANNING
## Run both image scanners (grype and trivy) against
## $(REGISTRY)/$(IMAGE_NAME):$(IMAGE_TAG). The two audits are independent.
container_scanning: audit_grype audit_trivy
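## Scan $(REGISTRY)/$(IMAGE_NAME):$(IMAGE_TAG) with grype.
# $(GRYPE) is not defined in this file (presumably an including Makefile sets
# it); if it expands to empty the image reference itself would be executed as
# a command, so fail with a clear message instead.
audit_grype:
	@test -n "$(GRYPE)" || { echo "GRYPE is not set: point it at the grype binary" >&2; exit 1; }
	$(GRYPE) "$(REGISTRY)/$(IMAGE_NAME):$(IMAGE_TAG)"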
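## Clear trivy's local cache under $(HOME)/.cache before a scan.
# Only the cache directory is needed for --clear-cache, so the Docker socket
# is deliberately not mounted into this container (least privilege: a socket
# mount is daemon-level, effectively root, access to the host).
audit_trivy_prepare:
	docker run \
	  --rm \
	  -v "$(HOME)/.cache:/root/.cache/" \
	  aquasec/trivy --clear-cache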
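## Scan $(REGISTRY)/$(IMAGE_NAME):$(IMAGE_TAG) with trivy, reusing the host cache.
# The Docker socket mount lets trivy use the local daemon; it also grants the
# container daemon-level (effectively root) access to the host, so run this
# target only on runners you control. aquasec/trivy is pulled by floating tag,
# so the scanner version is whatever the registry serves at run time.
# Path expansions are quoted so a $(HOME) or image reference containing
# whitespace cannot split into extra arguments.
audit_trivy: audit_trivy_prepare
	docker run \
	  --rm \
	  -v /var/run/docker.sock:/var/run/docker.sock \
	  -v "$(HOME)/.cache:/root/.cache/" \
	  aquasec/trivy \
	  "$(REGISTRY)/$(IMAGE_NAME):$(IMAGE_TAG)"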
# SAST
## Static analysis entry point. Only the shiftleft scan is wired in here;
## audit_sonar is a separate target because it needs SONAR_LOGIN/SONAR_URL.
sast: audit_slscan
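## Run shiftleft/sast-scan with the rules from ./tests/sast_rules.json.
# The rules file is staged as $(RESULTS_FOLDER)/.sastscanrc for the duration
# of the scan and removed afterwards. The results folder is created first
# (cp would otherwise fail on a fresh checkout) and is bind-mounted by
# absolute path, because docker treats a relative -v source as a volume name.
# NOTE(review): the container scans /app, which is the results folder rather
# than the repository root — confirm that is the intended scan target.
# If docker fails, the trailing rm does not run and .sastscanrc is left behind.
audit_slscan:
	mkdir -p -- "$(RESULTS_FOLDER)"
	cp -- "./tests/sast_rules.json" "$(RESULTS_FOLDER)/.sastscanrc"
	docker run --rm -e "WORKSPACE=$(RESULTS_FOLDER)" \
	  -v "$(abspath $(RESULTS_FOLDER)):/app" shiftleft/sast-scan scan \
	  --type credscan,depscan,ansible,aws,bash,go,groovy,python,kubernetes,serverless,terraform,vf,vm,yaml \
	  --out_dir /app/reports --mode deploy
	rm -- "$(RESULTS_FOLDER)/.sastscanrc"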
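## Run sonar-scanner against the current directory.
# SONAR_URL may carry its own scheme (e.g. https://sonarcloud.io); a bare host
# is prefixed with https:// so the SONAR_LOGIN token is not sent in clear text
# by default. For a plain-HTTP SonarQube pass SONAR_URL=http://host explicitly.
# Both variables are checked up front so a missing token fails fast instead of
# producing an opaque scanner error. The docker line is silenced with @ so the
# token is not echoed into the build log (it is still visible to anyone who can
# inspect the container's environment).
audit_sonar:
	@test -n "$(SONAR_URL)"   || { echo "SONAR_URL is not set" >&2; exit 1; }
	@test -n "$(SONAR_LOGIN)" || { echo "SONAR_LOGIN is not set" >&2; exit 1; }
	@docker run \
	  --rm \
	  -e SONAR_LOGIN="$(SONAR_LOGIN)" \
	  -e SONAR_HOST_URL="$(if $(filter http://% https://%,$(SONAR_URL)),$(SONAR_URL),https://$(SONAR_URL))" \
	  -v "$(CURDIR):/usr/src" \
	  -v "$(HOME)/.sonar/cache:/opt/sonar-scanner/.sonar/cache" \
	  sonarsource/sonar-scanner-cli -Dsonar.verbose=true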
# SECRET DETECTION
## Run both secret scanners (trufflehog and shhgit) over the working tree.
secret_detection: audit_trufflehog audit_shhgit
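## Run trufflehog over the working tree.
# The JSON report is written to $(RESULTS_FOLDER)/$(TRUFFLEHOG_REPORT) (the
# recipe previously hard-coded the file name and ignored the variable) and a
# colourised copy goes to stdout via jq. pipefail is set on the pipeline so a
# failed docker run fails the target instead of being masked by jq's status.
# The tree is mounted read-only: the scanner only needs to read it. No -t: a
# pseudo-TTY is not needed for piped output and would turn LF into CRLF.
audit_trufflehog:
	mkdir -p -- "$(RESULTS_FOLDER)"
	set -o pipefail; docker run \
	  --rm \
	  -v "$(CURDIR):/target:ro" dxa4481/trufflehog \
	  --max_depth=20 \
	  --json \
	  --regex \
	  --entropy=$(TRUFFLEHOG_ENTROPY) \
	  file:///target | tee "$(RESULTS_FOLDER)/$(TRUFFLEHOG_REPORT)" | jq -C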
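## Fetch shhgit's signature config and remove a stale report.
# The previous version tried to rm -f the results folder path itself, which
# fails on a directory; only the old shhgit report is removed now, so a failed
# scan cannot leave an outdated report looking current.
# The config is fetched from the unpinned master branch over HTTPS; -f makes
# curl exit non-zero on an HTTP error instead of saving the error page as the
# config file. Consider vendoring a reviewed copy if reproducibility matters.
# The target keeps its historical "audi_" spelling because audit_shhgit
# depends on it by that name.
audi_shhgit_prepare:
	rm -f -- "$(RESULTS_FOLDER)/shhgit_report.csv"
	rm -f -- "$(SHHGIT_CONFIG_FILE)"
	curl -fsSL https://raw.githubusercontent.com/eth0izzle/shhgit/master/config.yaml -o "$(SHHGIT_CONFIG_FILE)"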
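## Scan the working tree with shhgit.
# The config is mounted (read-only) from $(SHHGIT_CONFIG_FILE), i.e. the file
# audi_shhgit_prepare actually downloads; the previous hard-coded
# /tmp/config.yaml was never written by the prepare step. $(abspath) keeps an
# absolute SHHGIT_CONFIG_FILE as-is and resolves a relative one against the
# current directory. shhgit's -csv-path names an output file, so the report is
# written inside $(RESULTS_FOLDER) rather than to the folder path itself; the
# folder is created first so the write cannot fail on a fresh checkout.
audit_shhgit: audi_shhgit_prepare
	mkdir -p -- "$(RESULTS_FOLDER)"
	docker run \
	  --rm \
	  -v "$(CURDIR):/src/" \
	  -v "$(abspath $(SHHGIT_CONFIG_FILE)):/app/config.yaml:ro" \
	  eth0izzle/shhgit \
	  -debug \
	  -local "/src" \
	  -config-path /app/ \
	  -entropy-threshold 0 \
	  -csv-path "/src/$(RESULTS_FOLDER)/shhgit_report.csv"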