Unified repository with OSS security tools: just `make exec` and dive into the container!

Some tools, given their nature, have not been integrated into the main container itself; they have been, or will be, added to the repository with an explanation of how to run them separately.
Usage:

```text
make <target>

Targets:
  build     Build the Docker image with the software versions described in the .env file
  rebuild   Force a build even if a previous image exists (previous images are not deleted)
  release   Build the Docker image with the software versions described in the .env file, but from a specific release of this repo
  latest    Build the Docker image with the latest version of each tool
  exec      Run an interactive shell inside the container
  clean     Remove the Docker image $(IMAGE_NAME) and wipe the cache (CAREFUL)
```

Examples:

```sh
make
make build
make rebuild
make release
make latest
make exec
make clean
```
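The difference between `build` (pinned versions from `.env`) and `latest` (unpinned) is the supply-chain point of this setup: a pinned `.env` gives you a reproducible image, `latest` gives you whatever upstream publishes today. The script below is an added illustration of that mechanism and is not this repository's Makefile. It assumes the `.env` holds `KEY=VALUE` lines, that tool pins are named `*_VERSION`, and that the Dockerfile consumes them as `ARG`s of the same name; all three are assumptions, as are the image and tool names used.

```shell
#!/bin/sh
# Added illustration (not this repository's Makefile) of how a "build" target can
# turn the version pins in a .env file into docker build arguments, and how a
# "latest" target differs. Assumptions: .env holds KEY=VALUE lines, tool pins are
# named *_VERSION, and the Dockerfile declares matching ARGs.

# Emit one "--build-arg KEY=VALUE" line per pin in the .env file.
# Blank lines and comments are skipped; key and value are validated so a
# malformed or tampered .env cannot smuggle extra docker flags into the build.
build_args_from_env() {
    envfile="$1"
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*) continue ;;
            *=*) ;;
            *) echo "malformed line in $envfile: $line" >&2; return 1 ;;
        esac
        key="${line%%=*}"
        value="${line#*=}"
        case "$key" in
            ''|*[!A-Za-z0-9_]*) echo "invalid key in $envfile: $key" >&2; return 1 ;;
        esac
        case "$value" in
            *[!A-Za-z0-9_.+-]*) echo "invalid value for $key in $envfile" >&2; return 1 ;;
        esac
        printf '%s %s=%s\n' --build-arg "$key" "$value"
    done < "$envfile"
}

# What a "latest" target does: same pins, but every *_VERSION becomes "latest".
# (Assumption about the upstream convention.) This trades reproducibility for
# freshness, which is why the pinned "build" target is the one to use by default.
latest_build_args() {
    args=$(build_args_from_env "$1") || return 1
    printf '%s\n' "$args" | sed 's/^\(--build-arg [A-Za-z0-9_]*_VERSION=\).*/\1latest/'
}

# Dry run: print the docker build command instead of executing it, so the exact
# pins that will reach the image can be reviewed (for example in CI logs).
render_build_cmd() {
    image="$1"
    envfile="$2"
    args=$(build_args_from_env "$envfile") || return 1
    args=$(printf '%s\n' "$args" | tr '\n' ' ')
    printf 'docker build %s-t %s .\n' "$args" "$image"
}

# Stand-alone use: show the build command for the .env in the current directory,
# if there is one (image name is an assumption, override with IMAGE_NAME).
if [ -f .env ]; then
    render_build_cmd "${IMAGE_NAME:-oss-security-tools}" .env
fi
```

Run it next to a `.env` to see the command that a pinned build would issue; feed the same file through `latest_build_args` to see what the unpinned variant gives up. The validation step matters: a `.env` is a supply-chain input like any other, and a value such as `1.2.3 --no-cache` should be rejected rather than spliced into the command line.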
Now you have your container up and running, but what are you supposed to do with it? Go to "how to use the tools inside" to understand how each one of them actually works.
- 2ms: Detects and manages secrets in files and systems like CMS, chats, and git. (https://github.com/Checkmarx/2ms)
- better-npm-audit: Enhances npm audit with additional features. (https://www.npmjs.com/package/better-npm-audit)
- checkov: Scans infrastructure as code for misconfigurations and vulnerabilities. (https://github.com/bridgecrewio/checkov)
- clair: Analyzes container images for vulnerabilities. (https://github.com/quay/clair)
- cloudsplaining: Assesses AWS IAM policies for security risks. (https://github.com/salesforce/cloudsplaining)
- cloudsploit: Scans cloud accounts (AWS, Azure, GCP and others) for security risks and misconfigurations. (https://github.com/aquasecurity/cloudsploit)
- DependencyCheck: Identifies vulnerabilities in application dependencies. (https://github.com/jeremylong/DependencyCheck)
- depscan: Scans for vulnerabilities in dependencies. (https://github.com/owasp-dep-scan/depscan-bin)
- detect-secrets: Detects secrets in codebases to prevent leaks. (https://github.com/Yelp/detect-secrets)
- dockle: Lints container images for security best practices. (https://github.com/goodwithtech/dockle)
- eslint-plugin-no-secrets: ESLint plugin to detect potential secrets in code. (https://www.npmjs.com/package/eslint-plugin-no-secrets)
- eslint-plugin-no-unsanitized: Prevents unsafe DOM manipulations in JavaScript. (https://www.npmjs.com/package/eslint-plugin-no-unsanitized)
- eslint-plugin-security: Provides security rules for ESLint. (https://www.npmjs.com/package/eslint-plugin-security)
- falco: Monitors runtime security events in cloud-native environments. (https://github.com/falcosecurity/falco)
- generic: Snyk's GitHub Actions for running vulnerability checks in CI. (https://github.com/snyk/actions)
- gh-fake-analyzer: Analyzes GitHub profiles for signs of fake or suspicious accounts. (https://github.com/shortdoom/gh-fake-analyzer/tree/main)
- git-secrets: Prevents committing secrets to git repositories. (https://github.com/awslabs/git-secrets)
- gitxray: Uses GitHub APIs for security analysis and OSINT. (https://github.com/kulkansecurity/gitxray)
- gitleaks: Scans for secrets in code repositories. (https://github.com/gitleaks/gitleaks)
- grype: Scans container images and filesystems for vulnerabilities. (https://github.com/anchore/grype/)
- hadolint: Lints Dockerfiles for best practices. (https://github.com/hadolint/hadolint)
- harden-runner: Secures GitHub Actions runners with network filtering. (https://github.com/step-security/harden-runner)
- installed-check: Ensures installed modules match package.json requirements. (https://www.npmjs.com/package/installed-check)
- kics: Detects security issues in infrastructure-as-code. (https://github.com/Checkmarx/kics)
- kube-bench: Checks Kubernetes deployments against CIS benchmarks. (https://github.com/aquasecurity/kube-bench)
- lavamoat: Sandboxes dependency graphs for security. (https://github.com/LavaMoat/lavamoat)
- legitify: Detects and remediates misconfigurations and security risks across GitHub and GitLab assets. (https://github.com/Legit-Labs/legitify)
- njsscan: Scans JavaScript applications for security vulnerabilities. (https://github.com/ajinabraham/njsscan)
- node-version-audit: Audits Node.js versions for known vulnerabilities. (https://www.npmjs.com/package/node-version-audit)
- nodejsscan: Scans Node.js applications for security issues. (https://github.com/ajinabraham/NodeJsScan)
- npm audit: Checks installed packages for vulnerabilities.
- octoscan: Static vulnerability scanner for GitHub Actions workflows. (https://github.com/synacktiv/octoscan)
- prowler: Audits AWS (and other cloud) environments against security best-practice checks. (https://github.com/prowler-cloud/prowler)
- retirejs: Scans JavaScript libraries for known vulnerabilities. (https://github.com/RetireJS/retire.js)
- scoutsuite: Audits multi-cloud environments for security issues. (https://github.com/nccgroup/ScoutSuite)
- secure-repo: Secures GitHub Actions workflows. (https://github.com/step-security/secure-repo)
- semgrep: Performs lightweight static analysis across languages. (https://github.com/semgrep/semgrep)
- snyk: Scans projects for security vulnerabilities. (https://github.com/snyk/cli)
- trivy: Scans for vulnerabilities and misconfigurations in various environments. (https://github.com/aquasecurity/trivy)
- trufflehog: Finds and analyzes leaked credentials. (https://github.com/trufflesecurity/trufflehog) [Easy marketplace](https://github.com/marketplace/actions/trufflehog-oss)
- wait-for-secrets: Provides 2FA for GitHub Actions. (https://github.com/step-security/wait-for-secrets)
- yarn-audit-fix: Adds missing fix functionality to yarn audit. (https://www.npmjs.com/package/yarn-audit-fix)