diff --git a/Dockerfile b/Dockerfile
index eddaedb..dc4d3e0 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,6 +1,6 @@
 FROM python:3-alpine3.19
-ENV VERSION=1.0.0
+ARG VERSION=0.1.0
 RUN apk update && apk upgrade
@@ -12,7 +12,7 @@ RUN pip install --upgrade pip
 RUN pip install wheel
 RUN python setup.py bdist_wheel
-RUN pip install dist/fafnir-${VERSION}-py3-none-any.whl
+RUN pip install dist/fafnir-$VERSION-py3-none-any.whl
 RUN adduser -D fafnir
-USER fafnir
\ No newline at end of file
+USER fafnir
diff --git a/VERSION b/VERSION
index afaf360..6c6aa7c 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-1.0.0
\ No newline at end of file
+0.1.0
\ No newline at end of file
diff --git a/docs/source/configuration.rst b/docs/source/configuration.rst
new file mode 100644
index 0000000..73dca30
--- /dev/null
+++ b/docs/source/configuration.rst
@@ -0,0 +1,42 @@
+
+fafnir-sec configuration
+========================
+
+.. _configuration:
+
+Set up fafnir-sec with a configuration file
+--------------------------------------------
+
+Exclude tools
+^^^^^^^^^^^^^^
+
+.. code-block:: yaml
+
+ exclude-tools: # Uncomment the tools you want to exclude from analysis
+ - semgrep
+ - bandit
+ - find-sec-bugs
+ - osv-scanner
+ #- trivy-sca
+ - gitleaks
+ - checkov
+ - syft
+
+Tools configuration
+^^^^^^^^^^^^^^^^^^^^
+
+.. code-block:: yaml
+
+ tools-config:
+ semgrep:
+ api-key: # Semgrep API key
+ checkov:
+ api-key: #"Add an api key '--bc-api-key ' to see more detailed insights via https://bridgecrew.cloud"
+
+Container analysis (local image scan)
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+.. code-block:: yaml
+
+ containers:
+ image: ""
\ No newline at end of file
diff --git a/docs/source/index.rst b/docs/source/index.rst
index 490e77b..39664c4 100644
--- a/docs/source/index.rst
+++ b/docs/source/index.rst
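Review bot: The wheel path in the second hunk, `RUN pip install dist/fafnir-$VERSION-py3-none-any.whl`, now depends on an `ARG VERSION=0.1.0` default that is maintained by hand in parallel with the `VERSION` file and `src/main.py` in this same commit, so the next bump that misses the Dockerfile (or a build without `--build-arg VERSION=...`) fails with a missing-file error from pip after the whole wheel has been built. The wheel is presumably named by the `python setup.py bdist_wheel` line just above, so the duplicated value can be dropped and the shell-form RUN left to expand a glob: `RUN pip install --no-cache-dir dist/fafnir-*.whl`, where `--no-cache-dir` also keeps pip's download cache out of the image layer. If the build argument is kept instead, a comment on the `ARG` line in the first hunk such as `# Must match the VERSION file; build with --build-arg VERSION=$(cat VERSION)` would at least make the coupling visible to whoever does the next release.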
@@ -2,11 +2,12 @@ Welcome to fafnir's documentation!
 ==================================
-**Fafnir** is an open-source tool that allows for the complete automation of launching different security tools detecting vulnerabilities in the software supply chain.
+**fafnir-sec** is an open-source tool that allows for the complete automation of launching different security tools detecting vulnerabilities in the software supply chain.
 This tool reports vulnerabilities in the different parts of the supply chain management, like source code, dependencies, containers, infrastructure as code...
-Fafnir was a dwarf-like creature in Norse mythology, who transformed himself into a terrifying dragon to protect his treasure. `More about his history here`_.
+.. note::
+ Fafnir was a dwarf-like creature in Norse mythology, who transformed himself into a terrifying dragon to protect his treasure. `More about his history here`_.
 .. toctree::
 :maxdepth: 2
@@ -15,5 +16,6 @@ Fafnir was a dwarf-like creature in Norse mythology, who transformed himself int
 whatis
 usage
 run
+ configuration
 .. _more about his history here: https://vikingr.org/other-beings/fafnir
\ No newline at end of file
diff --git a/docs/source/run.rst b/docs/source/run.rst
index 56a4a65..71f3308 100644
--- a/docs/source/run.rst
+++ b/docs/source/run.rst
@@ -1,8 +1,40 @@
-Execution example
-=================
+Run fafnir-sec
+==============
 .. _run:
-First time running fafnir
--------------------------
+Run fafnir-sec for first time
+------------------------------
+You can run the tool in a easy way using the following command:
+
+.. code-block:: console
+
+ fafnir $PATH_TO_CODE
+
+.. _options:
+
+Options
+--------
+
++----------------+----------------------+---------------------------------+
+| Option name | Flag | Description |
+| | | |
++================+======================+=================================+
+| Verbose | -v, --verbose | Verbose mode (debug mode) |
++----------------+----------------------+---------------------------------+
+| Configuration | -c, --configuration | Set up fafnir-sec configuration |
+| | | using the configuration file |
++----------------+----------------------+---------------------------------+
+| Asynchronous | -a, --asynchronous | Asynchronous mode to run |
+| | | security tools at the same time |
++----------------+----------------------+---------------------------------+
+| Output type | -t, --output-type | Report type: json, sarif |
+| | | |
++----------------+----------------------+---------------------------------+
+| Output path | -t, --output-path | Path to the fafnir-sec report |
+| | | |
++----------------+----------------------+---------------------------------+
+| Disable API | -x, --disable-apis | Disable API requests |
+| | | |
++----------------+----------------------+---------------------------------+
diff --git a/docs/source/usage.rst b/docs/source/usage.rst
index 358ff51..70fecaa 100644
--- a/docs/source/usage.rst
+++ b/docs/source/usage.rst
@@ -6,7 +6,7 @@ Getting started
 Installation
 ------------
-**fafnir** can be executed in Linux, MacOS and Windows OS. To use ``fafnir``, you can install it using two ways: docker or python.
+**fafnir-sec** can be executed in Linux, MacOS and Windows OS. To use ``fafnir``, you can install it using two ways: docker or python.
 Docker:
 ^^^^^^^
@@ -18,7 +18,7 @@ Docker:
 .. code-block:: console
- docker pull ghsyn4ck/fafnir:latest
+ docker pull ghsyn4ck/fafnir-sec:latest
 Python:
@@ -28,7 +28,7 @@ Python:
 * Python 3.6 or later installed
 * Pip installed
-* Internet access in the machine to install ``fafnir`` module and the dependencies from Pypi.
+* Internet access in the machine to install ``fafnir-sec`` module and the dependencies from Pypi.
 .. code-block:: console
@@ -51,7 +51,7 @@ Run the container previously pulled with the command to execute:
 .. code-block:: console
- docker run ghsyn4ck/fafnir:latest fafnir --help
+ docker run ghsyn4ck/fafnir-sec:latest fafnir --help
 Python:
diff --git a/docs/source/whatis.rst b/docs/source/whatis.rst
index a080175..e0a3622 100644
--- a/docs/source/whatis.rst
+++ b/docs/source/whatis.rst
@@ -1,7 +1,7 @@
 What is fafnir?
 ================
-``fafnir`` is a free open-source **application security posture management (ASPM)** tool to detect vulnerabilities in the software supply chain.
+``fafnir-sec`` is a free open-source **application security posture management (ASPM)** tool to detect vulnerabilities in the software supply chain.
 This tool uses other open-source tools to detect the vulnerabilities related with the application code and build & deploy process.
@@ -10,4 +10,10 @@ This tool uses other open-source tools to detect the vulnerabilities related wit
 How fafnir works?
 ------------------
-``fafnir``
+``fafnir-sec`` pulls the official Docker image of the security tools to analyze and detect vulnerabilities.
+
+First of all, ``fafnir-sec`` evaluates the programming languages, technologies and configuration files to choose the needed security tools in the best way.
+
+Then, ``fafnir-sec`` runs the security tools using official Docker images to detect all vulnerabilities from SAST, SCA, container analysis, secrets, IaC...
+
+Finally, the goal of ``fafnir-sec`` is group all vulnerabilities and report it in a standard and single way.
diff --git a/src/main.py b/src/main.py
index 1c56d22..96d2e8e 100644
--- a/src/main.py
+++ b/src/main.py
@@ -11,7 +11,7 @@ from .report.report import generate_report
-VERSION = '1.0.0'
+VERSION = '0.1.0'
 @click.command()
diff --git a/src/report/generate_report/generate_sarif.py b/src/report/generate_report/generate_sarif.py
index df5d588..4308f71 100644
--- a/src/report/generate_report/generate_sarif.py
+++ b/src/report/generate_report/generate_sarif.py
@@ -1,3 +1,4 @@
+
 def generate_report_sarif(scan_fullpath: str, report: dict) -> dict:
 """
 Generates a SARIF report from the given report.