From 4f9c2fec9db922eb2f648d37673788a989853306 Mon Sep 17 00:00:00 2001 From: Julian Fonticoba Date: Tue, 20 Feb 2024 09:59:51 +0100 Subject: [PATCH 1/4] Docs --- VERSION | 2 +- docs/source/configuration.rst | 42 ++++++++++++++++++++ docs/source/index.rst | 6 ++- docs/source/run.rst | 40 +++++++++++++++++-- docs/source/usage.rst | 8 ++-- docs/source/whatis.rst | 10 ++++- src/main.py | 2 +- src/report/generate_report/generate_sarif.py | 1 + 8 files changed, 97 insertions(+), 14 deletions(-) create mode 100644 docs/source/configuration.rst diff --git a/VERSION b/VERSION index afaf360..6c6aa7c 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -1.0.0 \ No newline at end of file +0.1.0 \ No newline at end of file diff --git a/docs/source/configuration.rst b/docs/source/configuration.rst new file mode 100644 index 0000000..73dca30 --- /dev/null +++ b/docs/source/configuration.rst @@ -0,0 +1,42 @@ + +fafnir-sec configuration +======================== + +.. _configuration: + +Set up fafnir-sec with a configuration file +-------------------------------------------- + +Exclude tools +^^^^^^^^^^^^^^ + +.. code-block:: yaml + + exclude-tools: # Uncomment the tools you want to exclude from analysis + - semgrep + - bandit + - find-sec-bugs + - osv-scanner + #- trivy-sca + - gitleaks + - checkov + - syft + +Tools configuration +^^^^^^^^^^^^^^^^^^^^ + +.. code-block:: yaml + + tools-config: + semgrep: + api-key: # Semgrep API key + checkov: + api-key: #"Add an api key '--bc-api-key ' to see more detailed insights via https://bridgecrew.cloud" + +Container analysis (local image scan) +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +.. code-block:: yaml + + containers: + image: "" \ No newline at end of file diff --git a/docs/source/index.rst b/docs/source/index.rst index 490e77b..39664c4 100644 --- a/docs/source/index.rst +++ b/docs/source/index.rst 
@@ -2,11 +2,12 @@ Welcome to fafnir's documentation! ================================== -**Fafnir** is an open-source tool that allows for the complete automation of launching different security tools detecting vulnerabilities in the software supply chain. +**fafnir-sec** is an open-source tool that allows for the complete automation of launching different security tools detecting vulnerabilities in the software supply chain. This tool reports vulnerabilities in the different parts of the supply chain management, like source code, dependencies, containers, infrastructure as code... -Fafnir was a dwarf-like creature in Norse mythology, who transformed himself into a terrifying dragon to protect his treasure. `More about his history here`_. +.. note:: + Fafnir was a dwarf-like creature in Norse mythology, who transformed himself into a terrifying dragon to protect his treasure. `More about his history here`_. .. toctree:: :maxdepth: 2 @@ -15,5 +16,6 @@ Fafnir was a dwarf-like creature in Norse mythology, who transformed himself int whatis usage run + configuration .. _more about his history here: https://vikingr.org/other-beings/fafnir \ No newline at end of file diff --git a/docs/source/run.rst b/docs/source/run.rst index 56a4a65..71f3308 100644 --- a/docs/source/run.rst +++ b/docs/source/run.rst 
@@ -1,8 +1,40 @@ -Execution example -================= +Run fafnir-sec +============== .. _run: -First time running fafnir -------------------------- +Run fafnir-sec for first time +------------------------------ +You can run the tool in a easy way using the following command: + +.. code-block:: console + + fafnir $PATH_TO_CODE + +.. _options: + +Options +-------- + ++----------------+----------------------+---------------------------------+ +| Option name | Flag | Description | +| | | | ++================+======================+=================================+ +| Verbose | -v, --verbose | Verbose mode (debug mode) | ++----------------+----------------------+---------------------------------+ +| Configuration | -c, --configuration | Set up fafnir-sec configuration | +| | | using the configuration file | ++----------------+----------------------+---------------------------------+ +| Asynchronous | -a, --asynchronous | Asynchronous mode to run | +| | | security tools at the same time | ++----------------+----------------------+---------------------------------+ +| Output type | -t, --output-type | Report type: json, sarif | +| | | | ++----------------+----------------------+---------------------------------+ +| Output path | -t, --output-path | Path to the fafnir-sec report | +| | | | ++----------------+----------------------+---------------------------------+ +| Disable API | -x, --disable-apis | Disable API requests | +| | | | ++----------------+----------------------+---------------------------------+ diff --git a/docs/source/usage.rst b/docs/source/usage.rst index 358ff51..70fecaa 100644 --- a/docs/source/usage.rst +++ b/docs/source/usage.rst 
@@ -6,7 +6,7 @@ Getting started Installation ------------ -**fafnir** can be executed in Linux, MacOS and Windows OS. To use ``fafnir``, you can install it using two ways: docker or python. +**fafnir-sec** can be executed in Linux, MacOS and Windows OS. To use ``fafnir``, you can install it using two ways: docker or python. Docker: ^^^^^^^ @@ -18,7 +18,7 @@ Docker: .. code-block:: console - docker pull ghsyn4ck/fafnir:latest + docker pull ghsyn4ck/fafnir-sec:latest Python: @@ -28,7 +28,7 @@ Python: * Python 3.6 or later installed * Pip installed -* Internet access in the machine to install ``fafnir`` module and the dependencies from Pypi. +* Internet access in the machine to install ``fafnir-sec`` module and the dependencies from Pypi. .. code-block:: console @@ -51,7 +51,7 @@ Run the container previously pulled with the command to execute: .. code-block:: console - docker run ghsyn4ck/fafnir:latest fafnir --help + docker run ghsyn4ck/fafnir-sec:latest fafnir --help Python: diff --git a/docs/source/whatis.rst b/docs/source/whatis.rst index a080175..e0a3622 100644 --- a/docs/source/whatis.rst +++ b/docs/source/whatis.rst @@ -1,7 +1,7 @@ What is fafnir? ================ -``fafnir`` is a free open-source **application security posture management (ASPM)** tool to detect vulnerabilities in the software supply chain. +``fafnir-sec`` is a free open-source **application security posture management (ASPM)** tool to detect vulnerabilities in the software supply chain. This tool uses other open-source tools to detect the vulnerabilities related with the application code and build & deploy process. 
@@ -10,4 +10,10 @@ This tool uses other open-source tools to detect the vulnerabilities related wit How fafnir works? ------------------ -``fafnir`` +``fafnir-sec`` pulls the official Docker image of the security tools to analyze and detect vulnerabilities. + +First of all, ``fafnir-sec`` evaluates the programming languages, technologies and configuration files to choose the needed security tools in the best way. + +Then, ``fafnir-sec`` runs the security tools using official Docker images to detect all vulnerabilities from SAST, SCA, container analysis, secrets, IaC... + +Finally, the goal of ``fafnir-sec`` is group all vulnerabilities and report it in a standard and single way. diff --git a/src/main.py b/src/main.py index 1c56d22..96d2e8e 100644 --- a/src/main.py +++ b/src/main.py @@ -11,7 +11,7 @@ from .report.report import generate_report -VERSION = '1.0.0' +VERSION = '0.1.0' @click.command() diff --git a/src/report/generate_report/generate_sarif.py b/src/report/generate_report/generate_sarif.py index df5d588..4308f71 100644 --- a/src/report/generate_report/generate_sarif.py +++ b/src/report/generate_report/generate_sarif.py @@ -1,3 +1,4 @@ + def generate_report_sarif(scan_fullpath: str, report: dict) -> dict: """ Generates a SARIF report from the given report. From b8c982b37773868ad287d035965530fe3b1661d0 Mon Sep 17 00:00:00 2001 From: "Julian (syn-4ck)" <43778014+syn-4ck@users.noreply.github.com> Date: Tue, 20 Feb 2024 10:17:05 +0100 Subject: [PATCH 2/4] Update Dockerfile --- Dockerfile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index eddaedb..baa0b74 100644 --- a/Dockerfile +++ b/Dockerfile @@ -12,7 +12,7 @@ RUN pip install --upgrade pip RUN pip install wheel RUN python setup.py bdist_wheel -RUN pip install dist/fafnir-${VERSION}-py3-none-any.whl +RUN pip install dist/fafnir-$VERSION-py3-none-any.whl RUN adduser -D fafnir -USER fafnir \ No newline at end of file +USER fafnir 
From 44f4ff49493210d2075a1b9d784762e53265f669 Mon Sep 17 00:00:00 2001 From: "Julian (syn-4ck)" <43778014+syn-4ck@users.noreply.github.com> Date: Tue, 20 Feb 2024 10:18:54 +0100 Subject: [PATCH 3/4] Update Dockerfile --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index baa0b74..b1d0337 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,6 +1,6 @@ FROM python:3-alpine3.19 -ENV VERSION=1.0.0 +ARG VERSION=1.0.0 RUN apk update && apk upgrade From b3df3895fa97f7f92969faf55ad1823378b02e6d Mon Sep 17 00:00:00 2001 From: "Julian (syn-4ck)" <43778014+syn-4ck@users.noreply.github.com> Date: Tue, 20 Feb 2024 10:20:48 +0100 Subject: [PATCH 4/4] Update Dockerfile --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index b1d0337..dc4d3e0 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,6 +1,6 @@ FROM python:3-alpine3.19 -ARG VERSION=1.0.0 +ARG VERSION=0.1.0 RUN apk update && apk upgrade
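Review bot: The hard-coded default on the new `ARG VERSION=1.0.0` line is a third copy of the version string — patch 1 in this series already sets the `VERSION` file to `0.1.0` and `src/main.py` to `VERSION = '0.1.0'` — so the three can silently drift, and the only feedback is the later `RUN pip install dist/fafnir-$VERSION-py3-none-any.whl` step failing when the wheel name (presumably derived from the `VERSION` file by setup.py) does not match. Consider declaring it without a default, `ARG VERSION`, and passing `--build-arg VERSION="$(cat VERSION)"` from the build script, so the file in the repo stays the single source of truth. Since `ARG` is build-scoped, `VERSION` is no longer present in the running container's environment; that looks intended, but it is worth stating in the commit message. While here, the `FROM python:3-alpine3.19` context line pulls a floating tag, and `RUN apk update && apk upgrade` makes the image content depend on build time; for a tool that itself scans supply chains, pinning the base image by digest (`FROM python:3-alpine3.19@sha256:...`) and documenting how it is refreshed would make the image reproducible and verifiable.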