Security News
Research
Data Theft Repackaged: A Case Study in Malicious Wrapper Packages on npm
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
devsecops-engine-tools
Advanced tools
Tool that unifies the evaluation of the different devsecops practices being agnostic to the devops platform, using both open source and market tools.
📦 tools: DevSecOps Practice Modules
Here are the channels we use to communicate about the project:
1. Mailing list: You can join our mailing list to always be informed at the following link: CommunityDevsecopsEngine
2. Email: You can write to us by email: MaintainersDevsecopsEngine@googlegroups.com
pip3 install devsecops-engine-tools
devsecops-engine-tools --platform_devops ["local","azure","github"] --remote_config_repo ["remote_config_repo"] --remote_config_branch ["remote_config_branch"] --tool ["engine_iac", "engine_dast", "engine_secret", "engine_dependencies", "engine_container", "engine_risk", "engine_code"] --folder_path ["Folder path scan engine_iac, engine_code and engine_dependencies"] --platform ["k8s","cloudformation","docker", "openapi", "terraform"] --use_secrets_manager ["false", "true"] --use_vulnerability_management ["false", "true"] --send_metrics ["false", "true"] --token_cmdb ["token_cmdb"] --token_vulnerability_management ["token_vulnerability_management"] --token_engine_container ["token_engine_container"] --token_engine_dependencies ["token_engine_dependencies"] --token_external_checks ["token_external_checks"] --xray_mode ["scan", "audit"] --image_to_scan ["image_to_scan"]
📦Remote_Config
┣ 📂engine_core
┃ ┗ 📜ConfigTool.json
┣ 📂engine_risk
┃ ┗ 📜ConfigTool.json
┃ ┗ 📜Exclusions.json
┣ 📂engine_sast
┃ ┗ 📂engine_iac
┃ ┗ 📜ConfigTool.json
┃ ┗ 📜Exclusions.json
┃ ┗ 📂engine_secret
┃ ┗ 📜ConfigTool.json
┃ ┗ 📂engine_code
┃ ┗ 📜ConfigTool.json
┃ ┗ 📜Exclusions.json
┣ 📂engine_sca
┃ ┗ 📂engine_container
┃ ┗ 📜ConfigTool.json
┃ ┗ 📜Exclusions.json
┃ ┗ 📂engine_dependencies
┃ ┗ 📜ConfigTool.json
┃ ┗ 📜Exclusions.json
Module | Tool | Type |
---|---|---|
ENGINE_RISK | DEFECTDOJO | Free |
ENGINE_IAC | CHECKOV | Free |
KUBESCAPE | Free | |
KICS | Free | |
ENGINE_DAST | NUCLEI | Free |
ENGINE_SECRET | TRUFFLEHOG | Free |
ENGINE_CONTAINER | PRISMA | Paid |
TRIVY | Free | |
ENGINE_DEPENDENCIES | XRAY | Paid |
DEPENDENCY CHECK | Free | |
ENGINE_CODE | BEARER | Free |
Complete the value in .envdetlocal file a set in execution environment
$ set -a
$ source .envdetlocal
$ set +a
devsecops-engine-tools --platform_devops local --remote_config_repo DevSecOps_Remote_Config --tool engine_iac
Installation
docker pull bancolombia/devsecops-engine-tools
docker run --rm -v ./folder_to_analyze:/folder_to_analyze bancolombia/devsecops-engine-tools:latest devsecops-engine-tools --platform_devops local --remote_config_repo docker_default_remote_config --tool engine_iac --folder_path /folder_to_analyze
The docker image have it own default remote config with basic configuration called docker_default_remote_config, but you can define your own config and pass it as volume
docker run --rm -v ./folder_to_analyze:/folder_to_analyze -v ./custom_remote_config:/custom_remote_config bancolombia/devsecops-engine-tools:latest devsecops-engine-tools --platform_devops local --remote_config_repo custom_remote_config --tool engine_iac --folder_path /folder_to_analyze
The remote config should be in a Azure Devops repository.
Note: By default the tool gets the token from the SYSTEM_ACCESSTOKEN variable to get the remote configuration repository. You must ensure that this token has permission to access this resource.
name: $(Build.SourceBranchName).$(date:yyyyMMdd)$(rev:.r)
trigger:
branches:
include:
- trunk
- feature/*
stages:
- stage: engine_tools
displayName: Example Engine Tools
jobs:
- job: engine_tools
pool:
name: Azure Pipelines
steps:
- script: |
# Install devsecops-engine-tools
pip3 install -q devsecops-engine-tools
devsecops-engine-tools --platform_devops azure --remote_config_repo remote_config --tool engine_iac
displayName: "Engine Tools"
env:
SYSTEM_ACCESSTOKEN: $(System.AccessToken)
The remote config should be in a GitHub repository, either public or private.
If the repository is public:
If the repository is private:
Create a personal access token with the necessary permissions to access the repository.
Add the token as a secret in the GitHub repository.
Configure the yml file containing the workflow using the created secret.
Example of the workflow yml:
name: DevSecOps Engine Tools
on:
push:
branches:
- feature/*
env:
GITHUB_ACCESS_TOKEN: ${{ secrets.GH_ACCESSTOKEN }} #In this case, the remote config repository is private
# When the remote config repository is public, the secret should be like this: ${{ secrets.GITHUB_TOKEN }}
jobs:
release:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: "3.12"
- name: Set up Python
run: |
# Install devsecops-engine-tools
pip3 install -q devsecops-engine-tools
output=$(devsecops-engine-tools --platform_devops github --remote_config_repo remote_config --tool engine_iac)
echo "$output"
if [[ $output == *"✘Failed"* ]]; then
exit 1
fi
With the flag --send_metrics true and the configuration of the AWS-METRICS_MANAGER driven adapter in ConfigTool.json of the engine_core the tool will send the report to bucket s3. In the metrics folder you will find the base of the cloud formation template to deploy the infra and dashboard in grafana.
To generate the ConfigTool.json file in a simple way, a web interface was created where you can configure each necessary parameter individually or use a base template that you want to modify. In the config tool generator folder you will find the code for the SPA created in Angular to run it local environment.
Review the issues, we hear new ideas. Read more Contributing
FAQs
Tool for DevSecOps strategy
We found that devsecops-engine-tools demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Research
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
Research
Security News
Attackers used a malicious npm package typosquatting a popular ESLint plugin to steal sensitive data, execute commands, and exploit developer systems.
Security News
The Ultralytics' PyPI Package was compromised four times in one weekend through GitHub Actions cache poisoning and failure to rotate previously compromised API tokens.