shield_ast 1.3.2 → 1.3.3
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/README.md +5 -5
- data/lib/shield_ast/iac.rb +2 -2
- data/lib/shield_ast/sast.rb +4 -4
- data/lib/shield_ast/version.rb +1 -1
- data/lib/shield_ast.rb +4 -4
- metadata +1 -1
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 10303d978bc4075c8520765a20e7c2567417ef3f57b34d09ce333087a79e642d
|
|
4
|
+
data.tar.gz: 07bbfc2ffadf258e3ef0c241b03d6041616f61d6ee4de98cbf2e81cc5c523ab3
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 15aa323250b887ab2fbc48e65b7121d6788c4231f9c30b014bdb6fa5fe648218b63f22d754ac051c8f9dce504a93a24268d984b7ec1dd9953abe9e7942eb60d9
|
|
7
|
+
data.tar.gz: 421a506dc42faabdbe31749e57fcf9ccd8cda1124f77060f1147e8029e51ee9ed0154beb064129dd2111878405f9786a2c23f7b2312b7f14cf444da564da020e
|
data/README.md
CHANGED
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
# Shield AST - Application Security Testing
|
|
1
|
+
# Shield AST - Application Security Testing
|
|
2
2
|
|
|
3
3
|
[](https://badge.fury.io/rb/shield_ast)
|
|
4
4
|
[](https://github.com/JAugusto42/shield_ast/actions)
|
|
@@ -41,9 +41,9 @@ ast [command] [options]
|
|
|
41
41
|
- **`help`** – Displays this help message.
|
|
42
42
|
|
|
43
43
|
### Options
|
|
44
|
-
- **`-s, --sast`** – Run SAST using [
|
|
44
|
+
- **`-s, --sast`** – Run SAST using [Opengrep](https://www.opengrep.dev/).
|
|
45
45
|
- **`-c, --sca`** – Run SCA using [OSV Scanner](https://osv.dev).
|
|
46
|
-
- **`-i, --iac`** – Run IaC analysis using [
|
|
46
|
+
- **`-i, --iac`** – Run IaC analysis using [Opengrep](https://www.opengrep.dev/) with infrastructure rules.
|
|
47
47
|
- **`-o, --output`** – Specify the output format (`json`, `sarif`, `console`).
|
|
48
48
|
- **`-h, --help`** – Show this help message.
|
|
49
49
|
- **`--version`** – Show the AST version.
|
|
@@ -99,9 +99,9 @@ ast report --output sarif
|
|
|
99
99
|
## 🛠 How It Works
|
|
100
100
|
|
|
101
101
|
AST integrates well-known open-source scanners into a single CLI tool:
|
|
102
|
-
- **SAST** – [
|
|
102
|
+
- **SAST** – [Opengrep](https://www.opengrep.dev/) for static code analysis
|
|
103
103
|
- **SCA** – [OSV Scanner](https://osv.dev) for dependency vulnerability scanning
|
|
104
|
-
- **IaC** – [
|
|
104
|
+
- **IaC** – [Opengrep](https://www.opengrep.dev/) rules for Infrastructure as Code
|
|
105
105
|
|
|
106
106
|
This unified approach streamlines security testing, enabling developers to catch security issues earlier in the development process.
|
|
107
107
|
|
data/lib/shield_ast/iac.rb
CHANGED
|
@@ -4,11 +4,11 @@ require "json"
|
|
|
4
4
|
require "open3"
|
|
5
5
|
|
|
6
6
|
module ShieldAst
|
|
7
|
-
# Wraps the logic for running Infrastructure as Code (IaC) scans using
|
|
7
|
+
# Wraps the logic for running Infrastructure as Code (IaC) scans using Opengrep.
|
|
8
8
|
class IaC
|
|
9
9
|
def self.scan(path)
|
|
10
10
|
cmd = [
|
|
11
|
-
"
|
|
11
|
+
"opengrep", "scan",
|
|
12
12
|
"--config", "r/terraform",
|
|
13
13
|
"--config", "r/kubernetes",
|
|
14
14
|
"--config", "r/docker",
|
data/lib/shield_ast/sast.rb
CHANGED
|
@@ -5,7 +5,7 @@ require "json"
|
|
|
5
5
|
require "open3"
|
|
6
6
|
|
|
7
7
|
module ShieldAst
|
|
8
|
-
# Wraps the logic for running SAST scan using
|
|
8
|
+
# Wraps the logic for running SAST scan using Opengrep.
|
|
9
9
|
class SAST
|
|
10
10
|
EXCLUDE_PATTERNS = %w[**/spec/ **/test/ **/tests/ **/features/ **/__tests__/ **/vendor/
|
|
11
11
|
**/node_modules/ **/*_spec.rb **/*_test.rb **/*.spec.js **/*.test.js
|
|
@@ -18,16 +18,16 @@ module ShieldAst
|
|
|
18
18
|
if status.success?
|
|
19
19
|
JSON.parse(stdout)
|
|
20
20
|
else
|
|
21
|
-
warn "
|
|
21
|
+
warn "Opengrep SAST scan failed! Exit Code: #{status.exitstatus}\nError: #{stderr}"
|
|
22
22
|
{ "results" => [] }
|
|
23
23
|
end
|
|
24
24
|
rescue JSON::ParserError => e
|
|
25
|
-
warn "Failed to parse
|
|
25
|
+
warn "Failed to parse Opengrep SAST output: #{e.message}"
|
|
26
26
|
{ "results" => [] }
|
|
27
27
|
end
|
|
28
28
|
|
|
29
29
|
def self.build_command(path)
|
|
30
|
-
base_cmd = %w[
|
|
30
|
+
base_cmd = %w[opengrep scan --config p/r2c-ci --config p/secrets --json --disable-version-check]
|
|
31
31
|
|
|
32
32
|
EXCLUDE_PATTERNS.each do |pattern|
|
|
33
33
|
base_cmd.push("--exclude", pattern)
|
data/lib/shield_ast/version.rb
CHANGED
data/lib/shield_ast.rb
CHANGED
|
@@ -25,9 +25,9 @@ module ShieldAst
|
|
|
25
25
|
def self.call(args)
|
|
26
26
|
banner
|
|
27
27
|
|
|
28
|
-
unless scanner_exists?("osv-scanner") && scanner_exists?("
|
|
28
|
+
unless scanner_exists?("osv-scanner") && scanner_exists?("opengrep")
|
|
29
29
|
puts "\e[31m[!] ERROR:\e[0m Required tools not found."
|
|
30
|
-
puts " Install: \e[33mosv-scanner\e[0m, \e[
|
|
30
|
+
puts " Install: \e[33mosv-scanner\e[0m, \e[33mopengrep\e[0m"
|
|
31
31
|
exit 1
|
|
32
32
|
end
|
|
33
33
|
|
|
@@ -395,9 +395,9 @@ module ShieldAst
|
|
|
395
395
|
report Generates a report from the last scan in JSON or PDF format.
|
|
396
396
|
help Shows this help message.
|
|
397
397
|
Options:
|
|
398
|
-
-s, --sast Run Static Application Security Testing (SAST) with
|
|
398
|
+
-s, --sast Run Static Application Security Testing (SAST) with Opengrep.
|
|
399
399
|
-c, --sca Run Software Composition Analysis (SCA) with OSV Scanner.
|
|
400
|
-
-i, --iac Run Infrastructure as Code (IaC) analysis with
|
|
400
|
+
-i, --iac Run Infrastructure as Code (IaC) analysis with Opengrep.
|
|
401
401
|
-o, --output Specify the output format for report (json or pdf, default: json).
|
|
402
402
|
-h, --help Show this help message.
|
|
403
403
|
--version Show the ast version.
|