npm - @eurekadevsecops/radar - Versions diffs - 1.0.0 - Mend

@eurekadevsecops/radar 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (23) hide show

package/CONTRIBUTING.md +61 -0
package/LICENSE +674 -0
package/README.md +43 -0
package/cli.js +15 -0
package/package.json +36 -0
package/scanners/depscan/run.sh +8 -0
package/scanners/depscan/sarif.j2 +90 -0
package/scanners/gitleaks/run.sh +7 -0
package/scanners/opengrep/rules.yaml +69031 -0
package/scanners/opengrep/run.sh +7 -0
package/scanners/scanners.toml +20 -0
package/src/commands/index.js +5 -0
package/src/commands/scan.js +237 -0
package/src/commands/scanners.js +15 -0
package/src/index.js +21 -0
package/src/plugins/scanners.js +12 -0
package/src/util/humanize.js +23 -0
package/src/util/sarif/display_findings.js +6 -0
package/src/util/sarif/display_totals.js +5 -0
package/src/util/sarif/index.js +6 -0
package/src/util/sarif/levels.js +32 -0
package/src/util/sarif/merge.js +52 -0
package/src/util/sarif/summarize.js +40 -0

package/CONTRIBUTING.md ADDED Viewed

@@ -0,0 +1,61 @@
+# Scanners
+Scanner manifest file is located in `scanners/scanners.toml`. Every scanner has a section that looks a lot like this:
+```toml
+[[scanners]]
+name = "opengrep"
+title = "Opengrep"
+description = "Ultra-fast static analysis tool."
+categories = [ "SAST" ]
+cmd = "${assets}/run.sh ${target} ${assets} ${output}"
+```
+The `name` field contains the scanner identifier that radarctl uses internally. Any command-line arguments or options for radarctl that take in a scanner always expect this scanner identifier. The `categories` field is an array of categories that the scanner can be part of. Usually takes on one or more values of SCA, SAST, and DAST. The `cmd` field is the command to run to launch the scanner.
+Each scanner has its own subfolder with the `scanners` directory with the shell script that launches the scanner and any other files needed for scanner operation. An example shell script looks like this:
+```bash
+# Parameters:
+# $1 - Path to the source code folder that should be scanned
+# $2 - Path to the assets folder
+# $3 - Path to the output folder where scan results should be stored
+set -e
+docker run --rm -t -v $1:/app -v $2:/input -v $3:/home/output radar/opengrep:latest /app 2>&1
+```
+The assets folder is the scanner's subfolder within the `scanners` directory. The output folder is a system temporary folder that is deleted when the scan terminates, successfully or not.
+# Development flow
+## Linting
+With the trifecta of the development process nearly complete, let's talk about linting. The linter we run is [golangci-lint](https://golangci-lint.run/). It helps with finding potential bugs in programs, as well as helping you follow standard go conventions. To run it locally, just run `golangci-lint --path-prefix=. run`. If you'd like to run all of our [pre-commit lints](https://pre-commit.com/), then run `pre-commit run --all-files`
+# Cutting a release
+If you have write access to this repo, you can ship ...
+a patch release with:
+`npm version patch && npm publish`
+a minor release with:
+`npm version minor && npm publish`
+or a major release with:
+`npm version major && npm publish`
+# Committing to radarctl
+When committing to `radarctl`, there are a few important things to keep in mind:
+-   Keep commits small and focused, it helps greatly when reviewing larger PRs
+-   Make sure to use descriptive messages in your commit messages, it also helps future people understand why a change was made.
+-   PRs are squash merged, so please make sure to use descriptive titles