
INTERCEPT: code as policy, how it works, sample scan report, tool packages and quick start


INTERCEPT is a powerful static code analysis and audit policy set. The policies are simple to use and have a small footprint, and a fast, powerful command-line scanning tool applies them to your codebase. Researchers can also use it as a data collection endpoint and checker, or treat it as a cross-platform "weaponized ripgrep".

Features

- Policy as code
- Fine-grained regex policies
- Multiple enforcement levels
- Static analysis, no daemons
- Low footprint, self-updating binary
- Easy to integrate into any CI/CD pipeline
- Declarative policies to reduce complexity
- No custom policy language

Policy as code

The idea of "policy as code" comes from policy management and automation: expressing policies as YAML files is a proven software-development best practice that lets teams keep policies under version control, test them automatically and deploy them automatically.

How it works

1. Intercept and parse the command-line interface input;

2. Enforce the YAML policy file.

INTERCEPT combines environment flags, the YAML policy and optional parameters into one global configuration. It then recursively scans the target path for code that violates the policy and produces a detailed, human-readable scan and analysis report.

Sample scan report output (the screenshot is not reproduced here):

Tool packages

# Standard package (intercept ripgrep) for individual platforms

-- core-intercept-rg-*.zip

# Cross Platform Full package (intercept ripgrep)

-- x-intercept.zip

# Build package to build on all platforms (Development)

-- setup-buildpack.zip

# Package of the latest compatible release of ripgrep (doesn't include intercept)

-- i-ripgrep-*.zip

Quick start

First, download the latest INTERCEPT release for your platform:

--- Darwin

curl -fSL https://github.com/xfhg/intercept/releases/latest/download/intercept-darwin_amd64 -o intercept

--- Linux

curl -fSL https://github.com/xfhg/intercept/releases/latest/download/intercept-linux_amd64 -o intercept

--- Windows

curl -fSL https://github.com/xfhg/intercept/releases/latest/download/intercept-windows_amd64 -o intercept.exe

Fetch the examples for a quick scan:

curl -fSLO https://github.com/xfhg/intercept/releases/latest/download/_examples.zip

The code to be analysed now lives in an examples/ folder. Before starting, note the two policy types available in a policy file:

- scan : where we enforce breaking rules on matched patterns

- collect : where we just collect matched patterns

The demo example does the following:

1. Scan the target code for private keys: the policy must be fatal: true and accept no exceptions, i.e. enforcement: true. Set environment: all so that this policy is enforced on every environment.

2. Scan whether modules are sourced from a compliant source rather than locally or from git: the policy must be fatal: true and the environment must be PROD, i.e. environment: prod. This policy may accept local exceptions: enforcement: false.

3. Collect terraform resource instances used outside of modules.

The policy file containing the scan and collect rules above is as follows (examples/policy/simple.yaml):

# This banner is shown on the start of the scanning report,
# use it to point out important documentation/warnings/contacts
Banner: |
  Banner text here, drop documentation link or quick instructions on how to react to the report

# This is the main policy block, all rules will be part of this array
Rules:

  # This is a rule structure block
  # Each rule can have one or more patterns (regex)
  # The rule is triggered by any of the patterns listed
  #
  # Essential settings :
  #   id          : ( must be unique )
  #   type        : ( scan | collect )
  #   fatal       : ( true | false )
  #   enforcement : ( true | false )
  #   environment : ( all | anystring)
  # All other settings are free TEXT to complement your final report

  - name: Private key committed in code
    id: 1
    description: Private key committed to code version control
    solution:
    error: This violation immediately blocks your code deployment
    type: scan
    enforcement: true
    environment: all
    fatal: true
    patterns:
      - \s*(-----BEGIN PRIVATE KEY-----)
      - \s*(-----BEGIN RSA PRIVATE KEY-----)
      - \s*(-----BEGIN DSA PRIVATE KEY-----)
      - \s*(-----BEGIN EC PRIVATE KEY-----)
      - \s*(-----BEGIN OPENSSH PRIVATE KEY-----)
      - \s*(-----BEGIN PGP PRIVATE KEY BLOCK-----)

  # Another scan rule
  - name: Compliant module source
    id: 5
    description: Modules should not be sourced locally nor from git
    error: This breach blocks your deployment on production environments
    type: scan
    solution:
    environment: prod
    fatal: true
    enforcement: false
    patterns:
      - source\s*.*\.git"
      - \s source\s*=\s*"((?!https\:).)

  # A different type of policy rule that just collects findings matched with the patterns listed
  - name: Collect sparse TF resources outside of modules.
    description: The following resources were detected outside of compliant module usage
    type: collect
    patterns:
      - (resource)\s*"(.*)"

# These are the messages displayed at the end of the report
# Clean for no finds
# Warning for at least one non-fatal find
# Critical for at least one fatal find
ExitCritical: "Critical irregularities found in your code"
ExitWarning: "Irregularities found in your code"
ExitClean: "Clean report"
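To show how the scan/collect types and the fatal, enforcement and environment flags combine into the Clean/Warning/Critical verdict, here is a small evaluator written for this article (it is not INTERCEPT's own code). It reuses the regexes from simple.yaml above, runs them over a constructed two-file repository, and assumes one reading of the flags: a scan hit blocks only when the rule is both fatal and enforced, any other scan hit is a warning, and collect rules only report.

```python
import re

# Rules transcribed from examples/policy/simple.yaml above; the regexes are the page's own.
# The third rule has no id in the file, so findings are keyed by rule name instead.
RULES = [
    {"name": "Private key committed in code", "type": "scan", "fatal": True,
     "enforcement": True, "environment": "all",
     "patterns": [r"\s*(-----BEGIN PRIVATE KEY-----)",
                  r"\s*(-----BEGIN RSA PRIVATE KEY-----)",
                  r"\s*(-----BEGIN OPENSSH PRIVATE KEY-----)"]},
    {"name": "Compliant module source", "type": "scan", "fatal": True,
     "enforcement": False, "environment": "prod",
     "patterns": [r'source\s*.*\.git"', r'\s source\s*=\s*"((?!https\:).)']},
    {"name": "Collect sparse TF resources outside of modules.", "type": "collect",
     "patterns": [r'(resource)\s*"(.*)"']},
]

# Constructed sample repository (path -> contents); not taken from the page.
FILES = {
    "main.tf": 'module "vpc" {\n  source = "git::https://example.invalid/vpc.git"\n}\n'
               'resource "aws_s3_bucket" "logs" {}\n',
    "id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\nAAAA(constructed, not a real key)\n",
}

def applies(rule, env):
    """A rule is active when its environment is 'all' or equals the current one."""
    return rule.get("environment", "all") in ("all", env)

def scan(files, rules, env):
    """Return (findings, verdict). Each finding is (rule name, path, line no, text).
    Assumed reading of the flags: a scan hit is Critical only when the rule is both
    fatal and enforced; any other scan hit is a Warning; collect hits only report."""
    findings, critical, warning = [], False, False
    for rule in rules:
        if not applies(rule, env):
            continue
        regexes = [re.compile(p) for p in rule["patterns"]]
        for path, text in files.items():
            for lineno, line in enumerate(text.splitlines(), 1):
                if any(r.search(line) for r in regexes):
                    findings.append((rule["name"], path, lineno, line.strip()))
                    if rule["type"] == "scan":
                        if rule.get("fatal") and rule.get("enforcement"):
                            critical = True
                        else:
                            warning = True
    verdict = "Critical" if critical else "Warning" if warning else "Clean"
    return findings, verdict

if __name__ == "__main__":
    for env in ("dev", "prod"):
        hits, verdict = scan(FILES, RULES, env)
        print(f"[{env}] {verdict}: {len(hits)} finding(s)", *hits, sep="\n  ")
```

Running it shows the same commit judged Critical in every environment because of the key file, while the git-sourced module only surfaces (as a Warning) when env is prod.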

Project address

INTERCEPT: [GitHub link]

Other referenced projects

1. Ripgrep

2. Hashicorp Sentinel

3. Open Policy Agent

*Source: xfhg; translated by FB editor Alpha_h4ck. Please credit FreeBuf.COM when reposting.
