forked from boost-community/scanner-registry
-
Notifications
You must be signed in to change notification settings - Fork 1
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
BST-13481: add new baseline scanner (#182)
- Loading branch information
1 parent
5dcf392
commit 0b0f72f
Showing
5 changed files
with
177 additions
and
145 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,24 @@ | ||
| api_version: 1.0 | ||
|
|
||
|
|
||
| id: boostsecurityio/baseline | ||
| name: BoostSecurity Scanner | ||
| namespace: boostsecurityio/baseline | ||
| scan_types: | ||
| - sast | ||
| - cicd | ||
|
|
||
|
|
||
| config: | ||
| support_diff_scan: true | ||
|
|
||
|
|
||
| steps: | ||
| - scan: | ||
| command: | ||
| docker: | ||
| image: public.ecr.aws/boostsecurityio/boost-scanner-native:44a65bf@sha256:cefdba826edb2138b6d219d7ff398181158caac3755e6542171ba6d8c06e594f | ||
| command: scanner scan | ||
| workdir: /src | ||
| name: scanner | ||
| format: sarif |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,131 @@ | ||
| rules: | ||
| cert-expired: | ||
| categories: | ||
| - ALL | ||
| - cloud-weak-configuration | ||
| description: Checks for expired X509 certificates. | ||
| group: cloud-weak-configuration | ||
| name: cert-expired | ||
| pretty_name: Cert Expired | ||
| ref: '{BOOSTSEC_DOC_BASE_URL}/rules/x509-cert-expired.html' | ||
| cert-expires-soon: | ||
| categories: | ||
| - ALL | ||
| - cloud-weak-configuration | ||
| description: Checks for X509 certificates that will expire in a configured number | ||
| of days. | ||
| group: cloud-weak-configuration | ||
| name: cert-expires-soon | ||
| pretty_name: Cert Expires Soon | ||
| ref: '{BOOSTSEC_DOC_BASE_URL}/rules/x509-cert-expires-soon.html' | ||
| cert-insecure-signing-algorithm: | ||
| categories: | ||
| - ALL | ||
| - cloud-weak-configuration | ||
| - boost-baseline | ||
| - boost-hardened | ||
| description: Checks for X509 certificates with insecure signing algorithms. | ||
| group: cloud-weak-configuration | ||
| name: cert-insecure-signing-algorithm | ||
| pretty_name: Cert Insecure Signing Algorithm | ||
| ref: '{BOOSTSEC_DOC_BASE_URL}/rules/x509-cert-insecure-signing-algorithm.html' | ||
| recommended: true | ||
| cert-insufficient-key-length: | ||
| categories: | ||
| - ALL | ||
| - cloud-weak-configuration | ||
| - boost-baseline | ||
| - boost-hardened | ||
| description: Checks for X509 certificates with insecure key lengths. | ||
| group: cloud-weak-configuration | ||
| name: cert-insufficient-key-length | ||
| pretty_name: Cert Insufficient Key Length | ||
| ref: '{BOOSTSEC_DOC_BASE_URL}/rules/x509-cert-insufficient-key-length.html' | ||
| recommended: true | ||
| cicd-binary-artifacts-stored-in-scm: | ||
| categories: | ||
| - ALL | ||
| - supply-chain | ||
| - supply-chain-missing-artifact-integrity-verification | ||
| - boost-baseline | ||
| - boost-hardened | ||
| description: Checks for binary / executable artifacts (ex. *.jar, *.class, *.so, | ||
| etc.) stored in the Git repository.Generally, such binary artifacts should not | ||
| be committed to Git and should be built with reproducible build system from | ||
| source. | ||
| group: supply-chain-missing-artifact-integrity-verification | ||
| name: cicd-binary-artifacts-stored-in-scm | ||
| pretty_name: CI/CD - Binary artifacts stored in SCM | ||
| ref: '{BOOSTSEC_DOC_BASE_URL}/rules/cicd-binary-artifacts-stored-in-scm.html' | ||
| recommended: true | ||
| cicd-circleci-unversioned-orb: | ||
| categories: | ||
| - ALL | ||
| - supply-chain | ||
| - supply-chain-cicd-weak-configuration | ||
| - boost-baseline | ||
| - boost-hardened | ||
| description: Checks for CircleCI workflows using unversioned Orbs. | ||
| group: supply-chain-cicd-weak-configuration | ||
| name: cicd-circleci-unversioned-orb | ||
| pretty_name: CI/CD - CircleCI Unversionned Orb | ||
| ref: '{BOOSTSEC_DOC_BASE_URL}/rules/cicd-circleci-unversioned-orb.html' | ||
| recommended: true | ||
| cicd-circleci-shell-injection: | ||
| categories: | ||
| - ALL | ||
| - supply-chain | ||
| - supply-chain-cicd-vulnerable-pipeline | ||
| - boost-baseline | ||
| - boost-hardened | ||
| description: Checks for CircleCI workflows where pipeline variables are used in shell commands. | ||
| group: supply-chain-cicd-vulnerable-pipeline | ||
| name: cicd-circleci-shell-injection | ||
| pretty_name: CI/CD - CircleCI Shell Injection | ||
| ref: '{BOOSTSEC_DOC_BASE_URL}/rules/cicd-circleci-shell-injection.html' | ||
| recommended: true | ||
| cicd-gha-unsecure-commands: | ||
| categories: | ||
| - ALL | ||
| - supply-chain | ||
| - supply-chain-cicd-weak-configuration | ||
| - supply-chain-cicd-severe-issues | ||
| - boost-baseline | ||
| - boost-hardened | ||
| description: Checks for GitHub Acton workflows that enables deprecated unsecure commands. | ||
| group: supply-chain-cicd-weak-configuration | ||
| name: cicd-gha-unsecure-commands | ||
| pretty_name: CI/CD - GitHub Action Unsecure Commands | ||
| ref: '{BOOSTSEC_DOC_BASE_URL}/rules/cicd-gha-unsecure-commands.html' | ||
| recommended: true | ||
| cicd-unpinned-dependencies: | ||
| categories: | ||
| - ALL | ||
| - supply-chain | ||
| - supply-chain-missing-artifact-integrity-verification | ||
| - boost-baseline | ||
| - boost-hardened | ||
| description: Verifies the presence of dependency management manifests (e.g., | ||
| package.json, Gemfile, pyproject.toml, Pipfile, go.mod, etc.) without an | ||
| accompanying lockfile that cryptographically pins dependencies (e.g., | ||
| package-lock.json, Gemfile.lock, poetry.lock, Pipfile.lock, go.sum). | ||
| The absence of a lockfile increases the risk of dependency drift, | ||
| potentially introducing security vulnerabilities or compatibility issues into the project. | ||
| group: supply-chain-missing-artifact-integrity-verification | ||
| name: cicd-unpinned-dependencies | ||
| pretty_name: CI/CD - Missing Lockfile resulting in unpinned dependencies | ||
| ref: '{BOOSTSEC_DOC_BASE_URL}/rules/cicd-unpinned-dependencies.html' | ||
| recommended: true | ||
| cicd-gha-workflow-dispatch-inputs: | ||
| categories: | ||
| - ALL | ||
| - supply-chain | ||
| - supply-chain-cicd-weak-configuration | ||
| - boost-baseline | ||
| - boost-hardened | ||
| description: Checks for GitHub Action workflows defines workflow_dispatch inputs. | ||
| group: supply-chain-cicd-weak-configuration | ||
| name: cicd-gha-workflow-dispatch-inputs | ||
| pretty_name: CI/CD - GitHub Action uses inputs | ||
| ref: '{BOOSTSEC_DOC_BASE_URL}/rules/cicd-gha-workflow-dispatch-inputs.html' | ||
| recommended: true |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,24 +1,23 @@ | ||
| api_version: 1.0 | ||
|
|
||
|
|
||
| group: boostsecurityio/scanner | ||
| id: boostsecurityio/scanner | ||
| name: BoostSecurity Scanner | ||
| namespace: boostsecurityio/scanner | ||
| scan_types: | ||
| - sast | ||
| - cicd | ||
|
|
||
|
|
||
| config: | ||
| support_diff_scan: true | ||
|
|
||
| scan_types: | ||
| - sast | ||
| - cicd | ||
| - metadata | ||
| - sca | ||
| - sci | ||
| - license | ||
|
|
||
| steps: | ||
| - scan: | ||
| command: | ||
| docker: | ||
| image: public.ecr.aws/boostsecurityio/boost-scanner-native:44a65bf@sha256:cefdba826edb2138b6d219d7ff398181158caac3755e6542171ba6d8c06e594f | ||
| command: scanner scan | ||
| workdir: /src | ||
| name: scanner | ||
| format: sarif | ||
| includes: | ||
| - boostsecurityio/baseline | ||
| - boostsecurityio/composition | ||
| - boostsecurityio/supply-chain-inventory |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,131 +1,9 @@ | ||
| rules: | ||
| cert-expired: | ||
| categories: | ||
| - ALL | ||
| - cloud-weak-configuration | ||
| description: Checks for expired X509 certificates. | ||
| group: cloud-weak-configuration | ||
| name: cert-expired | ||
| pretty_name: Cert Expired | ||
| ref: '{BOOSTSEC_DOC_BASE_URL}/rules/x509-cert-expired.html' | ||
| cert-expires-soon: | ||
| categories: | ||
| - ALL | ||
| - cloud-weak-configuration | ||
| description: Checks for X509 certificates that will expire in a configured number | ||
| of days. | ||
| group: cloud-weak-configuration | ||
| name: cert-expires-soon | ||
| pretty_name: Cert Expires Soon | ||
| ref: '{BOOSTSEC_DOC_BASE_URL}/rules/x509-cert-expires-soon.html' | ||
| cert-insecure-signing-algorithm: | ||
| categories: | ||
| - ALL | ||
| - cloud-weak-configuration | ||
| - boost-baseline | ||
| - boost-hardened | ||
| description: Checks for X509 certificates with insecure signing algorithms. | ||
| group: cloud-weak-configuration | ||
| name: cert-insecure-signing-algorithm | ||
| pretty_name: Cert Insecure Signing Algorithm | ||
| ref: '{BOOSTSEC_DOC_BASE_URL}/rules/x509-cert-insecure-signing-algorithm.html' | ||
| recommended: true | ||
| cert-insufficient-key-length: | ||
| categories: | ||
| - ALL | ||
| - cloud-weak-configuration | ||
| - boost-baseline | ||
| - boost-hardened | ||
| description: Checks for X509 certificates with insecure key lengths. | ||
| group: cloud-weak-configuration | ||
| name: cert-insufficient-key-length | ||
| pretty_name: Cert Insufficient Key Length | ||
| ref: '{BOOSTSEC_DOC_BASE_URL}/rules/x509-cert-insufficient-key-length.html' | ||
| recommended: true | ||
| cicd-binary-artifacts-stored-in-scm: | ||
| categories: | ||
| - ALL | ||
| - supply-chain | ||
| - supply-chain-missing-artifact-integrity-verification | ||
| - boost-baseline | ||
| - boost-hardened | ||
| description: Checks for binary / executable artifacts (ex. *.jar, *.class, *.so, | ||
| etc.) stored in the Git repository.Generally, such binary artifacts should not | ||
| be committed to Git and should be built with reproducible build system from | ||
| source. | ||
| group: supply-chain-missing-artifact-integrity-verification | ||
| name: cicd-binary-artifacts-stored-in-scm | ||
| pretty_name: CI/CD - Binary artifacts stored in SCM | ||
| ref: '{BOOSTSEC_DOC_BASE_URL}/rules/cicd-binary-artifacts-stored-in-scm.html' | ||
| recommended: true | ||
| cicd-circleci-unversioned-orb: | ||
| categories: | ||
| - ALL | ||
| - supply-chain | ||
| - supply-chain-cicd-weak-configuration | ||
| - boost-baseline | ||
| - boost-hardened | ||
| description: Checks for CircleCI workflows using unversioned Orbs. | ||
| group: supply-chain-cicd-weak-configuration | ||
| name: cicd-circleci-unversioned-orb | ||
| pretty_name: CI/CD - CircleCI Unversionned Orb | ||
| ref: '{BOOSTSEC_DOC_BASE_URL}/rules/cicd-circleci-unversioned-orb.html' | ||
| recommended: true | ||
| cicd-circleci-shell-injection: | ||
| categories: | ||
| - ALL | ||
| - supply-chain | ||
| - supply-chain-cicd-vulnerable-pipeline | ||
| - boost-baseline | ||
| - boost-hardened | ||
| description: Checks for CircleCI workflows where pipeline variables are used in shell commands. | ||
| group: supply-chain-cicd-vulnerable-pipeline | ||
| name: cicd-circleci-shell-injection | ||
| pretty_name: CI/CD - CircleCI Shell Injection | ||
| ref: '{BOOSTSEC_DOC_BASE_URL}/rules/cicd-circleci-shell-injection.html' | ||
| recommended: true | ||
| cicd-gha-unsecure-commands: | ||
| categories: | ||
| - ALL | ||
| - supply-chain | ||
| - supply-chain-cicd-weak-configuration | ||
| - supply-chain-cicd-severe-issues | ||
| - boost-baseline | ||
| - boost-hardened | ||
| description: Checks for GitHub Acton workflows that enables deprecated unsecure commands. | ||
| group: supply-chain-cicd-weak-configuration | ||
| name: cicd-gha-unsecure-commands | ||
| pretty_name: CI/CD - GitHub Action Unsecure Commands | ||
| ref: '{BOOSTSEC_DOC_BASE_URL}/rules/cicd-gha-unsecure-commands.html' | ||
| recommended: true | ||
| cicd-unpinned-dependencies: | ||
| categories: | ||
| - ALL | ||
| - supply-chain | ||
| - supply-chain-missing-artifact-integrity-verification | ||
| - boost-baseline | ||
| - boost-hardened | ||
| description: Verifies the presence of dependency management manifests (e.g., | ||
| package.json, Gemfile, pyproject.toml, Pipfile, go.mod, etc.) without an | ||
| accompanying lockfile that cryptographically pins dependencies (e.g., | ||
| package-lock.json, Gemfile.lock, poetry.lock, Pipfile.lock, go.sum). | ||
| The absence of a lockfile increases the risk of dependency drift, | ||
| potentially introducing security vulnerabilities or compatibility issues into the project. | ||
| group: supply-chain-missing-artifact-integrity-verification | ||
| name: cicd-unpinned-dependencies | ||
| pretty_name: CI/CD - Missing Lockfile resulting in unpinned dependencies | ||
| ref: '{BOOSTSEC_DOC_BASE_URL}/rules/cicd-unpinned-dependencies.html' | ||
| recommended: true | ||
| cicd-gha-workflow-dispatch-inputs: | ||
| categories: | ||
| - ALL | ||
| - supply-chain | ||
| - supply-chain-cicd-weak-configuration | ||
| - boost-baseline | ||
| - boost-hardened | ||
| description: Checks for GitHub Action workflows defines workflow_dispatch inputs. | ||
| group: supply-chain-cicd-weak-configuration | ||
| name: cicd-gha-workflow-dispatch-inputs | ||
| pretty_name: CI/CD - GitHub Action uses inputs | ||
| ref: '{BOOSTSEC_DOC_BASE_URL}/rules/cicd-gha-workflow-dispatch-inputs.html' | ||
| recommended: true | ||
| import: | ||
| - boostsecurityio/baseline | ||
| - boostsecurityio/cicd | ||
| - boostsecurityio/composition | ||
| - boostsecurityio/oss-license | ||
| - boostsecurityio/sbom-sca | ||
| - boostsecurityio/sci | ||
| - boostsecurityio/sci-sca | ||
| - boostsecurityio/supply-chain-inventory |