GitPlanet

Cheap and reliable Node.js hosting starts at $3/month, and $1/month static HTML hosting

Created with love in Canada, visit hostnodejs.com today

Feel like to post an Ad? Learn Details
All Projects → xfhg → intercept

xfhg / intercept

Licence: GPL-3.0 license
INTERCEPT / Policy as Code Static Analysis Auditing / SAST

Programming Languages

go
31211 projects - #10 most used programming language
Makefile
30231 projects

Labels

securityauditingscannerstatic-analysisauditpolicycompliancepolicy-evaluationenforcementpolicy-enginedevsecopspolicy-monitoringsastpolicy-as-code

Projects that are alternatives of or similar to intercept

Tfsec
Security scanner for your Terraform code
Stars: ✭ 3,622 (+6607.41%)
Mutual labels:  scanner, static-analysis, compliance, devsecops
Checkov
Prevent cloud misconfigurations during build-time for Terraform, Cloudformation, Kubernetes, Serverless framework and other infrastructure-as-code-languages with Checkov by Bridgecrew.
Stars: ✭ 3,572 (+6514.81%)
Mutual labels:  static-analysis, compliance, devsecops, policy-as-code
Terraform Security Scan
Run a security scan on your terraform with the very nice https://github.com/liamg/tfsec
Stars: ✭ 64 (+18.52%)
Mutual labels:  scanner, static-analysis, compliance
Nodejsscan
nodejsscan is a static security code scanner for Node.js applications.
Stars: ✭ 1,874 (+3370.37%)
Mutual labels:  static-analysis, devsecops, sast
Windows Secure Host Baseline
Configuration guidance for implementing the Windows 10 and Windows Server 2016 DoD Secure Host Baseline settings. #nsacyber
Stars: ✭ 1,288 (+2285.19%)
Mutual labels:  auditing, audit, compliance
policy-server
Webhook server that evaluates WebAssembly policies to validate Kubernetes requests
Stars: ✭ 111 (+105.56%)
Mutual labels:  policy, policy-as-code
dep-scan
Fully open-source security audit for project dependencies based on known vulnerabilities and advisories. Supports both local repos and container images. Integrates with various CI environments such as Azure Pipelines, CircleCI and Google CloudBuild. No server required!
Stars: ✭ 346 (+540.74%)
Mutual labels:  compliance, devsecops
lunasec
LunaSec - Dependency Security Scanner that automatically notifies you about vulnerabilities like Log4Shell or node-ipc in your Pull Requests and Builds. Protect yourself in 30 seconds with the LunaTrace GitHub App: https://github.com/marketplace/lunatrace-by-lunasec/
Stars: ✭ 1,261 (+2235.19%)
Mutual labels:  compliance, devsecops
nmap-formatter
A tool that allows you to convert NMAP results to html, csv, json, markdown, graphviz (dot). Simply put it's nmap converter.
Stars: ✭ 129 (+138.89%)
Mutual labels:  scanner, devsecops
Information Security Tasks
This repository is created only for infosec professionals whom work day to day basis to equip ourself with uptodate skillset, We can daily contribute daily one hour for day to day tasks and work on problem statements daily, Please contribute by providing problem statements and solutions
Stars: ✭ 108 (+100%)
Mutual labels:  auditing, compliance
rode
Rode facilitates Automated Governance in your software supply chain. This repository contains the rode API which is the primary interface between the rode UI or rode Collectors and metadata storage in Grafeas. The rode API provides functions for metadata search and storage as well as policy creation and evaluation.
Stars: ✭ 48 (-11.11%)
Mutual labels:  policy-evaluation, policy-as-code
prancer-compliance-test
This repository includes cloud security policies for IaC and live resources.
Stars: ✭ 32 (-40.74%)
Mutual labels:  policy, devsecops
prowler
Prowler is an Open Source Security tool for AWS, Azure and GCP to perform Cloud Security best practices assessments, audits, incident response, compliance, continuous monitoring, hardening and forensics readiness. It contains hundreds of controls covering CIS, PCI-DSS, ISO27001, GDPR, HIPAA, FFIEC, SOC2, AWS FTR, ENS and custom security frameworks.
Stars: ✭ 8,046 (+14800%)
Mutual labels:  compliance, devsecops
Laravel Auditing
Record the change log from models in Laravel
Stars: ✭ 2,210 (+3992.59%)
Mutual labels:  auditing, audit
cis benchmarks audit
Simple command line tool to check for compliance against CIS Benchmarks
Stars: ✭ 182 (+237.04%)
Mutual labels:  audit, compliance
Maplesyrup
Assesses CPU security of embedded devices. #nsacyber
Stars: ✭ 121 (+124.07%)
Mutual labels:  auditing, audit
audit
A common audit framework for java application
Stars: ✭ 28 (-48.15%)
Mutual labels:  auditing, audit
chimera-admission
A Kubernetes dynamic admission controller that uses WebAssembly policies to validate incoming requests
Stars: ✭ 25 (-53.7%)
Mutual labels:  policy, policy-as-code
polscan
Zero-setup SSH-based scanner with extensive visualizations for Debian server inventory, policy compliance and vulnerabilities
Stars: ✭ 57 (+5.56%)
Mutual labels:  auditing, scanner
awesome-policy-as-code
A curated list of policy-as-code resources like blogs, videos, and tools to practice on for learning Policy-as-Code.
Stars: ✭ 121 (+124.07%)
Mutual labels:  devsecops, policy-as-code
View All Similar Projects ➔

INTERCEPT

Stupidly easy to use, small footprint Policy as Code subsecond command-line scanner that leverages the power of the fastest multi-line search tool to scan your codebase. It can be used as a linter, guard rail control or simple data collector and inspector. Consider it a cross-platform weaponized ripgrep.


Go

GitHub release (latest by date) GitHub Release Date GitHub last commit GitHub commits since latest release (by date)

GitHub code size in bytes GitHub go.mod Go version GitHub issues GitHub pull requests


Features

  • Policy as Code
  • Fine-grained regex policies
  • Multiple enforcement levels
  • Static Analysis, no daemons
  • Low footprint, self-updatable binary
  • Easy to integrate on any CI/CD Pipeline
  • Declarative form policies / reduced complexity
  • No custom policy language

Policy as Code

Policy as code is the idea of writing code to manage and automate policies. By representing policies as code in YAML files, proven software development best practices can be adopted such as version control, automated testing, and automated deployment.

How it works

  • intercept CLI binary
  • policies YAML file

Intercept merges environment flags, policies YAML and optional exceptions YAML to generate a global config. It recursively scans a target path for policy breaches against your code and generates a human-readable detailed output of the findings.


Example Output


Use cases

  • Reduced complexity Hashicorp Sentinel drop-in alternative. Policies are just regular expressions, does not use a custom policy language.

  • Do you find Open Policy Agent rego files too much sugar for your pipeline?

  • Captures the patterns from git-secrets and trufflehog and can prevent sensitive information to run through your pipeline. (trufflehog regex)

  • Identifies policy breach (file path and line numbers), reports solutions/suggestions to its findings making it a great tool to ease onboarding developer teams to your unified deployment pipeline.

  • Can enforce style-guides, coding-standards, best practices and also report on suboptimal configurations.

  • Can collect patterns or high entropy data and output it in multiple formats.

  • Anything you can crunch on a regular expression can be actioned on.

Latest Release

# Standard package (intercept + ripgrep) for individual platforms
-- core-intercept-rg-*.zip

# Cross Platform Full package (intercept + ripgrep)
-- x-intercept.zip

# Build package to build on all platforms (Development)
-- setup-buildpack.zip

# Package of the latest compatible release of ripgrep (doesn't include intercept)
-- i-ripgrep-*.zip

Quick Start

Start by downloading intercept for your platform

--- Darwin
curl -fSL https://github.com/xfhg/intercept/releases/latest/download/intercept-darwin_amd64 -o intercept


--- Linux
curl -fSL https://github.com/xfhg/intercept/releases/latest/download/intercept-linux_amd64 -o intercept


--- Windows
curl -fSL https://github.com/xfhg/intercept/releases/latest/download/intercept-windows_amd64 -o intercept.exe

Let's grab some quick examples to scan

curl -fSLO https://github.com/xfhg/intercept/releases/latest/download/_examples.zip

Now we have our intercept binary ready plus an examples/ folder to play around.

Before we start looking in detail on policy files these are the types of policies available :

- scan : where we enforce breaking rules on matched patterns
- collect : where we just collect matched patterns

On our example intend to :

  • scan if private keys are present on infra code (rule id 1)

    • we want this policy to be fatal (fatal:true) and accept no exceptions (enforcement:true)
    • setting environment: all guaranteed this policy will be enforced on all environments

  • scan if modules are being sourced from its compliant source and not locally or from git (rule id 5)

    • we want this policy to be fatal (fatal:true) only when the environment is PROD (environment:prod)
    • this policy can accept local exceptions (enforcement:false)

  • collect instances of terraform resources detected outside of the module usage

Take a quick glance of what a policy file with 2 scan rules and 1 collect rule : (examples/policy/simple.yaml) (some text redacted for clarity) :

# This banner is shown on the start of the scanning report,
# use it to point out important documentation/warnings/contacts
Banner: |

| Banner text here, drop documentation link or quick instructions on how to react to the report

Rules:
# This is the main policy block, all rules will be part of this array

  # This is a rule structure block
  # Each rule can have one or more patterns (regex)
  # The rule is triggered by any of the patterns listed
  #
  # Essential settings :

  # id : ( must be unique )
  # type : ( scan | collect )
  # fatal : ( true | false )
  # enforcement : ( true | false )
  # environment : ( all | anystring)

  # All other settings are free TEXT to complement your final report
  - name: Private key committed in code
    id: 1
    description: Private key committed to code version control
    solution:
    error: This violation immediately blocks your code deployment
    type: scan
    enforcement: true
    environment: all
    fatal: true
    patterns:
      - \s*(-----BEGIN PRIVATE KEY-----)
      - \s*(-----BEGIN RSA PRIVATE KEY-----)
      - \s*(-----BEGIN DSA PRIVATE KEY-----)
      - \s*(-----BEGIN EC PRIVATE KEY-----)
      - \s*(-----BEGIN OPENSSH PRIVATE KEY-----)
      - \s*(-----BEGIN PGP PRIVATE KEY BLOCK-----)

  # Another scan rule
  - name: Compliant module source
    id: 5
    description: Modules should not be sourced locally nor from git
    error: This breach blocks your deployment on production environments
    type: scan
    solution:
    environment: prod
    fatal: true
    enforcement: false
    patterns:
      - source\s*.*\.git"
      - \s+source\s*=\s*"((?!https\:).)

  # A different type of policy rule that just collects findings matched with the patterns listed
  - name: Collect sparse TF resources outside of modules.
    description: The following resources were detected outside of compliant module usage
    type: collect
    patterns:
      - (resource)\s*"(.*)"

# These are the messages displayed at the end of the report
# Clean for no finds
# Warning for at least one non-fatal find
# Critical for at least one fatal find
ExitCritical: "Critical irregularities found in your code"
ExitWarning: "Irregularities found in your code"
ExitClean: "Clean report"

Scan a target repository

Let's take a real-world example and verify how the development teams are using our compliant terraform modules

On the folder examples/ we will scan the imaginary infra repo that contains terraform code at examples/target/

Integrity validation step: Before start

The following command will update your binary and its core tools to the latest version

intercept system --setup --update

1. Add the config file to intercept

intercept config -a examples/policy/simple.yaml

# you can also download config from remote endpoints

intercept config -a https://raw.githubusercontent.com/xfhg/intercept/master/examples/policy/simple.yaml

intercept will always create a config.yaml from the imported configuration files, at the moment it does not support merging of the same type of items


| INTERCEPT
|
| Policy file : config.yaml
|
| Config file updated

You can reset the config file with :

intercept config -r

2. Run the scan against target/ directory

This is the simplest call of audit:

intercept audit -t examples/target/

# you can merge the previous step with the audit by calling :

intercept audit -c examples/policy/simple.yaml -t examples/target/

Exiting with just a warning...

Adding prod as environment variable:

intercept audit -t examples/target/target/ -e prod

Notice the fatal exception and the exit code 1

3. Add more policies (examples/policy/complex.yaml)

Looks great so far... let's validate that networking resources are not being hardcoded and also intercept any module deployment with suboptimal configuration parameters.

  • scan if any SUBNET or VPC ids are being hardcoded instead of captured via data lookups (rule id 7)

    • we want this policy to be fatal (fatal:true) immediately on DEV environment (environment:dev)
    • accept no exceptions (enforcement:true)

  • scan if modules are being set up with suboptimal configuration parameters. (rule id 8)

    • we just want this policy to be a notice warning with fixing recommendation

Example patterns on file (some text redacted for clarity) :

- name: Hardcoded ids on code or variables
  id: 7
  description:
  solution:
  error:
  fatal: true
  environment: dev
  enforcement: true
  type: scan
  patterns:
    - (subnet_ids\s*=\s*\[\s*"\$\{v)
    - (subnet_ids\s*=\s*\[\s*"[s])
    - (subnet_ids\s*=\s*=\s*"\$\{v)
    - (subnet_id\s*=\s*"\s*[s])
    - (subnet_id\s*=\s*"\s*\$\{v)
    ...redacted for clarity

- name: Sub-optimal parameter on Module/Resource
  id: 8
  description:
  solution:
  environment:
  error:
  type: scan
  fatal: false
  patterns:
    - \s+healthcheck_target\s*=\s*"22"
    - \s+healthcheck_target\s*=\s*"3389"
    - \s+protocol\s*=\s*"-1"
    - \s+from_port\s*=\s*"-1"
    - \s+to_port\s*=\s*"-1"
    - ("0\.0\.0\.0)

Recompile the config file :

intercept config -a examples/policy/complex.yaml

Let's pretend to run the audit on DEV environment and check the differences on the report :

intercept audit -t examples/target/ -e dev

Redacted report:

4. Add local exceptions (examples/exception/local_exception.yaml)

Use case : If you parse the config file from a global location and need local (per repo/per CI/CD job) exceptions you can add a local YAML file and merge it to the main config.

We will try to have an exception on policy rule id 5 (accepts exceptions) and policy rule id 7 (doesn't accept exceptions)

Exceptions:
  - 5
  - 7

ExceptionMessage: "THIS RULE CHECK IS DEACTIVATED BY A LOCAL EXCEPTION REQUEST"
intercept config -a examples/exception/local_exception.yaml

Both files are merged and you can run the audit with the new exceptions in place

intercept audit -t examples/target/ -e dev

Redacted report:

As you can notice rule 5 activated the exception but rule 7 just ignore it and returned a FATAL breach.

5. Enforcing no exceptions flag

By activating the No Exceptions flag (-x) all the exceptions will be ignored.

intercept audit -t examples/target/ -e prod -x

6. Policy File Explained

policy/policy_rules.yaml

Banner: |

  MULTI LINE TXT

ExitCritical: CRITICAL_ERROR_EXIT_TEXT
ExitWarning: WARNING_EXIT_TEXT
ExitClean: CLEAN_EXIT_TEXT

Rules:
  # SCAN TYPE

  - id: 1

    name: NAME_TEXT
    description: DESCRIPTION_TEXT
    solution: SOLUTION_TEXT
    error: ERROR_TEXT
    type: scan
    fatal: BOOL
    environment: TXT
    enforcement: BOOL
    patterns:
      - regex_1
      - regex_2
      - regex_3

  # COLLECT TYPE

  - name: NAME_TEXT
    description: DESCRIPTION_TEXT
    type: collect
    patterns:
      - regex_4
      - regex_5

policy/policy_exceptions.yaml

Exceptions:
  - RULE_ID
  - RULE_ID

ExceptionMessage: TXT_MESSAGE

Policy Enforcement Levels

Enforcement levels are a first class concept in allowing pass/fail behavior to be associated separately from the policy logic. This enables any policy to be a warning, allow exceptions, or be absolutely mandatory. These levels can be coupled to environments, different uses of the same policy can have different enforcement levels per environment.

You can set three enforcement levels:

  • Advisory: The policy is allowed to fail. However, a warning will be shown to the user or logged.
  - fatal: false
  - enforcement: false
  - environment : (all | optional)
  • Soft Mandatory: The policy must pass unless an exception is specified. The purpose of this level is to provide a level of privilege separation for a behavior. Additionally, the exception provides non-repudiation since at least the primary actor was explicitly overriding a failed policy.
  - fatal: true
  - enforcement: false
  - environment : (all | optional)
  • Hard Mandatory: The policy must pass no matter what. The only way to override a hard mandatory policy is to explicitly remove the policy. It should be used in situations where an exception is not possible.
  - fatal: true
  - enforcement: true
  - environment : (all | optional)

Used in production

INTERCEPT was created to lint thousands of infra PRs and deployments a day with minor human intervention, the first MVP been running for more than a year saving countless hours of human debug/review time. Keep in mind INTERCEPT is not and does not pretend to be a security tool. It's easy to circumvent a regex pattern once you know it, but the main objective of this tool is to pro-actively help the developers fix their code and assist with style/rule suggestions to keep the codebase clean and avoid trivial support requests from the uneducated crowd.

Inspired by

Standing on the shoulders of giants

Why ripgrep ? Why is it fast?

  • It is built on top of Rust's regex engine. Rust's regex engine uses finite automata, SIMD and aggressive literal optimizations to make searching very fast. (PCRE2 support) Rust's regex library maintains performance with full Unicode support by building UTF-8 decoding directly into its deterministic finite automaton engine.

  • It supports searching with either memory maps or by searching incrementally with an intermediate buffer. The former is better for single files and the latter is better for large directories. ripgrep chooses the best searching strategy for you automatically.

  • Applies ignore patterns in .gitignore files using a RegexSet. That means a single file path can be matched against multiple glob patterns simultaneously.

  • It uses a lock-free parallel recursive directory iterator

Benchmark ripgrep

Tool Command Line count Time
ripgrep (Unicode) rg -n -w '[A-Z]+_SUSPEND' 450 0.106s
git grep LC_ALL=C git grep -E -n -w '[A-Z]+_SUSPEND' 450 0.553s
The Silver Searcher ag -w '[A-Z]+_SUSPEND' 450 0.589s
git grep (Unicode) LC_ALL=en_US.UTF-8 git grep -E -n -w '[A-Z]+_SUSPEND' 450 2.266s
sift sift --git -n -w '[A-Z]+_SUSPEND' 450 3.505s
ack ack -w '[A-Z]+_SUSPEND' 1878 6.823s
The Platinum Searcher pt -w -e '[A-Z]+_SUSPEND' 450 14.208s

Tools Reference


Tests

Test Suite runs with venom

venom run tests/suite.yml

Vulnerabilities

Scanned with Sonatype Nancy

make nancy
┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ Summary                       ┃
┣━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━┫
┃ Audited Dependencies    ┃ 62  ┃
┣━━━━━━━━━━━━━━━━━━━━━━━━━╋━━━━━┫
┃ Vulnerable Dependencies ┃ 0   ┃
┗━━━━━━━━━━━━━━━━━━━━━━━━━┻━━━━━┛

from Sonatype OSS Index

Latest Changes:

  • complimentary JSON output

TODO

  • Complete the test suite

  • POST results (in JSON or YAML) to a configurable webhook or notification stream


PLAYGROUND

Full examples and functionality ready to mess around with :

Open in Gitpod

make setup-dev
make out-linux
cd release
./interceptl config -a ../examples/policy/simple.yaml
./interceptl audit -t ../examples/target
Note that the project description data, including the texts, logos, images, and/or trademarks, for each open source project belongs to its rightful owner. If you wish to add or remove any projects, please contact us at [email protected].