Docker makefile for a collection of static code analysis tools packaged together
- semgrep
- If this container needs to be brought to a non-internet connected box, you'll need the rules list downloaded and brought into the container in order to specify the rules location (normally it will pull from the internet). That can be found here
- graudit
- Ripgrep
- OWASP Dependency Check
- Go, Java, JS, JSON, Python, Ruby, TS, JSX, TSX
- Alpha: OCaml, PHP, C, YAML
- actionscript, android, asp, c, cobol, dotnet, exec, fruit, go, ios, java, js, perl, php, python, nim, ruby, secrets, spsqli, sql, strings, xss
- Java
- Really, all... Ripgrep provides dummy fast grepping through huge codebases, I use this every time for source code review.
- copy install.sh
- chmod +x install.sh
- ./install.sh
or
- git clone https://github.com/Fibbot/dockerCodeAudit.git
- mkdir -p scan/repos
- mkdir scan/results
- docker build -t staticaudit .
Throw the source files to be scanned into the scan/repos folder
docker run -v ${PWD}/scan:/scan --rm -i -t staticaudit bash
This drops you into /scan, throw any results into /scan/results to keep the results around on the host.
Inside the /scan folder you can run sg languageName eg. sg python in the directory of the source code and that will run semgrep with WARNING severity with all rules particular to that language then output json results to the /scan/results folder (how I use it most often)
Graudit is symlinked to be run with graudit with $GRDIR at the signatures folder and $RES for the /scan/results folder, so you could run something like graudit -d $GRDIR/python.db repos/ >> $RES/grauditResults.txt
DependencyCheck is symlinked with depcheck.
sg:semgrep --config=r/\$1 . --severity WARNING -o /scan/results/semgrepOutput.json --json$RES:/scan/results$GRDIR:/tools/graudit/signaturesgraudit:/bin/grauditdepcheck:/tools/dependency-check/bin/dependency-check.sh