The security helper tool was created to help you reduce the probability of a security violation in new code, infrastructure or IAM configuration by providing a fast and easy way to conduct a preliminary security check as early as possible in your development process.
- It is not a replacement for human review or standards.
- It uses lightweight, open-source tools to keep it flexible and able to run from anywhere.
- ASH clones and runs several open-source tools, such as git-secrets, bandit, Semgrep, Grype, Syft, nbconvert, npm-audit, checkov, cdk-nag and cfn-nag. Please review each tool's LICENSE before usage.
The security helper supports the following vectors:
- Code
  - Git
    - git-secrets - finds API keys, passwords and AWS keys in the code
  - Python
  - Jupyter Notebook
    - nbconvert - converts Jupyter Notebook (ipynb) files into Python executables, which are then scanned with Bandit.
  - JavaScript; NodeJS
  - Go
  - Bash
    - Semgrep - finds common security issues in Bash code.
  - C#
    - Semgrep - finds common security issues in C# code.
  - Java
  - Git
- Infrastructure
To start using ash, please make sure to install and configure the following:
- Install Docker. You can refer to this installation guide.
```bash
# Clone the repo
git clone URL/Automated-Security-Helper /DESTINATION/DIR
# Add the repo path to your shell PATH for easier access
export PATH=$PATH:/DESTINATION/DIR
# Execute the helper tool
ash
# Get help
ash -h
# Scan a directory
ash --source-dir /my/remote/files
# Save the final report to a different directory
ash --output-dir /my/remote/files
# Force a rebuild of the entire framework to obtain the latest changes and an up-to-date database
ash --force
# Force a scan of Python code only
ash --source-dir . --ext py
```
* All commands can be used together.
```
NAME:
    ash
SYNOPSIS:
    ash [OPTIONS] --source-dir /path/to/dir --output-dir /path/to/dir
OPTIONS:
    -v | --version         Prints version number.
    -p | --preserve-report Add a timestamp to the final report file to avoid overwriting it after multiple executions.
    -f | --finch           Use finch instead of docker to run the containerized tools.
    --source-dir           Path to the directory containing the code/files you wish to scan. Defaults to $(pwd).
    --output-dir           Path to the directory that will contain the report of the scans. Defaults to $(pwd).
    --ext | -extension     Force a file extension to scan. Defaults to identifying files automatically.
    --force                Rebuild the Docker images of the scanning tools, to make sure the software is up to date.
    -q | --quiet           Don't print verbose text about the build process.
```
Q: How do I run `ash` on a Windows machine?

A: To run ASH on a Windows machine:
- Install the Windows Subsystem for Linux (WSL) with an Ubuntu distribution. Be sure to use WSL 2.
- Install Docker Desktop for Windows and enable its WSL integration.
- Clone this git repository.
- Execute the helper tool from the Ubuntu WSL shell, in the folder cloned in the previous step.
Q: How do I run `ash` with finch or another OCI-compatible tool?

A: You can choose the OCI-compatible tool to use by setting the environment variable `ASH_OCI_RUNNER`. For example, to use `finch` as the default container runner, set this value with:

```bash
export ASH_OCI_RUNNER=finch
```
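The following wrapper script is an added example and not part of ASH; it combines the command-line options listed above with the `ASH_OCI_RUNNER` runtime selection just described, and assumes `ash` is on your PATH as set up in the clone step and that the option names match the usage section. It picks a container runtime before the scan starts so a CI job fails fast when neither docker nor finch is installed.

```shell
#!/usr/bin/env bash
# Example wrapper around the ash CLI from this README (added here, not ASH code).
# Assumes `ash` is on PATH and that ASH_OCI_RUNNER selects the container runtime.

# Resolve the container runtime: honour ASH_OCI_RUNNER if already set, otherwise
# prefer docker and fall back to finch. Returns 1 if none is available, so the
# caller can stop before ash starts building images.
select_runner() {
  if [ -n "${ASH_OCI_RUNNER:-}" ]; then
    printf '%s\n' "$ASH_OCI_RUNNER"
  elif command -v docker >/dev/null 2>&1; then
    printf 'docker\n'
  elif command -v finch >/dev/null 2>&1; then
    printf 'finch\n'
  else
    echo "no docker or finch found; set ASH_OCI_RUNNER" >&2
    return 1
  fi
}

# Compose the ash arguments for scanning SRC and writing the report to OUT.
# --preserve-report timestamps each report so repeated runs keep earlier ones;
# EXT (optional) limits the scan to one file extension; FORCE=1 rebuilds the
# tool images so their vulnerability databases are current.
build_ash_args() {
  src="$1"; out="$2"; ext="${3:-}"; force="${4:-0}"
  args="--source-dir $src --output-dir $out --preserve-report --quiet"
  if [ -n "$ext" ]; then args="$args --ext $ext"; fi
  if [ "$force" = "1" ]; then args="$args --force"; fi
  printf '%s\n' "$args"
}

# Validate the directories, pick the runtime, then run the scan.
run_scan() {
  src="${1:-$(pwd)}"; out="${2:-$(pwd)}"
  [ -d "$src" ] || { echo "source dir $src does not exist" >&2; return 1; }
  mkdir -p "$out"
  runner="$(select_runner)" || return 1
  # Word splitting of the argument string is intended here.
  ASH_OCI_RUNNER="$runner" ash $(build_ash_args "$src" "$out" "${3:-}" "${4:-0}")
}

# Usage (runs only when explicitly requested, e.g. from a CI step):
#   ASH_WRAPPER_RUN=1 ./ash_scan.sh /my/repo /my/reports py 1
if [ "${ASH_WRAPPER_RUN:-0}" = "1" ]; then run_scan "$@"; fi
```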
See CONTRIBUTING for more information.
This library is licensed under the Apache 2.0 License. See the LICENSE file.