Bash · C · C++ · Clojure · Dart · Dockerfile · Elixir · HTML · Julia · Jsonnet · Lisp ·
快速开始
# Install https://github.com/returntocorp/semgrep#option-1-getting-started-from-the-clibrewinstallsemgrep# Go to your repo code and scancdreposemgrepscan--configauto
# Run the paltform in dockerdockerrun-d--namesonarqube-eSONAR_ES_BOOTSTRAP_CHECKS_DISABLE=true-p9000:9000sonarqube:latest# Install cli toolbrewinstallsonar-scanner# Go to localhost:9000 and login with admin:admin or admin:sonar# Generate a local project and then a TOKEN for it# Using the token and from the folder with the repo, scan itcdpath/to/reposonar-scanner \-Dsonar.projectKey=<project-name> \-Dsonar.sources=. \-Dsonar.host.url=http://localhost:9000 \-Dsonar.token=<sonar_project_token>
CodeQL
CodeQL有一个可安装的免费版本,但根据许可证,您只能在开源项目中使用免费的CodeQL版本。
安装
# Download your release from https://github.com/github/codeql-action/releases## Examplewgethttps://github.com/github/codeql-action/releases/download/codeql-bundle-v2.14.3/codeql-bundle-osx64.tar.gz# Move it to the destination foldermkdir~/codeqlmvcodeql-bundle*~/codeql# Decompress itcd~/codeqltar-xzvfcodeql-bundle-*.tar.gzrmcodeql-bundle-*.tar.gz# Add to pathecho'export PATH="$PATH:/Users/username/codeql/codeql"'>>~/.zshrc# Check it's correctly installed## Open a new terminalcodeqlresolveqlpacks#Get paths to QL packs
快速入门 - 准备数据库
你需要做的第一件事是准备数据库(创建代码树),以便稍后对其运行查询。
您可以允许 codeql 自动识别存储库的语言并创建数据库
codeqldatabasecreate<database>--language<language># Examplecodeqldatabasecreate/path/repo/codeql_db--source-root/path/repo## DB will be created in /path/repo/codeql_db
codeqldatabasecreate<database>--language<language>--source-root</path/to/repo># Examplecodeqldatabasecreate/path/repo/codeql_db--languagejavascript--source-root/path/repo## DB will be created in /path/repo/codeql_db
如果您的存储库使用多于1种语言,您还可以为每种语言创建1个数据库来指示每种语言。
export GITHUB_TOKEN=ghp_32849y23hij4...codeqldatabasecreate<database>--source-root/path/to/repo--db-cluster--language"javascript,python"# Exampleexport GITHUB_TOKEN=ghp_32849y23hij4...codeqldatabasecreate/path/repo/codeql_db--source-root/path/to/repo--db-cluster--language"javascript,python"## DBs will be created in /path/repo/codeql_db/*
export GITHUB_TOKEN=ghp_32849y23hij4...codeqldatabasecreate<database>--db-cluster--source-root</path/to/repo># Exampleexport GITHUB_TOKEN=ghp_32849y23hij4...codeqldatabasecreate/tmp/codeql_db--db-cluster--source-root/path/repo## DBs will be created in /path/repo/codeql_db/*
快速开始 - 分析代码
现在终于是分析代码的时候了
请记住,如果您使用了多种语言,每种语言一个数据库 将会在您指定的路径中创建。
# Default analysiscodeqldatabaseanalyze<database>--format=<format>--output=</out/file/path># Examplecodeqldatabaseanalyze/tmp/codeql_db/javascript--format=sarif-latest--output=/tmp/graphql_results.sarif# Specify QL pack to use in the analysiscodeqldatabaseanalyze<database> \<qls pack>--sarif-category=<language> \--sarif-add-baseline-file-info \ --format=<format> \--output=/out/file/path># Examplecodeqldatabaseanalyze/tmp/codeql_db \javascript-security-extended --sarif-category=javascript \--sarif-add-baseline-file-info --format=sarif-latest \--output=/tmp/sec-extended.sarif
快速开始 - 脚本化
export GITHUB_TOKEN=ghp_32849y23hij4...export REPO_PATH=/path/to/repoexport OUTPUT_DIR_PATH="$REPO_PATH/codeql_results"mkdir-p"$OUTPUT_DIR_PATH"export FINAL_MSG="Results available in: "echo"Creating DB"codeqldatabasecreate"$REPO_PATH/codeql_db"--db-cluster--source-root"$REPO_PATH"for db in`ls "$REPO_PATH/codeql_db"`; doecho"Analyzing $db"codeqldatabaseanalyze"$REPO_PATH/codeql_db/$db"--format=sarif-latest--output="${OUTPUT_DIR_PATH}/$db).sarif"FINAL_MSG="$FINAL_MSG ${OUTPUT_DIR_PATH}/$db.sarif ,"echo""doneecho $FINAL_MSG
# Installsudonpminstall-gsnyk# Authenticate (you can use a free account)snykauth# Test for open source vulns & license issuessnyktest [--all-projects]# Test for code vulnerabilities## This will upload your code and you need to enable this option in: Settings > Snyk Codesnyktestcode# Test for vulns in imagessnykcontainertest [image]# Test for IaC vulnssnykiactest
# Check the correct release for your environment$wgethttps://github.com/insidersec/insider/releases/download/2.1.0/insider_2.1.0_linux_x86_64.tar.gz$tar-xfinsider_2.1.0_linux_x86_64.tar.gz$chmod+xinsider$./insider--techjavascript--target<projectfolder>