@SJRM78
Last active January 24, 2023 15:22
Scripts to run OWASP Dependency check, Trivy config and vulnerabilities check, and ClamAV antivirus check

Security checks scripts

These scripts can be used to run some security checks on code, using tools such as OWASP Dependency Check, Trivy, Sonarqube and others.

The scripts use Docker images for these tools, so it is easier to keep them updated.

You can put these scripts in a folder in your PATH, so you can run them easily.

Update script

  • update-checks

This script will pull the latest Docker images for Dependency Check, Trivy, Sonarqube and the other tools used in the scripts. It will also update the databases for Trivy and ClamAV.

It is useful to run this script once a day.

Dependency check

  • dependency-check

This script takes one parameter: the name of the project to be scanned (this is the title that will appear in the report).

It will run Dependency Check against the package-lock.json file in the current folder.

Trivy image check

  • trivy-check-img

This script takes one parameter: the name of the Docker image to be scanned.

It will scan the specified image for CRITICAL, HIGH, MEDIUM and LOW OS (operating system) package vulnerabilities, ignoring vulnerabilities for which no fixed version is available yet.

There are two other Trivy scripts:
trivy-check-fs checks the package-lock.json file for vulnerabilities (similar to dependency-check).
trivy-check-conf checks for configuration problems (for example in a Dockerfile).
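
The Trivy scripts above print one table per severity and never fail the shell, so they cannot gate a pipeline on their own. The following added example (not part of the gist) reads a Trivy JSON report (`trivy fs -f json` or `trivy image -f json`) and applies the same two filters the scripts pass on the command line, a severity threshold and `--ignore-unfixed`, to produce a pass/fail exit status. The report embedded in the block is constructed in the shape of Trivy's output; its CVE ids, package names and versions are placeholders, not real findings.

```python
import json
import sys

# Trivy severity levels, lowest to highest; UNKNOWN is treated as the lowest.
SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample in the shape of `trivy fs -f json` output; the CVE ids,
# package names and versions are placeholders, not real scan results.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "Results": [
        {
            "Target": "package-lock.json",
            "Type": "npm",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0001", "PkgName": "example-a",
                 "InstalledVersion": "1.0.0", "FixedVersion": "1.0.1",
                 "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-0000-0002", "PkgName": "example-b",
                 "InstalledVersion": "2.3.0", "FixedVersion": "",
                 "Severity": "CRITICAL"},
                {"VulnerabilityID": "CVE-0000-0003", "PkgName": "example-c",
                 "InstalledVersion": "0.9.0", "FixedVersion": "0.9.2",
                 "Severity": "LOW"},
            ],
        },
        # A target with no findings has no "Vulnerabilities" key at all.
        {"Target": "Dockerfile", "Type": "dockerfile"},
    ],
})


def select_findings(report_json, min_severity="HIGH", ignore_unfixed=True):
    """Return the findings a gate should act on.

    Mirrors the two filters the gist's Trivy scripts use: --severity (here
    everything at or above min_severity, instead of one level per run) and
    --ignore-unfixed (drop findings that have no FixedVersion yet).
    """
    report = json.loads(report_json)
    threshold = SEVERITY_RANK[min_severity.upper()]
    selected = []
    for result in report.get("Results", []):
        # "Vulnerabilities" may be absent or null for a clean target.
        for vuln in result.get("Vulnerabilities") or []:
            severity = str(vuln.get("Severity", "UNKNOWN")).upper()
            if SEVERITY_RANK.get(severity, 0) < threshold:
                continue
            if ignore_unfixed and not vuln.get("FixedVersion"):
                continue
            selected.append({
                "target": result.get("Target", ""),
                "id": vuln.get("VulnerabilityID", ""),
                "pkg": vuln.get("PkgName", ""),
                "installed": vuln.get("InstalledVersion", ""),
                "fixed": vuln.get("FixedVersion", ""),
                "severity": severity,
            })
    # Highest severity first so the table reads top-down by urgency.
    selected.sort(key=lambda f: SEVERITY_RANK[f["severity"]], reverse=True)
    return selected


def gate(report_json, min_severity="HIGH", ignore_unfixed=True):
    """Exit status for a pipeline step: 0 when nothing is selected, 1 otherwise."""
    return 1 if select_findings(report_json, min_severity, ignore_unfixed) else 0


def format_table(findings):
    """Plain-text table, one row per selected finding."""
    row = "%-9s %-16s %-18s %-10s %-10s %s"
    lines = [row % ("SEVERITY", "ID", "PACKAGE", "INSTALLED", "FIXED", "TARGET")]
    for f in findings:
        lines.append(row % (f["severity"], f["id"], f["pkg"],
                            f["installed"], f["fixed"], f["target"]))
    return "\n".join(lines)


if __name__ == "__main__":
    # usage: python trivy_gate.py [report.json] [MIN_SEVERITY]
    # Without a file argument the constructed sample report is used.
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    minimum = sys.argv[2] if len(sys.argv) > 2 else "HIGH"
    print(format_table(select_findings(data, minimum)))
    sys.exit(gate(data, minimum))
```

With the sample report and the default HIGH threshold only CVE-0000-0001 is selected: the CRITICAL finding has no fixed version and is dropped the same way `--ignore-unfixed` drops it, and the LOW one is below the threshold. Pass `ignore_unfixed=False` if unfixed findings should still block the build.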

Sonarqube

  • sonar-server
  • sonar-check

These scripts let you run a local Sonarqube server and run and review Sonar checks against it.

Sonarqube Server

The sonar-server script will run the local Sonar server. It is started with a restart-always policy, so you only have to run it once.

Once the server is running for the first time, you have to configure it by logging into

Sonarqube cli

The sonar-check script will run the Sonar checks against your current folder. You will be able to see the results in the local Sonarqube server.

You must update the script by setting the SONAR_LOGIN variable to the access token you generated in the local Sonarqube server.

You must have a sonar-project.properties file in the folder to be reviewed. You can use the sample file provided as a guide.

Others

Detect secrets

  • detect-secrets
  • detect-secrets-all

Detect secrets

This script will check for secrets in the current commit.

Detect secrets all

This script will check for secrets in the current folder.
It will also check inside node_modules, so be careful.

ClamAV antivirus

  • virus-check

This script will check the current folder for viruses using the ClamAV antivirus.
The antivirus database is also updated by the update-checks script.

#!/bin/bash
# dependency-check: run OWASP Dependency Check against package-lock.json in the current folder.
DEPCHECK_VERSION="latest"
DEPCHECK_PROJECT=$1
if [ -z "$DEPCHECK_PROJECT" ]; then
  echo "usage: dependency-check <project name>" >&2
  exit 1
fi
clear
echo "Dependency check start : $(date)"
echo "Analyzing folder: $(pwd)"
echo "running analysis"
echo
# Run as the calling user so the HTML report written to /src is not owned by root;
# the named volume keeps the downloaded vulnerability data between runs.
docker run --rm \
  -e user="$USER" \
  -u "$(id -u "$USER"):$(id -g "$USER")" \
  --volume "$(pwd)":/src:z \
  --mount type=volume,source=dependency-check-data,target=/usr/share/dependency-check/data \
  --mount type=tmpfs,target=/log \
  owasp/dependency-check:$DEPCHECK_VERSION \
  --format "HTML" \
  --project "$DEPCHECK_PROJECT" \
  --scan package-lock.json \
  --out /src \
  --log /log
echo
echo "Dependency check end : $(date)"

#!/bin/bash
# Scan every file in the current folder for secrets (--all-files: not only git-tracked
# files, so node_modules is included too).
clear
echo "Detect secrets start : $(date)"
echo "Analyzing folder: $(pwd)"
echo "running detect secrets"
echo
docker run \
  -it --rm \
  --volume "$(pwd)":/code:z \
  icr.io/git-defenders/detect-secrets:latest \
  scan --all-files
echo
echo "Detect secrets end : $(date)"

#!/bin/bash
# Interactively audit the findings recorded in .secrets.baseline, marking each one
# as a real secret or a false positive (the decision is stored in the baseline).
clear
echo "Detect secrets audit start : $(date)"
echo "Analyzing folder: $(pwd)"
echo "running detect secrets audit"
echo
docker run \
  -it --rm \
  --volume "$(pwd)":/code:z \
  icr.io/git-defenders/detect-secrets:latest \
  audit \
  .secrets.baseline
echo
echo "Detect secrets audit end : $(date)"

#!/bin/bash
# Create or refresh .secrets.baseline for the current folder; new findings are added
# and previous audit decisions are kept.
clear
echo "Detect secrets baseline start : $(date)"
echo "Analyzing folder: $(pwd)"
echo "running detect secrets baseline"
echo
docker run \
  -it --rm \
  --volume "$(pwd)":/code:z \
  icr.io/git-defenders/detect-secrets:latest \
  scan \
  --update .secrets.baseline
echo
echo "Detect secrets baseline end : $(date)"
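
The two scripts above produce a `.secrets.baseline` and record audit decisions in it, but nothing reads those decisions back. The following added example (not part of the gist) triages a baseline into confirmed, dismissed and not-yet-audited findings and returns an exit status a pipeline can act on. The baseline embedded in the block is constructed in the shape of a detect-secrets 1.x baseline; its file names, line numbers and hashed values are placeholders.

```python
import json
import sys

# Constructed sample in the shape of a detect-secrets 1.x `.secrets.baseline`;
# file names, line numbers and hashed secrets are placeholders.
SAMPLE_BASELINE = json.dumps({
    "version": "1.4.0",
    "plugins_used": [{"name": "KeywordDetector"},
                     {"name": "HexHighEntropyString", "limit": 3.0}],
    "filters_used": [{"path": "detect_secrets.filters.heuristic.is_potential_uuid"}],
    "results": {
        "src/config.js": [
            # audited and confirmed as a real secret
            {"type": "Secret Keyword", "filename": "src/config.js",
             "hashed_secret": "a" * 40, "is_verified": False,
             "line_number": 12, "is_secret": True},
            # audited and dismissed as a false positive
            {"type": "Secret Keyword", "filename": "src/config.js",
             "hashed_secret": "b" * 40, "is_verified": False,
             "line_number": 40, "is_secret": False},
        ],
        "test/fixtures.js": [
            # not audited yet: no "is_secret" key
            {"type": "Hex High Entropy String", "filename": "test/fixtures.js",
             "hashed_secret": "c" * 40, "is_verified": False,
             "line_number": 3},
        ],
    },
    "generated_at": "2023-01-24T15:22:00Z",
})


def triage(baseline_json):
    """Split baseline entries by audit state.

    `detect-secrets audit` stores its decision in each entry as "is_secret":
    true (confirmed) or false (dismissed); an entry without the key has not
    been audited. Returns {"confirmed", "dismissed", "unaudited"} lists of
    (filename, line_number, type) tuples, sorted by file and line.
    """
    baseline = json.loads(baseline_json)
    buckets = {"confirmed": [], "dismissed": [], "unaudited": []}
    for filename, entries in baseline.get("results", {}).items():
        for entry in entries:
            item = (filename, entry.get("line_number"), entry.get("type"))
            state = entry.get("is_secret")
            if state is True:
                buckets["confirmed"].append(item)
            elif state is False:
                buckets["dismissed"].append(item)
            else:
                buckets["unaudited"].append(item)
    for bucket in buckets.values():
        bucket.sort(key=lambda t: (t[0], t[1] or 0))
    return buckets


def gate(baseline_json, fail_on_unaudited=True):
    """0 when the baseline is clean; 1 when it holds confirmed secrets or,
    by default, findings nobody has audited yet."""
    result = triage(baseline_json)
    if result["confirmed"]:
        return 1
    if fail_on_unaudited and result["unaudited"]:
        return 1
    return 0


if __name__ == "__main__":
    # usage: python baseline_gate.py [.secrets.baseline]
    # Without an argument the constructed sample baseline is used.
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_BASELINE
    for state, items in triage(data).items():
        print("%s: %d" % (state, len(items)))
        for filename, line, kind in items:
            print("  %s:%s  %s" % (filename, line, kind))
    sys.exit(gate(data))
```

Failing on unaudited entries is deliberate: a baseline that is regenerated with `scan --update` but never audited silently accepts every new finding, so the gate only passes once each entry carries an explicit decision and none of them is a confirmed secret.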

#!/bin/bash
# sonar-check: run sonar-scanner against the current folder and publish the results
# to the local Sonarqube server.
SONARCLI_VERSION="latest"
# Placeholder: replace with the access token generated in your local Sonarqube server.
SONAR_LOGIN="<your-sonarqube-access-token>"
clear
echo "Sonarqube check start : $(date)"
echo "Current folder: $(pwd)"
echo "running sonarqube analysis"
# host.docker.internal resolves to the host on Docker Desktop; --add-host with
# host-gateway makes the same name work on Linux engines (Docker 20.10+).
docker run \
  --rm \
  --add-host=host.docker.internal:host-gateway \
  --mount type=volume,source=sonar-cli-data,target=/opt/sonar-scanner/.sonar/cache \
  -v "$(pwd)":/usr/src \
  -e SONAR_LOGIN="$SONAR_LOGIN" \
  sonarsource/sonar-scanner-cli:$SONARCLI_VERSION \
  -Dsonar.host.url=http://host.docker.internal:9000
echo
echo "Sonarqube check end : $(date)"

# Sample sonar-project.properties (properties files use # for comments).
# The sonar-check script overrides this value with -Dsonar.host.url
sonar.host.url=http://...:9000
# As set in Sonarqube
sonar.projectName=projectName
sonar.projectKey=projectKey
sonar.language=js
sonar.sources=src
sonar.tests=src
sonar.javascript.lcov.reportPaths=coverage/lcov.info
sonar.exclusions=node_modules/
sonar.coverage.exclusions=**/*.test.js
sonar.test.inclusions=**/*.test.js

#!/bin/bash
# sonar-server: start the local Sonarqube server once; --restart=always brings it
# back after reboots, and the named volumes keep data, logs and plugins.
SONAR_VERSION="latest"
clear
echo "running sonarqube server"
docker run -itd \
  --name sonarqube \
  --restart=always \
  --mount type=volume,source=sonarqube-data,target=/opt/sonarqube/data \
  --mount type=volume,source=sonarqube-logs,target=/opt/sonarqube/logs \
  --mount type=volume,source=sonarqube-plugins,target=/opt/sonarqube/extensions \
  -e SONAR_ES_BOOTSTRAP_CHECKS_DISABLE=true \
  -p 9000:9000 \
  --stop-timeout 3600 \
  sonarqube:$SONAR_VERSION

#!/bin/bash
# trivy-check-conf: scan the current folder for configuration problems
# (Dockerfiles, compose files, Kubernetes manifests, ...).
TRIVY_VERSION="latest"
clear
echo "Trivy conf check start : $(date)"
echo "Analyzing folder: $(pwd)"
echo
# One run per severity so every table is labelled; the trivy-data volume holds
# the database downloaded by update-checks.
for SEVERITY in CRITICAL HIGH MEDIUM LOW UNKNOWN; do
  echo "running analysis $SEVERITY"
  docker run --rm \
    --volume "$(pwd)":/src:z \
    --mount type=volume,source=trivy-data,target=/root/.cache/ \
    aquasec/trivy:$TRIVY_VERSION conf \
    -f table \
    --severity "$SEVERITY" \
    --skip-dirs node_modules \
    --skip-dirs deploy/local \
    /src
  echo
done
echo "Trivy conf check end : $(date)"

#!/bin/bash
# trivy-check-fs: scan package-lock.json in the current folder for vulnerable
# dependencies; --ignore-unfixed drops findings that have no fixed version yet.
TRIVY_VERSION="latest"
clear
echo "Trivy check start : $(date)"
echo "Analyzing folder: $(pwd)"
echo
for SEVERITY in CRITICAL HIGH MEDIUM LOW UNKNOWN; do
  echo "running analysis $SEVERITY"
  docker run --rm \
    --volume "$(pwd)":/src:z \
    --mount type=volume,source=trivy-data,target=/root/.cache/ \
    aquasec/trivy:$TRIVY_VERSION fs \
    --ignore-unfixed \
    --severity "$SEVERITY" \
    /src/package-lock.json
  echo
done
echo "Trivy check end : $(date)"

#!/bin/bash
# trivy-check-img: scan a Docker image for OS package vulnerabilities.
TRIVY_VERSION="latest"
TRIVY_DOCKERIMG=$1
if [ -z "$TRIVY_DOCKERIMG" ]; then
  echo "usage: trivy-check-img <image[:tag]>" >&2
  exit 1
fi
clear
echo "Trivy image check start : $(date)"
echo "Analyzing image: $TRIVY_DOCKERIMG"
echo
# Mounting the Docker socket lets Trivy read the image from the local daemon; it
# also gives the container full control of that daemon, so keep this to a trusted
# workstation.
for SEVERITY in CRITICAL HIGH MEDIUM LOW UNKNOWN; do
  echo "running analysis $SEVERITY"
  docker run --rm \
    -v /var/run/docker.sock:/var/run/docker.sock \
    --mount type=volume,source=trivy-data,target=/root/.cache/ \
    aquasec/trivy:$TRIVY_VERSION image \
    --ignore-unfixed \
    --vuln-type os \
    --severity "$SEVERITY" \
    "$TRIVY_DOCKERIMG"
  echo
done
echo "Analyzed image: $TRIVY_DOCKERIMG"
echo "Trivy check end : $(date)"

#!/bin/bash
# update-checks: pull the latest tool images, refresh the Trivy and ClamAV databases
# and print the tool versions. Meant to run daily; no -it flags are used so it also
# works from cron or another non-interactive shell.
CLAMAV_VERSION="latest_base"
DEPCHECK_VERSION="latest"
SONARCLI_VERSION="latest"
SONAR_VERSION="latest"
TRIVY_VERSION="latest"
clear
echo "Updating checks start : $(date)"
echo "*Updating docker images"
docker pull owasp/dependency-check:$DEPCHECK_VERSION
docker pull aquasec/trivy:$TRIVY_VERSION
docker pull sonarsource/sonar-scanner-cli:$SONARCLI_VERSION
docker pull sonarqube:$SONAR_VERSION
docker pull clamav/clamav:$CLAMAV_VERSION
docker pull icr.io/git-defenders/detect-secrets:latest
docker pull icr.io/git-defenders/detect-secrets-hook:latest
echo
echo "*Updating Trivy db"
# Only download the vulnerability database into the trivy-data volume shared by the
# trivy-check-* scripts.
docker run --rm \
  --mount type=volume,source=trivy-data,target=/root/.cache/ \
  aquasec/trivy:$TRIVY_VERSION image \
  --download-db-only
echo
echo "*Updating ClamAV db"
# Run freshclam once with the daemons disabled; signatures land in the clamav-db-data
# volume used by virus-check.
docker run --rm \
  -e CLAMAV_NO_CLAMD=true \
  -e CLAMAV_NO_FRESHCLAMD=true \
  --mount type=volume,source=clamav-db-data,target=/var/lib/clamav \
  clamav/clamav:$CLAMAV_VERSION \
  freshclam
echo
echo "*Dependency check version"
docker run --rm \
  -e user="$USER" \
  -u "$(id -u "$USER"):$(id -g "$USER")" \
  --volume "$(pwd)":/src:z \
  --mount type=volume,source=dependency-check-data,target=/usr/share/dependency-check/data \
  --mount type=tmpfs,target=/log \
  owasp/dependency-check:$DEPCHECK_VERSION \
  --version
echo
echo "*Trivy version"
docker run --rm \
  --volume "$(pwd)":/src:z \
  --mount type=volume,source=trivy-data,target=/root/.cache/ \
  aquasec/trivy:$TRIVY_VERSION \
  --version
echo
echo "*Sonarqube cli version"
docker run \
  --rm \
  --mount type=volume,source=sonar-cli-data,target=/opt/sonar-scanner/.sonar/cache \
  -v "$(pwd)":/usr/src \
  sonarsource/sonar-scanner-cli:$SONARCLI_VERSION \
  --version
echo
echo "*Sonarqube local server version"
curl http://localhost:9000/api/server/version
echo
echo "*ClamAV version"
docker run --rm \
  -e CLAMAV_NO_CLAMD=true \
  -e CLAMAV_NO_FRESHCLAMD=true \
  --mount type=volume,source=clamav-db-data,target=/var/lib/clamav \
  --mount type=tmpfs,target=/var/log \
  --volume "$(pwd)":/src:z \
  clamav/clamav:$CLAMAV_VERSION \
  clamscan \
  --version
echo
echo "Updating checks end : $(date)"

#!/bin/bash
# virus-check: scan the current folder with clamscan, using the signature database
# kept in the clamav-db-data volume (refreshed by update-checks).
CLAMAV_VERSION="latest_base"
clear
echo "Antivirus check start : $(date)"
echo "Current folder: $(pwd)"
echo "running antivirus check"
docker run --rm \
  -it \
  -e CLAMAV_NO_CLAMD=true \
  -e CLAMAV_NO_FRESHCLAMD=true \
  --mount type=volume,source=clamav-db-data,target=/var/lib/clamav \
  --mount type=tmpfs,target=/var/log \
  --volume "$(pwd)":/src:z \
  clamav/clamav:$CLAMAV_VERSION \
  clamscan \
  --recursive \
  --exclude-dir=node_modules \
  /src
echo
echo "Antivirus check end : $(date)"