ShiftLeftSecurity / sast-scan

Scan is a free & Open Source DevSecOps tool for performing static analysis based security testing of your applications and its dependencies. CI and Git friendly.
https://discord.gg/DCNxzaeUpd
Apache License 2.0
804 stars 111 forks

scan-slim 'gitleaks' not found #302

Closed xortim closed 3 years ago

xortim commented 3 years ago

I noticed that when using the scan-slim container, gitleaks doesn't appear to be installed.

[19:01:22] INFO     Scanning /app using plugins ['credscan', 'terraform', 'yaml']
           DEBUG    ⚡︎ Executing credscan "gitleaks --config-path=/usr/local/src/lib/../credscan-config.toml --path=/app --leaks-exit-code=0 --no-git --report=/app/reports/credscan-report.json"
           DEBUG    [Errno 2] No such file or directory: 'gitleaks'

Is this expected?

prabhu commented 3 years ago

Hi @xortim, that is correct, scan-slim doesn't include many tools. This is the dockerfile used: https://github.com/ShiftLeftSecurity/sast-scan/blob/master/ci/Dockerfile-dynamic-lang

prabhu commented 3 years ago

@xortim gitleaks is now included in the scan-slim image. Could you kindly give it a try and let me know if it works for you?

xortim commented 3 years ago

Yup! Gitleaks works now, thank you!

xortim commented 3 years ago

Only one suggestion. The Terraform lockfile is picked up by gitleaks due to the high entropy. Perhaps adjust the default configuration to allow this and other common lockfiles.
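
The behaviour described in the comment above, as an added example that is not code from the sast-scan project, from gitleaks, or from this thread: pinned hashes in lockfiles such as `.terraform.lock.hcl` are long, high-entropy strings, so an entropy-based secret detector flags them unless the file path is allowlisted. The script below implements a minimal entropy scan with a path allowlist and runs it over constructed sample files. The lockfile names, the regex list, the 4.0 bits/char threshold and the sample contents are all assumptions made for this example; the real gitleaks config has its own rules and thresholds.

```python
import math
import re
from collections import Counter
from typing import Dict, List

# Path patterns for lockfiles whose pinned hashes trip entropy-based secret
# detection. Constructed for this example; they are not the sast-scan defaults.
LOCKFILE_ALLOWLIST: List[str] = [
    r"(^|/)\.terraform\.lock\.hcl$",
    r"(^|/)package-lock\.json$",
    r"(^|/)yarn\.lock$",
    r"(^|/)Pipfile\.lock$",
    r"(^|/)poetry\.lock$",
    r"(^|/)Gemfile\.lock$",
    r"(^|/)composer\.lock$",
    r"(^|/)go\.sum$",
]

# Entropy threshold in bits per character, chosen for this example only.
ENTROPY_THRESHOLD = 4.0


def shannon_entropy(text: str) -> float:
    """Shannon entropy of a string in bits per character (0.0 for empty input)."""
    if not text:
        return 0.0
    counts = Counter(text)
    length = len(text)
    return -sum((c / length) * math.log2(c / length) for c in counts.values())


def is_allowlisted(path: str, patterns: List[str] = LOCKFILE_ALLOWLIST) -> bool:
    """True when the path matches any allowlist regex (unanchored search)."""
    return any(re.search(p, path) for p in patterns)


def high_entropy_tokens(line: str, threshold: float = ENTROPY_THRESHOLD,
                        min_len: int = 20) -> List[str]:
    """Return base64/hex-like tokens of at least min_len chars above the threshold."""
    tokens = re.findall(r"[A-Za-z0-9+/=_:-]{%d,}" % min_len, line)
    return [t for t in tokens if shannon_entropy(t) > threshold]


def scan(files: Dict[str, str], allowlist: List[str] = LOCKFILE_ALLOWLIST) -> List[dict]:
    """Scan in-memory files; allowlisted paths are skipped entirely, as gitleaks does."""
    findings = []
    for path, content in files.items():
        if is_allowlisted(path, allowlist):
            continue
        for lineno, line in enumerate(content.splitlines(), start=1):
            for token in high_entropy_tokens(line):
                findings.append({
                    "file": path,
                    "line": lineno,
                    "match": token,
                    "entropy": round(shannon_entropy(token), 2),
                })
    return findings


# Constructed sample repository: hashes and token values below are made up.
SAMPLE_FILES: Dict[str, str] = {
    ".terraform.lock.hcl": (
        'provider "registry.terraform.io/hashicorp/aws" {\n'
        '  version = "4.0.0"\n'
        '  hashes = [\n'
        '    "h1:Qo0bXzY1Lm9kPjR2nWv8cT5sHd7aE3fG6iJ4uK1xB2c=",\n'
        '    "zh:1f2e3d4c5b6a79788796a5b4c3d2e1f0a9b8c7d6e5f4a3b2c1d0e9f8a7b6c5d4",\n'
        '  ]\n'
        '}\n'
    ),
    "package-lock.json": '"integrity": "sha512-U2Fsd4a3NmVkX19zZ2V0dGluZ3MtZm9yLWV4YW1wbGUtb25seS1kYXRh=="',
    "app/settings.py": 'API_TOKEN = "c0nStRuCtEd-x7Q9pL2mZ8vW4nK1hJ6rT3yB5dF0gA"  # constructed placeholder',
    "README.md": "This file only has ordinary prose and no secrets.",
}


if __name__ == "__main__":
    print("without allowlist:")
    for f in scan(SAMPLE_FILES, allowlist=[]):
        print(f"  {f['file']}:{f['line']} entropy={f['entropy']} {f['match'][:24]}...")
    print("with lockfile allowlist:")
    for f in scan(SAMPLE_FILES):
        print(f"  {f['file']}:{f['line']} entropy={f['entropy']} {f['match'][:24]}...")
```

Run without an allowlist, the lockfile's `h1:` hash is reported alongside the genuine-looking token in `app/settings.py`; with the allowlist, only the latter remains. In gitleaks' TOML, the equivalent of `LOCKFILE_ALLOWLIST` would be entries under the `[allowlist]` table's `paths` list in the file that `--config-path` points at (key name assumed here for the gitleaks version the image ships); allowlisting by path rather than lowering the entropy threshold keeps detection sensitivity for the rest of the tree.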

xortim commented 3 years ago

I took a stab at it here #305

prabhu commented 3 years ago

Great PR! Thanks @xortim!