CLI/CI Tool for Automating Vulnerability Management for Enhancing Software Supply Chain Security Measures.

We are continuously adding the features listed below.

Future goals:
- Visualize code call flow (call graph, context, AST, CFG, PDG, etc.) as graph diagrams using the code property graph concept and the neo4j graph database. Also show the dependency graph built from static and run-time data collected by profiling tools and Falco, along with vulnerabilities, plus historical data obtained by mapping historical changes in the code flow and packages. Something like Graph Buddy and Context Buddy as IDE plug-ins.
- Another visualization shows the graph flow of all the dependencies in the application, containers, k8s manifests, etc., with all the changes that happen when scsctl is used for automation.
- Integration with deps.dev API to create graph view of the dependencies.
- Integration with Qualys, Nessus, Rapid 7, DeepFactor, etc.
- Productivity and User Experience - Previous & Updated Vulnerability detail views, Display of asset selection rules to view vulnerability details per service/node/cluster/namespace/pod/etc. and also overall view, etc.
- Risk-based Posture Management - Risk Configuration + Risk Customizations, EPSS factor in risk calculation, etc.
- Manage Vulnerabilities and Assets - Filter vulnerabilities by asset & vulnerability tags, export vulnerability data in csv or directly generate graphs using clickhouse/cassandra as datasource, Linking of Teams to Apps/Environments/Platforms/Clusters/Vulnerabilities/etc., multi-selection for varieties of filters to visualize the data in different charts, etc.
- Build features mentioned in these CycloneDX based reports:
  - CycloneDX BOM server
  - CDXGen
  - CycloneDX Python lib for programmatic use
  - CycloneDX Web Tool
  - SBOM-Utility API platform
  - eBay SBOM scorecard
  - Agentless Vuln. Scanner - Vuls
  - Generate VEX (Vulnerability Exploitability Exchange) CycloneDX documents
  - openSSF Scorecard API
  - Same as the Tally project with openSSF scorecard
  - SBOM dependency graph diagram similar to a call graph diagram
  - Transform SBOM contents into Markdown
  - Scan K8s with Syft - SBOM Operator
  - GitHub Action / Tekton CI steps to show differences in SBOMs
  - SBOM publish, verify & share - this is a perfect example of how we want to build certain features
Before starting, make sure you have the following installed and configured:

ClickHouse (optional) - If you want to save the data collected by scsctl for historical analysis, make sure ClickHouse is up and running and that you have the ClickHouse server URL and the database details. If you don't want to save the data, you can skip this step.

If you want to save the data, set the following environment variables (the database name will be scsctl):

- CLICKHOUSE_HOST - The host/URL of the ClickHouse server
- CLICKHOUSE_USER - The username for the ClickHouse server
- CLICKHOUSE_PASSWORD - The password for the ClickHouse server
- CLICKHOUSE_PORT - The port of the ClickHouse server

In CI, supply CLICKHOUSE_PASSWORD from the runner's secret store (for example a GitHub Actions secret) rather than committing it to the repository or writing it into the config file; scsctl reads it from the environment, so it never has to appear on the command line.

To run the scsctl command from a source checkout without building the wheel file, use python app.py in place of scsctl.

scsctl has the following commands:
scan - This command scans the docker image and generates the reports. The --falco_pod_name and --falco_target_deployment_name options provide the Falco runtime data and are used together with the --falco_enabled switch; --docker_file_folder_path points at the folder containing the Dockerfile of the image being scanned. For pipelines, add --non_interactive so the scan cannot block waiting for a prompt (see the CI example below).

scsctl scan --pyroscope_app_name <pyroscope_app_name> --docker_image_name <docker_image_name> --pyroscope_url <pyroscope_url> --docker_file_folder_path <docker_file_folder_path> --falco_pod_name <falco_pod_name> --falco_target_deployment_name <app> --falco_enabled

Example:

scsctl scan --pyroscope_app_name dagflow-api --docker_image_name dagflow-app-with-db-url:latest --pyroscope_url http://localhost:4040 --docker_file_folder_path /home/jegath/Documents/intelops/sps/dagflow/app/ --falco_pod_name falco-mvnmt --falco_target_deployment_name app --falco_enabled

There is also an option to pass a yaml config file instead of individual flags. Note that the yaml form also carries db_enabled, which turns on the ClickHouse persistence configured through the CLICKHOUSE_* environment variables above:

scsctl scan --config_file ./test.yaml

Sample yaml file:
pyroscope_app_name: dagflow-api
docker_image_name: dagflow-app-with-db-url:latest
pyroscope_url: http://localhost:4040
falco_pod_name: falco-mvnmt
falco_target_deployment_name: app
db_enabled: true
falco_enabled: true
docker_file_folder_path: /home/jegath/Documents/intelops/sps/dagflow/app/
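The settings above exist in two forms (flags and a yaml file) and the ClickHouse part lives in environment variables, so a misconfigured pipeline typically fails only after the image has been pulled and the scan has started. The following pre-flight script is an added example, not scsctl's own code: it validates a config against the rules stated on this page (required Pyroscope settings, falco_* names when falco_enabled is set, CLICKHOUSE_* variables when db_enabled is set), renders the flat yaml that `scsctl scan --config_file` reads, and builds the equivalent `scsctl scan` argv from the flags shown above. The yaml keys and CLI flags are the ones documented on this page; the function names, the mutable-tag warning and the sample values are this example's own assumptions, and scsctl itself is only invoked as a subprocess.

```python
"""Pre-flight validation for an scsctl scan (added example; not part of scsctl)."""
import os
import subprocess
from urllib.parse import urlparse

# Environment variables listed on this page for optional ClickHouse persistence.
CLICKHOUSE_VARS = ("CLICKHOUSE_HOST", "CLICKHOUSE_USER",
                   "CLICKHOUSE_PASSWORD", "CLICKHOUSE_PORT")

# Config keys that appear as `--<key> <value>` in the scan command on this page.
VALUE_FLAGS = ("pyroscope_app_name", "docker_image_name", "pyroscope_url",
               "docker_file_folder_path", "falco_pod_name",
               "falco_target_deployment_name")
# Keys that appear as bare switches. db_enabled is only shown in the yaml form
# on this page, so it is deliberately not mapped onto a flag here (assumption).
SWITCH_FLAGS = ("falco_enabled", "non_interactive")


def missing_clickhouse_vars(env):
    """Return the CLICKHOUSE_* variables that are unset or empty in `env`."""
    return [name for name in CLICKHOUSE_VARS if not env.get(name)]


def is_pinned_image(ref):
    """True only for digest references; tags such as :latest are mutable."""
    return "@sha256:" in ref


def validate_config(cfg, env):
    """Return a list of problems; an empty list means the scan may proceed."""
    problems = []
    for key in ("pyroscope_app_name", "docker_image_name", "pyroscope_url"):
        if not cfg.get(key):
            problems.append(f"{key} is required")
    url = urlparse(str(cfg.get("pyroscope_url", "")))
    if url.scheme not in ("http", "https") or not url.netloc:
        problems.append("pyroscope_url must be an http(s) URL")
    if cfg.get("falco_enabled"):
        for key in ("falco_pod_name", "falco_target_deployment_name"):
            if not cfg.get(key):
                problems.append(f"{key} is required when falco_enabled is true")
    if cfg.get("db_enabled"):
        for name in missing_clickhouse_vars(env):
            problems.append(f"{name} must be set when db_enabled is true")
    return problems


def render_config_yaml(cfg):
    """Render the flat `key: value` file shown in the sample yaml above."""
    lines = []
    for key, value in cfg.items():
        if isinstance(value, bool):
            value = "true" if value else "false"
        lines.append(f"{key}: {value}")
    return "\n".join(lines) + "\n"


def build_scan_argv(cfg):
    """Build `scsctl scan ...` using only the flags shown on this page."""
    argv = ["scsctl", "scan"]
    for key in VALUE_FLAGS:
        if cfg.get(key):
            argv += [f"--{key}", str(cfg[key])]
    for key in SWITCH_FLAGS:
        if cfg.get(key):
            argv.append(f"--{key}")
    return argv


def run_scan(cfg, env=None):
    """Validate, then run the scan; raises before invoking scsctl on a bad config."""
    env = os.environ if env is None else env
    problems = validate_config(cfg, env)
    if problems:
        raise ValueError("refusing to scan: " + "; ".join(problems))
    if not is_pinned_image(cfg["docker_image_name"]):
        print(f"warning: {cfg['docker_image_name']} is a mutable tag; "
              "prefer an @sha256 digest so the scanned image is reproducible")
    # Secrets stay in the environment; nothing sensitive goes on the command line.
    return subprocess.run(build_scan_argv(cfg), env=dict(env), check=True).returncode


# Constructed sample mirroring the yaml above; the env values are placeholders.
SAMPLE_CONFIG = {
    "pyroscope_app_name": "dagflow-api",
    "docker_image_name": "dagflow-app-with-db-url:latest",
    "pyroscope_url": "http://localhost:4040",
    "falco_pod_name": "falco-mvnmt",
    "falco_target_deployment_name": "app",
    "db_enabled": True,
    "falco_enabled": True,
    "docker_file_folder_path": "/home/jegath/Documents/intelops/sps/dagflow/app/",
}
SAMPLE_ENV = {name: "placeholder" for name in CLICKHOUSE_VARS}

if __name__ == "__main__":
    print(render_config_yaml(SAMPLE_CONFIG))
    print(" ".join(build_scan_argv(SAMPLE_CONFIG)))
    print("problems:", validate_config(SAMPLE_CONFIG, SAMPLE_ENV))
```

Run it as a step before `scsctl scan` in the pipeline; dropping CLICKHOUSE_PASSWORD from the environment while db_enabled is true is reported as a problem before any scan starts, and the image reference from the sample yaml triggers the mutable-tag warning because it ends in :latest rather than a digest.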
To run scsctl in a CI/CD environment, add a job that installs the tool and runs scsctl scan with --non_interactive so the scan cannot stall waiting for input.

Example (GitHub Actions workflow):

name: scsctl_test
on:
  push:
    branches: [ main ]
jobs:
  container-test-job:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Pull pyroscope/pyroscope:latest image
        run: docker pull pyroscope/pyroscope:latest
      - name: Install scsctl from PyPI
        run: |
          python -m pip install --upgrade pip
          python -m pip install --upgrade build
          python -m pip install scsctl
      - name: Run scsctl scan
        run: |
          scsctl scan --pyroscope_app_name pyroscope.server --docker_image_name pyroscope/pyroscope:latest --pyroscope_url https://369d-111-92-44-131.ngrok-free.app --non_interactive

For a real pipeline, pin actions/checkout to a commit SHA and install a specific release (python -m pip install scsctl==<version>) instead of whatever is latest on PyPI, and prefer an image digest over the :latest tag so that the scanned image is the one you expect. If db_enabled persistence is used, set the CLICKHOUSE_* variables from repository secrets in the job's env. The ngrok URL in the example is a temporary tunnel used for testing and must be replaced with the Pyroscope server address reachable from your runner.