2 hour spike to investigate security scanning tools

[jmartin-sul]

[just in the argo repo for tracking purposes -- this is not strictly an argo issue, and applies to all our codebases]

We'd like to explore tools that check our repositories for inadvertently exposed credentials and/or other security issues.

When Sarav was working here, he and I briefly explored a couple of tools along these lines, and the most promising for credential exposure at the time seemed to be truffleHog: https://github.com/dxa4481/truffleHog

We think it might be worth a couple hours of developer time to explore that tool and maybe similar ones, as well as ways to sic them on our codebases in an automated fashion.

other tools that might be worth a look in the automated security scanning space:

• Brakeman -- Ruby on Rails static analysis security tool -- https://brakemanscanner.org/
• Github security and secret scanning (currently in semi-open beta?) -- marketing-ish copy: "Code scanning integrates the powerful semantic analysis capabilities of CodeQL into your developer workflow. With code scanning enabled, every git push is scanned for new security concerns and the results are displayed directly in your pull request diffs. We've partnered with researchers in the GitHub Security Lab to develop queries that protect you from common coding mistakes like buffer overruns, untrusted data deserialization, and many other OWASP top 10 vulnerabilities. In additional, you can develop your own custom queries, and all our default queries are open source." -- https://github.com/features/security/advanced-security/signup
  • probably requires opting the organization in, would be good to read the relevant Terms of Service first: https://help.github.com/articles/github-pre-release-program
• use CodeQL itself (what GH security scanning uses for its semantic analysis) -- https://securitylab.github.com/tools/codeql

GH security features landing page: https://github.com/features/security/

[peetucket]

I'm looking at brakeman right now as a start. Installed and ran against google-books (nothing of note, not surprising, since its a small app), and argo (found a few things, nothing jumped out as major). Definitely interesting, and pretty low overhead to run...just a gem and a single command. It ran through argo (pretty big app) in just a matter of seconds.

[peetucket]

Github's security scanning product (codeQL + LGTM) doesn't currently support Ruby, so may not be very useful for us.

see https://lgtm.com/help/lgtm/getting-started and https://help.semmle.com/codeql/codeql-cli/procedures/create-codeql-database.html