sul-dlss / argo

The administrative discovery interface for Stanford's Digital Object Registry
Other
21 stars 5 forks source link

2 hour spike to investigate security scanning tools #2113

Open jmartin-sul opened 4 years ago

jmartin-sul commented 4 years ago

[just in the argo repo for tracking purposes -- this is not strictly an argo issue, and applies to all our codebases]

We'd like to explore tools that check our repositories for inadvertently exposed credentials and/or other security issues.

When Sarav was working here, he and I briefly explored a couple of tools along these lines, and the most promising for credential exposure at the time seemed to be truffleHog: https://github.com/dxa4481/truffleHog

We think it might be worth a couple hours of developer time to explore that tool and maybe similar ones, as well as ways to sic them on our codebases in an automated fashion.

other tools that might be worth a look in the automated security scanning space:

GH security features landing page: https://github.com/features/security/

peetucket commented 4 years ago

I'm looking at brakeman right now as a start. Installed and ran against google-books (nothing of note, not surprising, since its a small app), and argo (found a few things, nothing jumped out as major). Definitely interesting, and pretty low overhead to run...just a gem and a single command. It ran through argo (pretty big app) in just a matter of seconds.

peetucket commented 4 years ago

Github's security scanning product (codeQL + LGTM) doesn't currently support Ruby, so may not be very useful for us.

see https://lgtm.com/help/lgtm/getting-started and https://help.semmle.com/codeql/codeql-cli/procedures/create-codeql-database.html