theredguild / DevSecOps-toolkit

Curation of DevSecOps tools that all work together inside the minimum amount of containers. Just run make exec and read the How To!
https://theredguild.org

Think of a way to avoid maintenance as much as possible #38

Open mattaereal opened 2 days ago

mattaereal commented 2 days ago

My current idea is to have the Makefile prompt you whether you want to try to pull the latest for each tool, or just the latest stable we've known worked for us.

Do you think you can do this?

I'm thinking make latest, make release-1 (for example). Although it might confuse people on differentiating our latest release versus the latest pull for each tool.

mattaereal commented 1 day ago

As per our previous conversation, I will be adding here the latest versions I've tried that work, so we can start creating a latest vs. releases that worked with our deployment.

mattaereal commented 1 day ago

Here they come! Btw, some of them can be directly downloaded from their releases, without the need to compile, should we pursue that instead of compiling? It does make sense in terms of speed, right?

  1. gitxray
     ARG T_GITXRAY=1.0.15
     RUN pipx run gitxray==1.0.15

  2. gh-repo-analyzer: since this is a script, I say we download the latest from GitHub; already added a PR to install it easier and updated.

  3. git-secrets: same, it's by awslabs, and barely updated, I doubt any breaking change will happen soon.

  4. trufflehog
     ARG T_TRUFFLEHOG=3.82.8
     https://github.com/trufflesecurity/trufflehog/releases/tag/v3.82.8
     https://github.com/trufflesecurity/trufflehog/releases/latest

  5. gitleaks
     ARG T_GITLEAKS=8.21.0
     https://github.com/gitleaks/gitleaks/releases/tag/v8.21.0
     https://github.com/gitleaks/gitleaks/releases/latest

  6. 2ms
     ARG T_2MS=3.10.0
     https://github.com/Checkmarx/2ms/releases/tag/v3.10.0
     https://github.com/Checkmarx/2ms/releases/latest

  7. detect-secrets
     ARG T_DETECT_SECRETS=1.5.0
     RUN pipx install detect-secrets==1.5.0
     https://github.com/Yelp/detect-secrets/releases/tag/v1.5.0
     https://github.com/Yelp/detect-secrets/releases/latest

  8. trivy
     ARG T_TRIVY=0.56.2
     https://github.com/aquasecurity/trivy/releases/tag/v0.56.2
     https://github.com/aquasecurity/trivy/releases/latest

  9. clair
     ARG T_CLAIR=4.8.0
     https://github.com/quay/clair/releases/tag/v4.8.0
     https://github.com/quay/clair/releases/latest

  10. snyk
      ARG T_SNYK=1.1293.1
      RUN pnpm install -g snyk@1.1293.1
      https://github.com/snyk/cli/releases/tag/v1.1293.1
      https://github.com/snyk/cli/releases/latest

  11. grype
      ARG T_GRYPE=0.82.1
      https://github.com/anchore/grype/releases/tag/v0.82.1
      https://github.com/anchore/grype/releases/latest

  12. falco
      ARG T_FALCO=0.39.1
      https://github.com/falcosecurity/falco/releases/tag/0.39.1
      https://github.com/falcosecurity/falco/latest

  13. semgrep
      ARG T_SEMGREP=1.91.0
      RUN pipx install semgrep==1.91.0
      https://github.com/semgrep/semgrep/releases/tag/v1.91.0
      https://github.com/semgrep/semgrep/releases/latest

  14. legitify
      ARG T_LEGITIFY=1.0.11
      https://github.com/Legit-Labs/legitify/releases/tag/v1.0.11
      https://github.com/Legit-Labs/legitify/releases/latest

  15. kics
      ARG T_KICS=2.1.3
      https://github.com/Checkmarx/kics/releases/tag/v2.1.3
      https://github.com/Checkmarx/kics/releases/latest

  16. checkov
      ARG T_CHECKOV=3.2.262
      RUN pipx install checkov==3.2.262
      https://github.com/bridgecrewio/checkov/releases/tag/3.2.262
      https://github.com/bridgecrewio/checkov/releases/latest

  17. scoutsuite
      ARG T_SCOUTSUITE=5.15.0
      RUN pipx install scoutsuite==5.15.0
      https://github.com/nccgroup/ScoutSuite/releases/tag/5.14.0
      https://github.com/nccgroup/ScoutSuite/releases/latest

  18. cloudsplaining
      ARG T_CLOUDSPLAINING=0.7.0
      RUN pipx install cloudsplaining==0.7.0
      https://github.com/salesforce/cloudsplaining/releases/tag/0.7.0
      https://github.com/salesforce/cloudsplaining/latest

  19. hadolint
      ARG T_HADOLINT=2.12.0
      https://github.com/hadolint/hadolint/releases/tag/v2.12.0
      https://github.com/hadolint/hadolint/releases/latest

  20. dependency-check
      ARG T_DEPCHECK=10.0.4
      https://github.com/jeremylong/DependencyCheck/releases/tag/v10.0.4
      https://github.com/jeremylong/DependencyCheck/releases/latest

  21. nodejsscan
      ARG T_NODEJSSCAN=4.8
      RUN pipx install nodejsscan==4.8
      https://github.com/ajinabraham/nodejsscan/releases/tag/v4.8
      https://github.com/ajinabraham/nodejsscan/releases/latest

  22. lavamoat: this shouldn't be installed by default!

  23. retire
      ARG T_RETIRE=5.2.4
      RUN pnpm install -g retire@5.2.4
      https://github.com/RetireJS/retire.js/releases/tag/5.2.4
      https://github.com/RetireJS/retire.js/releases/latest

mattaereal commented 1 day ago

Adding one more:

  1. dockle
     ARG T_DOCKLE=0.4.14
     https://github.com/goodwithtech/dockle/releases/tag/v0.4.14
     https://github.com/goodwithtech/dockle/releases/latest
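The two ideas in this thread (a "latest vs. known-good release" switch driven from the Makefile, and downloading prebuilt release artifacts instead of compiling) fit together as a pinned-version manifest that feeds the Dockerfile's T_* ARGs. The script below is an added example written for this issue, not code from theredguild/DevSecOps-toolkit: the TOOLS manifest layout, the function names, the image tag devsecops-toolkit and the checksum file name are assumptions. It generates the --build-arg flags for either mode, and it adds the check that downloading release binaries makes necessary: verifying the tarball against the project's published SHA-256 checksum list before it is unpacked, since a pinned version alone still trusts whatever the release URL happens to serve.

```shell
#!/bin/sh
# Added example for this issue; not code from theredguild/DevSecOps-toolkit.
# Assumed for illustration: the TOOLS manifest format, the function names
# and the image tag "devsecops-toolkit".
set -u

# Constructed manifest (tool, Dockerfile ARG, pinned version) with three
# entries taken from the list above. In the repo this would be its own file.
TOOLS='trivy T_TRIVY 0.56.2
gitleaks T_GITLEAKS 8.21.0
grype T_GRYPE 0.82.1'

# build_args MODE
#   release -> one --build-arg per tool carrying the pinned version
#   latest  -> the same ARGs set to "latest", for a Dockerfile that resolves
#              it against the project's /releases/latest URL
build_args() {
  mode=$1
  printf '%s\n' "$TOOLS" | while read -r name arg ver; do
    [ -n "$name" ] || continue
    if [ "$mode" = latest ]; then
      ver=latest
    fi
    printf '%s %s=%s\n' --build-arg "$arg" "$ver"
  done
}

# build_cmd MODE: prints the docker build invocation (dry run, not executed).
build_cmd() {
  printf 'docker build %s-t devsecops-toolkit:%s .\n' \
    "$(build_args "$1" | tr '\n' ' ')" "$1"
}

# sha256_of FILE: hex digest, using whichever tool the host provides.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{ print $1 }'
  else
    shasum -a 256 "$1" | awk '{ print $1 }'
  fi
}

# verify_checksum ARTIFACT SUMS_FILE
# Returns 0 only if SUMS_FILE (the "<hex>  <filename>" list most projects
# attach to a GitHub release; a leading "*" marks binary mode) has an entry
# for ARTIFACT's basename and the digest matches. Run it on the downloaded
# tarball in the RUN step before extracting it.
verify_checksum() {
  artifact=$1
  sums=$2
  want=$(awk -v f="$(basename "$artifact")" \
    '{ sub(/^\*/, "", $2) } $2 == f { print $1; exit }' "$sums")
  if [ -z "$want" ]; then
    echo "verify_checksum: no entry for $(basename "$artifact") in $sums" >&2
    return 1
  fi
  have=$(sha256_of "$artifact")
  if [ "$have" != "$want" ]; then
    echo "verify_checksum: digest mismatch for $artifact" >&2
    return 1
  fi
  return 0
}

# Usage: sh versions.sh release   (or: sh versions.sh latest)
if [ "$#" -gt 0 ]; then
  build_cmd "$1"
fi
```

A `make release` target would call `build_cmd release` and `make latest` would call `build_cmd latest`; only the release path is reproducible, because the latest path resolves the version at build time. The checksum check is the piece worth keeping regardless of mode: fetch the project's checksums file next to the tarball and refuse to extract on a mismatch or a missing entry.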