Open mattaereal opened 2 days ago
As per our previous conversation, I will be adding here the latest versions I've tried that work, so we can start tracking latest vs. the releases that worked with our deployment.
Here they come! Btw, some of them can be directly downloaded from their releases, without the need to compile. Should we pursue that instead of compiling? It does make sense in terms of speed, right?
gitxray:
ARG T_GITXRAY=1.0.15
RUN pipx run gitxray==1.0.15
gh-repo-analyzer: since this is a script, I say we download the latest from GitHub. I already added a PR to make it easier to install and updated it.
git-secrets: same. It's by awslabs and barely updated; I doubt any breaking change will happen soon.
trufflehog
ARG T_TRUFFLEHOG=3.82.8
https://github.com/trufflesecurity/trufflehog/releases/tag/v3.82.8
https://github.com/trufflesecurity/trufflehog/releases/latest
gitleaks
ARG T_GITLEAKS=8.21.0
https://github.com/gitleaks/gitleaks/releases/tag/v8.21.0
https://github.com/gitleaks/gitleaks/releases/latest
2ms
ARG T_2MS=3.10.0
https://github.com/Checkmarx/2ms/releases/tag/v3.10.0
https://github.com/Checkmarx/2ms/releases/latest
detect-secrets
ARG T_DETECT_SECRETS=1.5.0
RUN pipx install detect-secrets==1.5.0
https://github.com/Yelp/detect-secrets/releases/tag/v1.5.0
https://github.com/Yelp/detect-secrets/releases/latest
trivy
ARG T_TRIVY=0.56.2
https://github.com/aquasecurity/trivy/releases/tag/v0.56.2
https://github.com/aquasecurity/trivy/releases/latest
clair
ARG T_CLAIR=4.8.0
https://github.com/quay/clair/releases/tag/v4.8.0
https://github.com/quay/clair/releases/latest
snyk
ARG T_SNYK=1.1293.1
RUN pnpm install -g snyk@1.1293.1
https://github.com/snyk/cli/releases/tag/v1.1293.1
https://github.com/snyk/cli/releases/latest
grype
ARG T_GRYPE=0.82.1
https://github.com/anchore/grype/releases/tag/v0.82.1
https://github.com/anchore/grype/releases/latest
falco
ARG T_FALCO=0.39.1
https://github.com/falcosecurity/falco/releases/tag/0.39.1
https://github.com/falcosecurity/falco/latest
semgrep
ARG T_SEMGREP=1.91.0
RUN pipx install semgrep==1.91.0
https://github.com/semgrep/semgrep/releases/tag/v1.91.0
https://github.com/semgrep/semgrep/releases/latest
legitify
ARG T_LEGITIFY=1.0.11
https://github.com/Legit-Labs/legitify/releases/tag/v1.0.11
https://github.com/Legit-Labs/legitify/releases/latest
kics
ARG T_KICS=2.1.3
https://github.com/Checkmarx/kics/releases/tag/v2.1.3
https://github.com/Checkmarx/kics/releases/latest
checkov
ARG T_CHECKOV=3.2.262
RUN pipx install checkov==3.2.262
https://github.com/bridgecrewio/checkov/releases/tag/3.2.262
https://github.com/bridgecrewio/checkov/releases/latest
scoutsuite
ARG T_SCOUTSUITE=5.15.0
RUN pipx install scoutsuite==5.15.0
https://github.com/nccgroup/ScoutSuite/releases/tag/5.14.0
https://github.com/nccgroup/ScoutSuite/releases/latest
cloudsplaining
ARG T_CLOUDSPLAINING=0.7.0
RUN pipx install cloudsplaining==0.7.0
https://github.com/salesforce/cloudsplaining/releases/tag/0.7.0
https://github.com/salesforce/cloudsplaining/latest
hadolint
ARG T_HADOLINT=2.12.0
https://github.com/hadolint/hadolint/releases/tag/v2.12.0
https://github.com/hadolint/hadolint/releases/latest
dependency-check
ARG T_DEPCHECK=10.0.4
https://github.com/jeremylong/DependencyCheck/releases/tag/v10.0.4
https://github.com/jeremylong/DependencyCheck/releases/latest
nodejsscan
ARG T_NODEJSSCAN=4.8
RUN pipx install nodejsscan==4.8
https://github.com/ajinabraham/nodejsscan/releases/tag/v4.8
https://github.com/ajinabraham/nodejsscan/releases/latest
lavamoat: this shouldn't be installed by default!
retire
ARG T_RETIRE=5.2.4
RUN pnpm install -g retire@5.2.4
https://github.com/RetireJS/retire.js/releases/tag/5.2.4
https://github.com/RetireJS/retire.js/releases/latest
Adding one more:
My current idea is to have the Makefile prompt you whether you want to try to pull the latest for each tool, or just the latest stable version we know worked for us.
Do you think you can do this?
I'm thinking "make latest", "make release-1" (for example). Although it might confuse people when differentiating between our latest release and the latest pull for each tool.
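An added example, not from the issue above or from any of the tools it lists: the two pieces a "pinned vs. latest" release-download flow needs once prebuilt binaries are fetched instead of compiled. First, tags are not uniform (trivy tags "v0.56.2", falco tags "0.39.1"), so the tag has to be normalised before it can be spliced into an asset name. Second, a downloaded asset should be checked against the project's published checksums file before it is installed, so that at least the binary is the one the maintainers released; the same check works whether the version came from a pinned build arg like T_TRIVY or from a "latest" lookup. The tool name, asset name, checksums file and tampered copy below are constructed fixtures, and latest_tag is only defined, not called, because it needs network access and jq.

```shell
#!/bin/sh
# Added example (not from the issue or the listed projects).
# 1. normalise release tags, since some projects use "v0.56.2" and others "0.39.1";
# 2. verify a downloaded release asset against the published checksums file.
# Tool/asset names and the fixture are illustrative, constructed for this example.

set -eu

# Drop a leading "v" so "v0.56.2" and "0.39.1" both yield a bare version string.
strip_v() {
  printf '%s\n' "${1#v}"
}

# Newest release tag for OWNER/REPO via the GitHub REST API.
# Needs network access and jq, so the fixture below does not call it.
latest_tag() {
  curl -fsSL "https://api.github.com/repos/$1/releases/latest" | jq -r '.tag_name'
}

# Print the digest recorded for asset $2 in checksums file $1.
# Expects lines of "<sha256>  <filename>", the format most Go-based
# projects publish as *_checksums.txt next to their release assets.
expected_sha256() {
  awk -v asset="$2" '$2 == asset { print $1; exit }' "$1"
}

# sha256 of file $1; sha256sum on Linux, shasum on macOS.
file_sha256() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{ print $1 }'
  else
    shasum -a 256 "$1" | awk '{ print $1 }'
  fi
}

# Return 0 if asset $2 matches the digest listed for its filename in
# checksums file $1; return 1 if the digest differs or the asset is unlisted.
verify_asset() {
  want=$(expected_sha256 "$1" "$(basename "$2")")
  if [ -z "$want" ]; then
    echo "no checksum entry for $(basename "$2")" >&2
    return 1
  fi
  [ "$(file_sha256 "$2")" = "$want" ]
}

# Constructed fixture standing in for a downloaded release: a genuine asset,
# a tampered copy with the same filename, and a checksums file for the genuine one.
FIXTURE=$(mktemp -d)
trap 'rm -rf "$FIXTURE"' EXIT
ASSET="tool_1.2.3_Linux-64bit.tar.gz"
mkdir -p "$FIXTURE/bad"
printf 'pretend this is a release tarball\n' > "$FIXTURE/$ASSET"
cp "$FIXTURE/$ASSET" "$FIXTURE/bad/$ASSET"
printf 'one extra byte\n' >> "$FIXTURE/bad/$ASSET"
printf '%s  %s\n' "$(file_sha256 "$FIXTURE/$ASSET")" "$ASSET" > "$FIXTURE/checksums.txt"

# Usage: the pinned version comes from a build arg (hypothetical T_TOOL),
# defaulting to the known-good tag; a "make latest" target would set it
# from latest_tag instead.
T_TOOL="${T_TOOL:-v1.2.3}"
echo "pinned version: $(strip_v "$T_TOOL")"
if verify_asset "$FIXTURE/checksums.txt" "$FIXTURE/$ASSET"; then
  echo "genuine asset: checksum OK"
fi
if ! verify_asset "$FIXTURE/checksums.txt" "$FIXTURE/bad/$ASSET"; then
  echo "tampered asset: rejected"
fi
```

The checksums file only proves the asset matches what the project published, not who published it; where a project also signs its checksums file (cosign, GPG), verifying that signature is the next step, and it belongs before expected_sha256 is trusted.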