INTERCEPT is a powerful set of static code analysis audit policies. The policy set is simple to use, has a small footprint, and scans your code base with a fast and powerful multi-line scanning tool. Beyond that, researchers can use it as a data collector and checker, or treat it as a cross-platform weaponized ripgrep.

Features

Policy as code
Fine-grained regex policies
Multiple enforcement levels
Static analysis, no daemons
Low footprint, self-updating binary
Easy to integrate into any CI/CD pipeline
Declarative policies to reduce complexity
No custom policy language

Policy as Code

The idea of "policy as code" comes from policy management and automation: expressing policies as code in YAML files applies proven software development best practices, giving researchers version control, automated testing, and automated deployment.

How It Works

1. The INTERCEPT command-line interface scans and analyzes code;
2. Policies are enforced from YAML files;

INTERCEPT merges environment flags, the YAML policy and optional parameters into a single global configuration, recursively scans the target path for code that violates the policy, and produces a detailed, human-readable scan and analysis report.

Sample scan report output:

Build Packages

# Standard package (intercept + ripgrep) for individual platforms
-- core-intercept-rg-*.zip
# Cross Platform Full package (intercept + ripgrep)
-- x-intercept.zip
# Build package to build on all platforms (Development)
-- setup-buildpack.zip
# Package of the latest compatible release of ripgrep (doesn't include intercept)
-- i-ripgrep-*.zip

Quick Start

First, download the latest INTERCEPT release for your platform:

--- Darwin
curl -fSL https://github.com/xfhg/intercept/releases/latest/download/intercept-darwin_amd64 -o intercept
--- Linux
curl -fSL https://github.com/xfhg/intercept/releases/latest/download/intercept-linux_amd64 -o intercept
--- Windows
curl -fSL https://github.com/xfhg/intercept/releases/latest/download/intercept-windows_amd64 -o intercept.exe

Fetch the samples for a quick scan:

curl -fSLO https://github.com/xfhg/intercept/releases/latest/download/_examples.zip

The code to analyze is now in an examples/ folder. Before starting, look at the policy types available in a policy file:

- scan : where we enforce breaking rules on matched patterns
- collect : where we just collect matched patterns

The demo does the following:

1. Scan the target code for private keys: the policy must be fatal: true and accept no exceptions, i.e. enforcement: true. Environment setting: make sure this policy is enforced in all environments (environment: all).

2. Scan whether modules come from a compliant source rather than a local path or git: the policy must be fatal: true and the environment must be PROD, i.e. environment: prod. This policy can accept local exceptions: enforcement: false.

3. Collect Terraform resource instances used outside of modules.

The policy file containing the scan and collect policies above (examples/policy/simple.yaml):

# This banner is shown on the start of the scanning report,
# use it to point out important documentation/warnings/contacts
Banner: |
  | Banner text here, drop documentation link or quick instructions on how to react to the report

Rules:
  # This is the main policy block, all rules will be part of this array
  # This is a rule structure block
  # Each rule can have one or more patterns (regex)
  # The rule is triggered by any of the patterns listed
  #
  # Essential settings :
  #   id : ( must be unique )
  #   type : ( scan | collect )
  #   fatal : ( true | false )
  #   enforcement : ( true | false )
  #   environment : ( all | anystring)
  # All other settings are free TEXT to complement your final report
  - name: Private key committed in code
    id: 1
    description: Private key committed to code version control
    solution:
    error: This violation immediately blocks your code deployment
    type: scan
    enforcement: true
    environment: all
    fatal: true
    patterns:
      - \s*(-----BEGIN PRIVATE KEY-----)
      - \s*(-----BEGIN RSA PRIVATE KEY-----)
      - \s*(-----BEGIN DSA PRIVATE KEY-----)
      - \s*(-----BEGIN EC PRIVATE KEY-----)
      - \s*(-----BEGIN OPENSSH PRIVATE KEY-----)
      - \s*(-----BEGIN PGP PRIVATE KEY BLOCK-----)
  # Another scan rule
  - name: Compliant module source
    id: 5
    description: Modules should not be sourced locally nor from git
    error: This breach blocks your deployment on production environments
    type: scan
    solution:
    environment: prod
    fatal: true
    enforcement: false
    patterns:
      - source\s*.*\.git"
      - \s+source\s*=\s*"((?!https\:).)
  # A different type of policy rule that just collects findings matched with the patterns listed
  - name: Collect sparse TF resources outside of modules.
    description: The following resources were detected outside of compliant module usage
    type: collect
    patterns:
      - (resource)\s*"(.*)"

# These are the messages displayed at the end of the report
# Clean for no finds
# Warning for at least one non-fatal find
# Critical for at least one fatal find
ExitCritical: "Critical irregularities found in your code"
ExitWarning: "Irregularities found in your code"
ExitClean: "Clean report"
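To make the rule semantics of the three demo steps and of simple.yaml concrete (fatal, enforcement, environment, and the Clean/Warning/Critical closing messages), here is an added Python example that is not part of the article or of the intercept project. It transcribes the rules of simple.yaml as Python data, runs them line by line with Python's re module rather than ripgrep over a constructed in-memory code base, and derives the closing message. The exceptions parameter (an exempt-path list honoured only by enforcement: false rules) and the treatment of collect findings as informational are assumptions of this example; the article does not describe how intercept handles either.

```python
import re
from dataclasses import dataclass

# Rules and exit messages of examples/policy/simple.yaml, transcribed as Python
# dicts so no YAML library is needed (an assumption of this example, not the way
# intercept loads its policy).
POLICY = {
    "Rules": [
        {"name": "Private key committed in code", "id": 1, "type": "scan",
         "enforcement": True, "environment": "all", "fatal": True,
         "patterns": [r"\s*(-----BEGIN PRIVATE KEY-----)",
                      r"\s*(-----BEGIN RSA PRIVATE KEY-----)",
                      r"\s*(-----BEGIN DSA PRIVATE KEY-----)",
                      r"\s*(-----BEGIN EC PRIVATE KEY-----)",
                      r"\s*(-----BEGIN OPENSSH PRIVATE KEY-----)",
                      r"\s*(-----BEGIN PGP PRIVATE KEY BLOCK-----)"]},
        {"name": "Compliant module source", "id": 5, "type": "scan",
         "environment": "prod", "fatal": True, "enforcement": False,
         "patterns": [r'source\s*.*\.git"',
                      r'\s+source\s*=\s*"((?!https\:).)']},
        {"name": "Collect sparse TF resources outside of modules.",
         "type": "collect", "patterns": [r'(resource)\s*"(.*)"']},
    ],
    "ExitCritical": "Critical irregularities found in your code",
    "ExitWarning": "Irregularities found in your code",
    "ExitClean": "Clean report",
}

# Constructed sample code base (path -> contents); not the article's examples/ folder.
SAMPLE_FILES = {
    "infra/main.tf": ('module "network" {\n'
                      '  source = "git::https://example.invalid/org/network.git"\n'
                      '}\nresource "aws_s3_bucket" "logs" {\n'
                      '  bucket = "logs-bucket"\n}\n'),
    "infra/local.tf": 'module "vpc" {\n  source = "../modules/vpc"\n}\n',
    "scripts/deploy.key": "-----BEGIN RSA PRIVATE KEY-----\nMIIEexampleNotARealKey\n",
    "README.md": "Nothing to see here.\n",
}


@dataclass
class Finding:
    rule_id: object   # None for the collect rule, which has no id in the sample policy
    rule_name: str
    rule_type: str    # "scan" or "collect"
    fatal: bool       # only scan rules can be fatal
    path: str
    line_no: int
    line: str


def scan(policy, files, environment, exceptions=()):
    """Apply every active rule line by line to every file.
    A rule is active when its environment is 'all' (the default, also used for
    the collect rule, which has no environment key) or equals `environment`.
    `exceptions` is an assumed mechanism for the 'local exceptions' the article
    mentions: exempted paths, honoured only by rules with enforcement: false."""
    findings = []
    for rule in policy["Rules"]:
        env = rule.get("environment", "all")
        if env != "all" and env != environment:
            continue
        compiled = [re.compile(p) for p in rule["patterns"]]
        enforced = rule.get("enforcement", True)
        for path, content in files.items():
            if not enforced and path in exceptions:
                continue
            for no, line in enumerate(content.splitlines(), 1):
                # Any one of the rule's patterns triggers the rule.
                if any(rx.search(line) for rx in compiled):
                    findings.append(Finding(
                        rule.get("id"), rule["name"], rule["type"],
                        rule["type"] == "scan" and bool(rule.get("fatal", False)),
                        path, no, line.strip()))
    return findings


def verdict(policy, findings):
    """Closing message per the policy comments: Critical for at least one fatal
    find, Warning for at least one non-fatal scan find, Clean otherwise. Collect
    findings are treated as informational (an assumption of this example)."""
    if any(f.fatal for f in findings):
        return policy["ExitCritical"]
    if any(f.rule_type == "scan" and not f.fatal for f in findings):
        return policy["ExitWarning"]
    return policy["ExitClean"]


if __name__ == "__main__":
    for env in ("dev", "prod"):
        found = scan(POLICY, SAMPLE_FILES, env)
        print(f"== environment: {env}")
        for f in found:
            tag = "FATAL" if f.fatal else f.rule_type.upper()
            print(f"[{tag}] {f.rule_name}: {f.path}:{f.line_no}: {f.line}")
        print(verdict(POLICY, found))
```

Run it and compare the dev and prod passes: the committed key is fatal in both, the git and local module sources only surface under prod because rule 5 carries environment: prod, and the collect rule lists the resource block without changing the verdict. Note that rule 5's second pattern relies on a negative lookahead, which Python's re supports; check that whatever engine your scanner actually uses supports it too before relying on that rule.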

Project

INTERCEPT: https://github.com/xfhg/intercept

Other Referenced Projects

1. Ripgrep

2. Hashicorp Sentinel

3. Open Policy Agent

*Source: xfhg; compiled by FreeBuf editor Alpha_h4ck. Please credit FreeBuf.COM when reposting.
