
Commit 4fe94a8

Refactor security-check.sh and run_zap.sh for improved orchestration and logging. Update api-security.yml to enhance CORS rule with focus metavariable for better security checks. These changes aim to streamline security scanning processes and improve clarity in reporting.
1 parent eff1b08 commit 4fe94a8

4 files changed

Lines changed: 520 additions & 230 deletions


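--- a/rules/api-security.yml
+++ b/rules/api-security.yml
@@ -28,24 +28,24 @@ rules:
 severity: HIGH
 
 - id: overly-permissive-cors
+focus-metavariable: $ORIGIN_SETTING
 patterns:
 - pattern-either:
 - pattern: |
-set_header("Access-Control-Allow-Origin", "*")
+set_header("Access-Control-Allow-Origin", $ORIGIN_SETTING)
 - pattern: |
-CORS(app, resources={r"/api/*": {"origins": "*"}})
-- focus-metavariable: $ORIGIN
-metavariable-regex:
-metavariable: $ORIGIN
-regex: \*
+CORS(..., resources={ $PATTERN_KEY: {"origins": $ORIGIN_SETTING, ...}, ...})
+- pattern: |
+CORS(..., origins=$ORIGIN_SETTING, ...)
+- metavariable-regex:
+metavariable: $ORIGIN_SETTING
+regex: '^(\"\\*\"|\\*)$'
 message: >-
 Overly permissive CORS policy detected (Access-Control-Allow-Origin: *).
 This can allow any domain to make requests to your API, potentially
 leading to security vulnerabilities. Restrict origins to trusted domains.
 languages:
 - python
-- javascript
-- go
 severity: MEDIUM
 
 - id: potential-missing-rate-limiting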
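Review bot: The new `metavariable-regex` for `$ORIGIN_SETTING` cannot match the wildcard it is meant to catch: inside a single-quoted YAML scalar, `'^(\"\\*\"|\\*)$'` reaches the regex engine as `^(\"\\*\"|\\*)$`, where `\\*` means "zero or more backslashes", so the rule matches `""` (an empty origin) and never `"*"` or `*`, which silently turns the finding off. Use `regex: '^("\*"|\*)$'` so the asterisk is escaped once and the quotes are literal. The placement of `focus-metavariable: $ORIGIN_SETTING` directly under the rule next to `patterns:` also looks off, since Semgrep only accepts `focus-metavariable` as an operator inside `patterns`; indentation is lost in this rendering so that may be a display artifact, but if it really is a rule-level key the rule will fail schema validation. Dropping javascript and go from `languages` stops the rule from covering those stacks without saying so; if that is intended, a one-line comment above `languages:` such as `# patterns are Flask/flask-cors specific; JS/Go CORS is covered elsewhere` would make the narrowing deliberate.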

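--- /dev/null
+++ b/scripts/OLD.sh
@@ -0,0 +1,179 @@
+#!/bin/bash
+# SecuLite Security Check Script
+# Usage:
+# ZAP_TARGET="http://dein-ziel:port" HTML_REPORT=1 ./scripts/security-check.sh
+# oder
+# ./scripts/security-check.sh [ZAP_TARGET_URL]
+# Default: http://localhost:8000
+
+# === DEBUG: Print environment and ZAP script status ===
+echo "[DEBUG] PATH: $PATH"
+echo "[DEBUG] ls -l /usr/local/bin/"
+ls -l /usr/local/bin/
+echo "[DEBUG] ls -l /opt/ZAP_2.16.1/"
+ls -l /opt/ZAP_2.16.1/ || echo "/opt/ZAP_2.16.1/ not found"
+echo "[DEBUG] command -v zap-baseline.py: $(command -v zap-baseline.py || echo not found)"
+
+# Check for python3 availability (required for ZAP)
+if ! command -v python3 &>/dev/null; then
+echo "[ERROR] python3 is not installed or not in PATH. ZAP scan cannot run. Please install python3." | tee -a "$LOG_FILE"
+# Do not exit, continue
+fi
+
+# Ziel-URL für ZAP bestimmen
+ZAP_TARGET="${ZAP_TARGET:-${1:-http://localhost:8000}}"
+HTML_REPORT="${HTML_REPORT:-0}"
+
+# Usage: ./scripts/security-check.sh [TARGET_PATH]
+# Set scan target to /target (App-Code im Container)
+TARGET_PATH="/target"
+RESULTS_DIR="/seculite/results"
+LOGS_DIR="/seculite/logs"
+LOG_FILE="$LOGS_DIR/security-check.log"
+SUMMARY_TXT="$RESULTS_DIR/security-summary.txt"
+SUMMARY_JSON="$RESULTS_DIR/security-summary.json"
+
+# At the very top, after variable definitions
+LOCK_FILE="$RESULTS_DIR/.scan-running"
+touch "$LOCK_FILE"
+
+mkdir -p "$RESULTS_DIR" "$LOGS_DIR"
+echo "[DEBUG] Listing $RESULTS_DIR before ZAP scan:"
+ls -l "$RESULTS_DIR"
+
+# Clear previous results
+> "$SUMMARY_TXT"
+> "$SUMMARY_JSON"
+> "$LOG_FILE"
+
+# Check for required tools
+MISSING_TOOLS=()
+for tool in semgrep trivy; do
+if ! command -v $tool &>/dev/null; then
+MISSING_TOOLS+=("$tool")
+fi
+done
+if [ ${#MISSING_TOOLS[@]} -ne 0 ]; then
+echo "[SecuLite] Missing required tools: ${MISSING_TOOLS[*]}" | tee -a "$LOG_FILE"
+echo "Please install all required tools before running the script." | tee -a "$LOG_FILE"
+# Do not exit, continue
+fi
+
+# Ensure jq is installed
+if ! command -v jq &>/dev/null; then
+echo "[SecuLite] jq not found, installing jq..." | tee -a "$LOG_FILE"
+if command -v apt-get &>/dev/null; then
+sudo apt-get update && sudo apt-get install -y jq
+elif command -v yum &>/dev/null; then
+sudo yum install -y jq
+else
+echo "[SecuLite] Please install jq manually." | tee -a "$LOG_FILE"
+# Do not exit, continue
+fi
+fi
+
+echo "[DEBUG] Testing write permissions in $RESULTS_DIR"
+touch "$RESULTS_DIR/test-write.txt" && echo "[DEBUG] Write test succeeded" || echo "[DEBUG] Write test FAILED"
+rm -f "$RESULTS_DIR/test-write.txt"
+
+# Run ZAP Baseline Scan
+if command -v zap-baseline.py &>/dev/null; then
+export ZAP_PATH=/opt/ZAP_2.16.1
+export JAVA_HOME=/usr/lib/jvm/java-17-openjdk-amd64
+echo "[ZAP] ENV: ZAP_PATH=$ZAP_PATH JAVA_HOME=$JAVA_HOME" | tee -a "$LOG_FILE"
+echo "[ZAP] Running baseline scan on $ZAP_TARGET..." | tee -a "$LOG_FILE"
+ZAP_REPORT_XML="$RESULTS_DIR/zap-report.xml"
+ZAP_REPORT_HTML="$RESULTS_DIR/zap-report.html"
+ZAP_REPORT_XMLHTML="$RESULTS_DIR/zap-report.xml.html"
+REL_ZAP_REPORT_XML="zap-report.xml"
+REL_ZAP_REPORT_HTML="zap-report.html"
+echo "[DEBUG] Running ZAP with absolute path: $ZAP_REPORT_XML"
+python3 /usr/local/bin/zap-baseline.py -d -t "$ZAP_TARGET" -x "$ZAP_REPORT_XML" 2>>"$LOG_FILE" || {
+echo "[ZAP] Scan failed (absolute path)" >> "$LOG_FILE"
+}
+# Fallback: search for zap-report.xml anywhere and copy to results if missing
+if [ ! -f "$ZAP_REPORT_XML" ]; then
+FOUND_XML=$(find / -type f -name 'zap-report.xml' 2>/dev/null | head -n 1)
+if [ -n "$FOUND_XML" ]; then
+cp "$FOUND_XML" "$ZAP_REPORT_XML"
+echo "[DEBUG] Copied fallback zap-report.xml from $FOUND_XML to $ZAP_REPORT_XML" >> "$LOG_FILE"
+else
+echo "[DEBUG] No zap-report.xml found anywhere in container." >> "$LOG_FILE"
+fi
+fi
+echo "[DEBUG] Running ZAP with relative path: $REL_ZAP_REPORT_XML"
+python3 /usr/local/bin/zap-baseline.py -d -t "$ZAP_TARGET" -r "$REL_ZAP_REPORT_XML" 2>>"$LOG_FILE" || {
+echo "[ZAP] Scan failed (relative path)" >> "$LOG_FILE"
+}
+python3 /usr/local/bin/zap-baseline.py -d -t "$ZAP_TARGET" -f html -o "$ZAP_REPORT_HTML" 2>>"$LOG_FILE" || echo "[ZAP] HTML report failed" >> "$LOG_FILE"
+echo "[DEBUG] Listing $RESULTS_DIR after ZAP scan:"
+ls -l "$RESULTS_DIR"
+echo "[DEBUG] Searching for any zap-report* files and copying to $RESULTS_DIR"
+find / -type f -name 'zap-report*' -exec cp --no-clobber {} "$RESULTS_DIR" \; 2>/dev/null
+ls -l "$RESULTS_DIR"
+if [ -f "$ZAP_REPORT_XML" ] || [ -f "$ZAP_REPORT_HTML" ] || [ -f "$ZAP_REPORT_XMLHTML" ]; then
+echo "[ZAP] Report(s) erfolgreich erzeugt:"
+[ -f "$ZAP_REPORT_XML" ] && echo " - $ZAP_REPORT_XML"
+[ -f "$ZAP_REPORT_HTML" ] && echo " - $ZAP_REPORT_HTML"
+[ -f "$ZAP_REPORT_XMLHTML" ] && echo " - $ZAP_REPORT_XMLHTML"
+else
+echo "[ZAP] ERROR: Kein Report wurde erzeugt!" | tee -a "$LOG_FILE"
+# Do not exit, continue
+fi
+echo "[ZAP] Baseline scan complete." | tee -a "$SUMMARY_TXT"
+else
+echo "[ZAP] zap-baseline.py not found, skipping ZAP scan." | tee -a "$LOG_FILE"
+fi
+
+# Run Semgrep
+if command -v semgrep &>/dev/null; then
+echo "[Semgrep] Running code scan on $TARGET_PATH..." | tee -a "$LOG_FILE"
+semgrep --config /seculite/rules $TARGET_PATH --json > "$RESULTS_DIR/semgrep.json" 2>>"$LOG_FILE" || echo "[Semgrep] Scan failed" >> "$LOG_FILE"
+semgrep --config /seculite/rules $TARGET_PATH --text > "$RESULTS_DIR/semgrep.txt" 2>>"$LOG_FILE"
+echo "[Semgrep] Code scan complete." | tee -a "$SUMMARY_TXT"
+else
+echo "[Semgrep] semgrep not found, skipping code scan." | tee -a "$LOG_FILE"
+fi
+
+# Run Trivy
+if command -v trivy &>/dev/null; then
+echo "[Trivy] Running dependency/container scan on $TARGET_PATH..." | tee -a "$LOG_FILE"
+trivy fs --config /seculite/trivy/config.yaml --format json -o "$RESULTS_DIR/trivy.json" $TARGET_PATH 2>>"$LOG_FILE"
+trivy fs --config /seculite/trivy/config.yaml --format table -o "$RESULTS_DIR/trivy.txt" $TARGET_PATH 2>>"$LOG_FILE"
+echo "[Trivy] Dependency/container scan complete." | tee -a "$SUMMARY_TXT"
+else
+echo "[Trivy] trivy not found, skipping dependency/container scan." | tee -a "$LOG_FILE"
+fi
+
+# Aggregate Results
+{
+echo "==== ZAP Report (XML) ===="
+[ -f "$RESULTS_DIR/zap-report.xml" ] && cat "$RESULTS_DIR/zap-report.xml" || echo "No ZAP XML report."
+echo
+echo "==== ZAP Report (HTML) ===="
+[ -f "$RESULTS_DIR/zap-report.html" ] && cat "$RESULTS_DIR/zap-report.html" || echo "No ZAP HTML report."
+echo
+echo "==== ZAP Report (XMLHTML) ===="
+[ -f "$RESULTS_DIR/zap-report.xml.html" ] && cat "$RESULTS_DIR/zap-report.xml.html" || echo "No ZAP XMLHTML report."
+echo
+echo "==== Semgrep Findings ===="
+[ -f "$RESULTS_DIR/semgrep.txt" ] && cat "$RESULTS_DIR/semgrep.txt" || echo "No Semgrep findings."
+echo
+echo "==== Trivy Findings ===="
+[ -f "$RESULTS_DIR/trivy.txt" ] && cat "$RESULTS_DIR/trivy.txt" || echo "No Trivy findings."
+} > "$SUMMARY_TXT"
+
+jq -s 'reduce .[] as $item ({}; . * $item)' "$RESULTS_DIR/semgrep.json" "$RESULTS_DIR/trivy.json" 2>/dev/null > "$SUMMARY_JSON" || echo '{"error": "Could not aggregate JSON results"}' > "$SUMMARY_JSON"
+
+# Always generate the unified HTML report inside the container
+python3 /seculite/scripts/generate-html-report.py
+
+echo "[SecuLite] Security checks complete. See $SUMMARY_TXT, $SUMMARY_JSON, and security-summary.html for results." | tee -a "$LOG_FILE"
+
+# At the very end, before exit 0
+rm -f "$LOCK_FILE"
+
+# Ensure webui.js is always present in the results directory
+cp /seculite/scripts/webui.js /seculite/results/webui.js 2>/dev/null || cp scripts/webui.js results/webui.js 2>/dev/null
+
+exit 0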
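Review bot: `$LOG_FILE` is expanded at line 19 (`tee -a "$LOG_FILE"` in the python3 check) before it is assigned at line 32, and `touch "$LOCK_FILE"` at line 38 runs before `mkdir -p "$RESULTS_DIR" "$LOGS_DIR"` at line 40, so on a fresh container the first log write goes to `tee -a ""` and the lock file cannot be created; the `> "$LOG_FILE"` at line 47 then discards whatever the earlier `tee -a` calls appended. Moving the variable block (lines 29–37) and the `mkdir -p` above the python3 check, and the `> "$LOG_FILE"` truncation above the first `tee -a`, fixes all three without changing behaviour otherwise. Separately, `find / -type f -name 'zap-report*' -exec cp --no-clobber {} "$RESULTS_DIR" \;` at line 112 (and the `find /` fallback at line 96) will publish any file of that name found anywhere in the container as this scan's report, so a stale or unrelated file can be presented as current output; restrict the search to ZAP's actual output directory so the results directory only ever holds reports this run produced. The unconditional `exit 0` at line 179 means a failed scanner never fails the pipeline, which reads as fail-open for a security gate; the name OLD.sh suggests this is an archived copy of the previous security-check.sh, in which case a header comment such as `# Archived copy of the pre-refactor security-check.sh, kept for reference; not invoked by the pipeline.` and dropping the executable bit would make that explicit.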
