Stacs-ci - A set of modules to enable integration of STACS with commonly used CI / CD systems

Related tags

Deep Learningstacs-ci
Overview

Shield Shield Shield Shield Shield Shield




Static Token And Credential Scanner
CI Integrations

What is it?

STACS is a YARA powered static credential scanner which supports source code, binary file formats, analysis of nested archives, composable rule-sets and ignore lists, and SARIF reporting.

This repository contains a set of modules to enable integration of STACS with commonly used CI / CD systems. Currently, supported is:

  • Github Actions

    • Fails the build on unsuppressed findings.
    • Automatically annotates pull requests with findings.
    • Automatically loads suppressions from a stacs.ignore.json in the root of the repository.
  • Generic CI Systems

    • Fails the build on unsuppressed findings.
    • Outputs findings to the console in formatted plain-text.
    • Automatically loads suppressions from a stacs.ignore.json in the scan directory.

Github Actions

This Github action enables running STACS as a Github action. This can be used to identify credentials committed in both source code, or even credentials accidentally compiled into binary artifacts - such as Android APKs, Docker images, RPM packages, ZIP files, and more!

If run as part of a pull request, this action automatically annotates a pull request with findings to allow simplified review integrated with existing code-review processes. As this integration does not use the Github security events framework, no additional subscription to Github is required, even for private repositories!

This action can also be used as part of a release event. Allowing scanning of binaries before publishing to catch credentials which may have been accidentally generated or included as part of the build process.

Additionally, this action can 'fail the build' if any static tokens and credentials are detected.

Appearance

If STACS detects a static credential during a pull request, a review comment will be added to the line containing the static credential:

Github Comment of finding

The STACS Github integration will even check the pull request to see whether there is an existing comment for this finding, preventing multiple comments being added to the same pull request on subsequent commits.

If the credential is found inside of an archive, in a part of a file not modified by the pull request, then a regular comment will be added to the triggering pull request.

Inputs

scan-directory

An optional sub-directory to scan, relative to the repository root. This allows scanning to be limited to a specific directory under the repository root.

Defaults to the repository root.

fail-build

Defines whether this action should 'fail the build' if any static token or credentials are detected. This will take any suppressed / ignore listed entries into account, allowing consumers to ignore known false positives - such as test fixtures.

Defaults to true

Example Usage

The following example scans the currently checked out commit and adds review comments for findings to an associated pull-request (see "Permissions" section below). If the trigger was not a pull-request, findings will instead be printed to the console and STACS CI will exit with a non-zero status (100) if unsupressed findings were present.

uses: stacscan/[email protected]

The following example scans a sub-directory in the repository. In this example the binaries/ sub-directory contains binary objects, compiled for release by another step of a Github actions pipeline.

uses: stacscan/[email protected]
with:
    scan-directory: 'binaries/'

The following example disables 'failing the build' if there are findings which have not been ignored / suppressed.

uses: stacscan/[email protected]
with:
    fail-build: false

Permissions

Please be aware that in order to annotate pull requests with comments, the action must also be granted write permissions to pull-requests. This can be done by adding the following to the respective job in your Github actions pipeline.

permissions:
    contents: read         # Required to read the repository contents (checkout).
    pull-requests: write   # Required to annotate pull requests with comments.

This is only required if running in response to pull-request triggers.

Generic CI

This repository can be integrated with a number of common CI systems using the provided Docker image, or Python module.

The pre-built Docker image greatly simplifies this process and provides a mechanism to quickly execute a STACS scan against a given directory, print the results in an actionable manner, and signal to the CI system that the build should fail on findings.

Appearance

If STACS detects a static credential, a results block will be printed to the console with information required to identify its location:

Terminal output of findings

If the credential is found within an archive, STACS will print a file tree to allow quick identification of exactly where the credential is.

Basic

The simplest form of executing the Generic CI integration can be performed using the following Docker command from the directory to be scanned. Using this default configuration Docker will complete with a non-zero exit code if any unsuppressed findings are found:

docker run -it -v $(pwd):/mnt/stacs/input stacscan/stacs-ci:latest

To prevent a non-zero exit code on unsuppressed findings, such as for initial 'dry run' style operation, the following command can be run:

docker run -it -e FAIL_BUILD=false -v $(pwd):/mnt/stacs/input stacscan/stacs-ci:latest

Jenkins

To be added.

Circle CI

To be added.

Comments
  • [0.1.6] Update to the latest STACS container.

    [0.1.6] Update to the latest STACS container.

    Overview

    Upgrades to the latest STACS container. See the STACS release notes for the new version for a list of changes in this container. Only changes to STACS-CI will be included below.

    πŸ› οΈ New Features

    • N/A

    🍩 Improvements

    • N/A

    πŸ› Bug Fixes

    • N/A
    opened by darkarnium 2
  • [0.1.5] Update to the latest STACS container.

    [0.1.5] Update to the latest STACS container.

    Overview

    PLEASE NOTE: There is a potentially breaking change as part of this update, as the Stripe rule has been relocated under SaaS. This modifies its reference to now be CredentialSaaSStripeAPI. Any previously suppressed findings for this rule will need to be updated to reflect this new identifier.

    πŸ› οΈ New Features

    • Upgrade to the latest STACS rules, which includes new rules for
      • PyPI Token
      • Slack Token
        • User (xoxp-...)
        • Bot (xoxb-...)
      • NPM
        • authToken
        • password
      • PKCS#12 / PFX
      • DER format RSA keys.
        • Detects keys with exponents 3 / 65537, and modulous sizes 64 / 128 / 256 / 512 / 1024.

    🍩 Improvements

    • Minor changes to AWS rule.
    • Simplify matching criteria for a number of rules.

    πŸ› Bug Fixes

    • N/A
    opened by darkarnium 2
  • [0.1.4] Github annotation off-by-one bug fix.

    [0.1.4] Github annotation off-by-one bug fix.

    Overview

    πŸ› οΈ New Features

    • N/A

    🍩 Improvements

    • Pulls in latest STACS rules (r57ce3ce).

    πŸ› Bug Fixes

    • Fix off-by-one edge case which caused Github pull-request annotation to fail.
      • This was triggered when a new file was added in a pull-request containing a credential on the first line.
    opened by darkarnium 1
  • [0.1.3] Update to the latest version of STACS.

    [0.1.3] Update to the latest version of STACS.

    Overview

    πŸ› οΈ New Features

    🍩 Improvements

    • Tweak to STACS-CI deployment pipeline to simplify testing prior to release.

    πŸ› Bug Fixes

    • N/A
    opened by darkarnium 1
  • [0.1.1] Use latest STACS release, absolute URLs for images

    [0.1.1] Use latest STACS release, absolute URLs for images

    Overview

    πŸ› οΈ New Features

    🍩 Improvements

    • N/A

    πŸ› Bug Fixes

    • Ensures that file with the finding appears in the change set.
      • This prevents attempts to add a review comment for a file which is already in the target branch.
      • In these cases a comment will be added instead.
    opened by darkarnium 1
  • [0.1.0] Change container tag format, add Action.

    [0.1.0] Change container tag format, add Action.

    Overview

    Unfortunately, Docker does not support + characters in tag names, so we cannot use semver package numbering to indicate rule version.

    πŸ› οΈ New Features

    • Add Github Action YAML.
    • Update STACS Rules on STACS CI release.

    🍩 Improvements

    • N/A

    πŸ› Bug Fixes

    • N/A
    opened by darkarnium 0
  • [0.1.0] Initial implementation of STACS CI

    [0.1.0] Initial implementation of STACS CI

    Overview

    Initial release of STACS CI Integrations.

    πŸ› οΈ New Features

    • Generic CI integration
    • Github Actions integration

    🍩 Improvements

    • N/A

    πŸ› Bug Fixes

    • N/A
    opened by darkarnium 0
  • Backport CI UI into STACS

    Backport CI UI into STACS

    Overview

    The STACS-CI UI should be moved back into STACS, removing th need for this repository to contain more than a Github action for STACS execution.

    opened by darkarnium 0
  • Documentation of the stacs.ignore.json

    Documentation of the stacs.ignore.json

    Hi!

    Great tool you are building here - happy with it working so well in a CI context and ease of config.

    I have searched a lot through your repos and am struggling to find docs on the ignore file? Some of the things you describe sound awesome but I am yet to find anything on how to do it :)

    Thanks in advance!

    documentation 
    opened by erzz 5
Releases(0.1.6)
  • 0.1.6(Mar 4, 2022)

    Overview

    Upgrades to the latest STACS container. See the STACS release notes for the new version for a list of changes in this container. Only changes to STACS-CI will be included below.

    πŸ› οΈ New Features

    • N/A

    🍩 Improvements

    • N/A

    πŸ› Bug Fixes

    • N/A
    Source code(tar.gz)
    Source code(zip)
  • 0.1.5(Jan 18, 2022)

    Overview

    PLEASE NOTE: There is a potentially breaking change as part of this update, as the Stripe rule has been relocated under SaaS. This modifies its reference to now be CredentialSaaSStripeAPI. Any previously suppressed findings for this rule will need to be updated to reflect this new identifier.

    πŸ› οΈ New Features

    • Upgrade to the latest STACS rules, which includes new rules for
      • PyPI Token
      • Slack Token
        • User (xoxp-...)
        • Bot (xoxb-...)
      • NPM
        • authToken
        • password
      • PKCS#12 / PFX
      • DER format RSA keys.
        • Detects keys with exponents 3 / 65537, and modulous sizes 64 / 128 / 256 / 512 / 1024.

    🍩 Improvements

    • Minor changes to AWS rule.
    • Simplify matching criteria for a number of rules.

    πŸ› Bug Fixes

    • N/A
    Source code(tar.gz)
    Source code(zip)
  • 0.1.4(Jan 11, 2022)

    Overview

    πŸ› οΈ New Features

    • N/A

    🍩 Improvements

    • Pulls in latest STACS rules (r57ce3ce).

    πŸ› Bug Fixes

    • Fix off-by-one edge case which caused Github pull-request annotation to fail.
      • This was triggered when a new file was added in a pull-request containing a credential on the first line.
    Source code(tar.gz)
    Source code(zip)
  • 0.1.3(Jan 10, 2022)

    Overview

    πŸ› οΈ New Features

    🍩 Improvements

    • Tweak to STACS-CI deployment pipeline to simplify testing prior to release.

    πŸ› Bug Fixes

    • N/A
    Source code(tar.gz)
    Source code(zip)
  • 0.1.2(Jan 7, 2022)

  • 0.1.1(Jan 4, 2022)

    Overview

    πŸ› οΈ New Features

    🍩 Improvements

    • N/A

    πŸ› Bug Fixes

    • Ensures that file with the finding appears in the change set.
      • This prevents attempts to add a review comment for a file which is already in the target branch.
      • In these cases a comment will be added instead.
    Source code(tar.gz)
    Source code(zip)
  • 0.1.0(Jan 2, 2022)

    Overview

    Initial release of STACS CI Integrations.

    πŸ› οΈ New Features

    • Github Actions

      • Fails the build on unsuppressed findings.
      • Automatically annotates pull requests with findings.
      • Automatically loads suppressions from a stacs.ignore.json in the root of the repository.
    • Generic CI Systems

      • Fails the build on unsuppressed findings.
      • Outputs findings to the console in formatted plain-text.
      • Automatically loads suppressions from a stacs.ignore.json in the scan directory.

    🍩 Improvements

    • N/A

    πŸ› Bug Fixes

    • N/A
    Source code(tar.gz)
    Source code(zip)
Owner
STACS
Static Token And Credential Scanner
STACS
Code for the paper Relation Prediction as an Auxiliary Training Objective for Improving Multi-Relational Graph Representations (AKBC 2021).

Relation Prediction as an Auxiliary Training Objective for Knowledge Base Completion This repo provides the code for the paper Relation Prediction as

Facebook Research 85 Jan 02, 2023
[CVPR 2021] Pytorch implementation of Hijack-GAN: Unintended-Use of Pretrained, Black-Box GANs

Hijack-GAN: Unintended-Use of Pretrained, Black-Box GANs In this work, we propose a framework HijackGAN, which enables non-linear latent space travers

Hui-Po Wang 46 Sep 05, 2022
A pytorch implementation of Reading Wikipedia to Answer Open-Domain Questions.

DrQA A pytorch implementation of the ACL 2017 paper Reading Wikipedia to Answer Open-Domain Questions (DrQA). Reading comprehension is a task to produ

Runqi Yang 394 Nov 08, 2022
Implementation of Shape and Electrostatic similarity metric in deepFMPO.

DeepFMPO v3D Code accompanying the paper "On the value of using 3D-shape and electrostatic similarities in deep generative methods". The paper can be

34 Nov 28, 2022
This implements the learning and inference/proposal algorithm described in "Learning to Propose Objects, KrΓ€henbΓΌhl and Koltun"

Learning to propose objects This implements the learning and inference/proposal algorithm described in "Learning to Propose Objects, KrΓ€henbΓΌhl and Ko

Philipp KrΓ€henbΓΌhl 90 Sep 10, 2021
PyTorch implementation of Neural View Synthesis and Matching for Semi-Supervised Few-Shot Learning of 3D Pose

Neural View Synthesis and Matching for Semi-Supervised Few-Shot Learning of 3D Pose Release Notes The official PyTorch implementation of Neural View S

Angtian Wang 20 Oct 09, 2022
The ICS Chat System project for NYU Shanghai Fall 2021

ICS_Chat_System [Catenger] This is the ICS Chat System project for NYU Shanghai Fall 2021 Creators: Shavarsh Melikyan, Skyler Chen and Arghya Sarkar,

1 Dec 20, 2021
Robotics environments

Robotics environments Details and documentation on these robotics environments are available in OpenAI's blog post and the accompanying technical repo

Farama Foundation 121 Dec 28, 2022
a simple, efficient, and intuitive text editor

Oxygen beta a simple, efficient, and intuitive text editor Overview oxygen is a simple, efficient, and intuitive text editor designed as more featured

Aarush Gupta 1 Feb 23, 2022
v objective diffusion inference code for PyTorch.

v-diffusion-pytorch v objective diffusion inference code for PyTorch, by Katherine Crowson (@RiversHaveWings) and Chainbreakers AI (@jd_pressman). The

Katherine Crowson 635 Dec 30, 2022
Skipgram Negative Sampling in PyTorch

PyTorch SGNS Word2Vec's SkipGramNegativeSampling in Python. Yet another but quite general negative sampling loss implemented in PyTorch. It can be use

Jamie J. Seol 287 Dec 14, 2022
An unopinionated replacement for PyTorch's Dataset and ImageFolder, that handles Tar archives

Simple Tar Dataset An unopinionated replacement for PyTorch's Dataset and ImageFolder classes, for datasets stored as uncompressed Tar archives. Just

Joao Henriques 47 Dec 20, 2022
The fastest way to visualize GradCAM with your Keras models.

VizGradCAM VizGradCam is the fastest way to visualize GradCAM in Keras models. GradCAM helps with providing visual explainability of trained models an

58 Nov 19, 2022
Codes for our paper "SentiLARE: Sentiment-Aware Language Representation Learning with Linguistic Knowledge" (EMNLP 2020)

SentiLARE: Sentiment-Aware Language Representation Learning with Linguistic Knowledge Introduction SentiLARE is a sentiment-aware pre-trained language

74 Dec 30, 2022
ResNEsts and DenseNEsts: Block-based DNN Models with Improved Representation Guarantees

ResNEsts and DenseNEsts: Block-based DNN Models with Improved Representation Guarantees This repository is the official implementation of the empirica

Kuan-Lin (Jason) Chen 2 Oct 02, 2022
CLNTM - Contrastive Learning for Neural Topic Model

Contrastive Learning for Neural Topic Model This repository contains the impleme

Thong Thanh Nguyen 25 Nov 24, 2022
Semi-supervised Implicit Scene Completion from Sparse LiDAR

Semi-supervised Implicit Scene Completion from Sparse LiDAR Paper Created by Pengfei Li, Yongliang Shi, Tianyu Liu, Hao Zhao, Guyue Zhou and YA-QIN ZH

114 Nov 30, 2022
A model that attempts to learn and benefit from data collected on card counting.

A model that attempts to learn and benefit from data collected on card counting. A decision tree like model is built to win more often than loose and increase the bet of the player appropriately to c

1 Dec 17, 2021
This repo includes the supplementary of our paper "CEMENT: Incomplete Multi-View Weak-Label Learning with Long-Tailed Labels"

Supplementary Materials for CEMENT: Incomplete Multi-View Weak-Label Learning with Long-Tailed Labels This repository includes all supplementary mater

Zhiwei Li 0 Jan 05, 2022
Keras Realtime Multi-Person Pose Estimation - Keras version of Realtime Multi-Person Pose Estimation project

This repository has become incompatible with the latest and recommended version of Tensorflow 2.0 Instead of refactoring this code painfully, I create

M Faber 769 Dec 08, 2022