
Run contextual analysis and secret detection in Docker scans #10

Merged: 1 commit merged into jfrog:dev on May 30, 2024

Conversation

@guyshe-jfrog (Contributor) commented Jan 22, 2024

  • The pull request is targeting the dev branch.
  • The code has been validated to compile successfully by running go vet ./....
  • The code has been formatted properly using go fmt ./....
  • All static analysis checks passed.
  • All tests have passed. If this feature is not already covered by the tests, new tests have been added.

Ready to merge

Related issue #4
Depends on: jfrog/jfrog-cli-core#1146

Description:
This PR adds support for JFrog Advanced Security (JAS) to the JFrog CLI.

The following existing command will now also check if you are entitled for JAS, and will use the new improved scanner to scan Docker containers too.

jfrog docker scan [container]

Also note that you can use this to get the full SARIF with line numbers and more information:

jfrog docker scan --format=sarif [container]

The following options are also supported:

table, json, simple-json and sarif

Demo of feature:
asciicast
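Added example, not code from this PR or from the jfrog-cli-security project: a small Python consumer for the SARIF document that jfrog docker scan --format=sarif [container] writes, which is where the line numbers mentioned above live. It walks only the standard SARIF 2.1.0 fields (runs, tool.driver.rules, results, locations[].physicalLocation) and flattens every finding into one row with tool, rule, level, file and start line, which is the detail the table format cannot carry. The embedded SARIF is constructed for this example; its tool names, rule ids, paths and messages are placeholders, not real scanner output. Results that carry no line or no level are tolerated (SARIF defines an absent level as "warning").

```python
from __future__ import annotations

import json
from typing import Any

# Constructed sample in the SARIF 2.1.0 shape, standing in for the file that
# `jfrog docker scan --format=sarif <container>` prints. Tool names, rule ids,
# paths and messages are placeholders invented for this example.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [
        {
            "tool": {"driver": {
                "name": "placeholder-secrets-scanner",
                "rules": [{"id": "PLACEHOLDER-SECRET-001",
                           "shortDescription": {"text": "Hardcoded credential"}}]}},
            "results": [{
                "ruleId": "PLACEHOLDER-SECRET-001", "level": "error",
                "message": {"text": "Possible hardcoded credential in image layer"},
                "locations": [{"physicalLocation": {
                    "artifactLocation": {"uri": "app/config.env"},
                    "region": {"startLine": 12}}}]}],
        },
        {
            "tool": {"driver": {
                "name": "placeholder-contextual-analysis",
                "rules": [{"id": "PLACEHOLDER-APPLIC-001",
                           "shortDescription": {"text": "Vulnerable function reachable"}}]}},
            "results": [
                {"ruleId": "PLACEHOLDER-APPLIC-001", "level": "warning",
                 "message": {"text": "Vulnerable function is called from application code"},
                 "locations": [{"physicalLocation": {
                     "artifactLocation": {"uri": "app/main.py"},
                     "region": {"startLine": 40}}}]},
                # A result without a region: the scanner knew the file but not the line.
                {"ruleId": "PLACEHOLDER-APPLIC-001", "level": "error",
                 "message": {"text": "Finding reported without a source line"},
                 "locations": [{"physicalLocation": {
                     "artifactLocation": {"uri": "app/vendor/lib.py"}}}]},
            ],
        },
    ],
})

# SARIF severity levels, ordered so a gate can compare them.
LEVEL_RANK = {"none": 0, "note": 1, "warning": 2, "error": 3}


def summarize_sarif(text: str) -> list[dict[str, Any]]:
    """Flatten every run/result into one record per finding.

    Only the first location of each result is used for the summary row.
    A missing region yields line None; a missing level is read as "warning",
    which is the SARIF default.
    """
    doc = json.loads(text)
    findings: list[dict[str, Any]] = []
    for run in doc.get("runs", []):
        driver = run.get("tool", {}).get("driver", {})
        rule_text = {r["id"]: r.get("shortDescription", {}).get("text", "")
                     for r in driver.get("rules", [])}
        for result in run.get("results", []):
            uri, line = None, None
            for loc in result.get("locations", []):
                phys = loc.get("physicalLocation", {})
                uri = phys.get("artifactLocation", {}).get("uri")
                line = phys.get("region", {}).get("startLine")
                break
            rule_id = result.get("ruleId", "")
            findings.append({
                "tool": driver.get("name", "unknown"),
                "rule": rule_id,
                "description": rule_text.get(rule_id, ""),
                "level": result.get("level", "warning"),
                "uri": uri,
                "line": line,
                "message": result.get("message", {}).get("text", ""),
            })
    return findings


def count_by_level(findings: list[dict[str, Any]]) -> dict[str, int]:
    """Number of findings per SARIF level, e.g. {"error": 2, "warning": 1}."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f["level"]] = counts.get(f["level"], 0) + 1
    return counts


def has_blocking_findings(findings: list[dict[str, Any]], min_level: str = "error") -> bool:
    """True if any finding is at or above min_level; a CI job can fail on this."""
    threshold = LEVEL_RANK[min_level]
    return any(LEVEL_RANK.get(f["level"], 0) >= threshold for f in findings)


def format_row(f: dict[str, Any]) -> str:
    """One triage line: level, tool, rule, file:line (or '-' if unknown), message."""
    where = f["uri"] or "-"
    if f["line"] is not None:
        where = f"{where}:{f['line']}"
    return f"{f['level']:<8} {f['tool']:<32} {f['rule']:<24} {where}  {f['message']}"


if __name__ == "__main__":
    rows = summarize_sarif(SAMPLE_SARIF)
    for row in rows:
        print(format_row(row))
    print(count_by_level(rows))
    print("blocking:", has_blocking_findings(rows))
```

Run it directly to print one row per finding followed by the counts by level; point summarize_sarif at the file the real command writes to get the same table for an actual image. has_blocking_findings is the kind of gate a pipeline would put on the scan result before promoting an image.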

@attiasas attiasas added new feature Automatically generated release notes safe to test Approve running integration tests on a pull request labels Jan 25, 2024
@github-actions github-actions bot removed the safe to test Approve running integration tests on a pull request label Jan 25, 2024
@attiasas attiasas marked this pull request as draft February 7, 2024 08:16
@guyshe-jfrog (Contributor, Author) commented Feb 12, 2024

Need to add unit test and docs (Done)

@guyshe-jfrog guyshe-jfrog marked this pull request as ready for review February 19, 2024 10:02
guyshe-jfrog added a commit to guyshe-jfrog/jfrog-cli-security that referenced this pull request Feb 19, 2024
@attiasas attiasas added the safe to test Approve running integration tests on a pull request label Feb 20, 2024
@github-actions github-actions bot removed the safe to test Approve running integration tests on a pull request label Feb 20, 2024
@attiasas (Contributor) left a review comment:

I think that the JAS content can be moved to its own package at the root project, just like scangraph, now that it is used not only at audit.

Also make sure that when printing the result for the scan in 'table' format we are not printing tables for IaC and SAST; it will confuse the users, who will think we support that.

In addition, make sure that in other formats the results are visible.

Review threads (resolved, now outdated) on:
  • commands/audit/jas/applicability/applicabilitymanager.go (2 threads)
  • commands/audit/jas/secrets/secretsscanner.go
  • commands/audit/jas/secrets/secretsscanner_test.go
  • commands/scan/scan.go (2 threads)
  • commands/scan/jasrunner_cves.go

attiasas: (comment marked as duplicate)

@guyshe-jfrog guyshe-jfrog added the safe to test Approve running integration tests on a pull request label May 30, 2024
@github-actions github-actions bot removed the safe to test Approve running integration tests on a pull request label May 30, 2024
@guyshe-jfrog (Contributor, Author) commented:

Merged in changes from #27

@attiasas attiasas self-requested a review May 30, 2024 10:14
@attiasas (Contributor) left a review comment:

Make sure documentation is updated.
Update branch to dev

Review threads (resolved, now outdated) on:
  • jas/secrets/secretsscanner.go
  • jas/applicability/applicabilitymanager.go
  • jas/applicability/applicabilitymanager_test.go (3 threads)
  • commands/scan/scan.go (5 threads)
guyshe-jfrog added a commit to guyshe-jfrog/jfrog-cli-security that referenced this pull request May 30, 2024
guyshe-jfrog added a commit to guyshe-jfrog/jfrog-cli-security that referenced this pull request May 30, 2024
@attiasas attiasas added the safe to test Approve running integration tests on a pull request label May 30, 2024
@github-actions github-actions bot removed the safe to test Approve running integration tests on a pull request label May 30, 2024
@guyshe-jfrog guyshe-jfrog added the safe to test Approve running integration tests on a pull request label May 30, 2024
@github-actions github-actions bot removed the safe to test Approve running integration tests on a pull request label May 30, 2024

👍 Frogbot scanned this pull request and did not find any new security issues.


@attiasas attiasas merged commit d867456 into jfrog:dev May 30, 2024
9 checks passed
@attiasas attiasas mentioned this pull request Jun 6, 2024
6 tasks