Implement and monitor AppSec controls at scale.
Requirements
Tested on
How to install
$ git clone [email protected]:mf-labs/witcher.git
$ cd witcher
$ npm i
Build a Docker image
$ git clone [email protected]:mf-labs/witcher.git
$ cd witcher
$ docker build -t witcher .
# Running the docker image
$ docker run -e GITHUB_TOKEN=$GITHUB_TOKEN -e ORG=$ORG witcher -a status -m ghas -r offsec-sast-testing
Note that anything passed with -e is visible in `docker inspect` output and in shell history, so keep the token out of CI logs and shared shells.
witcher's features
➜ witcher git:(master) node witcher.js -h
usage: witcher.js [-h] -m MODULE -a ACTION [--daily-summary] [--mass-action] [--slack] [--siem] [--jira]
[--jira-ticket JIRATICKET] [--org ORG] [-r REPO] [-b BRANCH]
[--workflow-file WORKFLOW] [--repo-file REPOFILE]

witcher ....... you can't escape

optional arguments:
-h, --help show this help message and exit
-m MODULE, --module MODULE
ghas, dependabot, secret-scanning, codeql, iac, workflows, ALL
-a ACTION, --action ACTION
enable, disable, status, alert, deploy, delete
--daily-summary Get the Daily Summary
--mass-action Perform action (enable, deploy, delete) at scale
--slack Post new alert(s) on Slack
--siem Log actions on SIEM
--jira Post new vulnerability ticket on Jira
--jira-ticket JIRATICKET
Jira ticket ID (e.g. PROJECT-123)
Input:
--org ORG Organization Name
-r REPO, --repo REPO Repository Name, ALL
-b BRANCH, --branch BRANCH
Branch Name
--workflow-file WORKFLOW
Workflow File Name
--repo-file REPOFILE Repo File Name
Required Environment Variables
Set the following environment variables first. The token must have admin access to the repositories it manages; GHAS and secret scanning settings cannot be changed with a read-only token.
export GITHUB_TOKEN=YOUR_GITHUB_TOKEN
export GITHUB_USER=YOUR_GITHUB_USERNAME
export ORG=YOUR_GITHUB_ORGANIZATION
# Optional, to configure Slack
export SLACK_BOT_TOKEN
export SLACK_SIGNING_SECRET
export SLACK_CHANNEL
# Optional, to send data to SIEM
export SERVERLESS_APP_URL
# Optional, for Jira ticket creation
export JIRA_API_TOKEN
export JIRA_EMAIL
export JIRA_URL
export JIRA_PROJECT
export JIRA_ISSUE_TYPE
Exclusion
Update the github/data/exclusion.json
file with the list of repositories excluded from Core Repositories / GHAS.
Command cheatsheet
# List repositories where GHAS is disabled
$ node witcher.js -m ghas -a status --repo All
# Enable GHAS on a certain repo
$ node witcher.js -m ghas -a enable --repo
# Disable GHAS on a certain repo
$ node witcher.js -m ghas -a disable --repo
# Check GHAS status on a certain repo
$ node witcher.js -m ghas -a status --repo
# Get latest code scanning vulnerability
$ node witcher.js -m codeql -a alert --slack // --slack to post on Slack
# Mass Action
$ node witcher.js --mass-action -a enable -m ghas --repo-file mass_action.txt --jira-ticket PROJECT-123
More Commands
Daily Routine
# Run Daily Summary
$ node witcher.js --daily-summary -m ALL -a status --slack --jira
# The Daily Summary includes checking of
# 1. GHAS status on all repositories
# 2. Secret Scanning status on all repositories
# 3. Dependabot status
# 4. Paused Dependabot
# 5. Code Scanning status on applicable repositories
# 6. IaC Scanning status on applicable repositories
# 7. Alerts for any new vulnerability
# 8. The daily summary is logged on SIEM and posted on Slack
Disclaimer
- All public repositories are excluded from witcher
- All archived repositories are excluded from witcher
- All deprecated repositories are excluded from witcher
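The scoping rules above (Exclusion plus the Disclaimer) and the `-m ghas -a status` / `-a enable` actions, as an added example in plain Node. This is not witcher's own code: it uses constructed repository metadata shaped like GitHub's GET /repos response, a stand-in for exclusion.json whose `excluded_repositories` key is an assumption, and assumes "deprecated" means a repo carrying the `deprecated` topic (the README does not say how witcher detects it). The PATCH body is the real GitHub REST payload for turning on Advanced Security; the network call only runs when `--apply` is passed and GITHUB_TOKEN / ORG are set.

```javascript
// Constructed sample data: what GET /repos/{org}/{repo} returns, trimmed to the
// fields the scoping logic needs. security_and_analysis is only present when
// the token has admin rights on the repo.
const SAMPLE_REPOS = [
  { name: 'offsec-sast-testing', private: true,  archived: false, topics: [],
    security_and_analysis: { advanced_security: { status: 'disabled' }, secret_scanning: { status: 'disabled' } } },
  { name: 'payments-api',        private: true,  archived: false, topics: [],
    security_and_analysis: { advanced_security: { status: 'enabled' },  secret_scanning: { status: 'enabled' } } },
  { name: 'public-docs',         private: false, archived: false, topics: [] },          // public: GHAS is built in
  { name: 'legacy-monolith',     private: true,  archived: true,  topics: [],
    security_and_analysis: { advanced_security: { status: 'disabled' } } },
  { name: 'old-cli',             private: true,  archived: false, topics: ['deprecated'],
    security_and_analysis: { advanced_security: { status: 'disabled' } } },
  { name: 'vendor-mirror',       private: true,  archived: false, topics: [],
    security_and_analysis: { advanced_security: { status: 'disabled' } } },
  { name: 'infra-terraform',     private: true,  archived: false, topics: [] },          // token lacks admin: no block
];

// Constructed stand-in for github/data/exclusion.json (key name is an assumption).
const EXCLUSION = { excluded_repositories: ['vendor-mirror'] };

// README scoping: public, archived, deprecated and explicitly excluded repos are out.
function inScope(repo, exclusion) {
  if (!repo.private) return false;
  if (repo.archived) return false;
  if ((repo.topics || []).includes('deprecated')) return false;
  if (exclusion.excluded_repositories.includes(repo.name)) return false;
  return true;
}

// `-a status`: bucket in-scope repos. A missing security_and_analysis block is
// reported as unknown rather than silently treated as disabled, because it
// usually means the token cannot see (or change) the setting.
function ghasStatus(repos, exclusion) {
  const result = { enabled: [], disabled: [], unknown: [], skipped: [] };
  for (const repo of repos) {
    if (!inScope(repo, exclusion)) { result.skipped.push(repo.name); continue; }
    const st = repo.security_and_analysis?.advanced_security?.status;
    if (st === 'enabled') result.enabled.push(repo.name);
    else if (st === 'disabled') result.disabled.push(repo.name);
    else result.unknown.push(repo.name);
  }
  return result;
}

// PATCH /repos/{org}/{repo} body that enables GHAS and secret scanning (which
// depends on it). Valid only for private/internal repositories.
function enableBody() {
  return {
    security_and_analysis: {
      advanced_security: { status: 'enabled' },
      secret_scanning: { status: 'enabled' },
    },
  };
}

// `-a enable`: send the PATCH with the standard GitHub REST headers; resolves to the HTTP status.
async function enableGhas(org, repo, token) {
  const res = await fetch(`https://api.github.com/repos/${org}/${repo}`, {
    method: 'PATCH',
    headers: {
      Authorization: `Bearer ${token}`,
      Accept: 'application/vnd.github+json',
      'X-GitHub-Api-Version': '2022-11-28',
      'Content-Type': 'application/json',
    },
    body: JSON.stringify(enableBody()),
  });
  return res.status;
}

async function main() {
  const status = ghasStatus(SAMPLE_REPOS, EXCLUSION);
  console.log(JSON.stringify(status, null, 2));
  // Dry run by default; the API is touched only with --apply and real credentials.
  const { GITHUB_TOKEN, ORG } = process.env;
  if (process.argv.includes('--apply') && GITHUB_TOKEN && ORG) {
    for (const repo of status.disabled) {
      console.log(repo, await enableGhas(ORG, repo, GITHUB_TOKEN));
    }
  }
}

main();
```

Run it with `node ghas-scope.js` to see the buckets for the sample data; `node ghas-scope.js --apply` with GITHUB_TOKEN and ORG exported would enable GHAS on every repo reported as disabled. Repos in the `unknown` bucket are the ones to chase first in a daily summary: they are in scope but the token cannot see their settings, so a report that counted them as "enabled" or ignored them would overstate coverage.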
Roadmap
- Custom Security Controls Monitoring: Add support for monitoring custom controls beyond CodeQL, IaC, and Dependabot.
- Customizable Daily Summary: Allow users to add additional control statuses to daily reports.
- CLI & JSON Output Support: Enable full output options via CLI arguments for both CLI and JSON formats.