security/scan.sh

# Clean existing reports.
rm -r ./gitleaks;
rm -r ./trivy;
rm -r ./grype;
rm -r ./syft;
rm -r ./snyk;
rm -r ./deps;

# Create the directories for the reports.
mkdir ./gitleaks;
mkdir ./trivy;
mkdir ./grype;
mkdir ./syft;
mkdir ./snyk;
mkdir ./deps;

# Parse directories for all of the projects we "own".
repositories=($(find /home/naomi/code/naomi -maxdepth 1 -type d -not -name '.' -printf "%f\n" | sort));
html=();

for directory in "${repositories[@]}"; do
  if [ $directory == "naomi" ] || [ $directory == "security" ]; then
    continue;
  fi;
  echo "Scanning $directory";

  # Automated scanning tools
  gitleaks detect --source /home/naomi/code/naomi/$directory -r ./gitleaks/$directory.json --no-banner;
  trivy repo --format json --output ./trivy/$directory.json /home/naomi/code/naomi/$directory;
  grype -o json --file ./grype/$directory.json /home/naomi/code/naomi/$directory;
  syft scan /home/naomi/code/naomi/$directory -o json=./syft/$directory.json;

  # Need to move directories for Snyk to track the target correctly.
  cd /home/naomi/code/naomi/$directory;
  snyk monitor --dev --project-name=$directory --remote-repo-url=$(git remote get-url origin) /home/naomi/code/naomi/$directory;
  snyk test --dev --json --json-file-output=/home/naomi/code/naomi/security/snyk/$directory.json /home/naomi/code/naomi/$directory;
  cd /home/naomi/code/naomi/security;

  # Manual dependency version checks (no reliable package to do this for us :/ )
  echo "No supported package manager found in this project." > /home/naomi/code/naomi/security/deps/$directory.txt;
  if [ -f /home/naomi/code/naomi/$directory/package.json ]; then
    cd /home/naomi/code/naomi/$directory;
    pnpm outdated | grep -v "^WARN" > /home/naomi/code/naomi/security/deps/$directory.txt;
    cd /home/naomi/code/naomi/security;
  fi;
  if [ -f /home/naomi/code/naomi/$directory/Pipfile ]; then
    cd /home/naomi/code/naomi/$directory;
    pip list --outdated > /home/naomi/code/naomi/security/deps/$directory.txt;
    cd /home/naomi/code/naomi/security;
  fi;
  if [ -f /home/naomi/code/naomi/$directory/*.csproj ]; then
    cd /home/naomi/code/naomi/$directory;
    dotnet list package --outdated > /home/naomi/code/naomi/security/deps/$directory.txt;
    cd /home/naomi/code/naomi/security;
  fi;
  if [ -f /home/naomi/code/naomi/$directory/go.mod ]; then
    cd /home/naomi/code/naomi/$directory;
    go list -m -u all > /home/naomi/code/naomi/security/deps/$directory.txt;
    cd /home/naomi/code/naomi/security;
  fi;
  if [ -f /home/naomi/code/naomi/$directory/rockspec ]; then
    cd /home/naomi/code/naomi/$directory;
    luarocks list --outdated > /home/naomi/code/naomi/security/deps/$directory.txt;
    cd /home/naomi/code/naomi/security;
  fi;
  if [ -f /home/naomi/code/naomi/$directory/composer.json ]; then
    cd /home/naomi/code/naomi/$directory;
    composer outdated --format=json > /home/naomi/code/naomi/security/deps/$directory.json;
    cd /home/naomi/code/naomi/security;
  fi;
  if [ -f /home/naomi/code/naomi/$directory/Gemfile ]; then
    cd /home/naomi/code/naomi/$directory;
    bundle outdated > /home/naomi/code/naomi/security/deps/$directory.txt;
    cd /home/naomi/code/naomi/security;
  fi;
  if [ -f /home/naomi/code/naomi/$directory/Cargo.toml ]; then
    cd /home/naomi/code/naomi/$directory;
    cargo outdated > /home/naomi/code/naomi/security/deps/$directory.txt;
    cd /home/naomi/code/naomi/security;
  fi;
  html+=("<h2>$directory</h2><ul><li style='list-style-type: none;'><a href='./gitleaks/$directory.json'>Gitleaks</a></li><li style='list-style-type: none;'><a href='./trivy/$directory.json'>Trivy</a></li><li style='list-style-type: none;'><a href='./grype/$directory.json'>Grype</a></li><li style='list-style-type: none;'><a href='./syft/$directory.json'>Syft</a></li><li style='list-style-type: none;'><a href='./snyk/$directory.json'>Snyk</a></ul><li style='list-style-type: none;'><a href='./deps/$directory.txt'>Outdated Dependencies</a></ul>");
done;

echo "<!DOCTYPE html><html><head><title>Security Audits</title><meta charset=\"utf-8\" /><meta name=\"viewport\" content=\"width=device-width, initial-scale=1\" /><meta name=\"description\" content=\"A collection of the various reporting tools we run against our repositories.\" /><script src=\"https://cdn.nhcarrigan.com/headers/index.js\" async defer></script></head><body><main><h1>Security Audits</h1><section><p>A collection of the various reporting tools we run against our repositories.</p><p>Contributions to resolve a reported issue are welcomed!</section><section>${html[*]}</section></main></body></html>" > ./index.html;

# Deploy the reports to the production server.
GLOBIGNORE='.git' scp -r ./* prod:/home/nhcarrigan/security
feat: create script (#1) ### Explanation _No response_ ### Issue _No response_ ### Attestations - [x] I have read and agree to the [Code of Conduct](https://docs.nhcarrigan.com/community/coc/) - [x] I have read and agree to the [Community Guidelines](https://docs.nhcarrigan.com/community/guide/). - [x] My contribution complies with the [Contributor Covenant](https://docs.nhcarrigan.com/dev/covenant/). ### Dependencies - [ ] I have pinned the dependencies to a specific patch version. ### Style - [ ] I have run the linter and resolved any errors. - [ ] My pull request uses an appropriate title, matching the conventional commit standards. - [ ] My scope of feat/fix/chore/etc. correctly matches the nature of changes in my pull request. ### Tests - [ ] My contribution adds new code, and I have added tests to cover it. - [ ] My contribution modifies existing code, and I have updated the tests to reflect these changes. - [ ] All new and existing tests pass locally with my changes. - [ ] Code coverage remains at or above the configured threshold. ### Documentation _No response_ ### Versioning _No response_ Reviewed-on: https://codeberg.org/nhcarrigan/security/pulls/1 Co-authored-by: Naomi Carrigan <commits@nhcarrigan.com> Co-committed-by: Naomi Carrigan <commits@nhcarrigan.com> 2024-12-27 02:38:21 +00:00			`# Clean existing reports.`
			`rm -r ./gitleaks;`
			`rm -r ./trivy;`
			`rm -r ./grype;`
			`rm -r ./syft;`
			`rm -r ./snyk;`
			`rm -r ./deps;`

			`# Create the directories for the reports.`
			`mkdir ./gitleaks;`
			`mkdir ./trivy;`
			`mkdir ./grype;`
			`mkdir ./syft;`
			`mkdir ./snyk;`
			`mkdir ./deps;`

			`# Parse directories for all of the projects we "own".`
			`repositories=($(find /home/naomi/code/naomi -maxdepth 1 -type d -not -name '.' -printf "%f\n" \| sort));`
			`html=();`

			`for directory in "${repositories[@]}"; do`
			`if [ $directory == "naomi" ] \|\| [ $directory == "security" ]; then`
			`continue;`
			`fi;`
			`echo "Scanning $directory";`

			`# Automated scanning tools`
			`gitleaks detect --source /home/naomi/code/naomi/$directory -r ./gitleaks/$directory.json --no-banner;`
			`trivy repo --format json --output ./trivy/$directory.json /home/naomi/code/naomi/$directory;`
			`grype -o json --file ./grype/$directory.json /home/naomi/code/naomi/$directory;`
			`syft scan /home/naomi/code/naomi/$directory -o json=./syft/$directory.json;`

			`# Need to move directories for Snyk to track the target correctly.`
			`cd /home/naomi/code/naomi/$directory;`
			`snyk monitor --dev --project-name=$directory --remote-repo-url=$(git remote get-url origin) /home/naomi/code/naomi/$directory;`
			`snyk test --dev --json --json-file-output=/home/naomi/code/naomi/security/snyk/$directory.json /home/naomi/code/naomi/$directory;`
			`cd /home/naomi/code/naomi/security;`

			`# Manual dependency version checks (no reliable package to do this for us :/ )`
			`echo "No supported package manager found in this project." > /home/naomi/code/naomi/security/deps/$directory.txt;`
			`if [ -f /home/naomi/code/naomi/$directory/package.json ]; then`
			`cd /home/naomi/code/naomi/$directory;`
			`pnpm outdated \| grep -v "^WARN" > /home/naomi/code/naomi/security/deps/$directory.txt;`
			`cd /home/naomi/code/naomi/security;`
			`fi;`
			`if [ -f /home/naomi/code/naomi/$directory/Pipfile ]; then`
			`cd /home/naomi/code/naomi/$directory;`
			`pip list --outdated > /home/naomi/code/naomi/security/deps/$directory.txt;`
			`cd /home/naomi/code/naomi/security;`
			`fi;`
			`if [ -f /home/naomi/code/naomi/$directory/*.csproj ]; then`
			`cd /home/naomi/code/naomi/$directory;`
			`dotnet list package --outdated > /home/naomi/code/naomi/security/deps/$directory.txt;`
			`cd /home/naomi/code/naomi/security;`
			`fi;`
			`if [ -f /home/naomi/code/naomi/$directory/go.mod ]; then`
			`cd /home/naomi/code/naomi/$directory;`
			`go list -m -u all > /home/naomi/code/naomi/security/deps/$directory.txt;`
			`cd /home/naomi/code/naomi/security;`
			`fi;`
			`if [ -f /home/naomi/code/naomi/$directory/rockspec ]; then`
			`cd /home/naomi/code/naomi/$directory;`
			`luarocks list --outdated > /home/naomi/code/naomi/security/deps/$directory.txt;`
			`cd /home/naomi/code/naomi/security;`
			`fi;`
			`if [ -f /home/naomi/code/naomi/$directory/composer.json ]; then`
			`cd /home/naomi/code/naomi/$directory;`
			`composer outdated --format=json > /home/naomi/code/naomi/security/deps/$directory.json;`
			`cd /home/naomi/code/naomi/security;`
			`fi;`
			`if [ -f /home/naomi/code/naomi/$directory/Gemfile ]; then`
			`cd /home/naomi/code/naomi/$directory;`
			`bundle outdated > /home/naomi/code/naomi/security/deps/$directory.txt;`
			`cd /home/naomi/code/naomi/security;`
			`fi;`
			`if [ -f /home/naomi/code/naomi/$directory/Cargo.toml ]; then`
			`cd /home/naomi/code/naomi/$directory;`
			`cargo outdated > /home/naomi/code/naomi/security/deps/$directory.txt;`
			`cd /home/naomi/code/naomi/security;`
			`fi;`
			html+=("<h2>$directory</h2><ul><li style='list-style-type: none;'><a href='./gitleaks/$directory.json'>Gitleaks</a></li><li style='list-style-type: none;'><a href='./trivy/$directory.json'>Trivy</a></li><li style='list-style-type: none;'><a href='./grype/$directory.json'>Grype</a></li><li style='list-style-type: none;'><a href='./syft/$directory.json'>Syft</a></li><li style='list-style-type: none;'><a href='./snyk/$directory.json'>Snyk</a></ul><li style='list-style-type: none;'><a href='./deps/$directory.txt'>Outdated Dependencies</a></ul>");
			`done;`

			echo "<!DOCTYPE html><html><head><title>Security Audits</title><meta charset=\"utf-8\" /><meta name=\"viewport\" content=\"width=device-width, initial-scale=1\" /><meta name=\"description\" content=\"A collection of the various reporting tools we run against our repositories.\" /><script src=\"https://cdn.nhcarrigan.com/headers/index.js\" async defer></script></head><body><main><h1>Security Audits</h1><section><p>A collection of the various reporting tools we run against our repositories.</p><p>Contributions to resolve a reported issue are welcomed!</section><section>${html[*]}</section></main></body></html>" > ./index.html;

			`# Deploy the reports to the production server.`
			`GLOBIGNORE='.git' scp -r ./* prod:/home/nhcarrigan/security`