From 742931772c56a5b46d502cc5280c6d5d4bd592fe Mon Sep 17 00:00:00 2001 From: Naomi Carrigan Date: Fri, 27 Dec 2024 02:38:21 +0000 Subject: [PATCH] feat: create script (#1) ### Explanation _No response_ ### Issue _No response_ ### Attestations - [x] I have read and agree to the [Code of Conduct](https://docs.nhcarrigan.com/community/coc/) - [x] I have read and agree to the [Community Guidelines](https://docs.nhcarrigan.com/community/guide/). - [x] My contribution complies with the [Contributor Covenant](https://docs.nhcarrigan.com/dev/covenant/). ### Dependencies - [ ] I have pinned the dependencies to a specific patch version. ### Style - [ ] I have run the linter and resolved any errors. - [ ] My pull request uses an appropriate title, matching the conventional commit standards. - [ ] My scope of feat/fix/chore/etc. correctly matches the nature of changes in my pull request. ### Tests - [ ] My contribution adds new code, and I have added tests to cover it. - [ ] My contribution modifies existing code, and I have updated the tests to reflect these changes. - [ ] All new and existing tests pass locally with my changes. - [ ] Code coverage remains at or above the configured threshold. ### Documentation _No response_ ### Versioning _No response_ Reviewed-on: https://codeberg.org/nhcarrigan/security/pulls/1 Co-authored-by: Naomi Carrigan Co-committed-by: Naomi Carrigan
---
 .gitignore | 7 +++++ README.md | 18 +++-------- scan.sh | 87 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 98 insertions(+), 14 deletions(-) create mode 100644 .gitignore create mode 100755 scan.sh
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..492b277
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,7 @@
+trivy
+syft
+grype
+gitleaks
+deps
+snyk
+index.html
\ No newline at end of file
diff --git a/README.md b/README.md
index 47a840e..dad3a33 100644
--- a/README.md
+++ b/README.md
@@ -1,20 +1,10 @@
-# New Repository Template
+# Security Scanner
-This template contains all of our basic files for a new GitHub repository. There is also a handy workflow that will create an issue on a new repository made from this template, with a checklist for the steps we usually take in setting up a new repository.
-
-If you're starting a Node.JS project with TypeScript, we have a [specific template](https://github.com/naomi-lgbt/nodejs-typescript-template) for that purpose.
-
-## Readme
-
-Delete all of the above text (including this line), and uncomment the below text to use our standard readme template.
-
+We may be contacted through our [Chat Server](http://chat.nhcarrigan.com) or via email at `contact@nhcarrigan.com`.
diff --git a/scan.sh b/scan.sh
new file mode 100755
index 0000000..ee6ef18
--- /dev/null
+++ b/scan.sh
@@ -0,0 +1,87 @@
+# Clean existing reports.
+rm -r ./gitleaks;
+rm -r ./trivy;
+rm -r ./grype;
+rm -r ./syft;
+rm -r ./snyk;
+rm -r ./deps;
+
+# Create the directories for the reports.
+mkdir ./gitleaks;
+mkdir ./trivy;
+mkdir ./grype;
+mkdir ./syft;
+mkdir ./snyk;
+mkdir ./deps;
+
+# Parse directories for all of the projects we "own".
+repositories=($(find /home/naomi/code/naomi -maxdepth 1 -type d -not -name '.' -printf "%f\n" | sort));
+html=();
+
+for directory in "${repositories[@]}"; do
+ if [ $directory == "naomi" ] || [ $directory == "security" ]; then
+ continue;
+ fi;
+ echo "Scanning $directory";
+
+ # Automated scanning tools
+ gitleaks detect --source /home/naomi/code/naomi/$directory -r ./gitleaks/$directory.json --no-banner;
+ trivy repo --format json --output ./trivy/$directory.json /home/naomi/code/naomi/$directory;
+ grype -o json --file ./grype/$directory.json /home/naomi/code/naomi/$directory;
+ syft scan /home/naomi/code/naomi/$directory -o json=./syft/$directory.json;
+
+ # Need to move directories for Snyk to track the target correctly.
+ cd /home/naomi/code/naomi/$directory;
+ snyk monitor --dev --project-name=$directory --remote-repo-url=$(git remote get-url origin) /home/naomi/code/naomi/$directory;
+ snyk test --dev --json --json-file-output=/home/naomi/code/naomi/security/snyk/$directory.json /home/naomi/code/naomi/$directory;
+ cd /home/naomi/code/naomi/security;
+
+ # Manual dependency version checks (no reliable package to do this for us :/ )
+ echo "No supported package manager found in this project."
> /home/naomi/code/naomi/security/deps/$directory.txt;
+ if [ -f /home/naomi/code/naomi/$directory/package.json ]; then
+ cd /home/naomi/code/naomi/$directory;
+ pnpm outdated | grep -v "^WARN" > /home/naomi/code/naomi/security/deps/$directory.txt;
+ cd /home/naomi/code/naomi/security;
+ fi;
+ if [ -f /home/naomi/code/naomi/$directory/Pipfile ]; then
+ cd /home/naomi/code/naomi/$directory;
+ pip list --outdated > /home/naomi/code/naomi/security/deps/$directory.txt;
+ cd /home/naomi/code/naomi/security;
+ fi;
+ if [ -f /home/naomi/code/naomi/$directory/*.csproj ]; then
+ cd /home/naomi/code/naomi/$directory;
+ dotnet list package --outdated > /home/naomi/code/naomi/security/deps/$directory.txt;
+ cd /home/naomi/code/naomi/security;
+ fi;
+ if [ -f /home/naomi/code/naomi/$directory/go.mod ]; then
+ cd /home/naomi/code/naomi/$directory;
+ go list -m -u all > /home/naomi/code/naomi/security/deps/$directory.txt;
+ cd /home/naomi/code/naomi/security;
+ fi;
+ if [ -f /home/naomi/code/naomi/$directory/rockspec ]; then
+ cd /home/naomi/code/naomi/$directory;
+ luarocks list --outdated > /home/naomi/code/naomi/security/deps/$directory.txt;
+ cd /home/naomi/code/naomi/security;
+ fi;
+ if [ -f /home/naomi/code/naomi/$directory/composer.json ]; then
+ cd /home/naomi/code/naomi/$directory;
+ composer outdated --format=json > /home/naomi/code/naomi/security/deps/$directory.json;
+ cd /home/naomi/code/naomi/security;
+ fi;
+ if [ -f /home/naomi/code/naomi/$directory/Gemfile ]; then
+ cd /home/naomi/code/naomi/$directory;
+ bundle outdated > /home/naomi/code/naomi/security/deps/$directory.txt;
+ cd /home/naomi/code/naomi/security;
+ fi;
+ if [ -f /home/naomi/code/naomi/$directory/Cargo.toml ]; then
+ cd /home/naomi/code/naomi/$directory;
+ cargo outdated > /home/naomi/code/naomi/security/deps/$directory.txt;
+ cd /home/naomi/code/naomi/security;
+ fi;
+ html+=("

$directory

  • Outdated Dependencies");
+done;
+
+echo "Security Audits

    Security Audits

    A collection of the various reporting tools we run against our repositories.

    Contributions to resolve a reported issue are welcomed!

    ${html[*]}
    " > ./index.html;
+
+# Deploy the reports to the production server.
+GLOBIGNORE='.git' scp -r ./* prod:/home/nhcarrigan/security
\ No newline at end of file
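Review bot: The `cd /home/naomi/code/naomi/$directory;` lines inside the loop are unchecked and the file opens with a comment instead of a shebang or `set -u`, so a repository the script cannot enter still has `snyk monitor`, `snyk test` and the `pnpm outdated`-style checks run against whatever directory the shell happens to be in, and still gets an entry appended to `html` as if a report existed; guard each entry with `cd "/home/naomi/code/naomi/$directory" || { echo "skipping $directory" >&2; continue; }` and start the file with `#!/usr/bin/env bash`, since it is committed as 100755 and the arrays and `[ $directory == "naomi" ]` are bashisms a `/bin/sh` fallback will reject. Quote `$directory` wherever it is used in a path, and build `repositories` with `mapfile -t` (or `find -print0`) instead of `($(find …))`, which word-splits the directory names. `[ -f /home/naomi/code/naomi/$directory/*.csproj ]` is also fragile: the shell expands the glob before `[` runs, so two `.csproj` files become extra arguments and the test errors out instead of matching; `compgen -G "/home/naomi/code/naomi/$directory/*.csproj" >/dev/null` checks for a match safely. Separately, the final `scp -r ./* prod:/home/nhcarrigan/security` ships the raw `./gitleaks/*.json` reports, and gitleaks findings carry the matched secret value, so every credential the scan catches is copied to the production host next to a public index; running `gitleaks detect --redact …` (or stripping the secret fields before deploying) keeps only locations and rule ids in what leaves the machine. If you add `set -euo pipefail` along with the shebang, note that gitleaks and `snyk test` exit non-zero when they find something, so those lines need their status captured (`rv=0; gitleaks … || rv=$?`) rather than aborting the loop.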