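#!/usr/bin/env bash
#
# Security audit runner.
#
# For every repository we own (one subdirectory per repository under
# LOCAL_REPOS_ROOT, used only as a list of names) this script:
#   1. clones a fresh, full copy from REMOTE_BASE_URL,
#   2. runs gitleaks, trivy, grype, syft and snyk against it,
#   3. lists outdated dependencies with the matching package manager,
#   4. removes the checkout,
# then writes an index page and copies all reports to PUBLISH_DIR.
#
# Required on PATH: git, gitleaks, trivy, grype, syft, snyk (already
# authenticated through its own environment/config) and the package
# managers of the scanned ecosystems (pnpm, pip, dotnet, go, luarocks,
# composer, bundle, cargo).
#
# Deliberately NOT `set -e`: most scanners exit non-zero when they find
# something (gitleaks on a leak, `snyk test` on a vulnerability, the
# `outdated` commands when packages are stale).  That is a finding, not a
# failure, and one noisy repository must not abort the audit of the rest.
set -uo pipefail

# Directory whose subdirectories name the repositories to audit.
readonly LOCAL_REPOS_ROOT="/home/naomi/code/naomi"
# Remote every repository is cloned from, as "$REMOTE_BASE_URL/<name>".
readonly REMOTE_BASE_URL="https://git.nhcarrigan.com/nhcarrigan"
# Where the finished reports and the index page are published.
readonly PUBLISH_DIR="/home/nhcarrigan/security"
# One report directory per tool; exactly these directories are deployed.
readonly REPORT_DIRS=(deps gitleaks trivy grype syft snyk)

# Absolute working directory.  Every report path is anchored here so the
# `cd` into a checkout (needed by snyk and the package managers) can never
# redirect a report into the cloned tree.  The previous version lost its
# place after `cd current_dir` (missing `$`) and wrote the dependency
# reports under ./_repos/security/deps, a path the deploy step never copied.
work_dir=$(pwd) || exit 1
readonly work_dir
# Fresh clones live here and are removed again after each repository.
readonly CHECKOUT_DIR="$work_dir/_repos"

#######################################
# Print a progress/diagnostic line on stderr (stdout carries scanner output).
#######################################
log() {
  printf '%s\n' "$*" >&2
}

#######################################
# Succeed when the glob pattern in $1 matches at least one path.
# `[ -f dir/*.csproj ]` cannot be used for this: with two matches the test
# receives too many operands, with none it tests the literal pattern.
# Arguments: $1 - glob pattern (passed quoted by the caller)
#######################################
has_glob() {
  compgen -G "$1" > /dev/null 2>&1
}

#######################################
# Print the repository names to audit, one per line, sorted.
# -mindepth 1 keeps the root directory itself off the list; the previous
# `-not -name '.'` never matched it, because `-printf %f` prints the root's
# basename ("naomi"), not ".", so the root was cloned/scanned as a repo.
# Globals:   LOCAL_REPOS_ROOT (read)
#######################################
discover_repositories() {
  find "$LOCAL_REPOS_ROOT" -mindepth 1 -maxdepth 1 -type d -printf '%f\n' \
    | sort
}

#######################################
# Run the secret, vulnerability and SBOM scanners against one checkout.
# gitleaks walks the whole commit history, which is why the clone is not
# shallow: a --depth clone would hide secrets committed and later removed.
# Globals:   work_dir (read)
# Arguments: $1 - repository name, $2 - absolute path of its checkout
# Outputs:   JSON reports under $work_dir/{gitleaks,trivy,grype,syft}/
#######################################
run_scanners() {
  local name=$1 checkout=$2
  gitleaks detect --source "$checkout" -r "$work_dir/gitleaks/$name.json" --no-banner
  trivy repo --format json --output "$work_dir/trivy/$name.json" "$checkout"
  grype -o json --file "$work_dir/grype/$name.json" "$checkout"
  syft scan "$checkout" -o "json=$work_dir/syft/$name.json"
}

#######################################
# Register the checkout with Snyk and write its test report.
# Snyk resolves the project relative to the cwd, so this runs in a subshell
# that cds into the checkout; the subshell also keeps the cwd change (and a
# failed cd) from leaking into the steps that follow.
# Globals:   work_dir (read)
# Arguments: $1 - repository name, $2 - absolute path of its checkout
# Outputs:   $work_dir/snyk/<name>.json
#######################################
run_snyk() {
  local name=$1 checkout=$2
  (
    cd "$checkout" || exit 1
    local remote_url
    remote_url=$(git remote get-url origin) || exit 1
    # The target is an absolute path on purpose: the previous
    # "./_repos/<name>" was resolved relative to the checkout itself.
    snyk monitor --dev --project-name="$name" --remote-repo-url="$remote_url" "$checkout"
    snyk test --dev --json --json-file-output="$work_dir/snyk/$name.json" "$checkout"
  )
}

#######################################
# Write the outdated-dependency report for one checkout.
# Each recognised manifest appends its own section, so a polyglot
# repository lists all of its ecosystems instead of only the last one
# checked (the previous version overwrote the file on every match).
# Composer's JSON still goes to a separate <name>.json.
#
# CAUTION: these commands evaluate repository-controlled files (a Gemfile
# is Ruby, a .csproj is MSBuild, go/cargo resolve remote modules).  That is
# acceptable for our own repositories only; never point this at untrusted
# ones.
# Globals:   work_dir (read)
# Arguments: $1 - repository name, $2 - absolute path of its checkout
# Outputs:   $work_dir/deps/<name>.txt (and <name>.json for composer)
#######################################
write_outdated_report() {
  local name=$1 checkout=$2
  local report="$work_dir/deps/$name.txt"
  : > "$report"
  (
    cd "$checkout" || exit 1
    if [[ -f package.json ]]; then
      { printf '## pnpm\n'; pnpm outdated | grep -v "^WARN"; } >> "$report"
    fi
    # NOTE(review): `pip list --outdated` reports the runner's own
    # environment, not the packages pinned by the Pipfile -- confirm this
    # is what the Python repositories want.
    if [[ -f Pipfile ]]; then
      { printf '## pip\n'; pip list --outdated; } >> "$report"
    fi
    if has_glob "$checkout/*.csproj"; then
      { printf '## dotnet\n'; dotnet list package --outdated; } >> "$report"
    fi
    if [[ -f go.mod ]]; then
      { printf '## go\n'; go list -m -u all; } >> "$report"
    fi
    # NOTE(review): rockspec files are normally named <pkg>-<ver>.rockspec;
    # a file literally called "rockspec" is what was checked before, so
    # this branch may never fire -- confirm against the Lua repositories.
    if [[ -f rockspec ]]; then
      { printf '## luarocks\n'; luarocks list --outdated; } >> "$report"
    fi
    if [[ -f composer.json ]]; then
      composer outdated --format=json > "$work_dir/deps/$name.json"
      printf '## composer: see %s.json\n' "$name" >> "$report"
    fi
    if [[ -f Gemfile ]]; then
      { printf '## bundler\n'; bundle outdated; } >> "$report"
    fi
    if [[ -f Cargo.toml ]]; then
      { printf '## cargo\n'; cargo outdated; } >> "$report"
    fi
  )
  # No manifest matched: keep the original placeholder so the index still
  # links to a readable file.
  if [[ ! -s "$report" ]]; then
    printf '%s\n' "No supported package manager found in this project." > "$report"
  fi
}

#######################################
# Print the index fragment for one repository (text unchanged).
# Arguments: $1 - repository name
#######################################
repo_fragment() {
  printf '\n%s\n\n  • Outdated Dependencies' "$1"
}

#######################################
# Build the index page from the joined per-repository fragments.
# NOTE(review): the markup of the page and of the fragments looks stripped
# in the copy reviewed (no tags survive around the headings or the
# "Outdated Dependencies" link) -- restore the tags and the href to
# deps/<name>.txt from the live script.
# Globals:   work_dir (read)
# Arguments: $1 - all fragments, space-joined (as ${html[*]} was)
# Outputs:   $work_dir/index.html
#######################################
write_index() {
  local fragments=$1
  cat > "$work_dir/index.html" <<EOF
Security Audits

    Security Audits

    A collection of the various reporting tools we run against our repositories.

    Contributions to resolve a reported issue are welcomed!

    $fragments
    
EOF
}

#######################################
# Copy every report directory and the index page to PUBLISH_DIR.
# Globals:   REPORT_DIRS, PUBLISH_DIR, work_dir (read)
#######################################
publish_reports() {
  local dir
  for dir in "${REPORT_DIRS[@]}"; do
    cp -r -- "$work_dir/$dir" "$PUBLISH_DIR"
  done
  cp -- "$work_dir/index.html" "$PUBLISH_DIR"
}

#######################################
# Entry point: prepare report directories, audit each repository, publish.
#######################################
main() {
  local dir name checkout
  local -a fragments=()

  for dir in "${REPORT_DIRS[@]}"; do
    mkdir -p -- "$work_dir/$dir"
  done
  mkdir -p -- "$CHECKOUT_DIR"

  while IFS= read -r name; do
    [[ -n "$name" ]] || continue
    checkout="$CHECKOUT_DIR/$name"
    log "Scanning $name"
    # Full (non-shallow) clone on purpose, see run_scanners.  A failed
    # clone skips the repository instead of running every scanner against
    # a directory that does not exist.
    if ! git clone -- "$REMOTE_BASE_URL/$name" "$checkout"; then
      log "Clone of $name failed; skipping"
      continue
    fi
    run_scanners "$name" "$checkout"
    run_snyk "$name" "$checkout"
    write_outdated_report "$name" "$checkout"
    fragments+=("$(repo_fragment "$name")")
    # :? aborts rather than wiping $CHECKOUT_DIR itself on an empty name.
    rm -rf -- "${CHECKOUT_DIR:?}/${name:?}"
  done < <(discover_repositories)

  write_index "${fragments[*]:-}"
  publish_reports
}

main "$@"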