Security Compliance Reports with Scan

Security Compliance Reports with ShiftLeft Scan

This blog was originally published at

9:00 am

9:00 am — Start of your day

Picture this scenario. You are a Lead DevOps at your company with programming skills. Your new Head of Information Security just walked in and wants a quick catch up with your team. Before everyone could settle in, she starts with the most dreadful request.

“I want a full report of all security scan across all our repositories!”

There is absolute silence in the room. Before you could even digest and ask “What?”, she continued.

“We have an important ISO audit tomorrow and I want to find the exact security posture of all our dev teams. I want to know every single secret that is exposed in plain-text, software and open-source vulnerabilities and even license compliance related headaches. I want this report in my desk THIS AFTERNOON!”

Meme: AppSec reports by this afternoon

That sounds a bit harsh. How is this even possible in an afternoon? Surely, they should have given a heads-up month in advance so that all those security reviews, pen-test, and blue quack reports could have been collated and aggregated and printed off in a glossy stationary.

Well, my friend, what if I tell you that with ShiftLeft Scan, you can start and produce this full report by the afternoon and impress your boss!

9:10 am

ShiftLeft Scan is a free open-source DevSecOps tool that is packaged as a single docker container image. We are going to interactively scan the repositories on your PC and produce the required reports. Start with installing docker desktop by following the instructions here.

9:15 am

9:15 am — Scripting time

You need a list of all repositories belonging to your organization so that it can be cloned locally in your PC. Let’s assume that your organization use GitHub teams with private repositories. On GitHub settings, go to Developer Settings. Create a new personal access token with the following scope:

  • repo
  • read:packages
GitHub personal access token settings
GitHub personal access token for scan

Set this variable as an environment variable called GITHUB_TOKEN

9:18 am

We now need a script that should:

  • List all the repositories,
  • Clone them locally using git,
  • Invoke ShiftLeft Scan for each repo
  • Copy the reports into a separate directory

The below script should work with bash and tested on Linux, Mac, and with WSL on Windows.

If this script fails with ssh authentication errors, make sure that your ssh public key is added to GitHub and that you have the read access to the repositories.

The script will take some time depending on the number of repositories. For nearly 100 repositories, it took me just over an hour. So, take a break and get some fresh air while scan is performing its magic and does the following:

  • Scan for credentials leak
  • Static analysis-based vulnerability detection
  • Vulnerabilities with open-source dependencies
  • License compliance audits

The Best part is that all the scans are performed entirely locally on your computer. No source code, configuration or artifacts ever leave your computer.

10:15 am

As you wait to catch the lift back to your desk the Head of IS spots you from the distance. She wonders how the report is coming along.

Meme: How is my report coming along?
Meme: How is my report coming along?

You promise to do everything you can and silently head back. By now scan should have finished scanning all the repos.

Scan produces reports in a range of formats.

  • SARIF — Useful for integrating with other third-party SAST tools or to visualize using our free VS Code extension
  • HTML — Single page reports that can be simply emailed to your boss or security team
  • JSON — Full JSON report called (scan-full-report.json). Useful for aggregating multiple reports for summary and identifying insights

Our script has neatly copied all the reports into a new directory called “reports_dir”. Inside this directory, we will find directories for each repository and their scan reports.

10:35 am

It is now time to summarize all the reports to find a grand total as well as produce an overall executive summary. Let’s use something like python this time rather than just bash. The script below can be used as a starting point.

In addition to aggregating the findings, the to_html method in this script also produce a basic HTML table representation. In fact, this is exactly how scan produce those gorgeous looking HTML reports.

Scan HTML reports
Scan HTML report

12:00 am

With the summary HTML done we now have everything ready to present to the Head of IS. What seemed impossible the very morning was entirely achievable thanks to the open and flexible nature of the scan reports.

Meme: Easy compliance reports
Meme: Easy compliance reports

Thank you

This blog was inspired by a true event shared by one of the scan user. If you have such scan stories to share or would like to know more scan use cases, please join my weekly Office Hours webinar every Tuesday 10 am pacific / 6pm London.

Security Compliance Reports with Scan was originally published in ShiftLeft Blog on Medium, where people are continuing the conversation by highlighting and responding to this story.

*** This is a Security Bloggers Network syndicated blog from ShiftLeft Blog - Medium authored by Prabhu Subramanian. Read the original post at: