#security-testing #static-analysis #security #yaml #cybersecurity #sast #sca

app Hela

This tool helps in running Static Code Analysis (SCA), Static Application Security Testing (SAST), Secret scanning, and License compliance scanning on your project. It also allows you to write your own policy files in YAML format to enforce blocking in pipelines when security issues are detected.

4 releases

0.1.4 Aug 31, 2023
0.1.3 Aug 29, 2023
0.1.1 Aug 29, 2023
0.1.0 Aug 29, 2023

#403 in Testing

MIT license

78KB
1K SLoC

Hela

Docker Installation

To use the tool without building from the source and installing Rust dependencies, you can run it using Docker. Follow the instructions below:

  1. Pull the Docker image:
     docker pull rohitcoder/hela
  2. Run the tool using Docker:
     docker run rohitcoder/hela <tool-options>

Add any Docker options you may need (e.g., volume mounting) along with the desired tool options, which are explained in the next section.

Usage

To run the Hela Tool, use the following command:

docker run rohitcoder/hela --path <path> --sast --sca --secret --license-compliance --policy-url <policy_url> --verbose

Replace <path> with the path to your project, which can be either a local folder path or a Git repository URL. If you want to use it with a private repository, provide the Git repository path with an access token.

Replace <policy_url> with the URL of your policy file in YAML format. This file defines rules for blocking pipelines when specific security issues are detected.

The tool will execute the specified scans (--license-compliance, --sast, --sca, --secret) on your project and enforce the policies defined in the policy file. Verbose mode (--verbose) will provide detailed output.

Note: The API endpoints and start-server functionality are currently in development and not available.

Building & Installation from Source

Clone and build the project:

git clone https://github.com/rohitcoder/hela.git
cd hela
cargo build --release

CLI Usage

To use the tool from the command line, run the following command:

cargo run -- [options]

Replace [options] with the desired options from the list below.

Options

Option                      Description
-v, --verbose               Enable verbose mode.
-p, --code-path             Path of the project to scan (local path or HTTP Git URL).
-t, --rule-path             Path of the semgrep rules repository (local path or HTTP Git URL).
-n, --no-install            Skip installing the project during the SCA scan (useful when the repo already contains lock files and you want to save time).
-r, --root-only             Run SCA only for the manifests in the root folder.
-d, --build-args            Additional build arguments for the SCA scan (injected into build commands such as mvn build or npm run).
    --manifests             Comma-separated list of manifest types to scan. Example: --manifests packages-lock.json,requirements.txt
-i, --commit-id             Commit ID to scan (optional).
-b, --branch                Branch name to scan (optional).
-s, --sast                  Run SAST scan.
-u, --server-url            Server URL to post scan results to.
-c, --sca                   Run SCA scan.
-e, --secret                Run Secret scan.
-l, --license-compliance    Run License Compliance scan.
-j, --json                  Print JSON output. Note: this won't work with the pipeline check implementation.
-y, --policy-url            Policy URL used to decide whether the pipeline should fail.

Write a Pipeline Failure Policy Rule

You can use these policies to fail your pipeline builds in your CI/CD flow. The scanner checks the conditions defined in the policy file and fails the pipeline if any of the conditions is met.

## list in which conditions our pipeline should fail
sast:
  critical_count:
    operator: greater_than ## supports greater_than, less_than, equal_to
    value: 2
  high_count:
    operator: greater_than
    value: 2

sca:
  critical_count:
    operator: greater_than
    value: 2
  high_count:
    operator: greater_than
    value: 1

secret:
  contains:
  - JDBC # supports abbysale,abstract,abuseipdb,accuweather,adafruitio,adobeio,adzuna,aeroworkflow,agora,aha,airbrakeprojectkey,airbrakeuserkey,airship,airtableapikey,airvisual,aiven,alchemy,alconost,alegra,aletheiaapi,algoliaadminkey,alibaba,alienvault,allsports,amadeus,ambee,amplitudeapikey,anypoint,apacta,api2cart,apideck,apiflash,apifonica,apify,apilayer,apimatic,apiscience,apitemplate,apollo,appcues,appfollow,appointedd,appsynergy,apptivo,artifactory,artsy,asanaoauth,asanapersonalaccesstoken,assemblyai,atera,audd,auth0managementapitoken,auth0oauth,autodesk,autoklose,autopilot,avazapersonalaccesstoken,aviationstack,aws,axonaut,aylien,ayrshare,azure,bannerbear,baremetrics,baseapiio,beamer,beebole,besnappy,besttime,billomat,bitbar,bitcoinaverage,bitfinex,bitlyaccesstoken,bitmex,blablabus,blazemeter,blitapp,blocknative,blogger,bombbomb,boostnote,borgbase,braintreepayments,brandfetch,browserstack,browshot,bscscan,buddyns,bugherd,bugsnag,buildkite,buildkitev2,bulbul,bulksms,buttercms,caflou,calendarific,c...e,telnyx,terraformcloudpersonaltoken,testingbot,text2data,textmagic,theoddsapi,thinkific,thousandeyes,ticketmaster,tickettailor,tiingo,timecamp,timezoneapi,tineswebhook,tly,tmetric,todoist,toggltrack,tokeet,tomorrowio,tomtom,tradier,transferwise,travelpayouts,travisci,trelloapikey,tru,trufflehogenterprise,twelvedata,twilio,twist,twitch,twitter,tyntec,typeform,typetalk,ubidots,uclassify,unifyid,unplugg,unsplash,upcdatabase,uplead,uploadcare,uptimerobot,upwave,uri,urlscan,user,userflow,userstack,vatlayer,vbout,vercel,verifier,verimail,veriphone,versioneye,viewneo,virustotal,visualcrossing,voicegain,voodoosms,vouchery,vpnapi,vultrapikey,vyte,walkscore,weatherbit,weatherstack,webex,webflow,webscraper,webscraping,websitepulse,wepay,whoxy,wistia,wit,worksnaps,workstack,worldcoinindex,worldweather,wrike,yandex,yelp,youneedabudget,yousign,youtubeapikey,zapierwebhook,zendeskapi,zenkitapi,zenrows,zenscrape,zenserp,zeplin,zerobounce,zipapi,zipbooks,zipcodeapi,zipcodebase,zonkafeedback,zulipchat

license:
  contains:
  - AGPL
  - GPL
  - LGPL
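
To make the semantics of such a policy concrete, here is an added example (not Hela's own code) that evaluates a policy of this shape against constructed scan results. It assumes the policy has been loaded into a dict (as yaml.safe_load would produce), that contains entries are matched as case-insensitive substrings (the README does not say how Hela matches them), and that an unknown operator should fail closed.

```python
# Added example (not Hela's code): evaluate a Hela-style failure policy against
# scan results. POLICY is the README's YAML as yaml.safe_load() would return it;
# RESULTS is constructed. "contains" matching is assumed to be a
# case-insensitive substring test (the README does not say how Hela matches).
OPERATORS = {  # the operators named in the README's policy comment
    "greater_than": lambda actual, limit: actual > limit,
    "less_than": lambda actual, limit: actual < limit,
    "equal_to": lambda actual, limit: actual == limit,
}
POLICY = {
    "sast": {"critical_count": {"operator": "greater_than", "value": 2},
             "high_count": {"operator": "greater_than", "value": 2}},
    "sca": {"critical_count": {"operator": "greater_than", "value": 2},
            "high_count": {"operator": "greater_than", "value": 1}},
    "secret": {"contains": ["JDBC"]},
    "license": {"contains": ["AGPL", "GPL", "LGPL"]},
}
# Constructed results: severity counts, secret detector names, dependency licenses.
RESULTS = {
    "sast": {"critical_count": 0, "high_count": 3},
    "sca": {"critical_count": 1, "high_count": 1},
    "secret": ["aws", "github"],
    "license": ["MIT", "LGPL-2.1"],
}

def evaluate_policy(policy, results):
    """Return the violated conditions; an empty list means the pipeline passes."""
    violations = []
    for scanner, rules in policy.items():
        found = results.get(scanner)
        if "contains" in rules:  # secret / license sections
            patterns = [p.lower() for p in rules["contains"]]
            hits = [item for item in found or []
                    if any(p in item.lower() for p in patterns)]
            if hits:
                violations.append(f"{scanner}: found {hits}")
            continue
        for metric, cond in rules.items():  # sast / sca count thresholds
            op = OPERATORS.get(cond["operator"])
            if op is None:  # fail closed on a typo rather than silently passing
                raise ValueError(f"unknown operator {cond['operator']!r} in {scanner}.{metric}")
            actual = (found or {}).get(metric, 0)
            if op(actual, cond["value"]):
                violations.append(f"{scanner}.{metric}={actual} {cond['operator']} {cond['value']}")
    return violations

def pipeline_should_fail(policy, results):
    """True means block the pipeline (e.g. exit non-zero in CI)."""
    return bool(evaluate_policy(policy, results))
```

With the constructed results above, the SAST high count (3 > 2) and the LGPL dependency trip the policy, while the SCA counts stay within their thresholds.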

Example working command

docker run rohitcoder/hela --path https://github.com/appsecco/dvja --license-compliance --sast --sca --secret --license-compliance --policy-url https://raw.githubusercontent.com/rohitcoder/code-security-policies/main/policy-fail.yaml --verbose

💪 Contributors

Thank you for continuously making this tool better! 🙏

Contribute

Please go through the contributing guidelines before you start, and let us know if you have any challenges or questions.

Hela is maintained by Rohit Kumar (@rohitcoder)

Thank you!

Dependencies

~37–51MB
~1M SLoC