clj-holmes / clj-holmes-action


Action to execute clj-holmes in Clojure/Clojurescript projects.


clj-holmes-action's Introduction

clj-holmes

A command-line SAST (static application security testing) tool built to find vulnerable Clojure code using rules written in a simple pattern language. Although finding vulnerabilities is its main purpose, clj-holmes can also be used to find any kind of code pattern.

Installation

Download the release for your OS (mac or linux), copy it to a directory in your $PATH and make the binary executable.

Linux example

curl -L https://github.com/clj-holmes/clj-holmes/releases/latest/download/clj-holmes-ubuntu-latest -o /tmp/clj-holmes
sudo install -m 755 /tmp/clj-holmes /usr/local/bin/clj-holmes
rm /tmp/clj-holmes

Rules

All public rules can be found here. It is also possible to maintain your own set of rules.

clj-holmes currently supports the following rule sources:

GitHub

The GitHub wagon supports public and private repositories. To fetch rules from a private repository, the GITHUB_TOKEN environment variable needs to be set.

To fetch a rule set, clj-holmes expects a GitHub repository URL following the specification below:

git://username/project-name#branch-name

Fetching Rules

NAME:
 clj-holmes fetch-rules - Fetch rules from an external server

USAGE:
 clj-holmes fetch-rules [command options] [arguments...]

OPTIONS:
   -r, --repository S        git://clj-holmes/clj-holmes-rules#main  Repository to download rules
   -o, --output-directory S  /tmp/clj-holmes-rules/                  Directory to save rules
   -?, --help

Before a scan can be executed, the rules must be fetched. This can be achieved with the following command.

clj-holmes fetch-rules

It is also possible to use another source for a rule set by adding the -r or --repository parameter followed by the GitHub repository URL.

clj-holmes fetch-rules -r git://clj-holmes/clj-holmes-private-rules#main
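The git://username/project-name#branch-name spec above is handed straight to the fetch step, so a CI wrapper should check its shape before building a command line from it. The following is an added example, not code from clj-holmes or the action: a POSIX sh function that validates a spec and splits it into owner, project and branch, plus a hypothetical `fetch_rules_cmd` helper that prints the resulting `clj-holmes fetch-rules` invocation (with the default output directory from the CLI help) instead of running it, so the script works without the binary installed.

```shell
#!/bin/sh
# Added example (not part of clj-holmes): validate a rules-repository spec
# of the form git://username/project-name#branch-name before handing it to
# `clj-holmes fetch-rules -r`, and split it into its three components.
#
# Prints "username project-name branch-name" and returns 0 on success;
# prints nothing and returns 1 for anything that does not match the spec.
rules_repo_parse() {
    spec=$1

    # Coarse shape check: scheme, an owner/project separator and a branch marker.
    case $spec in
        git://*/*#*) ;;
        *) return 1 ;;
    esac

    rest=${spec#git://}
    owner=${rest%%/*}        # up to the first '/'
    rest=${rest#*/}
    project=${rest%%#*}      # up to the first '#'
    branch=${rest#*#}        # everything after the first '#'

    # Owner and project are single path segments; a branch may contain '/'
    # (for example release/1.x), but no component may be empty.
    case $owner in ''|*/*) return 1 ;; esac
    case $project in ''|*/*) return 1 ;; esac
    [ -n "$branch" ] || return 1

    # Restrict every component to a conservative alphabet so the values can be
    # spliced into a URL or a local directory name without surprises, and
    # reject '..' segments that could escape the rules output directory.
    for part in "$owner" "$project" "$branch"; do
        case $part in
            *[!A-Za-z0-9._/-]*) return 1 ;;
            ..|../*|*/..|*/../*) return 1 ;;
        esac
    done

    printf '%s %s %s\n' "$owner" "$project" "$branch"
}

# Hypothetical helper: build the fetch-rules command line for a validated
# spec. The second argument overrides the default output directory taken
# from the CLI help. Prints the command rather than executing it.
fetch_rules_cmd() {
    rules_repo_parse "$1" >/dev/null || return 1
    printf 'clj-holmes fetch-rules -r %s -o %s\n' "$1" "${2:-/tmp/clj-holmes-rules/}"
}

# Stand-alone usage with the public rules spec from the README.
if rules_repo_parse 'git://clj-holmes/clj-holmes-rules#main' >/dev/null; then
    fetch_rules_cmd 'git://clj-holmes/clj-holmes-rules#main'
fi
```

A wrapper that accepts the spec from an untrusted workflow input (a pull-request title, a matrix variable) should call `rules_repo_parse` first and refuse anything that is rejected; the alphabet check is deliberately stricter than what GitHub allows in branch names.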

Scanning a Project

NAME:
 clj-holmes scan - Performs a scan for a path

USAGE:
 clj-holmes scan [command options] [arguments...]

OPTIONS:
   -p, --scan-path S*                                                Path to scan
   -d, --rules-directory S              /tmp/clj-holmes-rules/       Directory to read rules
   -o, --output-file S                  clj_holmes_scan_results.txt  Output file
   -t, --output-type json|sarif|stdout  stdout                       Output type
   -T, --rule-tags S                                                 Only use rules with specified tags to perform the scan
   -S, --rule-severity S                                             Only use rules with specified severity to perform the scan
   -P, --rule-precision S                                            Only use rules with specified precision to perform the scan
   -i, --ignored-paths S                                             Regex for paths and files that shouldn't be scanned
   -f, --[no-]fail-on-result                                         Enable or disable fail if results were found (useful for CI/CD)
   -v, --[no-]verbose                                                Enable or disable scan process feedback.
   -?, --help

After fetching the rules, a scan can be executed by providing the -p or --scan-path parameter followed by the path of the Clojure project to be scanned.

clj-holmes scan -p /tmp/clojure-project

Who uses it

Build

Steps necessary to build clj-holmes.

Dependencies

Install native image

gu install native-image

Download project dependencies

lein deps

Clean target directory

lein clean

Generate clj-holmes uberjar

lein uberjar

Generate clj-holmes native binary

lein native -H:Name=clj-holmes

clj-holmes-action's People

Contributors

mthbernardes, rafaeldelboni, rancorzinho

clj-holmes-action's Issues

Security Policy violation SECURITY.md

Allstar has detected that this repository’s SECURITY.md security policy is out of compliance. Status:
Security policy not enabled.
A SECURITY.md file can give users information about what constitutes a vulnerability and how to report one securely so that information about a bug is not publicly visible. Examples of secure reporting methods include using an issue tracker with private issue support, or encrypted email with a published key.

To fix this, add a SECURITY.md file that explains how to handle vulnerabilities found in your repository. Go to https://github.com/clj-holmes/clj-holmes-action/security/policy to enable.

For more information, see https://docs.github.com/en/code-security/getting-started/adding-a-security-policy-to-your-repository.

This issue will auto resolve when the policy is in compliance.

Issue created by Allstar. See https://github.com/ossf/allstar/ for more information. For questions specific to the repository, please contact the owner or maintainer.

No

No rules seem to be used when the default rules database is used.

Action setup:

      - name: Scan
        uses: clj-holmes/clj-holmes-action@main
        with:
     #     rules-repository: 'git://clj-holmes/clj-holmes-rules#main'
          output-type: 'sarif'
          output-file: 'clj-holmes-results.sarif'
          fail-on-result: 'false'
          verbose: 'true'
        env:
          GITHUB_TOKEN: ${{ secrets.TOKEN }}

The results don't show the rules used and as a result there are no violations found.

{"$schema":"https://schemastore.azurewebsites.net/schemas/json/sarif-2.1.0-rtm.5.json","version":"2.1.0","runs":[{"tool":{"driver":{"name":"clj-holmes","informationUri":"https://github.com/clj-holmes/clj-holmes","version":"1.4.3","rules":[]}},"results":[]}]}
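The SARIF document in this issue has an empty `"rules":[]` array alongside an empty `"results":[]`, which a pipeline that only looks at the result count would treat as a clean scan. The following is an added example, not code from clj-holmes or the action: a small POSIX sh gate that distinguishes "no rules were loaded" from "rules ran and found nothing", using only grep, so it can sit in a workflow step after the scan. The exit codes (1 for no rules, 2 for findings) are an assumption of this example, not part of the tool.

```shell
#!/bin/sh
# Added example (not part of clj-holmes or the action): sanity-check a
# clj-holmes SARIF output file in CI so that a scan which loaded no rules
# is not mistaken for a clean result. Uses only grep, so it runs anywhere
# a POSIX shell does.

# Returns 0 when the driver's rules array is empty ("rules":[]), meaning
# the scan ran without any rule and its empty results list proves nothing.
sarif_rules_empty() {
    grep -q '"rules"[[:space:]]*:[[:space:]]*\[[[:space:]]*]' "$1"
}

# Number of findings: every SARIF result object carries a ruleId.
sarif_result_count() {
    n=$(grep -o '"ruleId"' "$1" | wc -l)
    echo $((n))
}

# Combined gate for a pipeline step (exit codes chosen for this example):
# 1 when no rules were loaded, 2 when findings exist, 0 for a clean scan
# that actually had rules. Messages go to stderr.
sarif_gate() {
    file=$1
    if sarif_rules_empty "$file"; then
        echo "clj-holmes: no rules loaded; check -d/--rules-directory or the rules-repository input" >&2
        return 1
    fi
    count=$(sarif_result_count "$file")
    if [ "$count" -gt 0 ]; then
        echo "clj-holmes: $count finding(s) reported" >&2
        return 2
    fi
    echo "clj-holmes: clean scan with rules loaded" >&2
    return 0
}

# Stand-alone run on the SARIF document quoted in the issue above,
# written to a temporary file.
tmp=$(mktemp)
printf '%s' '{"$schema":"https://schemastore.azurewebsites.net/schemas/json/sarif-2.1.0-rtm.5.json","version":"2.1.0","runs":[{"tool":{"driver":{"name":"clj-holmes","informationUri":"https://github.com/clj-holmes/clj-holmes","version":"1.4.3","rules":[]}},"results":[]}]}' > "$tmp"
sarif_gate "$tmp" || echo "gate exit status: $?"
rm -f "$tmp"
```

In a workflow, run `sarif_gate clj-holmes-results.sarif` as the step after the action and treat exit status 1 as a configuration failure rather than a pass; with `fail-on-result` disabled, as in the setup above, this is the only signal that the rules directory or repository was not resolved.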

Security Policy violation Branch Protection

Allstar has detected that this repository’s Branch Protection security policy is out of compliance. Status:
No protection found for branch main

This issue will auto resolve when the policy is in compliance.

Issue created by Allstar. See https://github.com/ossf/allstar/ for more information. For questions specific to the repository, please contact the owner or maintainer.
