Skip to content
This repository has been archived by the owner on Jan 16, 2024. It is now read-only.

Utility library used to collect security analysis results and upload them for correlation and reporting in the Quantum Security platform.

License

Notifications You must be signed in to change notification settings

quantum-sec/ci-analysis-collector

Managed Security Platform Infrastructure by Quantum

ci-analysis-collector

Build Status License @quantum-sec/ci-analysis-core Maintained by quantum.security

Quantum's CI analysis collector utility is a wrapper for common security tools for normalizing results to rank and prioritize the remediation of vulnerabilities discovered in your applications and infrastructure.

This utility can be modified to be used with your own aggregation and analysis pipeline or used directly with the Quantum Security Platform.

Prerequisites

This utility requires Node.js and git. Additionally, you must install any tools you wish to use that are wrapped by this utility – each of which will have its own dependencies. Alternatively, Quantum supplies Docker containers for each of the officially supported tools.

Usage

Use npx to directly reference, install, and run this utility:

# npx <= 6
npx @quantum-sec/ci-analysis-collector [tool] [args]

# npx >= 7
npx --yes --package @quantum-sec/ci-analysis-collector \
  --call 'ci-analysis-collector [tool] [args]'

Where [tool] is the all lowercase name or "ID" of the tool (see the table of supported tools below) and where [args] are any of the following optional arguments:

Arguments

  • --path [path] – the path to source code being analyzed (default: "$PWD")
  • --soft-fail – when specified a zero exit code will be returned regardless of whether or not checks are failing (default: false)
  • --quiet – when specified, passing checks will be excluded from the printed output (default: false)
  • --log-level [LEVEL] – the log verbosity (one of error, warning, info, or debug) (default: info)
  • --webhook-url [URL] – the URL to which results will be PUT (defaults to the Quantum Platform webhook)

Environment Variables

  • QS_API_TOKEN – the API token associated with this analysis collection generated in the Quantum Security Console
  • QS_COLLECTOR_SOFT_FAIL – same as the --soft-fail argument above
  • QS_COLLECTOR_QUIET – same as the --quiet argument above
  • QS_COLLECTOR_WEBHOOK_URL – same as the --webhook-url argument above

Supported Tools

Tool Analysis Type Platforms / Languages Container Runtime
checkov SAST Terraform
CloudFormation
ARM Templates
Dockerfile
Kubernetes
quantumsec/docker-pipeline-checkov
sonarqube SAST, DAST C / C++ / Objective-C
C#
Go
Java
JavaScript / TypeScript
Kotlin
PHP
Python
Ruby
Scala
Swift
Visual Basic
quantumsec/docker-pipeline-sonarqube
trivy SAST Terraform
Dockerfile
Kubernetes
quantumsec/docker-pipeline-trivy
tfsec
(Planned)
SAST Terraform quantumsec/docker-pipeline-tfsec
ZAP SAST HTTP quantumsec/docker-pipeline-zap

Code of Conduct

Help us keep this project open and inclusive. Please read and follow our Code of Conduct.

License

This code is released under the Apache 2.0 License.

About

Utility library used to collect security analysis results and upload them for correlation and reporting in the Quantum Security platform.

Topics

Resources

License

Code of conduct

Security policy

Stars

Watchers

Forks

Packages

No packages published