1.3.3 • Published 2 years ago

@quantum-sec/ci-analysis-collector v1.3.3

Weekly downloads
-
License
Apache-2.0
Repository
github
Last release
2 years ago

Managed Security Platform Infrastructure by Quantum

ci-analysis-collector

Quantum's CI analysis collector utility is a wrapper for common security tools for normalizing results to rank and prioritize the remediation of vulnerabilities discovered in your applications and infrastructure.

This utility can be modified to be used with your own aggregation and analysis pipeline or used directly with the Quantum Security Platform.

Prerequisites

This utility requires Node.js and git. Additionally, you must install any tools you wish to use that are wrapped by this utility – each of which will have its own dependencies. Alternatively, Quantum supplies Docker containers for each of the officially supported tools.

Usage

Use npx to directly reference, install, and run this utility:

# npx <= 6
npx @quantum-sec/ci-analysis-collector [tool] [args]

# npx >= 7
npx --yes --package @quantum-sec/ci-analysis-collector \
  --call 'ci-analysis-collector [tool] [args]'

Here [tool] is the all-lowercase name (the tool "ID") from the table of supported tools below, and [args] is any combination of the following optional arguments:

Arguments

  • --path [path] – the path to the source code being analyzed (default: "$PWD")
  • --soft-fail – when specified, a zero exit code is returned regardless of whether any checks fail (default: false)
  • --quiet – when specified, passing checks are excluded from the printed output (default: false)
  • --log-level [LEVEL] – the log verbosity (one of error, warning, info, or debug) (default: info)
  • --webhook-url [URL] – the URL to which results are PUT (defaults to the Quantum Platform webhook)

Environment Variables

  • QS_API_TOKEN – the API token associated with this analysis collection generated in the Quantum Security Console
  • QS_COLLECTOR_SOFT_FAIL – same as the --soft-fail argument above
  • QS_COLLECTOR_QUIET – same as the --quiet argument above
  • QS_COLLECTOR_WEBHOOK_URL – same as the --webhook-url argument above

Supported Tools

| Tool | Analysis Type | Platforms / Languages | Container Runtime |
|---|---|---|---|
| checkov | SAST | Terraform, CloudFormation, ARM Templates, Dockerfile, Kubernetes | quantumsec/docker-pipeline-checkov |
| sonarqube | SAST, DAST | C / C++ / Objective-C, C#, Go, Java, JavaScript / TypeScript, Kotlin, PHP, Python, Ruby, Scala, Swift, Visual Basic | quantumsec/docker-pipeline-sonarqube |
| trivy | SAST | Terraform, Dockerfile, Kubernetes | quantumsec/docker-pipeline-trivy |
| tfsec (planned) | SAST | Terraform | quantumsec/docker-pipeline-tfsec |
| ZAP | SAST | HTTP | quantumsec/docker-pipeline-zap |
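As an added example (not part of the ci-analysis-collector project), the following POSIX sh script shows how a CI job can run several of the supported tools over one source tree using the npx >= 7 invocation from the Usage section, and fail the job only when a tool reports failing checks and QS_COLLECTOR_SOFT_FAIL is unset. The tool IDs come from the table above; the RUN_CMD indirection is an assumption added here so the script can be dry-run without npx.

```shell
#!/usr/bin/env sh
# Added example, not the project's own code. Assumes npx >= 7 and that
# QS_API_TOKEN is already exported by the CI system as a secret.

# Tool IDs from the "Supported Tools" table; tfsec is listed as planned,
# so it is left out here.
SUPPORTED_TOOLS="checkov sonarqube trivy zap"

# is_supported_tool ID -> returns 0 if ID is one of the supported tool IDs
is_supported_tool() {
  for t in $SUPPORTED_TOOLS; do
    [ "$t" = "$1" ] && return 0
  done
  return 1
}

# collector_cmd ID PATH -> prints the npx >= 7 command line for one tool
collector_cmd() {
  printf "npx --yes --package @quantum-sec/ci-analysis-collector --call 'ci-analysis-collector %s --path %s --quiet'" "$1" "$2"
}

# run_collectors PATH TOOL... -> runs every tool over PATH and returns 0
# only if all of them exit 0, or if QS_COLLECTOR_SOFT_FAIL is set (the
# environment-variable form of --soft-fail). RUN_CMD (hypothetical, added
# here) names the command that executes each command line; default: sh -c.
run_collectors() {
  path=$1; shift
  failed=0
  for tool in "$@"; do
    if ! is_supported_tool "$tool"; then
      echo "unsupported tool id: $tool" >&2
      failed=$((failed + 1))
      continue
    fi
    if ! ${RUN_CMD:-sh -c} "$(collector_cmd "$tool" "$path")"; then
      echo "$tool reported failing checks" >&2
      failed=$((failed + 1))
    fi
  done
  if [ "$failed" -gt 0 ] && [ -z "${QS_COLLECTOR_SOFT_FAIL:-}" ]; then
    return 1
  fi
  return 0
}
```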

Code of Conduct

Help us keep this project open and inclusive. Please read and follow our Code of Conduct.

License

This code is released under the Apache 2.0 License.
