HuskyCI is an open source tool that orchestrates security tests and centralizes all results into a database for further analysis and metrics. It can perform static security analysis in Python (Bandit and Safety), Ruby (Brakeman), JavaScript (Npm Audit and Yarn Audit), Golang (Gosec), and Java (SpotBugs plus Find Sec Bugs). It can also audit repositories for secrets like AWS Secret Keys, Private SSH Keys, and many others using GitLeaks.
How does it work?
Developers can add a new stage to their CI pipelines that sends the project to huskyCI and fails the build when vulnerabilities are found.
Installation
MongoDB
Set up a MongoDB using your desired OS/configuration (preferably secure).
Docker API (CentOS instructions)
Install docker-engine:
yum install docker-engine
mkdir /etc/systemd/system/docker.service.d
vim /etc/systemd/system/docker.service.d/override.conf
[Service]
ExecStart=
ExecStart=/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2376
systemctl daemon-reload
systemctl restart docker.service
curl localhost:2376/v1.24/version
Securing your Docker API (recommended):
mkdir /data/certs && cd /data/certs
Download the create-certs.sh script from the huskyCI repository:
wget https://raw.githubusercontent.com/globocom/huskyCI/master/deployments/scripts/create-certs.sh
Set environment variables with the certificates' information (passphrase, Docker API host and huskyCI host):
echo 'export CERT_PASSPHRASE="mypassword$RANDOM"' > .env
echo 'export CERT_DOCKER_API_HOST="address.to.dockerapi.host"' >> .env
echo 'export CERT_HUSKYCI_HOST="address.to.huskyci.host"' >> .env
. .env
./create-certs.sh -m ca -pw $CERT_PASSPHRASE -t . -e 900
./create-certs.sh -m server -h $CERT_DOCKER_API_HOST -pw $CERT_PASSPHRASE -t . -e 365
./create-certs.sh -m client -h $CERT_HUSKYCI_HOST -pw $CERT_PASSPHRASE -t . -e 365
vim /etc/systemd/system/docker.service.d/override.conf
[Service]
ExecStart=
ExecStart=/usr/bin/dockerd --tlsverify --tlscacert=/data/certs/ca.pem --tlscert=/data/certs/server-cert.pem --tlskey=/data/certs/server-key.pem -H fd:// -H tcp://0.0.0.0:2376
systemctl daemon-reload
systemctl restart docker.service
curl -k https://localhost:2376/v1.24/version --cert /data/certs/client-cert.pem --key /data/certs/client-key.pem --cacert /data/certs/ca.pem
You now need to save ca.pem, client-key.pem and client-cert.pem to be used on the huskyCI host so it can connect to the Docker API securely! 🔒
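Before restarting docker, it is worth checking that the drop-in really turns on TLS client verification: a tcp:// listener without --tlsverify is a root-equivalent API open to anyone who can reach port 2376. The following POSIX sh check is an added example (not huskyCI project code); it assumes the override path from the instructions when none is passed, and builds two constructed drop-ins for its demo.

```shell
#!/bin/sh
# Added example (not huskyCI project code): pre-flight check for the dockerd
# systemd drop-in configured above. Assumes the path from the instructions
# when no argument is given.
#
# Returns 0 when the drop-in resets ExecStart before redefining it and binds
# the TCP listener only with --tlsverify plus CA/cert/key; otherwise returns 1
# and prints one reason per line.
check_docker_override() {
    conf="${1:-/etc/systemd/system/docker.service.d/override.conf}"
    rc=0
    [ -r "$conf" ] || { echo "cannot read $conf"; return 1; }

    # A drop-in must clear the default with an empty ExecStart= first,
    # otherwise systemd rejects the unit for having two ExecStart lines.
    grep -qx 'ExecStart=' "$conf" || { echo "missing empty ExecStart= reset"; rc=1; }

    # The effective command is the last non-empty ExecStart.
    cmd=$(grep '^ExecStart=.' "$conf" | tail -n 1)
    [ -n "$cmd" ] || { echo "no ExecStart command"; return 1; }

    # A tcp:// listener is only acceptable with TLS client verification
    # and the full CA/cert/key set the securing step generates.
    if echo "$cmd" | grep -q 'tcp://'; then
        echo "$cmd" | grep -q -- '--tlsverify' || { echo "tcp listener without --tlsverify"; rc=1; }
        for flag in --tlscacert= --tlscert= --tlskey=; do
            echo "$cmd" | grep -q -- "$flag" || { echo "missing $flag"; rc=1; }
        done
    fi
    return $rc
}

# Constructed demo: the plaintext override from the first step versus the
# TLS override from the securing step.
demo() {
    d=$(mktemp -d)
    printf '[Service]\nExecStart=\nExecStart=/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2376\n' > "$d/plain.conf"
    printf '[Service]\nExecStart=\nExecStart=/usr/bin/dockerd --tlsverify --tlscacert=/data/certs/ca.pem --tlscert=/data/certs/server-cert.pem --tlskey=/data/certs/server-key.pem -H fd:// -H tcp://0.0.0.0:2376\n' > "$d/tls.conf"
    for f in plain tls; do
        if check_docker_override "$d/$f.conf"; then echo "$f.conf: OK"; else echo "$f.conf: FAIL"; fi
    done
    rm -rf "$d"
}
demo
```

Run it on the real host as `check_docker_override` with no argument after writing the override and before `systemctl restart docker.service`.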
Pulling images
After setting up the Docker API, you can pull huskyCI images into this host or let it do this automatically when receiving first requests (may take some time). If you prefer the first strategy, use the following commands:
docker pull huskyci/enry
docker pull huskyci/bandit
docker pull huskyci/safety
docker pull huskyci/brakeman
docker pull huskyci/gosec
docker pull huskyci/spotbugs
docker pull huskyci/npmaudit
docker pull huskyci/yarnaudit
docker pull huskyci/gitauthors
docker pull huskyci/gitleaks
API (tsuru PaaS instructions)
cd $GOPATH/src/github.com/globocom/huskyCI
Copy ca.pem, client-key.pem and client-cert.pem into the api folder:
cp $MYCERTFOLDER/{ca.pem,client-key.pem,client-cert.pem} api/
Rename client-key.pem and client-cert.pem so huskyCI can read the right files when deploying:
mv client-key.pem key.pem
mv client-cert.pem cert.pem
make build
tsuru app-create huskyCI go
tsuru env-set MONGO_HOST=urlto.mongo.com -p
If you want it to use HTTPS, generate api-tls-cert.pem and api-tls-key.pem before deploying. Also, you should set the HUSKY_API_ENABLE_HTTPS environment variable to true.
tsuru env-set -p -a <my-app's-name> HUSKYCI_DOCKERAPI_CERT_FILE_VALUE="$(cat /path/to/my/file)"
tsuru env-set -p -a <my-app's-name> HUSKYCI_DOCKERAPI_CERT_KEY_VALUE="$(cat /path/to/my/file)"
tsuru env-set -p -a <my-app's-name> HUSKYCI_DOCKERAPI_CERT_CA_VALUE="$(cat /path/to/my/file)"
tsuru app-deploy -a huskyCI api/huskyci api/config.yaml Procfile
# Only when HTTPS is enabled: set the API's own TLS certificate and key, then deploy again.
tsuru env-set -p -a <my-app's-name> HUSKYCI_DOCKERAPI_API_TLS_CERT_VALUE="$(cat /path/to/my/file)"
tsuru env-set -p -a <my-app's-name> HUSKYCI_DOCKERAPI_API_TLS_KEY_VALUE="$(cat /path/to/my/file)"
tsuru app-deploy -a huskyCI api/huskyci api/config.yaml Procfile
Client (tsuru PaaS instructions)
make build-client-linux
tsuru app-create huskyCI-client static
tsuru app-deploy -a huskyCI-client huskyci-client
Developer’s CI
Kindly ask your development team to add a new stage to their project's CI (.gitlab-ci.yml example):
stages:
  - huskyCI

huskyCI:
  stage: huskyCI
  variables:
    HUSKYCI_CLIENT_URL: http://urlto.huskyci-client
    HUSKYCI_CLIENT_API_ADDR: http://urlto.huskyci-API
    HUSKYCI_CLIENT_REPO_URL: gitlab@gitlab.YOURORG.com:$CI_PROJECT_PATH.git
    HUSKYCI_CLIENT_REPO_BRANCH: $CI_COMMIT_REF_NAME
    HUSKYCI_CLIENT_API_USE_HTTPS: "false"
  script:
    - wget $HUSKYCI_CLIENT_URL/huskyci-client
    - chmod +x huskyci-client
    - ./huskyci-client