@quantum-sec/ci-analysis-collector
v1.3.3
Utility library used to collect security analysis results and upload them for correlation and reporting in the Quantum Security platform.
ci-analysis-collector
Quantum's CI analysis collector utility is a wrapper around common security tools that normalizes their results so that vulnerabilities discovered in your applications and infrastructure can be ranked and prioritized for remediation.
This utility can be modified for use with your own aggregation and analysis pipeline, or used directly with the Quantum Security Platform.
Prerequisites
This utility requires Node.js and git. Additionally, you must install any of the wrapped tools you wish to use, each of which has its own dependencies. Alternatively, Quantum supplies Docker containers for each of the officially supported tools.
Usage
Use npx to directly reference, install, and run this utility:

```shell
# npx <= 6
npx @quantum-sec/ci-analysis-collector [tool] [args]

# npx >= 7
npx --yes --package @quantum-sec/ci-analysis-collector \
  --call 'ci-analysis-collector [tool] [args]'
```

Where [tool] is the all-lowercase name or "ID" of the tool (see the table of supported tools below) and [args] are any of the following optional arguments:
Arguments
- `--path [path]` – the path to the source code being analyzed (default: `"$PWD"`)
- `--soft-fail` – when specified, a zero exit code will be returned regardless of whether or not checks are failing (default: `false`)
- `--quiet` – when specified, passing checks will be excluded from the printed output (default: `false`)
- `--log-level [LEVEL]` – the log verbosity (one of `error`, `warning`, `info`, or `debug`) (default: `info`)
- `--webhook-url [URL]` – the URL to which results will be `PUT` (defaults to the Quantum Platform webhook)
Environment Variables
- `QS_API_TOKEN` – the API token associated with this analysis collection, generated in the Quantum Security Console
- `QS_COLLECTOR_SOFT_FAIL` – same as the `--soft-fail` argument above
- `QS_COLLECTOR_QUIET` – same as the `--quiet` argument above
- `QS_COLLECTOR_WEBHOOK_URL` – same as the `--webhook-url` argument above
Supported Tools
| Tool | Analysis Type | Platforms / Languages | Container Runtime |
|------|---------------|-----------------------|-------------------|
| checkov | SAST | Terraform, CloudFormation, ARM Templates, Dockerfile, Kubernetes | quantumsec/docker-pipeline-checkov |
| sonarqube | SAST, DAST | C / C++ / Objective-C, C#, Go, Java, JavaScript / TypeScript, Kotlin, PHP, Python, Ruby, Scala, Swift, Visual Basic | quantumsec/docker-pipeline-sonarqube |
| trivy | SAST | Terraform, Dockerfile, Kubernetes | quantumsec/docker-pipeline-trivy |
| tfsec (Planned) | SAST | Terraform | quantumsec/docker-pipeline-tfsec |
| ZAP | SAST | HTTP | quantumsec/docker-pipeline-zap |
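The Usage section gives two invocation forms that depend on the installed npx version, and the token is meant to come from the environment rather than the command line. The following CI step script is an added example, not code from the ci-analysis-collector project: it selects the right npx form, refuses to run without `QS_API_TOKEN`, and runs the collector for tool IDs from the table above. It assumes GitLab's `CI_PROJECT_DIR` variable (falling back to `$PWD`); `collector_cmd`, `npx_major` and `run_collectors` are names chosen here.

```shell
#!/usr/bin/env sh
# Added example, not part of the ci-analysis-collector project: a CI step
# that picks the npx invocation form from the Usage section based on the
# installed npx major version, requires QS_API_TOKEN to be present in the
# environment (it is never placed on the command line), and runs the
# collector for a list of tool IDs from the Supported Tools table.

PACKAGE='@quantum-sec/ci-analysis-collector'

# collector_cmd MAJOR TOOL [ARGS...]: print the command line for the given
# npx major version. npx <= 6 runs the package binary directly; npx >= 7
# needs --package/--call.
collector_cmd() {
  major="${1:-0}"; shift
  if [ "$major" -ge 7 ]; then
    printf "npx --yes --package %s --call 'ci-analysis-collector %s'\n" "$PACKAGE" "$*"
  else
    printf 'npx %s %s\n' "$PACKAGE" "$*"
  fi
}

# npx_major: major version of the installed npx, or 0 if npx is absent.
npx_major() {
  command -v npx >/dev/null 2>&1 || { echo 0; return; }
  npx --version 2>/dev/null | cut -d. -f1
}

# run_collectors TOOL...: fail fast (status 2) if the API token is missing,
# then run each tool against the checked-out repository. --soft-fail is
# deliberately not used, so failing checks block the pipeline (status 1).
# CI_PROJECT_DIR is GitLab's checkout path (assumed); $PWD is the fallback.
run_collectors() {
  if [ -z "${QS_API_TOKEN:-}" ]; then
    echo 'QS_API_TOKEN is not set; export it from the CI secret store' >&2
    return 2
  fi
  major="$(npx_major)"
  for tool in "$@"; do
    cmd="$(collector_cmd "$major" "$tool" --path "${CI_PROJECT_DIR:-$PWD}" --quiet)"
    echo "+ $cmd"
    sh -c "$cmd" || return 1
  done
}
```

Call `run_collectors checkov trivy` from the CI job after the repository has been checked out and the token has been injected from the secret store.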
Code of Conduct
Help us keep this project open and inclusive. Please read and follow our Code of Conduct.
License
This code is released under the Apache 2.0 License.