astreviewer

Name: astreviewer
Version: 0.0.3
Home page: https://github.com/VolvoGroup-Internal/devsecops-112511-astreviewer
Summary: astreviewer is a command-line integrator for tools like Application Security Testing tools (AST)
Upload time: 2023-01-05 16:34:46
Author: Paulo Roberto Brandão
Requires Python: >=3.6
Keywords: ast integration middleware scm security appsec github fortify
Requirements: No requirements were recorded.

# ASTReviewer

**ASTReviewer** is a command-line integrator between _Application Security Testing tools_ (_AST_)
and _Source Control Management systems_ (SCM), _CI platforms_, _Ticket Systems_, etc.
Its main goal is to publish _AST_ findings (issues) as reviews in _SCM_ changes (or _PR_ reviews).

The base use case is running ASTs in build pipelines and making their scan results available
in the developer's tool of choice, together with instructions on how to mitigate the issues.
To accomplish that, **ASTReviewer** retrieves data from _ASTs_, parses, processes and modifies it, and
publishes the results to the chosen destination, usually the code review tool.

**Simple Scenario example**: 

The team's _SCM_ is _Github_. The engineers make use of _Pull Requests_ (_PR_) for code
review and for triggering their build and test pipelines.
As part of the CI, they also run security scans using a couple of tools.
As the PR is their tool for reviewing code and discussing issues, they want reviews from the _ASTs_ showing issues and mitigations, just as they would get from a peer reviewer.

The security tools can be, for example, a [SAST](https://en.wikipedia.org/wiki/Static_application_security_testing) tool such as
[Fortify Source Code Analyzer](https://www.microfocus.com/en-us/support/Fortify%20Static%20Code%20Analyzer) and an
[SCA](https://en.wikipedia.org/wiki/Software_Composition_Analysis) tool like
[Nexus Lifecycle](https://www.sonatype.com/products/open-source-security-dependency-management).

When a developer creates a PR with a new feature, this triggers the CI pipeline, which builds and tests the code with different tools. At some point, the pipeline runs the two security tools. The team also configures **ASTReviewer** with the appropriate module for each of the tools.

For each of the _ASTs_, **ASTReviewer** retrieves both the scan results for the _PR_
and those for its destination branch. It then compares the two result sets.
If issues exist in the _PR_ scan that are not present in the destination branch scan, it creates a
_review_ for the _PR_. After that, for each of the new issues, it adds a comment under that _review_.

While processing the issues, **ASTReviewer** can retrieve information from other sources (_Knowledge Bases_) and add it to the review or comments. A good example is adding links to security training, ASVS requirements, OWASP Cheat Sheet pages, etc., related to the specific issue.

![Basic ASTReviewer flow](doc/astreviewer_basic_flow.png)

Depending on the tools and user configuration, the review can contain details such as specific location in the code where the issue was found, snippets of the code, images, etc. **ASTReviewer** uses templates to determine the format of the reviews and comments.
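The comparison, enrichment and templating steps described above, as an added illustration of the flow rather than the project's own code: the `Finding` model, the `fingerprint` identity rule, the template text and the sample scans are all assumptions constructed for this example. Finding identity deliberately ignores the line number, so an issue that only moved within the PR is not reported as new.

```python
from dataclasses import dataclass
from string import Template


@dataclass(frozen=True)
class Finding:
    tool: str       # which AST reported it, e.g. "fortify" or "nexus-iq"
    category: str   # issue category as named by the tool
    path: str       # file in the repository
    line: int       # where it was found; shifts between branches
    severity: str


def fingerprint(finding: Finding) -> tuple:
    # Identity excludes the line number: code that merely moved in the PR
    # is the same issue, not a new one to report.
    return (finding.tool, finding.category, finding.path)


def new_findings(pr_scan: list, base_scan: list) -> list:
    """Issues present in the PR scan but absent from the destination-branch scan."""
    known = {fingerprint(f) for f in base_scan}
    return [f for f in pr_scan if fingerprint(f) not in known]


# Hypothetical comment template; the real project uses its own template files.
COMMENT = Template("**$severity**: $category reported by $tool\nGuidance: $guidance")


def render_comment(finding: Finding, knowledge_base: dict) -> str:
    # Enrich with a knowledge-base link, falling back when the category is unknown.
    guidance = knowledge_base.get(finding.category, "no guidance recorded")
    return COMMENT.substitute(severity=finding.severity, category=finding.category,
                              tool=finding.tool, guidance=guidance)


def build_review(pr_scan: list, base_scan: list, knowledge_base: dict):
    """One review with one comment per new issue, or None when nothing is new."""
    new = new_findings(pr_scan, base_scan)
    if not new:
        return None
    return {"summary": f"{len(new)} new security issue(s) introduced by this PR",
            "comments": [{"path": f.path, "line": f.line,
                          "body": render_comment(f, knowledge_base)} for f in new]}


# Constructed sample scans and knowledge base (not real tool output).
BASE_SCAN = [Finding("fortify", "SQL Injection", "app/db.py", 40, "Critical")]
PR_SCAN = [Finding("fortify", "SQL Injection", "app/db.py", 52, "Critical"),  # moved, not new
           Finding("fortify", "Cross-Site Scripting", "app/views.py", 18, "High"),
           Finding("nexus-iq", "Vulnerable Dependency", "requirements.txt", 3, "High")]
KB = {"Cross-Site Scripting": "https://cheatsheetseries.owasp.org/cheatsheets/"
                              "Cross_Site_Scripting_Prevention_Cheat_Sheet.html"}
```

Running `build_review(PR_SCAN, BASE_SCAN, KB)` yields two comments (the XSS and the dependency issue); the SQL injection finding is suppressed because it already exists on the destination branch.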

![Github PR review example](doc/github_pr_review_example.png)


**ASTReviewer** is written in Python and is highly modular and extensible. Supporting a new AST or SCM, or even
parsing data from another format or location (a key vault, for example), is a matter of writing a small
Python file (module) and referencing it in the configuration file.



## Getting started

For instructions on setting up different production environments see: [Installing into Production](docs/install_production.md)

For development, the easiest way to get up and running is to create a Python virtual environment and install the dependencies and the `astreviewer` package into it.

The first step is to clone the repository:

```bash
$ git clone ssh://<youruser>@git.it.volvo.net:29418/Astreviewer astreviewer
```

Setting up the environment (activate the virtual environment before running `pip`, otherwise the packages land in the system interpreter):

```bash
$ cd astreviewer
$ python3 -m venv env
$ source env/bin/activate
$ pip install -U pip
$ pip install -e .
```

This installs only the dependencies needed for a production environment.
Package management is done in the `requirements` directory and is explained in [Package Management](doc/astreviewer_pkg_mgt.md).

To install useful tools for testing and development, run:

```bash
$ cd requirements
$ make install_dev
```

## Testing

The tool is developed using [TDD](https://en.wikipedia.org/wiki/Test-driven_development). Accordingly, both _Acceptance Tests_ and _Unit tests_ are provided, and contributors are required to provide both.
Clean code is expected, including the test code.

Tests are implemented and run with [Pytest](https://docs.pytest.org/).
To test the application, run from the project root directory:

```bash
$ pytest
```

If you want to run only the unit tests:

```bash
$ pytest astreviewer
```

If you want to run only the acceptance ones:

```bash
$ pytest tests
```

## Currently Supported Tools

- **AST**
  - **SAST**
    - Microfocus Fortify Scan Central
  - **SCA**
    - Nexus IQ Server
- **SCM**
  - Github

## Contributing

[See contribution guide](CONTRIBUTING.md)