```
______ ______ ______ _____ _ _____
| ____| |___ / | ____| / ____| | | |_ _|
| |__ / / | |__ ______ | | | | | |
| __| / / | __| |______| | | | | | |
| |____ / /__ | |____ | |____ | |____ _| |_
|______| /_____| |______| \_____| |______| |_____|
```
<p align="center"><strong>The one stop solution for security testing in modern development</strong></p>
![GitHub](https://img.shields.io/github/license/riversafeuk/eze-cli?color=03ac13)
![GitHub tag (latest SemVer)](https://img.shields.io/github/v/tag/riversafeuk/eze-cli?label=release&logo=github)
[![Build Status](https://dev.azure.com/riversafe/DevSecOps/_apis/build/status/RiverSafeUK.eze-cli?branchName=develop)](https://dev.azure.com/riversafe/DevSecOps/_build/latest?definitionId=14&branchName=develop)
![GitHub issues](https://img.shields.io/github/issues/riversafeUK/eze-cli?style=rounded-square)
![Docker Pulls](https://img.shields.io/docker/pulls/riversafe/eze-cli?logo=docker)
![PyPI - Downloads](https://img.shields.io/pypi/dm/eze-cli?logo=pypi)
# Getting Started
Eze is the one stop solution developed by [RiverSafe Ltd](https://riversafe.co.uk/) for security testing in modern development.
The Eze cli scans for vulnerable dependencies, insecure code, hardcoded secrets, and license violations across a range of languages.
```bash
pip install eze-cli
eze test
```
**Features**:
- Quick setup via Dockerfile with preinstalled tools
- Auto-configures tools out of the box; supported languages: Python, Node and Java
- SAST tools for finding security anti-patterns
- SCA tools for finding vulnerable dependencies
- Secret tools for finding hardcoded passwords
- SBOM tools for generating a list of components
- License scanning for violations (aka [strong copyleft](https://en.wikipedia.org/wiki/Copyleft) usage)
- Extendable plugin architecture for adding new security tools
- Layering enterprise level reporting and auditing via the _Eze Management Console_ (PAID service offered by [RiverSafe](https://riversafe.co.uk/))
# Eze Usage
Just one command will run eze and generate a configuration file _".ezerc.toml"_ based on the current codebase.
## Install
via pip
```bash
pip install eze-cli
eze --version
```
or download an executable from the releases page and put it on your PATH
```bash
eze --version
```
## Run Scan
run all tools
```bash
cd path/to/src
eze test
```
just a single tool
```bash
cd path/to/src
# eze test -t <tool_name>
eze test -t semgrep
```
# Language Support
| Language | SBOM | SCA | SAST |
| --------- | ------------------- | ------------------- | ------------------- |
| Java | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
| Node | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
| Python | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
| C# | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
| Docker | :heavy_check_mark:* | :heavy_check_mark:* | :heavy_check_mark: |
| Terraform | :heavy_check_mark: | | :heavy_check_mark: |
| Go | | | :heavy_check_mark: |
| Ruby | | | :heavy_check_mark: |
| ocaml | | | :heavy_check_mark: |
| PHP | | | :heavy_check_mark: |
- Auto Configured = :heavy_check_mark:
- Manually Configured = :heavy_check_mark:*
Future language support will be implemented according to popularity, see https://pypl.github.io/PYPL.html
# Configuring Eze
## Advanced Configuration: Autoconfig **.ezerc.toml**
When **.ezerc.toml** is not present, Eze auto-configures tools according to an "autoconfig.json" file and generates a **.ezerc.toml** for you.
The default autoconfig settings are in "eze/data/default_autoconfig.json".
A custom file can be supplied with the `--autoconfig` flag:
```bash
eze test --autoconfig PATH
```
### Custom Autoconfig configuration
Eze runs off a local **.ezerc.toml** file. When this config is not present, a sample config is generated automatically by scanning the codebase (`eze test`). You can customise it to:
- Add/remove a scanning tool
- Customise the arguments passed to a specific tool
### Autoconfig JSON format
```json
{
"_help_message": "<DEVELOPER COMMENTS>",
"license": {
"_help_message": "eze.enums.LicenseScanType value",
"license_mode": "PROPRIETARY|PERMISSIVE|OPENSOURCE|OFF"
},
"tools": {
"<tool-id>": {
"_help_message": "<DEVELOPER COMMENTS>",
"enabled_always": "true or false",
"enable_on_file": [
"<LIST OF FILE NAMES IF FOUND WILL ENABLE TOOL>"
],
"enable_on_file_ext": [
"<LIST OF FILE EXTENSIONS IF FOUND WILL ENABLE TOOL>"
],
"config": {
"<FIELD>": "<VALUE>"
}
}
},
"reporters": {
"<reporter-id>": {
"_help_message": "LISTED REPORTERS ARE ALWAYS ENABLED",
"config": {
"<FIELD>": "<VALUE>"
}
}
}
}
```
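To make the enable rules concrete, here is an added example (not Eze's own autoconfig implementation) that applies a constructed autoconfig in the format above to a list of repo files, reports which tools it would enable and why, and renders the resulting `.ezerc.toml`. The semantics it assumes from the key names are: a tool is enabled when `enabled_always` is true, when a file named in `enable_on_file` exists anywhere in the tree, or when any file has an extension listed in `enable_on_file_ext`. The sample autoconfig, its `EXAMPLE_FIELD` config value and the file list are constructed for the example, not taken from `default_autoconfig.json`.

```python
"""Resolve which autoconfig tools a codebase enables and render a .ezerc.toml.

Added example, not Eze's own code. The enable semantics and the sample data
below are assumptions of this example.
"""
import json
from pathlib import PurePosixPath

# Constructed sample autoconfig in the documented format. Tool ids come from
# the README's tool table; the enable rules and EXAMPLE_FIELD are illustrative.
SAMPLE_AUTOCONFIG_JSON = r"""
{
  "_help_message": "constructed sample, not the shipped default_autoconfig.json",
  "license": {"license_mode": "PROPRIETARY"},
  "tools": {
    "trufflehog":    {"enabled_always": "true",  "enable_on_file": [],                   "enable_on_file_ext": [],      "config": {}},
    "python-bandit": {"enabled_always": "false", "enable_on_file": ["requirements.txt"], "enable_on_file_ext": [".py"], "config": {}},
    "node-npmaudit": {"enabled_always": "false", "enable_on_file": ["package.json"],     "enable_on_file_ext": [],      "config": {}},
    "kics":          {"enabled_always": "false", "enable_on_file": ["Dockerfile"],       "enable_on_file_ext": [".tf"], "config": {"EXAMPLE_FIELD": "example-value"}}
  },
  "reporters": {
    "console": {"config": {}},
    "json":    {"config": {"EXAMPLE_FIELD": "example-value"}}
  }
}
"""
SAMPLE_AUTOCONFIG = json.loads(SAMPLE_AUTOCONFIG_JSON)

# Constructed repo listing: a Python project with some Terraform, no package.json.
SAMPLE_FILES = ["src/app.py", "requirements.txt", "infra/main.tf", "README.md"]


def _truthy(value) -> bool:
    """The documented format writes booleans as the strings "true"/"false";
    accept real JSON booleans as well."""
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() == "true"


def resolve_tools(autoconfig: dict, files: list) -> dict:
    """Return {tool_id: reason} for every tool the rules enable, in autoconfig
    order. `files` are repo-relative POSIX paths."""
    names = {PurePosixPath(f).name for f in files}
    exts = {PurePosixPath(f).suffix for f in files}
    enabled = {}
    for tool_id, spec in autoconfig["tools"].items():
        if _truthy(spec.get("enabled_always", False)):
            enabled[tool_id] = "enabled_always"
            continue
        hit = sorted(names & set(spec.get("enable_on_file", [])))
        if hit:
            enabled[tool_id] = f"enable_on_file: {hit[0]}"
            continue
        hit = sorted(exts & set(spec.get("enable_on_file_ext", [])))
        if hit:
            enabled[tool_id] = f"enable_on_file_ext: {hit[0]}"
    return enabled


def render_ezerc(autoconfig: dict, files: list) -> str:
    """Render a minimal .ezerc.toml in the README's layout: [global], one
    table per enabled tool and reporter, then the [scan] section."""
    tools = resolve_tools(autoconfig, files)
    reporters = list(autoconfig.get("reporters", {}))
    out = ["[global]", f'LICENSE_CHECK = {json.dumps(autoconfig["license"]["license_mode"])}', ""]
    for tool_id, reason in tools.items():
        out += [f"[{tool_id}]", f"# auto-enabled because: {reason}"]
        out += [f"{k} = {json.dumps(v)}" for k, v in autoconfig["tools"][tool_id].get("config", {}).items()]
        out.append("")
    for reporter_id in reporters:
        out.append(f"[{reporter_id}]")
        out += [f"{k} = {json.dumps(v)}" for k, v in autoconfig["reporters"][reporter_id].get("config", {}).items()]
        out.append("")
    # json.dumps of a list of strings is also a valid TOML array literal.
    out += ["[scan]", f"tools = {json.dumps(list(tools))}", f"reporters = {json.dumps(reporters)}", ""]
    return "\n".join(out)


if __name__ == "__main__":
    for tool_id, reason in resolve_tools(SAMPLE_AUTOCONFIG, SAMPLE_FILES).items():
        print(f"{tool_id:15s} {reason}")
    print(render_ezerc(SAMPLE_AUTOCONFIG, SAMPLE_FILES))
```

Running it on the sample listing enables `trufflehog` (always), `python-bandit` (via `requirements.txt`) and `kics` (via the `.tf` extension), while `node-npmaudit` stays off because no `package.json` is present; the reason string written into each tool table makes it easy to audit why a scanner was switched on in CI.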
## Advanced Configuration: .ezerc.toml
On top of the auto-configuration, you can edit your local **.ezerc.toml** to run custom tools with custom configuration.
When a `.ezerc.toml` is present, it is used instead of the autoconfiguration settings.
See the list of available tools and reporters using these commands:
```bash
# which tools are available in eze
eze tools list
eze tools help <TOOL>
# which reporters are available in eze
eze reporters list
eze reporters help <TOOL>
# which projects are being detected by eze
eze projects
```
## Advanced Configuration: .ezerc.toml format
### basic .ezerc.toml TOML format
<https://en.wikipedia.org/wiki/TOML>
```toml
# create template with "eze housekeeping create-local-config"
# ===================================
# GLOBAL CONFIG
# ===================================
[global]
# LICENSE_CHECK
LICENSE_CHECK = "PROPRIETARY|PERMISSIVE|OPENSOURCE|OFF"
# LICENSE_ALLOWLIST, list of licenses to exempt from license checks
LICENSE_ALLOWLIST = []
# LICENSE_DENYLIST, list of licenses to always report usage as an error
LICENSE_DENYLIST = []
# ========================================
# TOOL CONFIG
# ========================================
[TOOL_1]
# Full List of Fields and Tool Help available "docker run riversafe/eze-cli tools help <TOOL_NAME>"
TOOL_CONFIG_FIELD = "TOOL_CONFIG_VALUE"
[TOOL_2]
"..." = "..."
# ========================================
# REPORT CONFIG
# ========================================
[REPORTER_1]
# Full List of Fields and Reporter Help available "docker run riversafe/eze-cli reporters help REPORTER_NAME"
REPORTER_CONFIG_FIELD = "REPORTER_CONFIG_VALUE"
[REPORTER_2]
"..." = "..."
# ========================================
# SCAN CONFIG
# ========================================
[scan]
tools = ["TOOL_1","..."]
reporters = ["REPORTER_1", "..."]
```
# Tools and Reporters available
_Updated: 2023/01/25_
## Opensource Tools in Eze
| Type | Name | Version | License | Description |
| ------ | ---------------- | --------------- | ---------- | -------------------------------------------------------------------------------------- |
| SCA | anchore-grype | 0.54.0 (docker) | Apache-2.0 | Opensource multi-language SCA and container scanner |
| SBOM | anchore-syft | 0.64.0 (docker) | Apache-2.0 | Opensource multi-language and container bill of materials (SBOM) generation utility |
| SCA | container-trivy | 0.35.0 (docker) | Apache-2.0 | Opensource container scanner |
| SBOM | dotnet-cyclonedx | 2.3.0.0 | Apache-2.0 | Opensource utility for generating bill of materials (SBOM) in C#/dotnet projects |
| SAST | kics | 1.6.6 (docker) | Apache-2.0 | Opensource Infrastructure as a Code (IaC) scanner |
| SBOM | java-cyclonedx | 2.7.4 (docker) | Apache-2.0 | Opensource java bill of materials generator & open-source vulnerability detection tool |
| SCA | node-npmaudit | 9.2.0 | NPM | Opensource node SCA scanner |
| SAST | node-npmoutdated | 9.2.0 | NPM | Opensource tool for scanning Node.js projects and identifying outdated dependencies |
| SBOM | node-cyclonedx | 3.10.6 (docker) | Apache-2.0 | Opensource node bill of materials (SBOM) generation utility |
| SCA | python-outdated | 3.10.1 (docker) | Apache-2.0 | Inbuilt python outdated dependency scanner |
| SAST | python-bandit | 1.7.4 (docker) | Apache-2.0 | Opensource python SAST scanner |
| SBOM | python-cyclonedx | 3.10.1 (docker) | Apache-2.0 | Opensource python bill of materials (SBOM) generation utility, also runs SCA via pypi |
| MISC | raw | 1.1.0 | inbuilt | Input for saved eze json reports |
| SAST | semgrep | 1.2.0 (docker) | LGPL | Opensource multi language SAST scanner |
| SECRET | trufflehog | 3.21.0 (docker) | GPL | Opensource secret scanner |
An updated list of tools, licenses, and sizes pre-installed in the latest Eze Cli Docker image can be found using these commands:
```bash
eze tools list --include-version
eze tools help <tool-name>
# e.g. eze tools help trufflehog
```
## Reporters in Eze
| Name | Version | License | Description |
| -------- | ------- | ------- | ----------------------------------------- |
| console | 1.1.0 | inbuilt | Standard command line reporter |
| json | 1.1.0 | inbuilt | JSON output file reporter |
| eze | 1.1.0 | inbuilt | Eze management console reporter |
| bom | 1.1.0 | inbuilt | JSON cyclonedx bill of materials reporter |
| sarif | 1.1.0 | inbuilt | Sarif output file reporter |
| markdown | 1.1.0 | inbuilt | Markdown output file formatter |
| html | 1.1.0 | inbuilt | HTML output file formatter |
An updated list of reporters can be found using these commands:
```bash
eze reporters list
eze reporters help <reporter-name>
# e.g. eze reporters help console
```
# Running eze via docker
Starting from version 1, eze is primarily a local executable or python script; docker is a legacy way of running eze in a monolithic container.
For most users the executable version is much faster, as it only needs to install docker images for the languages being used rather than for all language tools.
This [docker image](https://hub.docker.com/repository/docker/riversafe/eze-cli) tool orchestrator is designed to be run by developers, security consultants, and CI pipelines:
```bash
docker run -t -v FOLDER_TO_SCAN:/data riversafe/eze-cli test
```
## Eze Docker Usage
Just one line, via [docker](https://docs.docker.com/), will run eze and generate a configuration file _".ezerc.toml"_ based on the current codebase:
```bash
docker run -t -v FOLDER_TO_SCAN:/data riversafe/eze-cli test
```
_add `-t` to docker to enable terminal colours_
_add `--debug` to the eze command to enable debug output_
_for sysadmins and power users wanting to build their own images, see the [README-DEVELOPMENT.md](README-DEVELOPMENT.md)_
## Eze Docker cli shortcuts
These commands will run a security scan against code in the current folder
| CLI | Command |
| ----------- | ----------- |
| linux/mac os bash | `docker run -it -v "$(pwd)":/data riversafe/eze-cli test` |
| windows git bash | `docker run -it -v $(pwd -W):/data riversafe/eze-cli test` |
| windows powershell | `docker run -it -v ${PWD}:/data riversafe/eze-cli test` |
| windows cmd | `docker run -it -v %cd%:/data riversafe/eze-cli test` |
### Eze Docker and CI Servers: How to detect headless Git
Normally when a project is checked out of git, the location can be read from the .git folder.
On CI servers the code is checked out headlessly (with no .git folder) and environment variables are provided for the git repo, build number etc.; eze reads these environment variables when detecting headless git repos.
These environment variables will need to be fed to eze's docker image.
For example, for an ADO pipeline:
```bash
docker run --rm -e "BUILD_SOURCEBRANCHNAME=$BUILD_SOURCEBRANCHNAME" -e "BUILD_REPOSITORY_URI=$BUILD_REPOSITORY_URI" -e "SYSTEM_PULLREQUEST_SOURCEBRANCH=$SYSTEM_PULLREQUEST_SOURCEBRANCH" -v "$(pwd)":/data riversafe/eze-cli test
```
| CI server | Environment Variables |
| ------------------ | --------------------- |
| ADO | BUILD_SOURCEBRANCH BUILD_SOURCEBRANCHNAME SYSTEM_PULLREQUEST_SOURCEBRANCH |
| AWS Amplify | AWS_BRANCH |
| AWS Codebuild | AWS_BRANCH |
| JENKINS | GIT_LOCAL_BRANCH GIT_BRANCH |
| IBMCLOUD toolchain | GIT_BRANCH |
| GCP | BRANCH_NAME |
| Gitlab CI | CI_COMMIT_BRANCH CI_MERGE_REQUEST_TARGET_BRANCH_NAME CI_EXTERNAL_PULL_REQUEST_TARGET_BRANCH_NAME CI_DEFAULT_BRANCH |
| Github CI | GITHUB_REF |
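The following added example (not Eze's own detection code) shows how the table above can be turned into a headless-branch lookup and into the `-e` arguments that forward the variables into the container, so a pipeline script does not silently drop one. The variable names are exactly those in the table; the rule that the first populated variable wins, checked in table order, the stripping of `refs/heads/` and `origin/` prefixes, and the omission of non-branch variables such as `BUILD_REPOSITORY_URI` are assumptions of this example. The environment dictionaries in the usage are constructed.

```python
"""Detect the branch of a headless CI checkout and build docker -e arguments.

Added example, not Eze's own detection code. Precedence order and ref
normalisation are assumptions of this example.
"""
import os

# Variables per CI server, in the order the README table lists them.
CI_BRANCH_VARIABLES = [
    ("ADO", ["BUILD_SOURCEBRANCH", "BUILD_SOURCEBRANCHNAME", "SYSTEM_PULLREQUEST_SOURCEBRANCH"]),
    ("AWS Amplify", ["AWS_BRANCH"]),
    ("AWS Codebuild", ["AWS_BRANCH"]),
    ("JENKINS", ["GIT_LOCAL_BRANCH", "GIT_BRANCH"]),
    ("IBMCLOUD toolchain", ["GIT_BRANCH"]),
    ("GCP", ["BRANCH_NAME"]),
    ("Gitlab CI", ["CI_COMMIT_BRANCH", "CI_MERGE_REQUEST_TARGET_BRANCH_NAME",
                   "CI_EXTERNAL_PULL_REQUEST_TARGET_BRANCH_NAME", "CI_DEFAULT_BRANCH"]),
    ("Github CI", ["GITHUB_REF"]),
]


def normalise_ref(ref: str) -> str:
    """Reduce a full ref ("refs/heads/main") or remote-tracking name
    ("origin/main") to a bare branch name (assumed normalisation)."""
    for prefix in ("refs/heads/", "refs/remotes/origin/", "origin/"):
        if ref.startswith(prefix):
            return ref[len(prefix):]
    return ref


def detect_headless_branch(env=None):
    """Return (ci_server, variable, branch) for the first populated variable in
    table order, or None when no CI branch variable is set."""
    env = os.environ if env is None else env
    for ci_server, variables in CI_BRANCH_VARIABLES:
        for var in variables:
            value = env.get(var, "").strip()
            if value:
                return ci_server, var, normalise_ref(value)
    return None


def docker_env_args(env=None) -> list:
    """Build the `-e VAR=value` pairs that forward every populated CI variable
    into the eze-cli container. Returned as an argv list so the values reach
    docker without passing through a shell."""
    env = os.environ if env is None else env
    args, seen = [], set()
    for _, variables in CI_BRANCH_VARIABLES:
        for var in variables:
            if var in seen:  # GIT_BRANCH is listed under two CI servers
                continue
            seen.add(var)
            value = env.get(var, "")
            if value:
                args += ["-e", f"{var}={value}"]
    return args


def docker_command(scan_dir: str, env=None) -> list:
    """Full argv for the README's docker invocation with CI variables forwarded."""
    return ["docker", "run", "--rm", *docker_env_args(env),
            "-v", f"{scan_dir}:/data", "riversafe/eze-cli", "test"]


if __name__ == "__main__":
    # Constructed environments standing in for two CI servers.
    github_env = {"GITHUB_REF": "refs/heads/feature/x", "HOME": "/root"}
    ado_env = {"BUILD_SOURCEBRANCHNAME": "main", "SYSTEM_PULLREQUEST_SOURCEBRANCH": "refs/heads/pr-42"}
    print(detect_headless_branch(github_env))
    print(detect_headless_branch(ado_env))
    print(" ".join(docker_command("/path/to/src", ado_env)))
    print("real environment:", detect_headless_branch())
```

Passing the command as an argv list to `subprocess.run` rather than interpolating it into a shell string is deliberate: branch names are attacker-influenced input on shared CI runners (anyone who can open a pull request names the branch), so they should never be spliced into a shell command line.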
# Other Common commands
## Stopping a docker image
Started a local eze scan but want to stop it without waiting the 30-40 seconds for the scan to complete?
To immediately stop the running container do the following:
```bash
# get docker container id
$ docker stats
CONTAINER ID NAME CPU % MEM USAGE / LIMIT MEM % NET I/O BLOCK I/O PIDS
f0bef6e0bba7 optimistic_burnell 0.01% 104.8MiB / 12.33GiB 0.83% 221MB / 4.73MB 0B / 0B 17
# docker stop container id
$ docker stop -t 0 f0bef6e0bba7
```
### Dotnet sharing
Dotnet can be slow downloading all the artifacts it requires.
Providing a persistent .nuget/packages/ folder speeds up scans:
```bash
# example of sharing your local .nuget/packages/
docker run -t -v LOCATION:/data -v ~/.nuget/packages/:/home/ezeuser/.nuget/packages/ riversafe/eze-cli test
```
### NPM cache sharing
NPM can be slow downloading all the artifacts it requires.
Providing a persistent .npm/ folder speeds up scans.
PS: sharing your local node_modules will help as well.
```bash
# example of sharing your local .npm
docker run -t -v LOCATION:/data -v ~/.npm/:/home/ezeuser/.npm/ riversafe/eze-cli test
```
### terraform cache sharing
Terraform can be slow downloading all the artifacts it requires.
Providing a persistent .terraform.d/ folder speeds up scans.
PS: keeping the project's local provider cache (the `.terraform/` directory, the equivalent of node_modules for NPM) will help as well.
```bash
# example of sharing your local .terraform.d
docker run -t -v LOCATION:/data -v ~/.terraform.d/:/home/ezeuser/.terraform.d/ riversafe/eze-cli test
```
# Developers Documentation
To add your own tools check out [README-DEVELOPMENT.md](README-DEVELOPMENT.md), which walks you through installing eze locally for local development.
# Contribute
To start contributing read [CONTRIBUTING.md](CONTRIBUTING.md)
Raw data
{
"_id": null,
"home_page": "https://github.com/RiverSafeUK/eze-cli",
"name": "eze-cli",
"maintainer": "",
"docs_url": null,
"requires_python": ">=3.7",
"maintainer_email": "",
"keywords": "eze,cli,eze-cli,security-testing,SCA,SAST,Secrets,Infrastructure-Scan",
"author": "RiverSafe,",
"author_email": "anthony.mckale@riversafe.co.uk,",
"download_url": "https://files.pythonhosted.org/packages/ff/dc/30b9773c3ea5904697e60e964eca6fc4098ef89494363a659204025dfe68/eze-cli-1.1.0.tar.gz",
"platform": null,
"bugtrack_url": null,
"license": "\"MIT license\"",
"summary": "Eze the one stop cli for security testing",
"version": "1.1.0",
"split_keywords": [
"eze",
"cli",
"eze-cli",
"security-testing",
"sca",
"sast",
"secrets",
"infrastructure-scan"
],
"urls": [
{
"comment_text": "",
"digests": {
"blake2b_256": "ffdc30b9773c3ea5904697e60e964eca6fc4098ef89494363a659204025dfe68",
"md5": "6cf242f269a8fed1e2d4f88ed50d7926",
"sha256": "85a507cb9dedb6f4986397505353a0b632645e87807051f645077d0ca0d129c2"
},
"downloads": -1,
"filename": "eze-cli-1.1.0.tar.gz",
"has_sig": false,
"md5_digest": "6cf242f269a8fed1e2d4f88ed50d7926",
"packagetype": "sdist",
"python_version": "source",
"requires_python": ">=3.7",
"size": 120232,
"upload_time": "2023-01-25T14:24:25",
"upload_time_iso_8601": "2023-01-25T14:24:25.676963Z",
"url": "https://files.pythonhosted.org/packages/ff/dc/30b9773c3ea5904697e60e964eca6fc4098ef89494363a659204025dfe68/eze-cli-1.1.0.tar.gz",
"yanked": false,
"yanked_reason": null
}
],
"upload_time": "2023-01-25 14:24:25",
"github": true,
"gitlab": false,
"bitbucket": false,
"github_user": "RiverSafeUK",
"github_project": "eze-cli",
"travis_ci": false,
"coveralls": false,
"github_actions": false,
"requirements": [],
"lcname": "eze-cli"
}