Initial commit

Author: Arun Govindasamy

.gitignore

@@ -0,0 +1,11 @@
+*.ini
+*.pdf
+*.doc
+*.log
+*.csv
+!scanner_results.csv
+*.txt
+!requirements.txt
+backup
+data-volume
+*info

README.md

@@ -0,0 +1,146 @@
+# Application Security Suite - AS{2}
+
+<p align="center">
+  <img width="1730" alt="as2-screenshot" src="https://user-images.githubusercontent.com/69586504/199255441-4aa87712-063f-4340-be76-28065f7e09d0.png">
+</p>
+
+## About The Project
+
+AS{2} aims to provide visibility, compliance, alerting and reporting capabilities. The primary focus is to integrate open-source tools used by AppSec teams in one place with better visibility. 
+
+AS{2} leverages Gitleaks, an open-source tool, to identify hard-coded secrets from the bitbucket server repository. It helps you track overall compliance. The integration with JIRA and Slack would be helpful for the security and engineering team to track and address the vulnerabilities. 
+
+## Tech stack
+
+* HTML, JavaScript
+* Python Flask
+* Postgresql
+* Redis
+* Nginx
+
+## Integrations
+
+* Bitbucket server (on-premise)
+* JIRA
+* Slack
+
+## Roadmap 
+
+- [x] Bitbucket server integration
+- [x] Hardoded-secrets integration
+- [ ] Analysis view
+- [ ] Bitbucket cloud integration
+- [ ] GitHub integration
+- [ ] SAST integration
+- [ ] SCA integration
+- [ ] DAST integration
+- [ ] Store passwords in the secrets manager
+
+## Getting started
+
+### Prerequisites
+
+* Docker
+* Docker-compose
+
+### Installation
+
+1. Clone the repository
+
+   ```sh
+   cd /Data
+   git clone https://github.com/govindasamyarun/testrepo
+   ```
+   
+2. Suppose you wish to use a different username, password, and database. Edit docker-compose.yml to update the following values. If not, skip step 2. 
+
+   ```sh
+   pwd: /Data/application-security-suite
+   vi docker-compose.yml
+   ```
+
+   ```yaml
+    as2-db-service:
+      environment:
+        POSTGRES_DB: <<Enter DB name>>
+        POSTGRES_USER: <<Enter DB username>>
+        POSTGRES_PASSWORD: <<Enter DB password>>
+
+    as2-app-service:
+      environment:
+        DB_USER: <<Enter DB username>>
+        DB_PASSWORD: <<Enter DB password>>
+        DB_DATABASE: <<Enter DB name>>
+   ```
+   
+3. Start the containers
+
+   ```sh
+   pwd: /Data/application-security-suite
+   
+   docker-compose up --detach
+   ```
+
+## Application setup
+
+1. Access localhost on port 80 
+
+   ```sh
+   http://127.0.0.1/
+   ```
+   
+2. By default, the AS{2} scan engine uses 50 threads 
+3. It can be controlled using the config file. If you wish to use more threads to speed up the scan process then the as2-app-service docker image needs to be rebuild 
+
+   ```sh
+   vi /Data/application-security-suite/as2-app-service/src/config.py
+   ```
+   
+   ```py
+    class gitLeaksConfig:
+        scanner_results_config_file_path = "/usr/src/app/reports/scanner_results.csv"
+        thread_count = << Enter a value >>
+   ```
+   
+4. Navigate to settings tab
+5. Enter Bitbucket hostname, username and authtoken 
+6. Make sure the authtoken does not contain any forward or backward slash 
+7. By default, Scan all branches, Slack & JIRA notifications are set to false 
+8. To enable Slack notifications, register an application 
+   * https://api.slack.com/apps
+   * Set OAuth & Pernissions & Redirect URL
+   * Install the app in the workspace 
+   * Set the scope: 
+      * channels:read
+      * chat:write 
+      * chat:write.public
+   * Copy the bot token
+9. To enable JIRA notifications, you need an EPIC ID, username and authtoken 
+10. Scan output gets attached to the EPIC ticket 
+11. Save the settings
+12. Navigate to Scan tab and initiate the scan
+13. The frontend makes REST API call and updates the scan status every 30 seconds once 
+14. Once the scan is complete, you will be able to see the statistics in the home page
+15. The previous scan results are shown in the home page 
+16. Use Reports tab to download the report in csv format 
+
+## Support
+
+Use the issues tab to report any problems or issues.
+
+## License
+
+Distributed under the MIT License. See LICENSE for more information. 
+
+## Note
+
+Note: I’m a self-taught programmer. The frontend code was copied from online, and I tweaked it a bit to fit into the application logic. The backend code was written entirely by myself. 
+
+## Contact
+
+* [LinkedIn](https://www.linkedin.com/in/arungovindasamy/)
+* [Twitter](https://twitter.com/ArunGovindasamy)
+
+## Demo
+
+https://user-images.githubusercontent.com/69586504/199733400-9209cc3a-a505-4ad4-ac36-e5132dc8e82c.mp4

as2-app-service/Dockerfile

@@ -0,0 +1,36 @@
+FROM python:3.9.1
+
+# Install dependencies 
+RUN apt-get update && apt-get install -y netcat
+
+# Create application user 
+RUN useradd -ms /bin/bash as2 && \
+    usermod -aG sudo as2
+
+# Copy the source code to application home directory 
+ADD . /usr/src/app/
+
+# Limit the application user privilege 
+RUN chown -R as2:as2 /usr/src/app && \
+    chmod -R 764 /usr/src/app
+
+# Run the container as non-root user 
+USER as2
+
+# Create empty directories 
+RUN mkdir -p /usr/src/app/gitleaks/ && \
+    mkdir -p /usr/src/app/downloads/
+
+# Download gitleaks 
+WORKDIR /usr/src/app/gitleaks/
+RUN wget https://github.com/zricethezav/gitleaks/releases/download/v8.11.2/gitleaks_8.11.2_linux_x64.tar.gz && \
+    tar -xvzf gitleaks_8.11.2_linux_x64.tar.gz
+
+# Set the working directory 
+WORKDIR /usr/src/app/
+
+# Install python dependencies 
+RUN pip install --trusted-host pypi.org --trusted-host pypi.python.org --trusted-host=files.pythonhosted.org --no-cache-dir -r /usr/src/app/requirements.txt
+
+# Start the application  
+ENTRYPOINT ["/usr/src/app/entrypoint.sh"]

as2-app-service/README.md

@@ -0,0 +1,16 @@
+#!/bin/sh
+
+if [ "$DB_DATABASE" = "postgres" ]
+then
+    echo "INFO - Waiting for PostgreSQL DB"
+
+    while ! nc -z $DB_HOST $DB_PORT; do
+      sleep 0.1
+    done
+
+    echo "INFO - PostgreSQL DB started"
+fi
+
+python -u src/app.py
+
+exec "$@"

as2-app-service/entrypoint.sh

@@ -0,0 +1 @@
+"eventtime", "project", "repository", "slug", "ssh", "branch", "noOfSecrets", "StartLine", "EndLine", "StartColumn", "EndColumn", "File", "Author", "Email", "Date", "Message"

as2-app-service/reports/scanner_results.csv

@@ -0,0 +1,9 @@
+Flask
+waitress
+requests
+configparser
+schedule
+psycopg2
+Flask-SQLAlchemy
+Flask-Migrate
+redis

as2-app-service/requirements.txt

@@ -0,0 +1,62 @@
+from cgitb import text
+import os, sys, logging
+from flask import Flask
+from flask_migrate import Migrate
+import sqlalchemy
+from routes.gitLeaksRoute import gitLeaksRoute
+from routes.webRoute import webRoute
+from models.gitLeaksModel import gitLeaksDbHandler, gitLeaksSettingsTable
+from sqlalchemy import event, inspect
+from controllers.applicationSecuritySuite import as2LiteClass
+
+app = Flask(__name__)
+
+app.debug = False
+
+# DB and Redis config 
+app.config['SQLALCHEMY_DATABASE_URI'] = "postgresql://{}:{}@{}:{}/{}".format(os.environ['DB_USER'], os.environ['DB_PASSWORD'], os.environ['DB_HOST'], os.environ['DB_PORT'], os.environ['DB_DATABASE'])
+app.config['SQLALCHEMY_TRACK_MODIFICATIONS'] = False
+app.config['REDIS_HOST'] = os.environ['REDIS_HOST']
+app.config['REDIS_PORT'] = os.environ['REDIS_PORT']
+
+# Gitleaks DB handler 
+gitLeaksDbHandler.init_app(app)
+migrate = Migrate(app, gitLeaksDbHandler)
+
+with app.app_context():
+    # Creates tables if not exists 
+    gitLeaksDbHandler.create_all()
+    # Sets the cache to default during application startup process 
+    # CS - Current scan results
+    # PS - Previous scan results
+    as2LiteClass().write_to_cache('CS_Status', 'Not Started')
+    as2LiteClass().write_to_cache('CS_TotalRepos', '0')
+    as2LiteClass().write_to_cache('CS_NoOfReposScanned', '0')
+    as2LiteClass().write_to_cache('CS_ReposNonCompliant', '0')
+    as2LiteClass().write_to_cache('CS_NoOfSecretsFound', '0')
+    as2LiteClass().write_to_cache('CS_PercentageCompletion', '0')
+    as2LiteClass().write_to_cache('CS_ScanStartDate', '-')
+    as2LiteClass().write_to_cache('CS_ScanEndDate', '-')
+
+    as2LiteClass().write_to_cache('PS_TotalRepos', '0')
+    as2LiteClass().write_to_cache('PS_ReposCompliant', '0')
+    as2LiteClass().write_to_cache('PS_ReposNonCompliant', '0')
+    as2LiteClass().write_to_cache('PS_NoOfSecretsFound', '0')
+    as2LiteClass().write_to_cache('PS_ScanStartDate', '-')
+    as2LiteClass().write_to_cache('PS_ScanEndDate', '-')
+
+    # Sets default values to the DB during application startup 
+    if not gitLeaksDbHandler.session.query(gitLeaksSettingsTable).all():
+        add_record = gitLeaksSettingsTable(gitleaksPath='/usr/src/app/gitleaks/gitleaks', bitbucketLimit=100, scannerScanAllBranches='false', scannerPathToDownloadRepository='/usr/src/app/downloads/', scannerResultsDirectory='/usr/src/app/', slackEnable='false', jiraEnable='false')
+        gitLeaksDbHandler.session.add(add_record)
+        gitLeaksDbHandler.session.commit()
+
+# Routes to the html files
+app.register_blueprint(webRoute, url_prefix='/web')
+# Routes to the Gitelaks controller 
+app.register_blueprint(gitLeaksRoute, url_prefix='/gl')
+
+
+if __name__ == "__main__":
+    from waitress import serve
+    serve(app, host="0.0.0.0", port=8000)

as2-app-service/src/app.py

@@ -0,0 +1,3 @@
+class gitLeaksConfig:
+    scanner_results_config_file_path = '/usr/src/app/reports/scanner_results.csv'
+    thread_count = 50