Skip to content

kanopi/security-reports

Repository files navigation

Security Report Generator

SonarQube Report Generator

The following uses the SonarQube API to build an exportable report based on the items found within the scan. This works for both a hosted solution and a local copy.

Requirements

Docker is the only tool that is needed for this to run.

Generating Report

Using the Docker Image

Pull the latest docker image

docker pull devkteam/sonarqube-report:latest

Running the docker image can be as simple as running the following:

docker -it --rm \
  -v $(pwd):/mnt/reports \
  -e SONARQUBE_HOST="https://sonarcloud.io" \
  -e SONARQUBE_USER="user" \
  -e SONARQUBE_PASS="abc" \
  -e SONARQUBE_PROJECTS="project_test" \
  devkteam/sonarqube-report:latest

When running the following to pull from Sonarcloud.io a Token will need to be created.

Because some of the APIs are different than the local setup, an organization id is required for some of the endpoints. That can be passed in via the SONARQUBE_EXTRA_PARAMS variable.

docker pull devkteam/sonarqube-report:latest
export PROJECTID=<PROJECT_ID>
export SCTOKEN=<TOKEN>
docker run -it --rm \
  -v $(pwd):/mnt/reports \
  -e SONARQUBE_HOST="https://sonarcloud.io" \
  -e SONARQUBE_USER="$SCTOKEN" \
  -e SONARQUBE_PASS="" \
  -e SONARQUBE_PROJECTS="$PROJECTID" \
  -e SONARQUBE_EXTRA_PARAMS='{"global":{"organization":"<ORGANIZATION ID>"}}' \
  devkteam/sonarqube-report:latest
  
Environment Variables

Environment variables can be used by either exporting them, or by using a .env file.

Variable Default Description
USERNAME admin Username used for logging into SonarQube Service
PASSWORD password Password used for logging into SonarQube Service
HOST http://127.0.0.1:9000 Hostname to communicate with SonarQube from the host machine
SERVICE_NAME sonarqube When setting up locally what is the name of the service/container to use.
MAX_TRIES 3 How many attempts should be made before everything fails
SLEEPTIME 90 How long should the requests wait before they check again.
Used when setting up SonarQube locally.
SONARQUBE_SERVICE_IMAGE sonarqube:9-community SonarQube Docker image to use for local setup
PROJECT_DIRECTORY (current directory) Location to run the scan from
PROJECT_NAME (current directory) Name of the project to create in SonarQube service
PROJECT_KEY (uses project name) Project key within SonarQube service to pull data for
SONARQUBE_CLI_REMOTE_HOST http://sonarqube:9000 Remote host to use for sending code scan
SONARQUBE_CLI_IMAGE sonarsource/sonar-scanner-cli:latest Image name to use for running
SONARQUBE_REPORT_IMAGE devkteam/sonarqube-report:latest Docker image name to use for generating the report
CLEANUP (blank) If set will delete and remove all services after running
LOG_FILE /tmp/sonarqube.log Where should all output be sent to for reviewing
SONARQUBE_EXTRA_PARAMS (blank) JSON Structure where key is the endpoint. Additionally key 'global' is used for all requests.

Using PHP Source

Clone the source code

git clone git@github.com:kanopi/security-reports security-reports
cd security-reports

Run Composer Install

composer install

Create the .env file. Use this to modify any environment variables that should point to your SonarQube instance.

cp .env.dist .env

Run the run.php script

./run.php

Building From Source

To build the image from source.

make build

Running full process

Included as part of this is the full process of setting up a local instance of SonarQube and running the scanner on the current codebase.

bash <(curl -fsSL https://raw.githubusercontent.com/kanopi/security-reports/main/run.sh) run

Pantheon Log Report Generator

The following generates a report using GoAccess. The following will generate an HTML report.

Requirements

Docker is the only tool that is needed for this to run.

Running full process

SITE_UUID=1a5b3e19-01af-4f19-ad34-abe5489370d0 bash <(curl -fsSL https://raw.githubusercontent.com/kanopi/security-reports/main/collect-logs.sh)