Copyright 2022 - Paul McCarty
This playbook will help you introduce effective DevSecOps practices in your company, regardless of size. We provide explicit guidance and actionable steps to introduce security controls, measure their effectiveness, and demonstrate value for money to your business leaders. Following this playbook will help teams build materially more secure applications, and that, in the end, is the intent.
https://github.com/returntocorp/semgrep
Simple auto scan: semgrep --config auto
CI/CD scan: semgrep --config "p/r2c-ci"
OWASP Top Ten scan: semgrep --config "p/owasp-top-ten"
Generic security scan: semgrep --config "p/r2c-security-audit"
https://github.com/bearer/bearer
Simple auto scan: bearer scan ./ --scanner=sast
https://github.com/PyCQA/bandit
Simple auto scan: bandit -r ./myproject
https://github.com/presidentbeef/brakeman
Simple scan: brakeman
Specify path scan: brakeman -p ./path_to_rails_app/
https://github.com/nexB/scancode-toolkit
Simple scan: scancode --license --copyright --json-pp scancode_result.json ./
https://github.com/jeremylong/DependencyCheck
Simple auto scan: dependency-check --out . --scan ./ -f JSON
https://docs.npmjs.com/cli/v9/commands/npm-audit
Simple auto scan: npm audit
Forced fix scan: npm audit fix
https://github.com/aquasecurity/trivy
Simple auto scan: trivy fs --scanners vuln myproject/
https://github.com/aquasecurity/trivy
Simple auto scan: trivy image python:3.4-alpine
https://github.com/trufflesecurity/trufflehog
Scan a local filesystem: trufflehog filesystem --directory=./
Scan a remote git repo: trufflehog git https://github.com/securestack-training/juiceshop
https://github.com/zricethezav/gitleaks
gitleaks detect -v
https://github.com/zricethezav/gitleaks/releases/tag/v7.6.1
gitleaks7 -v -r https://github.com/securestack-training/juiceshop
https://github.com/aquasecurity/trivy
Simple auto scan: trivy fs --scanners secret myproject/
https://github.com/projectdiscovery/nuclei
Run kitchen sink nuclei scan: nuclei -u https://app.niftybank.org
Run faster nuclei scan: nuclei -silent -eid http-missing-security-headers -u https://app.niftybank.org
Find only criticals and highs: nuclei -silent -severity critical,high -u https://app.niftybank.org
https://github.com/sullo/nikto
Simple Nikto scan: nikto -host app.niftybank.org
https://github.com/vulnersCom/nmap-vulners
Simple vulners scan: nmap -sV --script=nmap-vulners app.niftybank.org
Nmap - https://github.com/scipag/vulscan
Nmap NTLM scan: nmap -p 80 --script http-ntlm-info --script-args http-ntlm-info.root=/root/ cifs.niftybank.org
https://github.com/aquasecurity/trivy
Simple auto scan: trivy fs --scanners config myproject/
https://github.com/bin3xish477/ghast
Simple auto scan: ghast -d directory-with-actions/
Prowler
https://github.com/prowler-cloud/prowler
https://github.com/anchore/syft
Simple Syft scan: syft packages file:./package-lock.json
Simple node scan: cyclonedx-node --output bom.json
Simple npm scan: cyclonedx-npm --output-file ./npm.json
https://github.com/microsoft/sbom-tool
Simple sbom-tool scan: microsoft-sbom-tool generate -bc ./ -b ./SPDX -pn app.niftybank.org -pv 1.0 -nsb https://app.niftybank.org -ps test
https://github.com/oss-review-toolkit/ort
Simple ORT scan:
https://github.com/aquasecurity/trivy
Simple auto scan: trivy fs --scanners vuln,secret,config myproject/
Single commit SCA scan: bloodhound-cli code -t node -a <app_id>
Secret scan: bloodhound-cli code -s -a <app_id>
Web vuln scan: bloodhound-cli recon -a <app_id>
SecureStack SBOM Generation: bloodhound-cli SBOM -r -a <app_id>
- map CIS section other than 16 to all items
- map remaining ISO 27001 Annex 14
My name is Paul McCarty and I'm the founder of SecureStack. I created this document as a way to capture in one place the steps I took to implement DevSecOps functions into my team. If you have any questions you can contact me at hello@securestack.com or on Twitter at @eastside-mccarty.