AS{2} aims to provide visibility, compliance, alerting and reporting capabilities. The primary focus is to bring the open-source tools used by AppSec teams together in one place with better visibility.
AS{2} leverages Gitleaks, an open-source secrets scanner, to identify hard-coded secrets in Bitbucket Server repositories and to track overall compliance. The JIRA and Slack integrations help the security and engineering teams track and address the findings.
- HTML, JavaScript
- Python Flask
- Postgresql
- Redis
- Nginx
- Bitbucket server (on-premise)
- JIRA
- Slack
- Bitbucket server integration
- Hard-coded secrets integration
- Analysis view
- Bitbucket cloud integration
- GitHub integration
- SAST integration
- SCA integration
- DAST integration
- Store passwords in the secrets manager
- Docker
- Docker-compose
1. Clone the repository

   ```sh
   cd /Data
   git clone https://github.com/govindasamyarun/application-security-suite.git
   ```
2. Optional: if you wish to use a different database name, username and password, edit docker-compose.yml and update the values below. Otherwise skip step 2. The DB_* values under as2-app-service must match the POSTGRES_* values under as2-db-service, and because these credentials sit in plaintext in docker-compose.yml (moving them to a secrets manager is on the roadmap), do not commit real passwords to the repository.

   ```sh
   cd /Data/application-security-suite
   vi docker-compose.yml
   ```

   ```yaml
   as2-db-service:
     environment:
       POSTGRES_DB: <<Enter DB name>>
       POSTGRES_USER: <<Enter DB username>>
       POSTGRES_PASSWORD: <<Enter DB password>>
   as2-app-service:
     environment:
       DB_USER: <<Enter DB username>>
       DB_PASSWORD: <<Enter DB password>>
       DB_DATABASE: <<Enter DB name>>
   ```
3. Start the containers

   ```sh
   cd /Data/application-security-suite
   docker-compose up --detach
   ```
4. Access localhost on port 80: http://127.0.0.1/ (this is plain HTTP, and the Settings page stores the Bitbucket, Slack and JIRA tokens, so keep it bound to localhost or put it behind TLS before exposing it to others)
- By default, the AS{2} scan engine uses 50 threads.
- The thread count is set in the config file. To use more threads and speed up the scan, change the value and rebuild the as2-app-service Docker image:

  ```sh
  vi /Data/application-security-suite/as2-app-service/src/config.py
  ```

  ```python
  class gitLeaksConfig:
      scanner_results_config_file_path = "/usr/src/app/reports/scanner_results.csv"
      thread_count = << Enter a value >>
  ```
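To show what the thread count governs, here is an added example (not AS{2}'s own code) of the pattern the scan engine describes: running `gitleaks detect` over several repository checkouts with a bounded thread pool and aggregating the JSON findings into one CSV. It assumes Gitleaks v8 is on PATH, that the paths in REPOS are local clones (hypothetical paths), and that the aggregated report should not contain the secret values themselves, since the CSV is what later gets attached to a JIRA ticket. The `runner` argument is injectable so the aggregation can be exercised without a Gitleaks binary.

```python
"""Parallel Gitleaks scan across local repository checkouts.

Added example, not part of AS{2}. Assumes `gitleaks` (v8) is on PATH.
"""
import csv
import json
import os
import subprocess
import tempfile
from concurrent.futures import ThreadPoolExecutor

THREAD_COUNT = 50  # mirrors gitLeaksConfig.thread_count above

# Columns written to the aggregated CSV. The raw `Secret` field from the
# Gitleaks report is deliberately left out so the report itself does not
# become a second copy of every leaked credential.
CSV_FIELDS = ["repo", "rule_id", "file", "start_line", "commit", "author", "fingerprint"]


def run_gitleaks(repo_path):
    """Run `gitleaks detect` on one checkout and return its findings as a list of dicts.

    Gitleaks exits 1 when it finds leaks and 0 when it finds none (its default
    --exit-code), so only other exit codes are treated as scanner failures.
    """
    with tempfile.NamedTemporaryFile(suffix=".json", delete=False) as tmp:
        report_path = tmp.name
    try:
        proc = subprocess.run(
            ["gitleaks", "detect", "--source", repo_path,
             "--report-format", "json", "--report-path", report_path],
            capture_output=True, text=True,
        )
        if proc.returncode not in (0, 1):
            raise RuntimeError(f"gitleaks failed on {repo_path}: {proc.stderr.strip()}")
        data = ""
        if os.path.exists(report_path):
            with open(report_path) as fh:
                data = fh.read().strip()
        return json.loads(data) if data else []  # some versions write no report when clean
    finally:
        if os.path.exists(report_path):
            os.unlink(report_path)


def normalise(repo_path, finding):
    """Flatten one Gitleaks JSON finding into a CSV row, dropping the secret itself."""
    return {
        "repo": os.path.basename(os.path.normpath(repo_path)),
        "rule_id": finding.get("RuleID", ""),
        "file": finding.get("File", ""),
        "start_line": finding.get("StartLine", 0),
        "commit": finding.get("Commit", ""),
        "author": finding.get("Author", ""),
        "fingerprint": finding.get("Fingerprint", ""),
    }


def scan_repos(repo_paths, thread_count=THREAD_COUNT, runner=run_gitleaks):
    """Scan every repository with at most `thread_count` concurrent gitleaks runs.

    Returns (rows, errors): rows are redacted CSV rows sorted by repo/file/line,
    errors maps a repo path to the exception its scan raised, so a checkout that
    failed to scan is reported rather than silently appearing "clean".
    """
    rows, errors = [], {}
    with ThreadPoolExecutor(max_workers=thread_count) as pool:
        futures = {pool.submit(runner, path): path for path in repo_paths}
        for fut, path in futures.items():
            try:
                rows.extend(normalise(path, f) for f in fut.result())
            except Exception as exc:  # one broken checkout must not abort the whole run
                errors[path] = exc
    rows.sort(key=lambda r: (r["repo"], r["file"], r["start_line"]))
    return rows, errors


def write_csv(rows, out_path):
    """Write the redacted rows as scanner_results-style CSV and return the path."""
    with open(out_path, "w", newline="") as fh:
        writer = csv.DictWriter(fh, fieldnames=CSV_FIELDS)
        writer.writeheader()
        writer.writerows(rows)
    return out_path


if __name__ == "__main__":
    REPOS = ["/Data/checkouts/repo-a", "/Data/checkouts/repo-b"]  # hypothetical clones
    rows, errors = scan_repos(REPOS, thread_count=THREAD_COUNT)
    write_csv(rows, "scanner_results.csv")
    print(f"{len(rows)} findings, {len(errors)} repositories failed to scan")
```

The `Fingerprint` column (commit:file:rule:line) is what you want for de-duplicating findings across runs and for building a `.gitleaksignore`, which is why it is kept while the matched secret is dropped; if a reviewer needs the value they can re-run Gitleaks on the single repository locally.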
- Navigate to the Settings tab
- Enter the Bitbucket hostname, username and auth token
- Make sure the auth token does not contain a forward or backward slash
- By default, "Scan all branches", Slack notifications and JIRA notifications are set to false
- To enable Slack notifications, register a Slack app:
  - https://api.slack.com/apps
  - Set OAuth & Permissions and the Redirect URL
  - Install the app in the workspace
  - Set the scopes:
    - channels:read
    - chat:write
    - chat:write.public
  - Copy the bot token
- To enable JIRA notifications, you need an EPIC ID, username and auth token
- The scan output gets attached to the EPIC ticket
- Save the settings
- Navigate to the Scan tab and initiate the scan
- The frontend polls the REST API and updates the scan status every 30 seconds
- Once the scan is complete, the statistics are shown on the home page
- Previous scan results are also shown on the home page
- Use the Reports tab to download the report in CSV format
Use the Issues tab to report any problems.
Distributed under the MIT License. See LICENSE for more information.
Note: I’m a self-taught programmer. The frontend code was copied from online, and I tweaked it a bit to fit into the application logic. The backend code was written entirely by myself.