
CLI Tool

Part of SOF Scanner is a CLI tool that manages the execution of various open source scanning tools. Currently the following tools are supported:

  1. npm audit
  2. bearer
  3. cargo audit
  4. semgrep

To execute the scanner, call it from the command line:

sof-scanner -c {config_file} -s {reporting server} -r {optional: runid} -t {optional: token} -l {optional: file} -p {optional: plugin path}
parameter  description
-c  The configuration file to parse. See below for more information on this file.
-s  The URL of the API reporting server. For local configurations it is http://localhost:8080.
-r  An optional run ID that identifies the run. In a CI/CD environment you may want to use the code commit hash or another unique run ID.
-t  An optional token to authorize the run report. This is for servers that have run validation turned on (i.e. runs can't be submitted publicly without a token).
-l  An optional output file; the raw scan results are written to it as a unified GitLab vulnerability report for use in CI/CD.
-p  Recursively search the supplied path for any scanners to load in; for more information see cli_plugins.

Configuration File

The configuration file is a JSON file that defines the project and the scans to execute. This project dogfoods itself, so you can see an example configuration in sof-config.json at the repository root.

It has the following format (curly-brace placeholders describe the value expected in each field):

{
    "project": {Name of Project},
    "scanners": [
        {
            "scanner": {One of [npm_audit, cargo_audit, semgrep, bearer]},
            "source": {root source folder to scan},
            "component": {component name},
            "options": {optional arguments if required}
        },
        ...
    ]
}

Supported Runners

Currently SOF-Scanner supports the following runners.

Bearer

Bearer is a free and open-source SAST scanning tool that supports several languages: https://www.bearer.com/bearer-cli

It executes in Docker inside SOF_Scanner and thus requires Docker to be installed.

{
    "scanner": "bearer",
    "source": ".",
    "component": "my component"
}

npm_audit

npm audit is a tool from npm that audits a project's packages for known vulnerabilities and recommends upgrades: https://docs.npmjs.com/auditing-package-dependencies-for-security-vulnerabilities

It executes using Node, so ensure Node is installed and up to date before use.

{
    "scanner": "npm_audit",
    "source": ".",
    "component": "my component"
}

cargo_audit

Cargo Audit is an auditing tool that audits Cargo (Rust) packages for vulnerabilities: https://crates.io/crates/cargo-audit

It executes using cargo, so ensure Rust is installed and up to date before use.

{
    "scanner": "cargo_audit",
    "source": ".",
    "component": "my component"
}

semgrep

A unified platform for SAST, secrets, and supply chain security. https://semgrep.dev/

It executes in Docker inside SOF_Scanner and thus requires Docker to be installed.

Semgrep requires the "options" parameter to name the rule set to apply, chosen from https://semgrep.dev/explore

{
    "scanner": "semgrep",
    "source": ".",
    "component": "my component",
    "options": "p/ruby"
}
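A misconfigured scanner entry (an unknown scanner name, or a semgrep entry with no rule set) only surfaces when the run fails in CI, so it is worth checking the configuration file before handing it to sof-scanner. The following is an added example, not part of the SOF Scanner project, that validates the configuration format described above together with the semgrep "options" requirement; the sample config it parses is constructed for the example.

```python
import json

# Scanner identifiers the configuration format accepts in the "scanner" field.
SCANNERS = {"npm_audit", "cargo_audit", "semgrep", "bearer"}
# Runners that need "options" to name a rule set (semgrep: e.g. "p/ruby").
NEEDS_OPTIONS = {"semgrep"}
REQUIRED = ("scanner", "source", "component")

# Constructed sample sof-config.json for this example; the last two entries
# are deliberately wrong (unknown scanner, semgrep without a rule set).
SAMPLE = """
{
  "project": "my-service",
  "scanners": [
    {"scanner": "npm_audit",   "source": "./web",  "component": "web"},
    {"scanner": "cargo_audit", "source": "./core", "component": "core"},
    {"scanner": "semgrep", "source": ".", "component": "all", "options": "p/ruby"},
    {"scanner": "bearer",  "source": ".", "component": "all"},
    {"scanner": "snyk",    "source": ".", "component": "typo"},
    {"scanner": "semgrep", "source": ".", "component": "no-ruleset"}
  ]
}
"""


def validate(config: dict) -> list[str]:
    """Return a list of problems; an empty list means the config is usable."""
    errors = []
    if not isinstance(config.get("project"), str) or not config["project"]:
        errors.append("project: must be a non-empty string")
    scanners = config.get("scanners")
    if not isinstance(scanners, list) or not scanners:
        return errors + ["scanners: must be a non-empty list"]
    for i, entry in enumerate(scanners):
        missing = [k for k in REQUIRED if k not in entry]
        if missing:
            errors.append(f"scanners[{i}]: missing {', '.join(missing)}")
            continue
        name = entry["scanner"]
        if name not in SCANNERS:
            errors.append(f"scanners[{i}]: unknown scanner {name!r}")
        elif name in NEEDS_OPTIONS and not entry.get("options"):
            errors.append(f"scanners[{i}]: {name} requires 'options' (rule set)")
    return errors


def check_sample() -> list[str]:
    """Validate the constructed sample; reports the two bad entries."""
    return validate(json.loads(SAMPLE))


if __name__ == "__main__":
    for problem in check_sample():
        print(problem)
```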