Getting Started
SOF Scanner is a tool that helps you orchestrate scans and report on your software security. It is comprised of 2 core components that together form a framework to capture, report and track code security issues.
- CLI Tool - manages the execution of 3rd party scanning tools. It lives in your development environment or CI/CD pipeline.
- Reporting Server - the interface that lets you track and report on security issues.
Setting up the Reporting Server
The reporting server contains three main components: an API server, a UI and a database. They can be installed independently or as a set of containers. Our recommended approach is containers with Docker Compose.
Setup via Docker Compose
- ensure Docker and Docker Compose are installed and running.
- create a docker-compose.yml with the following contents:
```yaml
version: '3.8'
services:
  postgres:
    image: postgres:10.3
    restart: always
    environment:
      - POSTGRES_USER=[UPDATE WITH USERNAME]
      - POSTGRES_PASSWORD=[UPDATE WITH PASSWORD]
    volumes:
      - postgres:/var/lib/postgresql/data
    ports:
      # publishes PostgreSQL on every host interface; use '127.0.0.1:5432:5432'
      # if only local access to the database is needed
      - '5432:5432'
    healthcheck:
      # CMD-SHELL takes one command string, not separate arguments
      test: ["CMD-SHELL", "pg_isready -d postgres"]
      interval: 30s
      timeout: 60s
      retries: 5
      start_period: 80s
  api_server:
    image: registry.gitlab.com/project-fey/sof_scanner/server:latest
    ports:
      - "8080:8080"
    depends_on:
      - postgres
    environment:
      # values in this list form are passed verbatim, so do not wrap them in quotes
      - NODE_ENV=production
      - PORT=8080
      - HOST=localhost
      - CORS_ORIGIN=http://localhost:*
      - COMMON_RATE_LIMIT_WINDOW_MS=1000
      - COMMON_RATE_LIMIT_MAX_REQUESTS=1000
      - DATABASE_URL=postgresql://[update with db username]:[update with db password]@postgres:5432/[update with database]?schema=public
      # must be long, random and unique to this deployment; it signs every session token
      - JWT_SIGNING_SECRET=[update with unique value]
      - EMAIL_SERVER=[update with email server]
      - EMAIL_USER=[update with email user]
      - EMAIL_PASS=[update with email password]
      - EMAIL_PORT=465
      - FROM_EMAIL=[update with from email]
      - PUBLIC_URL=[Update with public url]
      - OPENAI_API_KEY=[UPDATE WITH OPENAI KEY IF WANT AI FEATURES]
  ui_server:
    image: registry.gitlab.com/project-fey/sof_scanner/ui:latest
    ports:
      - "5173:5173"
    depends_on:
      - postgres
    environment:
      - VITE_API_URL=http://localhost:8080
volumes:
  postgres:
```
- update the compose file, replacing everything in [] with appropriate values.
- execute docker-compose up -d to bring the stack online.
- go to http://localhost:5173/login and register an account. The first account will be an admin.
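Before bringing the stack up it is easy to miss one of the [] placeholders or to leave a short JWT_SIGNING_SECRET in place. The following pre-flight script is an added example, not part of SOF Scanner: it counts the unset placeholders in a compose file, checks the length of the JWT secret and can generate a suitable one. The sample_compose function emits a constructed fragment of the file above for a dry run.

```shell
#!/bin/sh
# Added pre-flight check for the docker-compose.yml above (example script, not part of SOF Scanner).

# count_placeholders FILE: how many "[update with ...]" markers are still in FILE
count_placeholders() {
  grep -ic '\[update with' "$1" || true
}

# jwt_secret_from FILE: the JWT_SIGNING_SECRET value from the api_server environment list
jwt_secret_from() {
  sed -n 's/^[[:space:]]*-[[:space:]]*JWT_SIGNING_SECRET=//p' "$1" | tr -d '"' | head -n 1
}

# gen_secret: 32 random bytes as 64 hex characters, a suitable JWT_SIGNING_SECRET
gen_secret() {
  dd if=/dev/urandom bs=32 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# preflight FILE: return 0 when no placeholder remains and the JWT secret is at least
# 32 characters long; otherwise report each problem on stderr and return 1
preflight() {
  f=$1
  rc=0
  n=$(count_placeholders "$f")
  if [ "$n" -gt 0 ]; then
    echo "$f: $n placeholder(s) still unset:" >&2
    grep -in '\[update with' "$f" >&2
    rc=1
  fi
  s=$(jwt_secret_from "$f")
  if [ "${#s}" -lt 32 ]; then
    echo "$f: JWT_SIGNING_SECRET is ${#s} chars; use gen_secret for a 64-char value" >&2
    rc=1
  fi
  return "$rc"
}

# sample_compose filled|unfilled: a constructed fragment of the compose file for a dry run
sample_compose() {
  if [ "$1" = unfilled ]; then
    printf '%s\n' '    environment:' \
      '      - POSTGRES_USER=[UPDATE WITH USERNAME]' \
      '      - JWT_SIGNING_SECRET="[update with unique value]"'
  else
    printf '%s\n' '    environment:' \
      '      - POSTGRES_USER=sof' \
      "      - JWT_SIGNING_SECRET=$(gen_secret)"
  fi
}
```

Run preflight docker-compose.yml after editing the file; a non-zero exit means it is not ready for docker-compose up.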
Setting up from Code
Another option is to run the code locally. To do this, follow the steps below:
- ensure Node.js version 20 is installed and you have a PostgreSQL server running
- download the code from git
- navigate to the server folder
- copy the env.template file to .env and update its values
- execute npm install and the prisma commands:
```sh
npm install
npx prisma migrate dev
npx prisma db seed
npm start
```
- ensure the web server has come up by visiting http://localhost:8080
- in a new terminal, navigate to the ui folder
- copy the env.template file to .env and update its values
- execute npm install and run:
```sh
npm install
npm start
```
- go to http://localhost:5173/login and register an account. The first account will be an admin.
Configuring the Server
By default, once the server is up and running, registration and issue submission from the plugin are open to anyone. To change that, log in with your first account (the admin) and click Settings. From here you will be able to:
- enable / disable OpenAI integration
- enable / disable public signup
- enable / disable public issue submission
- generate private tokens for submissions
- manage users
Setting up the CLI Tool
The CLI tool is bundled as an npm package. To set it up on a runner or developer environment:
- add the registry and install:
```sh
echo @feya:registry=https://gitlab.com/api/v4/packages/npm/ >> .npmrc
npm install -g @feya/sof_scanner
```
- create a configuration file in your code folder (for more information see configuring the CLI tool)
- execute sof-scanner with the proper configuration, pointing it at your reporting server:
```sh
sof-scanner --server http://localhost:8080 -c .\sof-config.json -l .\output.json
```