From c87f9b3d1ee588b09b60f923c2d8a04aaa08fd44 Mon Sep 17 00:00:00 2001
From: Evan Lobeto
Date: Wed, 4 Dec 2024 13:47:18 -0700
Subject: [PATCH] refactor scans
---
 .github/workflows/sftp-scanner.yaml |  6 +++---
 scripts/scan.py                     |  3 +--
 scripts/semgrep.sh                  | 24 ++++++++++++++++++++++++
 3 files changed, 28 insertions(+), 5 deletions(-)
 create mode 100755 scripts/semgrep.sh
diff --git a/.github/workflows/sftp-scanner.yaml b/.github/workflows/sftp-scanner.yaml
index 4f6b7f9..8dfc197 100644
--- a/.github/workflows/sftp-scanner.yaml
+++ b/.github/workflows/sftp-scanner.yaml
@@ -49,9 +49,9 @@ jobs:
           HBH_SCAN_SECRET: ${{ secrets.HBH_SCAN_SECRET }}
         run: |
           python ./scripts/scan.py
+          cp allcode/semgreptrivyoutput.txt .
           date=$(date '+%Y-%m-%d')
-          aws s3 cp nmapoutput.txt s3://prod-us-east-1-sftp/server-scans/${date}-sftpscan.txt
-          aws s3 cp trivyoutput.txt s3://prod-us-east-1-sftp/server-scans/${date}-trivyscan.txt
-          aws s3 cp sgoutput.txt s3://prod-us-east-1-sftp/server-scans/${date}-semgrepscan.txt
+          aws s3 cp nmapoutput.txt s3://prod-us-east-1-sftp/server-scans/${date}-sftp-scan.txt
+          aws s3 cp semgreptrivyoutput.txt s3://prod-us-east-1-sftp/server-scans/${date}-semgrep-trivy-scan.txt
diff --git a/scripts/scan.py b/scripts/scan.py
index 36fe31f..50d8514 100644
--- a/scripts/scan.py
+++ b/scripts/scan.py
@@ -67,6 +67,5 @@ def fetch_releases(oauth_token):
     else:
         os.system("cd allcode && git clone "+r["sshUrl"])
 # run various scans. requires these utilities to be installed
-os.system("cd allcode && trivy fs . > ../trivyoutput.txt")
-os.system("cd allcode && semgrep scan . > ../sgoutput.txt")
+os.system("cd allcode && ../scripts/semgrep.sh")
 os.system("nmap -sV --script ssh2-enum-algos -Pn -p 22 sftp.prod-useast1.heartbeathealth.com > nmapoutput.txt")
\ No newline at end of file
diff --git a/scripts/semgrep.sh b/scripts/semgrep.sh
new file mode 100755
index 0000000..f0799ba
--- /dev/null
+++ b/scripts/semgrep.sh
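Review bot: The added `cp allcode/semgreptrivyoutput.txt .` and the two `aws s3 cp` lines publish whatever scan.py left on disk, and scan.py drives the scanners through `os.system` without checking their exit status (see the scan.py hunk), so an nmap that failed to run leaves an empty `nmapoutput.txt` that is still uploaded under the day's key as if it were a complete report. Make the step refuse to publish an empty artifact by adding `test -s nmapoutput.txt && test -s semgreptrivyoutput.txt` before the uploads. The `cp` can be dropped by uploading `allcode/semgreptrivyoutput.txt` directly. The hunk header announces nine lines per side but seven are visible, so trailing context appears to have been lost in extraction.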
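Review bot: `os.system("cd allcode && ../scripts/semgrep.sh")` discards the exit status exactly as the two lines it replaces did, so a scanner that is missing or crashes returns control normally and the calling workflow proceeds to upload the partial output. Prefer `subprocess.run(["../scripts/semgrep.sh"], cwd="allcode", check=True)` so a failure stops the job and the shell string goes away; this needs `import subprocess` if the file does not already have it, and the import block is outside the hunk. The `for`/`if` that the `else:` context line belongs to starts outside the hunk.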
@@ -0,0 +1,24 @@
+#!/bin/bash
+
+PARENT_DIR=${1:-$(pwd)}
+
+OUTPUT_FILE="semgreptrivyoutput.txt"
+
+> "$OUTPUT_FILE"
+
+# Loop through each subdirectory in the parent directory
+for dir in "$PARENT_DIR"/*/; do
+  if [ -d "$dir" ]; then
+    echo "Entering directory: $dir"
+    cd "$dir" || continue
+
+    semgrep scan . >> "$PARENT_DIR/$OUTPUT_FILE" 2>&1
+    trivy fs . >> "$PARENT_DIR/$OUTPUT_FILE" 2>&1
+
+    echo "Command executed in $dir, output appended to $OUTPUT_FILE"
+
+    cd "$PARENT_DIR" || exit
+  fi
+done
+
+echo "Script completed. Output written to $OUTPUT_FILE."
\ No newline at end of file
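Review bot: `> "$OUTPUT_FILE"` truncates the file in the caller's working directory while every append goes to `"$PARENT_DIR/$OUTPUT_FILE"`, so when `$1` is a relative path the two differ and the report silently accumulates across runs; a relative `$1` also makes `cd "$PARENT_DIR" || exit` fail after the first `cd "$dir"`. Resolve the directory once with `PARENT_DIR=$(cd "${1:-.}" && pwd)` and use a single path for both the truncation and the appends. The exit status of `semgrep scan` and `trivy fs` is discarded and the script always exits 0, so a missing scanner surfaces only as a "command not found" line inside the report; record a status and return it (check each tool's exit-code convention for findings before treating non-zero as a tool failure). The "Entering directory" echo goes to stdout rather than the report, so findings from different repositories are concatenated with no per-repository header; write one into the file as well.
```shell
#!/bin/bash
# Resolve once so the appends and the cd back also work when $1 is relative.
PARENT_DIR=$(cd "${1:-.}" && pwd) || exit 1
OUTPUT_FILE="semgreptrivyoutput.txt"
OUTPUT_PATH="$PARENT_DIR/$OUTPUT_FILE"
status=0

> "$OUTPUT_PATH"

for dir in "$PARENT_DIR"/*/; do
  # … unchanged: -d check, "Entering directory" echo, cd "$dir" || continue …
  echo "===== $dir =====" >> "$OUTPUT_PATH"
  semgrep scan . >> "$OUTPUT_PATH" 2>&1 || status=$?
  trivy fs . >> "$OUTPUT_PATH" 2>&1 || status=$?
  # … unchanged: "Command executed" echo, cd "$PARENT_DIR" || exit, fi …
done
# … unchanged: completion echo …
exit "$status"
```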