Skip to main content

Anteater - CI Validation Framework

Project description

Anteater - CI/CD Gate Check Framework

anteater

Build Status Documentation Status

Description

Anteater is an open framework to prevent the unwanted merging of nominated strings, filenames, binaries, depreciated functions, staging enviroment code / credentials etc. Anything that can be specified with regular expression syntax, can be sniffed out by anteater.

You tell anteater exactly what you don't want to get merged, and anteater looks after the rest.

If anteater finds something, it exits with a non-zero code which in turn fails the build of your CI tool, with the idea that it would prevent a pull request merging. Any false positives are easily negated by using the same RegExp framework to cancel out the false match.

Entire projects may also be scanned also, using a recursive directory walk.

With a few simple steps it can be easily implemented into a CI / CD workflow with tooling such as Travis CI, CircleCI, Gitlab CI/CD and Jenkins.

It is currently used in the Linux Foundations project 'OPNFV' as means to provide automated security checks at gate, but as shown in the examples below, it can be used for other scenarios.

Anteater also provides integrates with the Virus Total API, so any binaries, public IP addresses or URL's found by anteater, will be sent to the Virus Total API and a report will be returned. If any object is reported as malicous, it will fail the CI build job.

Example content is provided for those unsure of what to start with and its encouraged and welcomed to share any Anteater filter strings you find useful.

Why would I want to use this?

Anteater has many uses, and can easily be bent to cover your own specific needs.

First, as mentioned, it can be set up to block strings and files with a potential security impact or risk. This could include private keys, a shell history, aws credentials etc.

It is especially useful at ensuring that elements used in a staging / development enviroment don't find there way into a production enviroment.

Let's take a look at some examples:

apprun:
  regex: app\.run\s*\(.*debug.*=.*True.*\)
  desc: "Running flask in debug mode could potentially leak sensitive data"

The above will match code where a flask server is set to running in debug mode app.run(host='0.0.0.0' port=80 debug=true), which can be typical to a developers enviroment and mistakenly staged into production.

For a rails app, this could be:

regex: \<%=.*debug.*%>

Even more simple, look for the following in most logging frameworks:

regex: log\.debug

Need to stop developers mistakenly adding a private key?

  private_key:
    regex: -----BEGIN\sRSA\sPRIVATE\sKEY----
    desc: "This looks like it could be a private key"

How about credential files that would cause a job loss if ever leaked into production? Anteater works with file names too.

For Example:

jenkins\.plugins\.publish_over_ssh\.BapSshPublisherPlugin\.xml

Or even..

- \.pypirc
- \.gem\/credentials
- aws_access_key_id
- aws_secret_access_key
- LocalSettings\.php

If your app has its own custom secrets / config file, then its very easy to add your own regular expressions. Everything is set using YAML formatting, so no need to change anteaters code.

Depreciated functions, classes etc

Another use is for when a project depreciates an old function, yet developers might still make pull requests using the old function naming:

depreciated_function:``
  regex: depreciated_function\(.*\)
  desc: This function was depreciated in release X, use Y function.

Or perhaps stopping people from using 1.x versions of a framework:

<script.src.*="https:\/\/ajax\.googleapis\.com\/ajax\/libs\/angularjs\/1.*<\/script>

What if I get false postives?

Easy, you set a RegExp to stop the match , kind of like RegExp'ception.

Let's say we want to stop use of MD5:

md245:
  regex: md[245]
  desc: "Insecure hashing algorithm"

This then incorrectly gets matched to the following:

mystring = int(amd500) * 4

We set a specific ignore RegEx, so it matches and then is unmatched by the ignore entry.

mystring.=.int\(amd500\).*

Yet other instance of MD5 continue to get flagged.

Binaries

With anteater, if you pass the argument --binaries, any binary found causes a build failure on the originating pull request. It is not until a sha256 checksum is set within anteater's YAML ignore files, that the build is allowed to pass.

This means you can block people from checking in compiled objects, images, PDFs etc that may have an unknown origin or tampering with the existing binary files.

An example:

$ anteater --binaries --project myproj --patchset /tmp/patch
Non Whitelisted Binary file: /folder/to/repo/images/pal.png
Please submit patch with this hash: 3aeae9c71e82942e2f34341e9185b14b7cca9142d53f8724bb8e9531a73de8b2

Let's enter the hash::

binaries:
  images/pal.png:
    - 3aeae9c71e82942e2f34341e9185b14b7cca9142d53f8724bb8e9531a73de8b2

Run the job again::

$ anteater --binaries --project myproj --patchset /tmp/patch
Found matching file hash for: /folder/to/repo/images/pal.png

This way we can sure binaries are not tampered with by means of a failed cryptographic signature / checksum.

Any binaries not having a sha256 checksum will also be sent to the Virus Total API for scanning.

Virus Total API

If the following flags (combined or individually) --ips, -urls, --binaries are used, anteater will perform a lookup to the Virus Total API.

IP addresses, will be have their DNS history checked for any previous or present connection with known black listed domains marked as malicious or containing malware.

URLs, will be checked for any previous or present connection with known black listed domains marked as malicious or containing malware.

As mentioned, Binaries will be sent to Virus Total and verified as clean / infected.

For more details and indepth documentation, please visit readthedocs

Last of all, if you do use anteater, I would love to know (twitter: @decodebytes) and pull requests / issues are welcome!

Contribute

Contributions are welcome.

Please make a pull request in a new branch, and not master.

git checkout -b mypatch
git push origin mypatch

Unit tests and PEP8 checks are in tox, so simply run the tox command before pushing your code.

If your patch fixes and issue, please paste the issue url into the commit message.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

anteater-0.23.tar.gz (23.1 kB view details)

Uploaded Source

Built Distribution

anteater-0.23-py2-none-any.whl (22.8 kB view details)

Uploaded Python 2

File details

Details for the file anteater-0.23.tar.gz.

File metadata

  • Download URL: anteater-0.23.tar.gz
  • Upload date:
  • Size: 23.1 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/3.4.1 importlib_metadata/4.6.0 pkginfo/1.7.0 requests/2.25.1 requests-toolbelt/0.9.1 tqdm/4.61.1 CPython/3.9.4

File hashes

Hashes for anteater-0.23.tar.gz
Algorithm Hash digest
SHA256 cfca0dffc73a2c753ab15b697c61508b339f462288140b492e99bc5b2789f956
MD5 a0e6b7fa8d047c632e30ea168478ba8d
BLAKE2b-256 dbfcbd474da27bdd961625c294c0f0f285e9875354e5f6742bfe5845a9da7022

See more details on using hashes here.

File details

Details for the file anteater-0.23-py2-none-any.whl.

File metadata

  • Download URL: anteater-0.23-py2-none-any.whl
  • Upload date:
  • Size: 22.8 kB
  • Tags: Python 2
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/3.4.1 importlib_metadata/4.6.0 pkginfo/1.7.0 requests/2.25.1 requests-toolbelt/0.9.1 tqdm/4.61.1 CPython/3.9.4

File hashes

Hashes for anteater-0.23-py2-none-any.whl
Algorithm Hash digest
SHA256 726c023057e32cae4b97963d49367f68b405d0859ff9464bbadaff4ef8c00429
MD5 b8b35d0f0376c51138f2c14e1a670d2d
BLAKE2b-256 273e8f8d431711aed89a4ad35b71d1710e28b43f67dd974b6130244cb6277167

See more details on using hashes here.

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page