A command line interface for scanning configuration files with CoGuard
Project description
CoGuard
Why CoGuard
Infrastructure as Code (IaC) is here to stay. The versioning and continuous scanning of every layer of your IT (on premise and cloud) infrastructure is crucial.
CoGuard's team observed that there are a lot of policy checks on the layers communicating to the cloud, but the configurations inside specific compute devices such as physical servers, virtual machines or containers are mostly neglected, or have silo-ed solutions at best.
In order to have static analysis practices for IaC that go as deep as the available tools for code, every layer needs to be equally addressed.
In our practice, we observed that, at times, even an awareness of locations of configuration files is lacking. This is why we created a command line tool helping with discovering those configurations, and scanning them.
As an initial starting point for the CLI, we chose Docker images. Modern container scanners check for versions of software and libraries installed on those containers, and establish if there are common known vulnerabilities and exposures (CVEs). The CoGuard CLI is trying to find known configuration files for e.g. web servers or databases, and scans these for security and best practice. Additionally, the last Docker file used to create an image is analyzed as well.
Introduction to the CoGuard CLI
CoGuard is a comprehensive static analysis tool for IT infrastructure configurations (cloud and on-premise).
This project is the command line interface to CoGuard, with additional auto-discovery functionality.
In its current release, it scans Docker images and its contents. In particular, it searches for known configuration files of different software packages (like webservers, databases, etc.), and scans these configurations for security and best practice.
How to install it
Pre-Requisites
You need to have python3
, pip3
and docker
installed on your system.
Here are the different operating systems and commands to be used for Python and Pip.
Ubuntu/Debian
sudo apt install -y python3 python3-pip
Alpine
apk add python3 py3-pip
CentOS/Fedora
sudo yum install -y python3 python3-pip
Arch Linux
sudo pacman -S python python-pip
Mac OS
Assuming you are using [Homebrew](https://brew.sh), you have to runbrew install python3
Windows
Download Python3 for Windows using this link, and install it.
Installation
CoGuard CLI can either be pulled from this repository and used
directly, or installed via pip
:
pip3 install coguard-cli
Keep in mind that it is a requirement to have Docker installed locally.
How to use it
After installing the CoGuard CLI, you can run a scan on your local images using
coguard docker-image [<YOUR-IMAGE-NAME-OR-ID>]
Remark: It may happen that the folder where pip
is installing packages is not
in included in PATH
. We have observed it on some Ubuntu installations, and on
Homebrew Mac installs. For the Linux case, such as Ubuntu,
you can find the binary usually under $HOME/.local/bin/coguard
, i.e. you run
$HOME/.local/bin/coguard docker-image [<YOUR-IMAGE-NAME-OR-ID>]
For the Mac case, it is often installed under ~/Library/Python/<YOUR_PYTHON_VERSION>/bin/coguard
, i.e. you would run
~/Library/Python/<YOUR_PYTHON_VERSION>/bin/coguard docker-image [<YOUR-IMAGE-NAME-OR-ID>]
If you omit the image ID parameter, CoGuard will scan all the images currently stored on your device.
This step requires you to create a CoGuard account. After completion, this image check will return the findings of CoGuard on this particular image. You can view the latest historical scan results when logging in to https://portal.coguard.io.
Here is a screenshot of a sample scan:
As you can see, CoGuard also analyzes the last Dockerfile used.
The checks are gathered from different security benchmarks, such as CIS, but also directly from the user manuals of these software projects. At times, known issues for certain versions and security remediations specific to a certain version are being taken into account as well.
Current support and future plans
The currently supported auto-discovery of configuration files inside Docker containers is limited to the finders in this folder. This list will expand in the future. In addition, we are scanning the Dockerfile used to create the images, and will add some Linux configuration files in the near future.
Learn more
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Hashes for coguard_cli-0.1.15-py3-none-any.whl
Algorithm | Hash digest | |
---|---|---|
SHA256 | 7b0209947df4f623cbe256fcc85b46b4e534d04f02438a8c9c69792798a9e41b |
|
MD5 | 31da5add7377e27bcdcfc7ae3017f5fc |
|
BLAKE2b-256 | f34119a3bb5bbb54cbd0177b218ad1160f767903d58dd2dfe6d3bc6e50b25943 |