Eze the one stop cli for security testing
Project description
______ ______ ______ _____ _ _____
| ____| |___ / | ____| / ____| | | |_ _|
| |__ / / | |__ ______ | | | | | |
| __| / / | __| |______| | | | | | |
| |____ / /__ | |____ | |____ | |____ _| |_
|______| /_____| |______| \_____| |______| |_____|
The one stop solution for security testing in modern development
Overview
Eze is the one stop solution for security testing in modern development.
This tool can be run locally on the cli by developers or security consultants, or deeply integrated into a team / organisations CI pipeline, with team and organisation management dashboards available for reviewing and monitoring the overall security of a organisation's estate.
Features:
- Quick setup via Dockerfile with preinstalled tools
- Simple multi-tool configuration via a single common configuration file
- Support for multiple targets: remote git repositories, containers
- Supports Python, Node and Java applications.
- Run multiple tools with one command
- Extendable plugin architecture for adding new security tools
- Improve uptake of security testing in modern development.
- Improve discovery and uptake of open source security tools
- Extends capabilities of raw opensource tools underneath (adding missing features like ignore patterns, version detection, and cve metadata annotation, as needed)
- Layering enterprise level reporting and auditing via the Eze Management Console (PAID service offered by RiverSafe)
Eze Usage
It is strongly* recommended most users run eze inside the docker image, this is the easiest way to get started with eze security scanning.
* For sysadmin and power users, see the README-DEVELOPMENT.md
Pull Docker image
Eze is inside this Docker image, the default Dockerfile contains the eze cli
running inside a default linux os with a selection of opensource security tools out of the box.
# Pull docker image
docker pull riversafe/eze-cli:latest
# Test docker running ok
docker run riversafe/eze-cli --version
Run security scan
This command will run a security scan against the current folder. Results will be in eze_report.json
# Scan code in current directory (cmd)
docker run --rm -v %cd%:/data riversafe/eze-cli test
# Scan code in current directory (powershell)
docker run --rm -v ${PWD}:/data riversafe/eze-cli test
# Scan code in current directory (git bash)
docker run --rm -v $(pwd -W):/data riversafe/eze-cli test
# Scan code in current directory (linux/mac os bash)
docker run --rm -v "$(pwd)":/data riversafe/eze-cli test
*For advanced users this Dockerfile image can be downloaded and tailored to optimise the size of the image / versions of tools.
Other Common commands
Detect tools locally installed
docker run riversafe/eze-cli tools list
Example
$ eze tools list
Available Tools are:
=======================
raw 0.6.1 input for saved eze json reports
trufflehog 2.0.5 opensource secret scanner
semgrep 0.53.0 opensource multi language SAST scanner
...
Configuring Eze
Custom configuration
Eze runs off a local .ezerc.toml file, when this config is not present, a sample config will be generated automatically by scanning the codebase (eze test
). You can customise it to:
- Add/remove a scanning tool
- Customise the arguments passed to a specific tool
Get Tool Configuration Help
To show information about a specific tool:
- What version if any is installed.
- Instructions how-to install it and configure
docker run riversafe/eze-cli tools help <TOOL>
Result
$ docker run riversafe/eze-cli tools help semgrep
Tool 'semgrep' Help
opensource multi language SAST scanner
=================================
Version: 0.52.0 Installed
Tool Configuration Instructions:
=================================
Configuration Format for SemGrep
[semgrep]
...
Developers Documentation
To add your own tools checkout [README-DEVELOPMENT.md], this will walk you through installing eze locally for local development.
Contribute
To start contributing read [CONTRIBUTING.md]
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.