scanner-git-repo-scanner
10K+
OWASP secureCodeBox is an automated and scalable open source solution that can be used to integrate various security vulnerability scanners with a simple and lightweight interface. The secureCodeBox mission is to support DevSecOps Teams to make it easy to automate security vulnerability testing in different scenarios.
With the secureCodeBox we provide a toolchain for continuous scanning of applications to find the low-hanging fruit issues early in the development process and free the resources of the penetration tester to concentrate on the major security issues.
The secureCodeBox project is running on Kubernetes. To install it you need Helm, a package manager for Kubernetes. It is also possible to start the different integrated security vulnerability scanners based on a docker infrastructure.
You can find resources to help you get started on our documentation website including instruction on how to install the secureCodeBox project and guides to help you run your first scans with it.
latest (represents the latest stable release build)3.0.0, 2.9.0, 2.8.0, 2.7.0This scanner image is intended to work in combination with the corresponding parser image to parse the scanner findings to generic secureCodeBox results. For more information details please take a look at the project page or [documentation page][https://www.securecodebox.io/docs/scanners/git-repo-scanner].
docker pull securecodebox/scanner-git-repo-scanner
Git-Repo-Scanner is a small Go project which discovers repositories on GitHub or GitLab. The main purpose of this scanner is to provide a cascading input for the gitleaks and semgrep scanners.
The scanner options can be divided into two groups for Gitlab and GitHub. You can choose the git repository type with the option:
--git-type GitHub
or
--git-type GitLab
For type GitHub you can use the following options:
--organization: The name of the GitHub organization you want to scan.--url: The url of the api for a GitHub enterprise server. Skip this option for repos on https://github.com.--access-token: Your personal GitHub access token (needs full repo rights if you want to also find private repositories, otherwise repo:status and public_repo is sufficient).--ignore-repos: A list of GitHub repository ids you want to ignore--obey-rate-limit: True to obey the rate limit of the GitHub server (default), otherwise False--activity-since-duration: Return git repo findings with repo activity (e.g. commits) more recent than a specific date expressed by a duration (now + duration). A duration string is a possibly signed sequence of decimal numbers, each
with optional fraction and a unit suffix, such as '1h' or '2h45m'. Valid time units are 'm', 'h', 'd', 'w'.--activity-until-duration: Return git repo findings with repo activity (e.g. commits) older than a specific date expressed by a duration (now + duration). A duration string is a possibly signed sequence of decimal numbers, each with
optional fraction and a unit suffix, such as '1h' or '2h45m'. Valid time units are 'm', 'h', 'd', 'w'.--annotate-latest-commit-id: Set to True to annotate the results with the SHA1 of the latest commit on the main branch. Causes an extra API hit per repository. False by default.For now only organizations are supported, so the option is mandatory. We strongly recommend providing an access token for authentication, otherwise the API rate limiting will kick in after about 30 repositories scanned.
For type GitLab you can use the following options:
--url: The url of the GitLab server.--access-token: Your personal GitLab access token (needs at least read_api and read_repository scopes).--group: A specific GitLab group id you want to san, including subgroups.--ignore-groups: A list of GitLab group ids you want to ignore--ignore-repos: A list of GitLab project ids you want to ignore--obey-rate-limit: True to obey the rate limit of the GitLab server (default), otherwise False--activity-since-duration: Return git repo findings with repo activity (e.g. commits) more recent than a specific date expressed by a duration (now + duration). A duration string is a possibly signed sequence of decimal numbers, each
with optional fraction and a unit suffix, such as '1h' or '2h45m'. Valid time units are 'm', 'h', 'd', 'w'.--activity-until-duration: Return git repo findings with repo activity (e.g. commits) older than a specific date expressed by a duration (now + duration). A duration string is a possibly signed sequence of decimal numbers, each with
optional fraction and a unit suffix, such as '1h' or '2h45m'. Valid time units are 'm', 'h', 'd', 'w'.--annotate-latest-commit-id: Set to True to annotate the results with the SHA1 of the latest commit on the main branch. Causes an extra API hit per repository. False by default.For Gitlab, the url and the access token is mandatory. If you don't provide a specific group id, all projects on the Gitlab server are going to be discovered.
You are welcome, please join us on... 👋
secureCodeBox is an official OWASP project.
As with all Docker images, these likely also contain other software which may be under other licenses (such as Bash, etc from the base distribution, along with any direct or indirect dependencies of the primary software being contained).
As for any pre-built image usage, it is the image user's responsibility to ensure that any use of this image complies with any relevant licenses for all software contained within.
Content type
Image
Digest
sha256:113bdadbd…
Size
6.5 MB
Last updated
8 days ago
docker pull securecodebox/scanner-git-repo-scannerPulls:
1,406
Jun 29 to Jul 5