Command Line Interface (CLI) – DuckDefender
DuckDefender is a Flyingduck agent that performs various security scans on your code repository. It helps identify hardcoded secrets, analyze libraries, and perform static application security testing (SAST). DuckDefender can perform scans for:
- SAST
- SBOM Analysis
- SCA
- Secrets Detection
Each command has specific functionalities, and several flags can be used to customize the scans.
Software Requirements
- Docker must be installed and running on the VM.
Install Docker (Official Documentation)
Validate Docker Installation
Log in as ubuntu or any non-root user, and run:
docker run hello-world
If Docker is installed and running correctly, you should see output similar to:
Hello from Docker!
This message shows that your installation appears to be working correctly.
To generate this message, Docker took the following steps:
1. The Docker client contacted the Docker daemon.
2. The Docker daemon pulled the "hello-world" image from the Docker Hub.
(amd64)
3. The Docker daemon created a new container from that image which runs the
executable that produces the output you are currently reading.
4. The Docker daemon streamed that output to the Docker client, which sent it
to your terminal.
Environment Variables
DuckDefender requires the FD_API_KEY for authentication. You can configure it as follows:
Temporary (Session-Based) Environment Variable
export FD_API_KEY=value
Docker Command
DuckDefender can run SBOM, SCA, secrets, and SAST scans from a single Docker invocation.
Preparing the Repository
Before running DuckDefender, download the repository locally:
# Clone the source code
git clone https://github.com/example/repo.git
cd repo
Running the Scan
Run DuckDefender from the root of your repository:
docker run --pull=always -e FD_API_KEY="${FD_API_KEY}" -v "${PWD}:/src" --entrypoint /bin/bash flyingduckio/duckdefender:latest -c "duckdefender code --all"
or
docker run --pull=always -e FD_API_KEY=FD_API_KEY_value -v "${PWD}:/src" --entrypoint /bin/bash flyingduckio/duckdefender:latest -c "duckdefender code --all"
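As an added example (not part of the DuckDefender docs or the Flyingduck project), a small Bash wrapper around the invocation above: it checks that Docker and FD_API_KEY are available before starting, keeps the key in the environment rather than on the command line (the second form above writes the key value into shell history and process listings), and lets a CI job append flags such as --exit-on-error. The function names are my own; the image name and the `duckdefender code --all` command are taken from the docs.

```bash
#!/usr/bin/env bash
# Added wrapper for the documented DuckDefender scan (assumes docker and git on PATH).
set -euo pipefail

IMAGE="flyingduckio/duckdefender:latest"

# The key must come from the environment: passing it literally on the
# command line leaves it in shell history and in `ps` output.
require_api_key() {
  if [ -z "${FD_API_KEY:-}" ]; then
    echo "FD_API_KEY is not set; export it before running the scan" >&2
    return 1
  fi
  return 0
}

# Same check the hello-world step performs: is the daemon reachable?
require_docker() {
  command -v docker >/dev/null 2>&1 && docker info >/dev/null 2>&1
}

# Inner command run in the container; extra flags (e.g. --exit-on-error,
# -l debug) are appended after "code --all".
inner_cmd() {
  local extra="${*:-}"
  printf 'duckdefender code --all%s' "${extra:+ $extra}"
}

# Run the scan with the repository root mounted at /src, as the docs show.
# Usage: run_scan /path/to/repo --exit-on-error
run_scan() {
  local repo="${1:-$PWD}"
  shift || true
  require_api_key
  require_docker || { echo "Docker is not installed or not running" >&2; return 1; }
  [ -d "$repo/.git" ] || { echo "$repo is not the root of a git checkout" >&2; return 1; }
  docker run --pull=always -e FD_API_KEY="${FD_API_KEY}" -v "${repo}:/src" \
    --entrypoint /bin/bash "$IMAGE" -c "$(inner_cmd "$@")"
}
```

Source the file and call `run_scan "$PWD" --exit-on-error` from a CI step so the job fails when secrets are detected.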
Usage
To explore all available options, run:
duckdefender -h
You will see output similar to:
Usage:
duckdefender [flags]
duckdefender [command]
Available Commands:
code Performs secrets, library, and SAST scans in VM
help Help about any command
Flags:
-k, --apikey string Provide API key
-c, --connector string Enable connectors
-d, --daemon Run in daemon mode
--exit-on-error Stop on secrets detection
-h, --help Help for duckdefender
-l, --loglevel string Set logging level (debug, info, warn, error) (default "info")
--pre-commit string Perform secrets scan before committing in IDE
-u, --user string Specify username
-v, --validate Validate secrets found in the repository
Use "duckdefender [command] --help" for more details about a specific command.
Commands
| Command | Description |
|---|---|
| help | Display usage and command information. |
| code | Inspect the codebase for secrets and library dependencies, and perform static security analysis on a VM. |
Flags
| Flag | Description |
|---|---|
| -k, --apikey string | Set the FD_API_KEY for user authentication with Flyingduck. |
| -c, --connector string | Enable connector threads in daemon mode. |
| -d, --daemon | Run DuckDefender in daemon mode to execute queued tasks. |
| --exit-on-error | Strict mode: detects and prints any secrets found. |
| -h, --help | Display detailed usage information. |
| -l, --loglevel string | Set logging level: debug, info, warn, error (default: info). |
| --pre-commit string | Scan for secrets in IDE before committing code. |
| -u, --user string | Specify the username. |
| -v, --validate | Validate any secrets found in the repository. |