DuckDefender


DuckDefender is a FlyingDuck agent that performs the scans on the provider needed to produce findings for secrets, SAST and libraries. DuckDefender can run Docker, SAST, library, secrets and related scans through the corresponding commands, each of which accepts flags for its different features. Each command has its own functionality.

USAGE

Let's say you want to explore all the options available in DuckDefender. Run the "duckdefender -h" command.
Upon entering the above command you will see the options shown below:


Usage:
  duckdefender [flags]
  duckdefender [command]
 
Available Commands:
  code        Performs secrets, libraries and sast scans in VM
  help        Help about any command
  library     This scans a given repository for libraries
  sast        This will scan your application for any code findings
  secrets     Scans the repository for any secrets
 
Flags:
  -k, --apikey string      Provide API key
  -c, --connector string   Uses connectors
  -d, --daemon             This will make use of daemon
      --exit-on-error      Mask the contents
  -h, --help               help for duckdefender
  -l, --loglevel string    Set the logging level (debug, info, warn, error) (default "info")
      --pre-commit string  Performs secrets scan before commiting in IDE
  -u, --user string        Enter the username
  -v, --validate           This will validate the secrets found in the repository
 
Use "duckdefender [command] --help" for more information about a command.

Running the command "duckdefender [command] --help" provides comprehensive details about the available flags associated with the specified command. This helps you understand and utilize the various options and configurations available for that particular command.

Commands

sast : With this command the agent performs static application security testing and reports any code findings.
library : This command scans a given repository for any libraries and provides detailed information about them.
secrets : Scans your repository for any hardcoded secrets.
help : Gives the usage of the mentioned command.
code : Inspects the codebase to identify hardcoded secrets, checks its library dependencies, and performs static analysis to detect potential security vulnerabilities, all inside a virtual machine (VM).

Flags

Now let's briefly discuss each of the flags. There are a total of 9 flags that can be run along with the commands.


  • -k or --apikey string : Use this flag to set the FD_API_KEY for user authentication with FlyingDuck.

  • -c or --connector string : This flag enables you to run connector threads in daemon mode.

  • -d or --daemon : This will utilize daemon mode, running as a thread to check for and execute any queued actions or tasks.

  • --exit-on-error : When the user wants strictness regarding secrets, this flag makes the scan find and print the detected secrets.

  • -h or --help : This will provide a detailed description of DuckDefender commands and flags.

  • -l or --loglevel string : Configure the logging level to one of debug, info, warn, or error. The default level is "info".

  • --pre-commit string : This flag performs a secrets scan within the IDE before allowing any commits, ensuring sensitive information is identified and managed before code is committed.

  • -u or --user string : Used to provide the username.

  • -v or --validate : This will validate the secrets found in the repository.

Export the FD_API_KEY using the command below (the variable only holds while the shell session is active):

export FD_API_KEY=value


Examples

Here are some CLI commands to run different scans.

Before you run the code scan agent, follow the instructions below to download the code to your local machine.


# Create a temporary directory
mkdir /opt/code
 
# Change to the directory
cd /opt/code
 
# Clone the source code
git clone https://github.com/example/repo.git
 
cd repo

# To find inventory of packages
docker run -e FD_API_KEY="${FD_API_KEY}" -v "${PWD}:/src" --entrypoint /bin/sh \
  flyingduckio/duckdefender:latest -c "duckdefender library --scan"

# To scan for secrets
docker run -e FD_API_KEY="${FD_API_KEY}" -v "${PWD}:/src" --entrypoint /bin/sh \
  flyingduckio/duckdefender:latest -c "duckdefender secrets --scan"

# To perform SAST
docker run -e FD_API_KEY="${FD_API_KEY}" -v "${PWD}:/src" --entrypoint /bin/sh \
  flyingduckio/duckdefender:latest -c "duckdefender sast --scan"

# To perform scan for libraries, secrets and SAST
docker run -e FD_API_KEY="${FD_API_KEY}" -v "${PWD}:/src" --entrypoint /bin/sh \
  flyingduckio/duckdefender:latest -c "duckdefender code --all"
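The flag list mentions scanning for secrets before a commit; the following git pre-commit hook wires the container-based secrets scan above into that step. It is an added example, not code from the DuckDefender project, and it assumes FD_API_KEY is exported in the developer's shell and that --exit-on-error (a global flag) is accepted after the subcommand and makes the scan exit non-zero when secrets are found.

```shell
#!/bin/sh
# Git pre-commit hook that blocks a commit when the DuckDefender secrets scan
# reports findings. Added example, not code from the DuckDefender project.
# Assumptions: FD_API_KEY is exported in the developer's shell; --exit-on-error
# (a global flag) is accepted after the subcommand and makes the scan exit
# non-zero when secrets are found.

IMAGE="flyingduckio/duckdefender:latest"

# Fail early with a clear message instead of letting the container fail on auth.
require_api_key() {
  if [ -z "${FD_API_KEY:-}" ]; then
    echo "pre-commit: FD_API_KEY is not set; export it before committing" >&2
    return 1
  fi
  return 0
}

# Run the secrets scan against one directory using the same container
# invocation as the examples above. Returns the container's exit status.
run_secrets_scan() {
  repo_dir="$1"
  docker run --rm -e FD_API_KEY="${FD_API_KEY}" -v "${repo_dir}:/src" \
    --entrypoint /bin/sh "$IMAGE" \
    -c "duckdefender secrets --scan --exit-on-error"
}

main() {
  require_api_key || exit 1
  repo_dir=$(git rev-parse --show-toplevel) || exit 1
  # Any non-zero status (findings, or docker itself failing) blocks the commit:
  # fail closed rather than let a secret through because the scan did not run.
  if ! run_secrets_scan "$repo_dir"; then
    echo "pre-commit: secrets scan reported findings or failed; commit blocked" >&2
    exit 1
  fi
}

# Only run when git invokes this file as a hook; sourcing it just defines functions.
case "$0" in
  */pre-commit) main "$@" ;;
esac
```

Copy it to .git/hooks/pre-commit and make it executable; note that it scans the whole working tree, not only the staged changes.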