DuckDefender
DuckDefender is a FlyingDuck agent that performs all the related scans on the provider to get the required outcome for secrets, SAST and libraries. It can run Docker, SAST, library, secrets and related scans through its commands, each of which has its own functionality and accepts flags for different features.
USAGE
To explore all the options available in DuckDefender, run the "duckdefender -h" command.
It prints the options shown below:
Usage:
  duckdefender [flags]
  duckdefender [command]

Available Commands:
  code        Performs secrets, libraries and sast scans in VM
  help        Help about any command
  library     This scans a given repository for libraries
  sast        This will scan your application for any code findings
  secrets     Scans the repository for any secrets

Flags:
  -k, --apikey string       Provide API key
  -c, --connector string    Uses connectors
  -d, --daemon              This will make use of daemon
      --exit-on-error       Mask the contents
  -h, --help                help for duckdefender
  -l, --loglevel string     Set the logging level (debug, info, warn, error) (default "info")
      --pre-commit string   Performs secrets scan before commiting in IDE
  -u, --user string         Enter the username
  -v, --validate            This will validate the secrets found in the repository

Use "duckdefender [command] --help" for more information about a command.
Running the command "duckdefender [command] --help" provides comprehensive details about the available flags associated with the specified command. This helps you understand and utilize the various options and configurations available for that particular command.
Commands
sast : Scans your application statically for code findings.
library : Scans a given repository for libraries and provides detailed information about them.
secrets : Scans your repository for hardcoded secrets.
help : Shows the usage of the given command.
code : Inspects the codebase to identify hardcoded secrets, checks for dependencies on libraries, and conducts static analysis to detect potential security vulnerabilities in a virtual machine (VM).
Flags
Here is a brief description of each flag. There are a total of 9 flags that can be run along with the command.
- -k or --apikey string : Use this flag to set the FD_API_KEY for user authentication with FlyingDuck.
- -c or --connector string : This flag enables you to run connector threads in daemon mode.
- -d or --daemon : This utilizes daemon mode, running as a thread to check for and execute any queued actions or tasks.
- --exit-on-error : Use this flag when you want strictness regarding secrets; it finds and prints the detected secrets.
- -h or --help : This provides a detailed description of DuckDefender commands and flags.
- -l or --loglevel string : Configures the logging level to one of debug, info, warn, or error. The default level is "info".
- --pre-commit string : This flag performs a secrets scan within the IDE before allowing any commits, ensuring sensitive information is identified and managed before code is committed.
- -u or --user string : This is used to provide the username.
- -v or --validate : This validates the secrets found in the repository.
Export FD_API_KEY with the command below. The variable is available only while the current session is active.
export FD_API_KEY=value
Examples
Here are some CLI commands to run different scans.
Before you run the code scan agent, follow the instructions below to download the code to your local machine.
# Create a temporary directory
mkdir /opt/code
# Change to the directory
cd /opt/code
# Clone the source code
git clone https://github.com/example/repo.git
cd repo
To find inventory of packages
docker run --pull=always --restart=always -e FD_API_KEY="${FD_API_KEY}" -v "${PWD}:/src" --entrypoint /bin/sh \
  flyingduckio/duckdefender:latest -c "duckdefender library --scan"
To scan for secrets
docker run --pull=always --restart=always -e FD_API_KEY="${FD_API_KEY}" -v "${PWD}:/src" --entrypoint /bin/sh \
  flyingduckio/duckdefender:latest -c "duckdefender secrets --scan"
To perform SAST
docker run --pull=always --restart=always -e FD_API_KEY="${FD_API_KEY}" -v "${PWD}:/src" --entrypoint /bin/sh \
  flyingduckio/duckdefender:latest -c "duckdefender sast --scan"
To perform scan for libraries, secrets and SAST
docker run --pull=always --restart=always -e FD_API_KEY="${FD_API_KEY}" -v "${PWD}:/src" --entrypoint /bin/sh \
  flyingduckio/duckdefender:latest -c "duckdefender code --all"
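The four invocations above differ only in the scan argument, and each one expands the API key into the docker command line. The wrapper below is an added example, not FlyingDuck's own code: it keeps the same image and docker flags, checks its inputs, and passes FD_API_KEY to the container by name instead of by value. The helper names prompt_api_key and run_duck_scan and the DOCKER override are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example, not FlyingDuck's own code. prompt_api_key and
# run_duck_scan are hypothetical helper names.

IMAGE="flyingduckio/duckdefender:latest"

# Read the key without echoing it, so it stays out of shell history
# and off the screen. It lasts for the current shell session only.
prompt_api_key() {
    printf 'FD_API_KEY: ' >&2
    stty -echo; IFS= read -r FD_API_KEY; stty echo
    printf '\n' >&2
    export FD_API_KEY
}

# Run one of the scans documented above against a source directory.
# usage: run_duck_scan <library|secrets|sast|code> [source-dir]
run_duck_scan() {
    case "$1" in
        library|secrets|sast) scan_cmd="duckdefender $1 --scan" ;;
        code)                 scan_cmd="duckdefender code --all" ;;
        *) echo "unknown scan: $1" >&2; return 2 ;;
    esac
    if [ -z "${FD_API_KEY:-}" ]; then
        echo "FD_API_KEY is not set" >&2; return 3
    fi
    src=${2:-$PWD}
    if [ ! -d "$src" ]; then
        echo "not a directory: $src" >&2; return 4
    fi
    export FD_API_KEY
    # "-e FD_API_KEY" with no value tells docker to copy the variable from
    # this environment, so the key does not appear in docker's arguments
    # in the process list.
    # DOCKER can be overridden (for example DOCKER=echo) for a dry run.
    "${DOCKER:-docker}" run --pull=always --restart=always \
        -e FD_API_KEY -v "$src:/src" --entrypoint /bin/sh \
        "$IMAGE" -c "$scan_cmd"
}
```

Source the file, then run `prompt_api_key` followed by, for example, `run_duck_scan secrets /opt/code/repo`.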