SourceGuard - Source Code Security and Risk Analysis

Employee

As developers we are all in charge of the security of our code. Here at Check Point we have some strict policies requiring developers to go through review processes to make sure their code is secure from dependency and other vulnerabilities.
With the transition to SaaS-based development and continuous delivery, the need to run this review process quickly and automatically, while making sure our code is secure and safe for use, brought us to develop an in-house tool designed to help our developers with source code security automation.

With the common use of third-party generated code, which may originate from different sources such as libraries, SDKs and other dependencies, automatic vulnerability detection and remediation are required, running during and after the CI/CD pipeline in order to prevent threats that are discovered after deployment, as well as to apply new detection capabilities in retrospect.


The many incidents we have encountered of customers accidentally exposing keys, passwords and other secrets in their code, and eventually falling victim to instance abuse in their public cloud accounts by cryptominers, as well as being vulnerable due to the use of vulnerable resources, are what encouraged us to open the SourceGuard PoC to a wider developer/DevSecOps community and external users to experiment with.
Now available at: Check Point Infinity Portal
We welcome feedback and participation. Big traction and significant usage will help turn this from a PoC into a formal solution.

Built By Developers – For Developers

SourceGuard is designed to leverage Check Point's different prevention technologies and services, providing source-code security and visibility into the risk analysis of projects. With a simple, cross-platform CLI tool (Docker: sourceguard/sourceguard-cli:latest), users can customize exclusions and control the ignore list (such as testdata and others) with easy integration into any pipeline.

Getting started:

  • Register, activate and log in at: Check Point Infinity Portal
  • From the available services menu, choose “SourceGuard” and hit “Try Now”.
  • Download and install the SourceGuard CLI according to your OS.
  • Generate a token, then copy and save it.
  • Scan a project by running: sourceguard-cli --src <project path>

5 Comments
Employee+

@IMAR is there a way to disable specific checks for specific files?

Employee

Yes @Eyal_Balla there are two alternatives to exclude files like test data and such:

  • You could use the "-x" flag on your CLI command with the file/path to exclude
  • You could commit a file ".sgignore" to your repository and list your exclusions there

In both, the format is the same as ".gitignore", for example: -x "testdata/**" -x "docs/**" -x "*_test.go"
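As an added illustration (not SourceGuard's code and not from the thread), the toy matcher below evaluates gitignore-style patterns the way a `.sgignore` file or `-x` flags are written, so you can check which files an exclusion set actually removes from a scan before trusting it. It assumes standard gitignore semantics for `*`, `**` and `!`, and simplifies trailing-slash handling.

```python
"""Toy evaluator for gitignore-style exclusions, the format SourceGuard's
-x flag and .sgignore use. Constructed illustration, not SourceGuard's own
matcher; it simplifies gitignore (a trailing '/' is not directory-only)."""
import re

def pattern_to_regex(pattern: str) -> re.Pattern:
    """One gitignore pattern -> regex over a slash-separated relative path."""
    anchored = "/" in pattern.rstrip("/")  # an inner slash pins it to the root
    pat, out, i = pattern.strip("/"), [], 0
    while i < len(pat):
        if pat.startswith("**/", i):       # zero or more leading directories
            out.append("(?:.*/)?"); i += 3
        elif pat.startswith("**", i):      # anything, slashes included
            out.append(".*"); i += 2
        elif pat[i] == "*":                # anything within one path segment
            out.append("[^/]*"); i += 1
        elif pat[i] == "?":                # one character within a segment
            out.append("[^/]"); i += 1
        else:
            out.append(re.escape(pat[i])); i += 1
    prefix = "^" if anchored else "^(?:.*/)?"
    # a matched directory also excludes everything beneath it
    return re.compile(prefix + "".join(out) + r"(?:/.*)?$")

def parse_sgignore(text: str) -> list[str]:
    """Keep non-empty, non-comment lines in file order."""
    lines = (ln.strip() for ln in text.splitlines())
    return [ln for ln in lines if ln and not ln.startswith("#")]

def is_excluded(path: str, patterns: list[str]) -> bool:
    """Last matching pattern wins; a leading '!' re-includes the path."""
    excluded = False
    for pat in patterns:
        if pattern_to_regex(pat.lstrip("!")).match(path):
            excluded = not pat.startswith("!")
    return excluded

def scan_targets(paths: list[str], patterns: list[str]) -> list[str]:
    """Paths the scanner would still examine after the exclusions apply."""
    return [p for p in paths if not is_excluded(p, patterns)]

# Constructed repository listing plus the exclusions quoted in the thread.
FILES = ["main.go", "pkg/auth/auth.go", "pkg/auth/auth_test.go",
         "testdata/creds.json", "docs/api.md", "docs/internal/keys.txt",
         "build/app.log"]
CLI_EXCLUDES = ["testdata/**", "docs/**", "*_test.go"]
SGIGNORE_TEXT = "# constructed .sgignore\nbuild/\n*.log\n"
```

Calling `scan_targets(FILES, parse_sgignore(SGIGNORE_TEXT) + CLI_EXCLUDES)` leaves only `main.go` and `pkg/auth/auth.go`, which shows that the unanchored `*_test.go` pattern reaches into subdirectories while `testdata/**` only covers the top-level directory of that name.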

Nickel
Hi, could you please provide more information about SourceGuard? Where is the code analysed: on my computer or on Infinity servers? What checks are built in? What programming languages are supported? Best regards, Maciej
Admin

There's a little more about it in the CPX presentation, but I don't think it answers every question you have.

Admin

Actually, you can see how it works in the Infinity Portal (at least our internal version).
It requires a CLI command to be installed, which is available for Linux, Windows, and Mac.
This CLI command is executed against a build tree, with results visualized on the Infinity Portal.
You get an access key for SourceGuard from the Infinity portal.

Checks include, but may not be limited to:

  • Vulnerable dependencies
  • Leakage of sensitive data (keys, passwords, etc.)
  • Malicious resources (binaries, URLs, IPs)