Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 

SourceGuard - Source Code Security and Risk Analysis

ilavender
Employee Alumnus
Employee Alumnus
10 6 84.4K

As developers we are all in charge of the security of our code. here at Check Point we have some strict policies requiring developers to go through review processes to make sure their code is secure from dependencies and other vulnerabilities.
With the transition to SaaS based development and continuous delivery, the need to run this review process quickly and automatically while making sure our code is secure and safe for use, brought us to develop an in-house tool designed to help our developers with source code security automation.

With the common use of 3rd party generated code, which may originate from different sources such as libraries, SDKs and other dependencies, an automatic vulnerability detection and remediation is required, which runs during and after the CI/CD pipeline in order to prevent threats that were discovered after deployment, as well as use new detection capabilities in retrospect.

post-image.png

The many incidents we have encountered of customers accidentally exposing keys, passwords and other secrets in their code, and eventually falling victim to instances abuse in their public cloud accounts by cryptominers, as well as being vulnerable due to use of vulnerable resources, is what encouraged us to open SourceGuard poc to a wider developer/DevSecOps community and external users to experiment with.
now available at: Check Point Infinity Portal 
we welcome feedback and participation. big traction and significant usage, will help turn this from poc into formal solution.

Built By Developers – For Developers

SourceGuard is designed to leverage Check Point's different prevention technologies and services, providing source-code security and visibility into the risk analysis of projects. With a simple, cross-platform CLI tool (Docker: sourceguard/sourceguard-cli:latest), users can customize exclusions and control ignore list (such as testdata and others) with easy integration to any pipeline.

Getting started:

  • Register, activate and login at:Check Point Infinity Portal 
  • From the available services menu, choose “SourceGuard” and hit “Try Now”.
  • Download and install SourceGuard CLI according to your OS.
  • Generate token, copy and save it.
  • Scan a project by running: sourceguard-cli --src <project path> 

 

6 Comments
Eyal_Balla
Employee Alumnus
Employee Alumnus

@IMAR is there a way to disable specific checks for specific files?

 

ilavender
Employee Alumnus
Employee Alumnus

Yes @Eyal_Balla there are two alternatives to exclude files like test data and such:

  • You could use a "-x" flag to your CLi command with the file/path to exclude
  • You could commit a file ".sgignore" to you repository and list your exclusions there

In both, the format is same as ".gitignore", for example: -x "testdata/**" -x "docs/**" -x "*_test.go"

Maciej_Maczka
Contributor
Hi, could you please provide more information about sourceguard? Where code is being analysed? On my computer or infinity servers? What checks are built in? What programming languages are supported? Best Regards Maciej
PhoneBoy
Admin
Admin

There's a little more about it in the CPX presentation, but I don't think it answers every question you have.

PhoneBoy
Admin
Admin

Actually, you can see how it works in the Infinity Portal (at least our internal version).
It requires a CLI command to be installed, which is available for Linux, Windows, and Mac.
This CLI command is executed against a build tree, with results visualized on the Infinity Portal.
You get an access key for SourceGuard from the Infinity portal.

Checks include, but may not be limited to:

  • Vulnerable dependencies

  • Leakage of sensitive data (keys, password, etc.)

  • Malicious resources (binaries, URLs, IPs)

AneesahConrad
Explorer

Hi,

maybe someone can clarify about the daily quota and which relevant information is attached it change it to use it in a best practice operative manner?

ERROR  [15-04-2021 11:12:58.720] failed sending StartScan: got HTTP error 429 {"message":"tenant exceeded the daily allowed source code scan quota of 10000 files and 100 MB","code":429} 

Thanks

Labels