Static Application Security Testing (SAST) and Software Composition Analysis (SCA)
Static Application Security Testing (SAST) and Software Composition Analysis (SCA) are two popular software security testing techniques used by developers and security teams to identify vulnerabilities and risks in software applications.
SAST involves analyzing source code or binary files to identify security vulnerabilities and coding errors that could lead to security issues. It provides an automated way to identify potential security vulnerabilities in an application's source code before it is deployed. SAST tools can detect issues such as SQL injection, cross-site scripting, and buffer overflows.
SCA, on the other hand, involves analyzing third-party and open-source components used in an application to identify vulnerabilities and risks. It provides an automated way to identify known vulnerabilities and license compliance issues in third-party components, libraries, and frameworks used in an application.
Both SAST (including secrets scanning) and SCA have their own sets of tools and techniques. For instance, SAST tools include Fortify, SonarQube, and Checkmarx, among others, while SCA tools include Black Duck, WhiteSource, and Sonatype, among others.
How to use on Prancer
Step 1 - Create the scan through the PAC Wizard
Once the PAC file has been created, add this information to your PAC .yaml file as follows:
```yaml
AppCodeAnalysis:
  SASTScan: true
  SecretsScan: true
  SCAScan: true
  Remote: true
  Rule: python
  IncrementalScan: true
  GitConnector: git_sca_VulnerableApp
```
Type of Scan | Explanation |
---|---|
SASTScan | Results from Static Application Security Testing (post code analysis). |
SecretsScan | Results from Secrets scanner. |
SCAScan | Results from Software Composition Analysis (library dependency checks). |
IncrementalScan | An incremental scan selectively tests newly developed or recently modified code for vulnerabilities. It identifies which parts of the application have been changed or added by comparing the current state of the codebase to its state at the time of the previous scan. |
The following table outlines the type-of-scan settings in the Prancer PAC feature. The value of each type of scan can be set to `true` or `false`. If set to `true`, the corresponding scan is enabled; if set to `false`, the scan is disabled. Whatever type of scan best fits your criteria for your code analysis, you can set these values in your PAC config file.
Type of Scan | Setting |
---|---|
SASTScan | true or false |
SecretsScan | true or false |
SCAScan | true or false |
IncrementalScan | true or false |
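The IncrementalScan row above says the scanner decides what to test by comparing the current codebase to its state at the previous scan. The following Python example, added here and not part of Prancer's own code or this page, shows one way to do that scoping: hash every file into a manifest, diff it against the manifest saved by the last run, and hand only new or modified files to the scanner (deleted files are reported so their old findings can be closed). The manifest file name, the skipped directories and the sample source tree are assumptions.

```python
"""Scope an incremental scan to the files that changed since the previous run.

Added example for this page; it is not Prancer's implementation. It keeps a
JSON manifest of file hashes from the last scan and diffs the tree against it.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path
from typing import Dict, List

SKIP_DIRS = {".git", "node_modules", "__pycache__"}   # assumption: common noise directories


def build_manifest(root: str) -> Dict[str, str]:
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    root_path = Path(root)
    manifest: Dict[str, str] = {}
    for dirpath, dirnames, filenames in os.walk(root_path):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]   # prune in place
        for name in filenames:
            full = Path(dirpath) / name
            digest = hashlib.sha256(full.read_bytes()).hexdigest()
            manifest[full.relative_to(root_path).as_posix()] = digest
    return manifest


def changed_files(previous: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare two manifests and return added, modified and deleted paths."""
    added = sorted(p for p in current if p not in previous)
    modified = sorted(p for p in current if p in previous and current[p] != previous[p])
    deleted = sorted(p for p in previous if p not in current)
    return {"added": added, "modified": modified, "deleted": deleted}


def scan_scope(root: str, manifest_file: str) -> Dict[str, List[str]]:
    """Return the files an incremental scan should cover and persist the new manifest.

    With no saved manifest (first run) every file counts as added, so the first
    scan is a full scan. Deleted files are returned so their old findings can be closed.
    """
    current = build_manifest(root)
    path = Path(manifest_file)
    previous = json.loads(path.read_text()) if path.exists() else {}
    delta = changed_files(previous, current)
    path.write_text(json.dumps(current, indent=2, sort_keys=True))
    delta["to_scan"] = delta["added"] + delta["modified"]
    return delta


def demo() -> Dict[str, Dict[str, List[str]]]:
    """Constructed sample: two scans of a small tree with one edit and one new file in between."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "src"
        (src / "app").mkdir(parents=True)
        (src / ".git").mkdir()                                   # pruned by SKIP_DIRS
        (src / ".git" / "HEAD").write_text("ref: refs/heads/main\n")
        (src / "app" / "routes.py").write_text("def index():\n    return 'ok'\n")
        (src / "app" / "models.py").write_text("class User:\n    pass\n")
        manifest = str(Path(tmp) / "manifest.json")
        first = scan_scope(str(src), manifest)        # no manifest yet: full scan
        (src / "app" / "routes.py").write_text("def index():\n    return 'changed'\n")
        (src / "app" / "new_module.py").write_text("print('new')\n")
        second = scan_scope(str(src), manifest)       # only the delta
    return {"first": first, "second": second}


if __name__ == "__main__":
    for label, delta in demo().items():
        print(f"{label}: scan {delta['to_scan']}, deleted {delta['deleted']}")
```

Content hashes rather than modification times are used on purpose: a checkout or a `git pull` rewrites timestamps on untouched files, which would otherwise inflate the incremental scope back to a full scan.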
Git connector
Step 1 - Follow the steps for creating a Git connector
- In the "gitProvider" section, put the link to the branch of your repository.
This is an example of how your Git connector should look when doing SAST & SCA:
```json
{
  "branchName": "master",
  "companyName": "prancer",
  "fileType": "structure",
  "gitProvider": "https://github.com/SasanLabs/VulnerableApp.git",
  "httpsAccessToken": "Token",
  "private": true,
  "type": "filesystem"
}
```
Step 2 - Start the pentest once all is completed.
This is an example .yaml file for SAST & SCA:
```yaml
Collection: azure_pac
AppCodeAnalysis:
  SASTScan: true
  SecretsScan: true
  SCAScan: true
  Remote: true
  Rule: python
  IncrementalScan: true
  GitConnector: git_sca_inspector
ConnectionName: azure_pac_connector
CloudType: azure
ApplicationName: azure sca py inspector
RiskLevel: standard
RiskProfit: Medium
Compliance:
  - CIS
  - CSA-CCM
ApplicationType: WebScan
Schedule: onetime
Target: https://ctflearn.com
Tags:
  Cloud: azure
WebScan:
  AjaxSpider: false
Scanner:
  Cloud:
    Platform:
      Azure:
        ContainerInstance:
          AfterRun: delete
          NewContainerInstance:
            External:
              SubscriptionId: a6941677-4c37-42fb-960c-dad8f25060a3
              ResourceGp: shahin-test
              Region: westus
              ContainerGroupName: prancer-scanner-group
              ContainerName: prancer-pentest-instance
              ResourceName: prancer-instances-inspector
AuthenticationMethod: noAuthentication
# All the add-on IDs are listed at https://www.zaproxy.org/addons.
AddOns:
  # - accessControl
  # - ascanrulesAlpha
```
Prancer Code Analysis CLI Usage Guide
Follow these steps to use the Prancer Code Analysis Command Line Interface (CLI):
Step 1 - Fetch the latest Docker image of `prancer/prancer-pca`.
To obtain the most up-to-date Docker image of `prancer/prancer-pca`, run this command:
```shell
docker pull prancer/prancer-pca:latest
```
Step 2 - Create a `docker.env` file and set the following environment variables:
Environment Variable | Description |
---|---|
CUSTOMER | Customer name, in the format "prancer-" followed by your company name (see the `docker.env` examples below). |
ACCESSTOKEN | Access token generated from the Prancer portal. |
ENVIRONMENT | Deployment environment. Valid values are: dev, qa, prod. Default is prod. |
CONFIGID | PAC configuration ID as in the Inventory Management. |
DIRPATH | Full path where the source code exists. |
RULE | The path to the rules to be used for analysis. Check the list of valid values for RULE below. |
GITURL | Git repository URL to clone the source code. |
BRANCHNAME | Branch name on the git repository. |
GITSECRET | Secret value to clone the git repository. |
SAST | Perform SAST scan, default is true. |
SECRETS | Perform Secrets scan, default is true. |
SCA | Perform SCA scan, default is true. |
- Either `DIRPATH` or (`GITURL`, `BRANCHNAME`, and `GITSECRET`) is required.
- Valid rules: `apex`, `bash`, `c`, `clojure`, `contrib`, `csharp`, `dockerfile`, `elixir`, `fingerprints`, `generic`, `go`, `html`, `java`, `javascript`, `json`, `kotlin`, `ocaml`, `php`, `problem-based-packs`, `python`, `ruby`, `rust`, `scala`, `solidity`, `swift`, `terraform`, `typescript`, `yaml`.
Step 3 - Initiate Appcode Analysis
2.1 Run Appcode Analysis against local source code
- Run Appcode Analysis against local source code in a directory.
- Set the `DIRPATH` path in the `docker.env` file and launch the Docker image with this command, ensuring you mount your local repository directory into the Docker container:
`docker.env`:
```shell
CUSTOMER=prancer-comapanyname
ACCESSTOKEN=5cd5a27e4f1c4f7f9a3587dr5a70eac0
ENVIRONMENT=prod
CONFIGID=652d44a8ef58f22d23b6cee3
RULE=python
SAST=true
SECRETS=true
SCA=true
DIRPATH=/path/to/repo
```
- Run in daemon mode:
```shell
docker run -d --rm --name prancer-pca -v /path/to/repo:/path/to/repo --env-file docker.env prancer/prancer-pca:latest
```
- Check the logs:
```shell
docker logs -f prancer-pca
```
- Run in foreground mode:
```shell
docker run --rm --name prancer-pca -v /path/to/repo:/path/to/repo --env-file docker.env prancer/prancer-pca:latest
```
2.2 Run Appcode Analysis against an internal git repository
- Run Appcode Analysis on an internal git repository by cloning it using the `GITURL`, `BRANCHNAME` and `GITSECRET` provided as environment variables.
- Set the `GITURL`, `BRANCHNAME`, and `GITSECRET` parameters in the `docker.env` file and launch the Docker image with this command:
`docker.env`:
```shell
CUSTOMER=prancer-comapanyname
ACCESSTOKEN=5cd5a27e4f1c4f7f9a3587dr5a70eac0
ENVIRONMENT=prod
CONFIGID=652d44a8ef58f22d23b6cee3
RULE=python
GITURL=http://192.168.2.1:9000/organization/repository-name.git
BRANCHNAME=main
GITSECRET=ghp_RpMyae0********************
SAST=true
SCA=true
SECRETS=true
```
- Run in daemon mode:
```shell
docker run -d --rm --name prancer-pca --env-file docker.env prancer/prancer-pca:latest
```
- Check the logs:
```shell
docker logs -f prancer-pca
```
- Run in foreground mode:
```shell
docker run --rm --name prancer-pca --env-file docker.env prancer/prancer-pca:latest
```
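To catch a misconfigured `docker.env` before the container starts, here is an added Python pre-flight check (example code written for this guide, not part of prancer-pca). It applies the rules from the environment-variable table and the notes under it: the "prancer-" prefix on CUSTOMER, the dev/qa/prod values for ENVIRONMENT, the valid RULE names, the true/false defaults for SAST, SECRETS and SCA, and the requirement for either DIRPATH or the three git settings. It then builds the matching `docker run` argument list from Step 3, adding the bind mount only for a local-directory scan. Treating CUSTOMER, ACCESSTOKEN, CONFIGID and RULE as mandatory is an assumption (the table does not say so), and the sample `docker.env` text is constructed with placeholder values.

```python
"""Pre-flight validation of a prancer-pca docker.env file.

Added example for this guide; it is not part of prancer-pca. The rules come from
the environment-variable table; the mandatory-key set is an assumption.
"""
from typing import Dict, List

# Rule names from the "Valid rules" list in this guide.
VALID_RULES = {
    "apex", "bash", "c", "clojure", "contrib", "csharp", "dockerfile", "elixir",
    "fingerprints", "generic", "go", "html", "java", "javascript", "json", "kotlin",
    "ocaml", "php", "problem-based-packs", "python", "ruby", "rust", "scala",
    "solidity", "swift", "terraform", "typescript", "yaml",
}
VALID_ENVIRONMENTS = {"dev", "qa", "prod"}
SCAN_TOGGLES = ("SAST", "SECRETS", "SCA")          # each defaults to true
GIT_KEYS = ("GITURL", "BRANCHNAME", "GITSECRET")
REQUIRED_KEYS = ("CUSTOMER", "ACCESSTOKEN", "CONFIGID", "RULE")  # assumption
SECRET_KEYS = ("ACCESSTOKEN", "GITSECRET")          # never echo these in logs

# Constructed sample for a local-directory scan (values are placeholders).
SAMPLE_LOCAL_ENV = """\
CUSTOMER=prancer-examplecorp
ACCESSTOKEN=REPLACE_WITH_PORTAL_TOKEN
ENVIRONMENT=prod
CONFIGID=REPLACE_WITH_CONFIG_ID
RULE=python
SAST=true
SECRETS=true
SCA=true
DIRPATH=/path/to/repo
"""


def parse_env_file(text: str) -> Dict[str, str]:
    """Parse KEY=VALUE lines; blank lines and # comments are ignored."""
    env: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"malformed line (expected KEY=VALUE): {line!r}")
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip()
    return env


def validate_env(env: Dict[str, str]) -> List[str]:
    """Return a list of problems; an empty list means the file passes every rule."""
    problems: List[str] = []
    for key in REQUIRED_KEYS:
        if not env.get(key):
            problems.append(f"{key} is required")
    customer = env.get("CUSTOMER", "")
    if customer and not customer.startswith("prancer-"):
        problems.append('CUSTOMER must start with "prancer-"')
    environment = env.get("ENVIRONMENT", "prod")   # default per the table
    if environment not in VALID_ENVIRONMENTS:
        problems.append(f"ENVIRONMENT {environment!r} is not one of dev, qa, prod")
    rule = env.get("RULE", "")
    if rule and rule not in VALID_RULES:
        problems.append(f"RULE {rule!r} is not a valid rule name")
    for key in SCAN_TOGGLES:
        if env.get(key, "true").lower() not in ("true", "false"):
            problems.append(f"{key} must be true or false")
    has_dir = bool(env.get("DIRPATH"))
    has_git = all(env.get(k) for k in GIT_KEYS)
    if not (has_dir or has_git):
        problems.append("set DIRPATH, or all of GITURL, BRANCHNAME and GITSECRET")
    return problems


def docker_run_args(env: Dict[str, str], env_file: str = "docker.env",
                    daemon: bool = True) -> List[str]:
    """Build the docker run argv from Step 3; the bind mount is added only for DIRPATH scans."""
    args = ["docker", "run"]
    if daemon:
        args.append("-d")
    args += ["--rm", "--name", "prancer-pca"]
    dirpath = env.get("DIRPATH")
    if dirpath:
        # Same path inside and outside the container, exactly as in the guide's command.
        args += ["-v", f"{dirpath}:{dirpath}"]
    args += ["--env-file", env_file, "prancer/prancer-pca:latest"]
    return args


def redacted(env: Dict[str, str]) -> Dict[str, str]:
    """Copy of the settings that is safe to print or log."""
    return {k: ("***" if k in SECRET_KEYS else v) for k, v in env.items()}


if __name__ == "__main__":
    settings = parse_env_file(SAMPLE_LOCAL_ENV)
    issues = validate_env(settings)
    print("settings:", redacted(settings))
    if issues:
        raise SystemExit("docker.env problems:\n  " + "\n  ".join(issues))
    print(" ".join(docker_run_args(settings)))
```

The `redacted` helper exists because `docker.env` carries the portal access token and the git secret; anything that prints the parsed settings (CI logs, a failing pre-flight) should go through it rather than dumping the raw dictionary.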