opensca/opensca-cli

By opensca

•Updated 5 months ago

OpenSCA-cli Docker images: an open-source tool to detect and manage supply chain risks.

Image

3.1K

Overview Tags

opensca/opensca-cli repository overview

GitHub go.mod Go version (subdirectory of monorepo)

⁠Introduction

OpenSCA is intended for scanning third-party dependencies and vulnerabilities.

Our website: https://opensca.xmirror.cn⁠

Click STAR⁠ to encourage us.

⁠Detection Ability

OpenSCA is now capable of parsing configuration files in the listed programming languages and correspondent package managers. The team is now dedicated to introducing more languages and enriching the parsing of relevant configuration files gradually.

LANGUAGE	PACKAGE MANAGER	FILE
`Java`	`Maven`	`pom.xml`
`Java`	`Gradle`	`.gradle` `.gradle.kts`
`JavaScript`	`Npm`	`package-lock.json` `package.json` `yarn.lock`
`PHP`	`Composer`	`composer.json` `composer.lock`
`Ruby`	`gem`	`gemfile.lock`
`Golang`	`gomod`	`go.mod` `go.sum`
`Rust`	`cargo`	`Cargo.lock`
`Erlang`	`Rebar`	`rebar.lock`
`Python`	`Pip`	`Pipfile` `Pipfile.lock` `setup.py` `requirements.txt` `requirements.in`(For the latter two, pipenv environment & internet connection are needed)

⁠Samples

⁠Detecting dependencies in the current directory:

docker run -ti --rm -v ${PWD}:/src opensca/opensca-cli

⁠Connect to the cloud vulnerability database:

docker run -ti --rm -v ${PWD}:/src opensca/opensca-cli -token xxxx

⁠Use the local vulnerability database:

docker run -ti --rm -v ${PWD}:/src -v /localDB:/data opensca/opensca-cli -db /data/db.json

⁠Detect dependencies and generate SBOM:

docker run -ti --rm -v ${PWD}:/src opensca/opensca-cli -out /src/output.spdx

⁠Use a configuration file for advanced settings, such as configuring a Maven private repository:

{
  "path": "/src",
  "db": "",
  "url": "https://opensca.xmirror.cn",
  "token": "Put-Your-Token-Here",
  "out": "/src/report.html",
  "vuln": false,
  "progress": true,
  "dedup": true,
  "maven": [
    {
      "repo": "https://maven.aliyun.com/repository/public",
      "user": "",
      "password": ""
    }
  ]
}

After setting, save config.json to project folder and execute the command. Eg:

docker run -ti --rm -v $(PWD):/src opensca/opensca-cli

For the full documentation, please visit OpenSCA Documentaion⁠

⁠FAQ

⁠Is the environment variable needed while using OpenSCA?

No. OpenSCA can be directly executed by the command in CLI/CRT after decompression.

⁠About the vulnerability database?

OpenSCA allows configuring the local vulnerability database. It has to be sorted according to the Format of the Vulnerability Database File.

Meanwhile, OpenSCA also offers a cloud vulnerability database covering official databases including CVE/CWE/NVD/CNVD/CNNVD.

For more other FAQs, please check FAQs⁠.

⁠Contact Us

ISSUEs are warmly welcome.

Add WeChat for further consults is also an option:

二维码

Our QQ Group: 832039395

Mailbox: [email protected]⁠

⁠Authors

Tao Zhang
Chi Zhang
Zhong Chen
Enzhi Liu
Ge Ning

⁠Contributing

OpenSCA is an open source project, we appreciate your contribution!

To contribute, please read our Contributing Guideline⁠.

Tag summary

Recent tags

Content type

Image

Digest

sha256:44002ab41…

Size

368.5 MB

Last updated

5 months ago

docker pull opensca/opensca-cli:python3.11