Open source code audit system Swallow internal beta released

1. Background

The main goal this month is to test and optimize Dragonfly's orchestration system. I developed Dolphin's ASM system based on Dragonfly. In the past two weeks, I mainly developed the code audit system Swallow.

Swallow is an open source code audit tool. Its bottom layer integrates a variety of static code analysis tools, such as murphysec SCA, Fortify, Semgrep and Hema (webshell detection), and connects them through Dragonfly's security orchestration system. The upper-layer UI is built with Bootstrap 5 and ThinkPHP 6.

2. Tool introduction

Advantages

Swallow integrates multiple static code analysis tools, so it can discover potential vulnerabilities and security issues in code more comprehensively. For example, murphysec SCA can help developers find common security vulnerabilities such as SQL injection and cross-site scripting; Fortify can find more advanced vulnerabilities such as buffer overflows and code injection; and Hema can help discover webshells and malicious code in web applications.

The tools are connected through Dragonfly's security orchestration system, which makes them easier to integrate and use. Dragonfly's orchestration system can combine multiple static code analysis tools and configure and manage them according to user needs. This lets Swallow scan large volumes of code and provide effective warnings and recommendations when vulnerabilities are found.

The upper-layer UI uses Bootstrap 5 and ThinkPHP 6, which gives it better usability. Bootstrap is a popular front-end framework that helps developers quickly create clean, responsive web interfaces, and ThinkPHP is a popular PHP framework that helps developers quickly build web applications. Swallow's UI combines the two to make the tool easier to use and provide a better user experience.

From a security engineer's perspective, Swallow has the following advantages. First, it helps security engineers discover potential vulnerabilities and security issues in code, so they can assess code security more comprehensively and provide more effective recommendations and measures.

Custom configuration

Swallow supports custom configuration: static code analysis tools can be configured and managed according to user needs, so security engineers can select the appropriate tools for their actual situation and integrate them together.
It also supports custom rules, which lets security engineers encode their own experience and knowledge as rules and apply them during static code analysis.

Scalability

Swallow can be integrated with other tools and systems. For example, it can be integrated with continuous integration tools such as Jenkins to automate code auditing and vulnerability detection. In addition, it supports code auditing in multiple programming languages, such as Java, PHP, and Python.

Open source

Swallow is an open source tool that can help you better understand the process and technology of code auditing. Open source means Swallow's code can be viewed and modified publicly, so security engineers can customize and extend it according to their needs and actual situation. At the same time, it can attract more developers and security researchers to participate, so that its functions and performance keep improving.

3. Installation

GitHub address: https://github.com/StarCrossPortal/swallow

  1. One-click deployment: run docker-compose up -d in a console
  2. Open the address in a browser: http://xx.xx.xx.xx:1890/

Instructions

  1. Fill in the Dragonfly configuration in the settings; the Dragonfly workflow template is: http://qingting.starcross.cn/scenario/detail?id=2084
  2. Add the primary domain in the settings
  3. Run the workflow in Dragonfly by clicking it, or set the workflow to run periodically
  4. View the data in Swallow

4. Summary

In short, Swallow can help you discover potential vulnerabilities and security issues in your code.
It integrates a variety of static code analysis tools and connects them through Dragonfly's security orchestration system, making code scanning more comprehensive and efficient.

I used Bootstrap 5 and ThinkPHP 6, which give it better usability and ease of use. Most importantly, Swallow is an open source tool that can help everyone better understand the process and technology of code auditing, attract more developers and security researchers to participate, and keep improving its functions and performance.

Note: The commercial version of Fortify is not included in Swallow by default. If you already have Fortify, fill in the Fortify path in the configuration.



Source: blog.csdn.net/u013431141/article/details/129753618