INTERCEPT / Policy as Code Static Analysis Auditing / SAST
intercept is a devsecops cli tool designed to provide Static Application Security Testing (SAST) capabilities to software development teams. The tool aims to help developers identify and address security vulnerabilities in their code early in the software development life cycle, reducing the risk of security breaches and ensuring compliance with industry regulations. intercept leverages a range of security scanning techniques to analyze code, including pattern matching, code analysis, and vulnerability scanning. It is designed to be easy to integrate, with a simple sub-second command-line interface and customizable configuration options. With intercept, developers can integrate security testing into their development workflows and make security a critical yet seamless part of their software development process.
Policy as code is an approach to defining and enforcing policies within an organization using code. Instead of writing policies in documents or spreadsheets, policy as code involves writing policies as code using a programming language. This code is then integrated into the organization's infrastructure, software, or workflow to enforce the policies automatically.
Main benefits:
Policy as code can be used to enforce a wide range of policies, including security policies, compliance policies, and operational policies. It is often used in conjunction with infrastructure as code and other DevOps practices to provide a more automated and streamlined approach to managing IT operations.
intercept offers an extensive library of policies consisting of over a thousand regular expressions that can be used to detect sensitive data leakage and enforce security best practices in software development. This vast collection of pre-defined policies makes it easy for developers to get started with secret scanning and quickly identify potential issues in their code. The policies cover a range of security concerns, such as hard-coded passwords, API keys, and other secrets, and are continuously updated to keep up with the latest security threats and best practices. With the ability to customize policies or add new ones, developers can ensure that their applications are protected against known and emerging threats, reducing the risk of sensitive data leakage and improving the overall security posture of their organization.
core-intercept-rg-x86_64-darwin.zip
core-intercept-rg-x86_64-linux.zip
core-intercept-rg-x86_64-windows.zip
intercept system --update
start with the minimal.yaml
intercept config -r
intercept config -a examples/minimal.yaml
intercept audit -t examples/target
stdout human readable report
individual json rule output with matches
all findings compiled into intercept.output.json
fully compliant SARIF output into intercept.sarif.json
intercept audit -t examples/target -e "development" -i "AWS"
These are 2 types of policies available :
Easy to read and compose the rules file have this minimal required structure:
Banner: |
| Minimum 1 SCAN and 1 COLLECT RULE
Rules:
- name: Private key committed in code
id: 100
description: Private key committed to code version control
error: This violation immediately blocks your code deployment
tags: KEY
type: scan
fatal: true
enforcement: true
environment: all
confidence: high
patterns:
- \s*(-----BEGIN PRIVATE KEY-----)
- \s*(-----BEGIN RSA PRIVATE KEY-----)
- \s*(-----BEGIN DSA PRIVATE KEY-----)
- \s*(-----BEGIN EC PRIVATE KEY-----)
- \s*(-----BEGIN OPENSSH PRIVATE KEY-----)
- \s*(-----BEGIN PGP PRIVATE KEY BLOCK-----)
- name: Collect sparse TF resources outside of modules.
id: 900
description: The following resources were detected outside of compliant module usage
type: collect
tags: AWS,AZURE
patterns:
- (resource)\s*"(.*)"
ExitCritical: "Critical irregularities found in your code"
ExitWarning: "Irregularities found in your code"
ExitClean: "Clean report"
all flags under the same instruction can be combined
intercept config -a examples/minimal.yaml -k e4ab151755bddfba106010477adc1fd0
intercept config -a https://xxx.com/artifact/policy.yaml -k e4ab151755bddfba106010477adc1fd0
intercept audit -t examples/target -e "development"
intercept audit -t examples/target -i "AWS,OWASP"
intercept audit -t examples/target -s true
intercept audit -t examples/target -b false
intercept audit -t examples/target -x
use .ignore file
Enforcement levels are a first class concept in allowing pass/fail behavior to be associated separately from the policy logic. This enables any policy to be a warning, allow exceptions, or be absolutely mandatory. These levels can be coupled to environments, different uses of the same policy can have different enforcement levels per environment.
You can set three enforcement levels:
- fatal: false
- enforcement: false
- environment : (all | optional)
- confidence : low | high
- fatal: true
- enforcement: false
- environment : (all | optional)
- confidence : low | high
- fatal: true
- enforcement: true
- environment : (all | optional)
- confidence : high
Build & mess around with it :
make
(gitpod latest images still dont fancy the go1.20 , it's ok to compile intercept using 1.19 by editing the go.mod so you can play around inside gitpod)
It is built on top of Rust's regex engine. Rust's regex engine uses finite automata, SIMD and aggressive literal optimizations to make searching very fast. (PCRE2 support)
Rust's regex library maintains performance with full Unicode support by building UTF-8 decoding directly into its deterministic finite automaton engine. It supports searching with either memory maps or by searching incrementally with an intermediate buffer. The former is better for single files and the latter is better for large directories. ripgrep chooses the best searching strategy for you automatically.
Applies your ignore patterns in .gitignore files using a RegexSet. That means a single file path can be matched against multiple glob patterns simultaneously.
It uses a lock-free parallel recursive directory iterator, courtesy of crossbeam and ignore.
same engine used on vscode search
Tool | Command | Line count | Time |
---|---|---|---|
INTERCEPT (ripgrep) | rg -n -w '[A-Z]+_SUSPEND' |
452 | 0.106s |
git grep | LC_ALL=C git grep -E -n -w '[A-Z]+_SUSPEND' |
452 | 0.553s |
The Silver Searcher | ag -w '[A-Z]+_SUSPEND' |
452 | 0.589s |
git grep (Unicode) | LC_ALL=en_US.UTF-8 git grep -E -n -w '[A-Z]+_SUSPEND' |
452 | 2.266s |
sift | sift --git -n -w '[A-Z]+_SUSPEND' |
452 | 3.505s |
ack | ack -w '[A-Z]+_SUSPEND' |
452 | 6.823s |
The Platinum Searcher | pt -w -e '[A-Z]+_SUSPEND' |
452 | 14.208s |
Timings were collected on a system with an Intel
i7-6900K 3.2 GHz.
A straight-up comparison between ripgrep, ugrep and GNU grep on a single large file cached in memory (~13GB, OpenSubtitles.raw.en.gz
):
Tool | Command | Line count | Time |
---|---|---|---|
ripgrep | rg -w 'Sherlock [A-Z]\w+' |
7882 | 2.769s |
ugrep | ugrep -w 'Sherlock [A-Z]\w+' |
7882 | 6.802s |
GNU grep | LC_ALL=en_US.UTF-8 egrep -w 'Sherlock [A-Z]\w+' |
7882 | 9.027s |