
# Code Review

Simple notes on code review

## Dependency Confusion

We can use `confused` to scan a package requirement file for dependency names that are not claimed on the public registry (the classic dependency-confusion precondition).

```
# Requires Go to be installed
git clone https://github.com/visma-prodsec/confused
cd confused
go get
go build
```

* Usage

```
confused -l pip requirements.txt
confused -l npm package.json # default
confused -l composer composer.json
confused -l mvn pom.xml
confused -l rubygems Gemfile.lock
```
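What `confused -l pip` is checking, written out as an added example (not the notes' own code nor the `confused` project's): parse the requirement file, normalise the names, and report those absent from the public index. The PyPI lookup is live, but the sample below runs against a constructed in-memory index; `acme_internal_auth` and the index URL are hypothetical.

```python
# Added example (not the notes' own code nor the `confused` project's): a minimal
# dependency-confusion check for pip requirement files. Index lookup is injectable.
import re
import urllib.error
import urllib.request
# Start of a PEP 508 requirement line: name, then optional [extras].
_REQ_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?")

def normalize(name: str) -> str:
    """PEP 503 normalisation: lower-case, runs of '-', '_' or '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()

def parse_requirements(text: str) -> list[str]:
    """Normalised names from requirements.txt text. Comments, pip options (-r,
    --index-url ...), URL and local-path lines are skipped: not resolved by name."""
    names = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(("-", ".", "/")) or "://" in line:
            continue
        m = _REQ_RE.match(line)
        if m:
            names.append(normalize(m.group(1)))
    return names

def pypi_exists(name: str) -> bool:
    """Live check against PyPI's JSON API (needs network); 404 means unclaimed."""
    try:
        with urllib.request.urlopen(f"https://pypi.org/pypi/{name}/json", timeout=10) as r:
            return r.status == 200
    except urllib.error.HTTPError as e:
        if e.code == 404:
            return False
        raise

def find_unclaimed(text: str, exists=pypi_exists) -> list[str]:
    """Names absent from the public index: an attacker could register them."""
    return sorted({n for n in parse_requirements(text) if not exists(n)})

# Constructed sample file; 'acme_internal_auth' is a hypothetical private package.
SAMPLE_REQUIREMENTS = """\
--extra-index-url https://pypi.internal.example/simple
requests>=2.31          # public
Flask[async]==3.0.0     # public, with extras
acme_internal_auth==1.2.0
git+https://github.com/example/tool.git#egg=tool
./vendor/local_pkg
"""
# Constructed stand-in for the public index so the example runs offline.
FAKE_PUBLIC_INDEX = {"requests", "flask"}
```

Call `find_unclaimed(open("requirements.txt").read())` to use the live PyPI lookup; any name it returns should be pinned to the private index or claimed before an attacker does.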

## Hijacking Dependencies

### Python-pip

* <https://github.com/zAbuQasem/dependecy-confusion-templates/tree/main/python-pip>

### Nodejs-npm

* TODO

## Static Application Security Analysis (SAST)

Here is the set of tools I usually use when I conduct a source code review:

* [**Semgrep**](https://github.com/returntocorp/semgrep): It has a good set of rules for pointing out weak code practices.

```
python3 -m pip install semgrep
# Run from the repository root; with no target given, Semgrep scans the current directory
semgrep --config auto | tee -a semgrep.out
```

* **Snyk**: Snyk is good (VS Code extension available).
* **Trivy**: Built mainly for container security, it is also suitable for dependency vulnerability scanning (VS Code extension available).

## Secrets Scanning

I personally prefer [gitleaks](https://github.com/zricethezav/gitleaks) for scanning a git repo, because it reports useful context alongside the secret itself.

```
# Requires Go to be installed
git clone https://github.com/zricethezav/gitleaks.git
cd gitleaks
make build

# Usage (run inside the repository to scan)
gitleaks detect --report-path gitleaks-report.json -v
```

For scanning container images for secrets and vulnerabilities, I would use [trivy](https://github.com/aquasecurity/trivy).

```
sudo apt install -y trivy
# Newer Trivy releases rename --security-checks to --scanners
trivy image --severity HIGH,CRITICAL --security-checks vuln,secret,config <image>
# Append --offline-scan to scan a local image
```

Apart from that, [trufflehog](https://github.com/trufflesecurity/trufflehog) is good.

```
git clone https://github.com/trufflesecurity/trufflehog.git
cd trufflehog
go install
```

```
# Scan a repo (--only-verified keeps only secrets TruffleHog could verify against the provider)
trufflehog git <REPO-URL> --only-verified --json
# Example: scan TruffleHog's public test repository, which contains known test keys
trufflehog git https://github.com/trufflesecurity/test_keys --only-verified --json
# Scan a filesystem path
trufflehog filesystem --directory <PATH> --json [--only-verified]
```
