Source: Shulou (Shulou.com), SLTechnology News&Howtos, Network Security. 05/31 report, updated 2025-04-01.
This article explains what Intercept is used for. Most people are probably not very familiar with it, so the article is shared here for reference; I hope you learn a lot from it.
INTERCEPT is a static code analysis and policy audit tool that is easy to use, has a small footprint, and scans your code base with a fast multi-line search tool. Researchers can also use it as a data collector and inspector, or as a cross-platform weaponized ripgrep.
Function introduction
- Code is policy
- Fine-grained regex policies
- Multiple levels of enforcement
- Static analysis, no daemon
- Low footprint, self-updatable binaries
- Easy to integrate on any CI/CD pipeline
- Declarative policies to reduce complexity
- No custom policy language
Code is policy
The idea of "code is policy" comes from the management and automation of policies. Expressing policies as code in YAML files follows a validated software development best practice: it lets researchers apply version control, automated testing and automated deployment to their policies.
Working mechanism
1. Intercept and analyze the command line interface code
2. YAML file policy implementation
INTERCEPT integrates environment tags, YAML policies, and optional parameters to generate a global profile that recursively scans the target path for code that violates the policy, and generates human-readable detailed scan and analysis reports.
Scan report output sample: [image]
Tool build
# Standard package (intercept + ripgrep) for individual platforms
-- core-intercept-rg-*.zip
# Cross Platform Full package (intercept + ripgrep)
-- x-intercept.zip
# Build package to build on all platforms (Development)
-- setup-buildpack.zip
# Package of the latest compatible release of ripgrep (doesn't include intercept)
-- i-ripgrep-*.zip
Quick start
First, download the latest version of INTERCEPT according to your platform:
--- Darwin
curl -fSL https://github.com/xfhg/intercept/releases/latest/download/intercept-darwin_amd64 -o intercept
--- Linux
curl -fSL https://github.com/xfhg/intercept/releases/latest/download/intercept-linux_amd64 -o intercept
--- Windows
curl -fSL https://github.com/xfhg/intercept/releases/latest/download/intercept-windows_amd64 -o intercept.exe
Get a sample for quick scan:
curl -fSLO https://github.com/xfhg/intercept/releases/latest/download/_examples.zip
Now that the code we need to analyze is stored in an examples/ folder, we need to look at the optional policy types in the policy file before we begin:
- scan: where we enforce breaking rules on matched patterns
- collect: where we just collect matched patterns
The sample demo we give will do the following:
1. Scan the target code for private keys: the policy must be fatal (fatal: true) and accept no exceptions (enforcement: true). Setting environment: all ensures that this policy is enforced on all environments.
2. Check that modules come from a compliant source rather than a local path or git: the policy must be fatal (fatal: true), and the environment must be PROD (environment: prod). This policy can accept a local exception (enforcement: false).
3. Collect Terraform resource instances used outside of modules.
The policy file containing the above scanning and collection policies is as follows (examples/policy/simple.yaml):
# This banner is shown on the start of the scanning report,
# use it to point out important documentation/warnings/contacts
Banner: |
  Banner text here, drop documentation link or quick instructions on how to react to the report

Rules:
  # This is the main policy block, all rules will be part of this array

  # This is a rule structure block
  # Each rule can have one or more patterns (regex)
  # The rule is triggered by any of the patterns listed
  #
  # Essential settings:
  #   id: (must be unique)
  #   type: (scan | collect)
  #   fatal: (true | false)
  #   enforcement: (true | false)
  #   environment: (all | anystring)
  # All other settings are free TEXT to complement your final report
  - name: Private key committed in code
    id: 1
    description: Private key committed to code version control
    solution:
    error: This violation immediately blocks your code deployment
    type: scan
    enforcement: true
    environment: all
    fatal: true
    patterns:
      - \s*(-----BEGIN PRIVATE KEY-----)
      - \s*(-----BEGIN RSA PRIVATE KEY-----)
      - \s*(-----BEGIN DSA PRIVATE KEY-----)
      - \s*(-----BEGIN EC PRIVATE KEY-----)
      - \s*(-----BEGIN OPENSSH PRIVATE KEY-----)
      - \s*(-----BEGIN PGP PRIVATE KEY BLOCK-----)

  # Another scan rule
  - name: Compliant module source
    id: 5
    description: Modules should not be sourced locally nor from git
    error: This breach blocks your deployment on production environments
    type: scan
    solution:
    environment: prod
    fatal: true
    enforcement: false
    patterns:
      - source\s*=.*\.git"
      - \s+source\s*=\s*"((?!https\:).)

  # A different type of policy rule that just collects findings matched with the patterns listed
  - name: Collect sparse TF Resources outside of modules.
    description: The following resources were detected outside of compliant module usage
    type: collect
    patterns:
      - (resource)\s*"(.*)"

# These are the messages displayed at the end of the report
# Clean for no finds
# Warning for at least one non-fatal find
# Critical for at least one fatal find
ExitCritical: "Critical irregularities found in your code"
ExitWarning: "Irregularities found in your code"
ExitClean: "Clean report"

That is all of the article "What is the use of Intercept". Thank you for reading! I hope the shared content gives you a working understanding and helps you; if you want to learn more, you are welcome to follow the industry information channel.
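An added example, not part of the original article or the INTERCEPT project: the regexes from simple.yaml applied line by line to constructed Terraform input, so the policy's patterns can be checked before it gates a pipeline. The environment filter (a rule runs when its environment is all or equals the current one) and the mapping of finds to exit messages are assumptions modelled on the policy's comments; exceptions (enforcement) are not modelled.

```python
import re
# Patterns transcribed from the page's simple.yaml. The evaluation logic is a
# simplified line-by-line model for checking them, not INTERCEPT's own code.
KEY_KINDS = ["PRIVATE KEY", "RSA PRIVATE KEY", "DSA PRIVATE KEY",
             "EC PRIVATE KEY", "OPENSSH PRIVATE KEY", "PGP PRIVATE KEY BLOCK"]
RULES = [
    {"id": 1, "type": "scan", "fatal": True, "environment": "all",
     "patterns": [rf"\s*(-----BEGIN {k}-----)" for k in KEY_KINDS]},
    {"id": 5, "type": "scan", "fatal": True, "environment": "prod",
     "patterns": [r'source\s*=.*\.git"', r'\s+source\s*=\s*"((?!https\:).)']},
    # The collect rule has no id or environment on the page; "all" is assumed.
    {"id": None, "type": "collect", "fatal": False, "environment": "all",
     "patterns": [r'(resource)\s*"(.*)"']},
]

# Constructed sample input (not from the page); the key marker has no key material.
MAIN_TF = '''module "vpc" {
  source = "git::ssh://git@example.com/net/vpc.git"
}
module "cache" {
  source = "./modules/cache"
}
module "db" {
  source = "https://modules.example.com/db.zip"
}
resource "aws_s3_bucket" "logs" {}
'''
LEAKED = "-----BEGIN RSA PRIVATE KEY-----\n(constructed placeholder)\n"

def evaluate(files, env):
    """Return [(rule_id, type, fatal, path, line_no)] for rules active in env."""
    found = []
    for rule in RULES:
        if rule["environment"] not in ("all", env):
            continue  # assumed semantics: "all" or an exact environment match
        for path, text in files.items():
            for no, line in enumerate(text.splitlines(), 1):
                if any(re.search(p, line) for p in rule["patterns"]):
                    found.append((rule["id"], rule["type"], rule["fatal"], path, no))
    return found

def verdict(found):
    """Exit key per the policy's closing comments (collect finds count as non-fatal: assumption)."""
    if any(f[2] for f in found):
        return "ExitCritical"
    return "ExitWarning" if found else "ExitClean"

if __name__ == "__main__":
    print({e: verdict(evaluate({"main.tf": MAIN_TF}, e)) for e in ("dev", "prod")})
```

The https module source is the only one rule 5 lets through; the git and local sources are flagged only when the environment is prod.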