npm
Sign UpSign In

@quantum-sec/ci-analysis-collector
TypeScript icon, indicating that this package has built-in type declarations

1.3.3 • Public • Published

Managed Security Platform Infrastructure by Quantum

ci-analysis-collector

Build Status License @quantum-sec/ci-analysis-core Maintained by quantum.security

Quantum's CI analysis collector utility is a wrapper for common security tools for normalizing results to rank and prioritize the remediation of vulnerabilities discovered in your applications and infrastructure.

This utility can be modified to be used with your own aggregation and analysis pipeline or used directly with the Quantum Security Platform.

Prerequisites

This utility requires Node.js and git. Additionally, you must install any tools you wish to use that are wrapped by this utility – each of which will have its own dependencies. Alternatively, Quantum supplies Docker containers for each of the officially supported tools.

Usage

Use npx to directly reference, install, and run this utility:

# npx <= 6
npx @quantum-sec/ci-analysis-collector [tool] [args]

# npx >= 7
npx --yes --package @quantum-sec/ci-analysis-collector \
  --call 'ci-analysis-collector [tool] [args]'

Where [tool] is the all lowercase name or "ID" of the tool (see the table of supported tools below) and where [args] are any of the following optional arguments:

Arguments

  • --path [path] – the path to source code being analyzed (default: "$PWD")
  • --soft-fail – when specified a zero exit code will be returned regardless of whether or not checks are failing (default: false)
  • --quiet – when specified, passing checks will be excluded from the printed output (default: false)
  • --log-level [LEVEL] – the log verbosity (one of error, warning, info, or debug) (default: info)
  • --webhook-url [URL] – the URL to which results will be PUT (defaults to the Quantum Platform webhook)

Environment Variables

  • QS_API_TOKEN – the API token associated with this analysis collection generated in the Quantum Security Console
  • QS_COLLECTOR_SOFT_FAIL – same as the --soft-fail argument above
  • QS_COLLECTOR_QUIET – same as the --quiet argument above
  • QS_COLLECTOR_WEBHOOK_URL – same as the --webhook-url argument above

Supported Tools

Tool Analysis Type Platforms / Languages Container Runtime
checkov SAST Terraform
CloudFormation
ARM Templates
Dockerfile
Kubernetes		 quantumsec/docker-pipeline-checkov
sonarqube SAST, DAST C / C++ / Objective-C
C#
Go
Java
JavaScript / TypeScript
Kotlin
PHP
Python
Ruby
Scala
Swift
Visual Basic		 quantumsec/docker-pipeline-sonarqube
trivy SAST Terraform
Dockerfile
Kubernetes		 quantumsec/docker-pipeline-trivy
tfsec
(Planned) 		SAST Terraform quantumsec/docker-pipeline-tfsec
ZAP SAST HTTP quantumsec/docker-pipeline-zap

Code of Conduct

Help us keep this project open and inclusive. Please read and follow our Code of Conduct.

License

This code is released under the Apache 2.0 License.

Readme

Keywords

none

Package Sidebar

Install

npm i @quantum-sec/ci-analysis-collector

Repository

github.com/quantum-sec/ci-analysis-collector

Homepage

github.com/quantum-sec/ci-analysis-collector#readme

Weekly Downloads

20

Version

1.3.3

License

Apache-2.0

Unpacked Size

1.91 MB

Total Files

165

Last publish

Collaborators

  • lukiffer
  • quantum-ci-bot
Try on RunKit
Report malware