New Features:
- Exclude Patterns - To help with fighting false positives
- Profiles - To help select what type of rules to be used during scanning
- Rule Testing Framework - To help with testing CSA rules against real code samples
- Generate HTML and CSV Finding Reports - Generate HTML and CSV Reports that can be leveraged into a CI pipeline
We are becoming more formal in our tracking of backlog with increased usage driving feature requests. You'll find our official backlog detailed in our Roadmap
To summarize, here's what is in progress:
- Rules that look for the absence of a pattern
- Allowing multiple instances of file patterns
csa has pre-built binaries for Windows, OSX, and Linux. The quickest way to get starting using csa is to download the latest release. Included with the release is the latest user manual in pdf format. A sample portfolio of applications is also included.
No install is required. Simply download the version that matches your operating system and move the executable to the directory of your choice. It's best to put the directory in your path to simplify running csa. Everything you need to use csa is inside this single executable.
To see all the options to run, simply type:
csa -hFor more detailed help instructions:
csa --help-longTo simplify usage, csa has a default mode of analyze, since that is it most frequently used. Typically, you point csa to a directory that contains sub-directories, each containing one application. csa considers this directory of sub-directories a portfilio. To tell csa to process the directory as a portfolio of applications, we use the-p flag on the command-line
csa -p <directory of application code>csa will process all the subdirectories as applications and write the results to the console. Look in the directory where csa was copied to and you'll see a file, csa.db. This is a SQLite database full of it findings.
To see the results of the analysis, you'll need to call csa one more time and launch the browser-based user interface:
csa uicsa will take you directly to your browser and activate the user interface.
If you want to contribute to csa, you'll need to build it.
-
Golang - Installation instructions are here
-
Docker - Instructions for Get Docker
-
go-bindata - Install go-bindata using go get
Alternatives if go get fails
OSX
$> brew install go-bindataLinux
sudo apt install go-bindata
Clone the repo into your the directory of your choice.
> ./build.sh
Executable will be generated here:
=> csa-app/dist/csa
=> csa-app/dist/csa-l
=> csa-app/dist/csa.exe
Release builds containing all required GO dependencies can be generated using a docker build
- Run Docker Build
$> docker build -f build-Dockerfile -t csa-release:latest .
- Generate executables
$> docker run -v ${PWD}:/app -e VERSION=v3.2.10-rc1 csa-release:latest
> ./build.sh
Executable will be generated here
=> csa-app/dist/csa-l
=> csa-app/dist/csa.exe
Verify docker created directory has correct ownership
$> sudo chown -R $USER:`id -g -n $USER` $WORKING_DIR/go/exe
Check that the exe runs
The executable(s) can be found in <project root dir>/csa-app/exe directory
To create the release build do the following:
-
Tag release
git tag <tag-name> -
Execute
./build.sh -r -
Push the tag out
git push --tags
The cloud-suitability-analyzer project team welcomes contributions from the community. Before you start working with cloud-suitability-analyzer, please read our Developer Certificate of Origin. All contributions to this repository must be signed as described on that page. Your signature certifies that you wrote the patch or have the right to pass it on as an open-source patch. For more detailed information, refer to CONTRIBUTING.md.
Cloud Suitability Analyzer is released under the BSD-2 license. Please see LICENSE.txt