View Source Code Scans
Introduction
There are three popular security tools for ensuring the security of Phoenix applications:
- Sobelow, for static analysis of source code for vulnerabilities: https://github.com/nccgroup/sobelow
- deps.audit, to scan a project's dependencies for vulnerabilities: https://github.com/mirego/mix_audit
- hex.audit, to scan for dependencies that have been marked as retired: https://hexdocs.pm/hex/Mix.Tasks.Hex.Audit.html
It may seem straightforward to integrate these tools into your existing CI/CD pipeline, but consider the following questions:
- When was the last time the scan ran successfully?
- Do you have a record of when all these scans happened?
- Did the numbers of vulnerabilities increase or decrease compared to the previous scans?
- How do you view the findings of the most recent scan? Of a scan from 3 months ago?
With the Paraxial.io agent version 2.2.0, you now have access to the command:

```shell
mix paraxial.scan
```

This will run Sobelow, deps.audit, and hex.audit on your application, then upload the results to the Paraxial.io backend:
1. Create your site, add the Paraxial.io agent
In the Paraxial.io web interface, create a site for each environment you want to perform scans in. These are typically dev, test, or prod. For this tutorial, we use dev. In the "Site Settings" page, get your Site API key.
In your Phoenix app, open config/dev.exs and add:

```elixir
config :paraxial,
  paraxial_api_key: System.get_env("PARAXIAL_API_KEY"),
  paraxial_url: "https://app.paraxial.io"
```

Add the Paraxial.io agent as a dependency in mix.exs:

```elixir
{:paraxial, "~> 2.2.0"}
```
2. Install Sobelow
While it's not necessary to install Sobelow, having it installed will allow you to flag specific findings as false positives. You can read more about how to flag false positives here: https://github.com/nccgroup/sobelow#false-positives
Add it to the deps in mix.exs:

```elixir
{:sobelow, "~> 0.11.1"}
```
3. Test the install
Run mix deps.get to install the Paraxial.io agent. To see if the install was successful, run:

```shell
mix paraxial.scan
```

If the agent is installed correctly, and your site's API key is correct, you should see the following output:

```text
19:36:42.184 [info] [Paraxial] API key found, scan results will be uploaded
[Paraxial] Scan findings: %Paraxial.Scan{
  api_key: "REDACTED",
  findings: [
    %Paraxial.Finding{
    ...
```
4. View the scan results
The scan task will run Sobelow, deps.audit, and hex.audit on your project, and print the results in the terminal. Go to your site in app.paraxial.io to see the scan results, and a history of previous scans.
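The questions in the introduction (when did the scan last run, is there a record of it) are only answered if the pipeline step itself fails loudly when the results are not uploaded. The following is an added example, not Paraxial.io's own code: a POSIX shell wrapper for a CI job that refuses to run without PARAXIAL_API_KEY, runs the scan, and checks the captured output for the "API key found, scan results will be uploaded" line shown in step 3. The log file name paraxial-scan.log and the "run" argument convention are assumptions of this example.

```shell
#!/bin/sh
# Added example (not Paraxial.io's code): CI wrapper around `mix paraxial.scan`.
# Without PARAXIAL_API_KEY the scan still runs locally but nothing is uploaded,
# so the history in app.paraxial.io silently shows a gap; this wrapper turns
# that into a failed pipeline step instead.

# Confirmation line the agent prints when the site API key is accepted
# (taken from the step 3 output above).
UPLOAD_MARKER="[Paraxial] API key found, scan results will be uploaded"

# Return 0 when the file named by $1 (captured scan output) contains the marker.
scan_uploaded() {
  grep -Fq "$UPLOAD_MARKER" "$1"
}

# Return 0 when the environment can produce an uploaded scan.
scan_env_ok() {
  [ -n "${PARAXIAL_API_KEY:-}" ]
}

# Run the scan, keep the output in a log file (assumed name), and fail the
# step unless the upload confirmation is present.
run_scan() {
  log="${1:-paraxial-scan.log}"
  if ! scan_env_ok; then
    echo "PARAXIAL_API_KEY is not set; refusing to run a scan whose results cannot be uploaded" >&2
    return 2
  fi
  mix deps.get >/dev/null || return 1
  # Capture to a file first so mix's own exit status is not masked by a pipe.
  mix paraxial.scan >"$log" 2>&1
  status=$?
  cat "$log"
  if [ "$status" -ne 0 ]; then
    echo "mix paraxial.scan exited with status $status" >&2
    return "$status"
  fi
  if scan_uploaded "$log"; then
    echo "scan uploaded; see the site's scan history in app.paraxial.io"
  else
    echo "scan output lacks the upload confirmation; check the site API key in config/dev.exs" >&2
    return 1
  fi
}

# Only start a scan when invoked as `sh scan.sh run`, so the functions can
# also be sourced for testing.
if [ "${1:-}" = "run" ]; then
  run_scan "${2:-paraxial-scan.log}"
fi
```

In a CI job, invoke it as the scan step with PARAXIAL_API_KEY provided from the pipeline's secret store; the archived log file then gives you a local record of each run alongside the history in app.paraxial.io.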
Umbrella Applications
To use mix paraxial.scan with your Umbrella application, you must update the aliases function in the top level mix.exs file to include:

```elixir
defp aliases do
  [
    sobelow: ["cmd mix sobelow"]
  ]
end
```

This runs Sobelow against all child applications.