// License information
/*
Talos runs security checks on developed applications or features.
The currently developed modules include DAST and CSA.
DAST is available for the API and for the basic store.

Modules are configured through a configuration file. This file
(config.yaml) contains the global configuration for every tool available in
talos.

Below is a sample configuration file in YAML format:

	CSA: # Required; to use talos like: "talos run csa"
	  Image: "golang:latest" # Required; can be a local image or an image from a container registry
	DAST: # Required; to use talos like: "talos run dast"
	  ScanType: "API" # Required; one of Website or API
	  Network: "development-network" # Optional; change if the network is other than bridge
	  ImageName: "perf" # Required; container name of the target app
	  ZAPConfigFileDir: "/path/to/<user>/talos/" # Optional; location of ZAPConfigFileName (absolute path)
	  ZAPConfigFileName: "api-dev-automation.yaml" # Required; name of the ZAP automation config file
	  OpenApiConfigFileDir: "/path/to/<user>/talos/" # Optional; location of OpenApiConfigFileName (absolute path)
	  OpenApiConfigFileName: "OpenAPISchema.json" # Required; name of the OpenAPI schema file
	  Auth: # Required; configures Auth for Website or API, so both are not required
	    Website: # Required if using talos to perform a DAST analysis on the store
	      AccessToken: "basic XXXXXXX" # Required; AccessToken is the Authorization header, sent in every request
	    API: # Required if using talos to perform an API DAST analysis
	      # The fields below are used to generate the authentication/oauth POST body
	      ClientID: "XXXXXXXXXX" # Required; used to get authorization from the API
	      ClientSecret: "XXXXXXXXXX" # Required; used to get authorization from the API
	      GrantType: "password" # Required; used to get authorization from the API
	      Username: "XXXXXXXXXXXXXXXXXXXX" # Required; used to get authorization from the API
	      Password: "XXXXXXXXXXXXXXXXXXXX" # Required; used to get authorization from the API

CSA stands for Container Security Analysis.
Its goal is to analyze the layers a specific container image is composed of
and then provide a report of the vulnerabilities that the whole image
contains.

CSA configuration explained: the Image parameter is passed to the Docker
client, which looks for an image with that name. If the image is not found
locally, it is looked up in the default registries, such as Docker Hub.

DAST stands for Dynamic Application Security Test.
Its goal is to run functional tests against the application, to evaluate how it
performs against common security vulnerabilities.
These include SQLi, XML, XSS, amongst others.

DAST configuration explained: the dast tool spins up a container and attaches
it to the network the ImageName container is on. Then, the ZAP server
starts performing the automated security analysis configured in the
ZAPConfigFileName file.

To obtain a specific ZAP automation application scan configuration file, please
contact the security team at Scalefast.

The ZAP config file is a sensitive file, as it contains information on
authentication and authorization, so it should NOT be committed.
*/
package main // import "golang.org/x/tools/cmd/godoc"
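The "Required" and "Optional" rules in the DAST block above are the kind of thing a loader should check before spinning up ZAP, so a misconfigured run fails fast instead of scanning with missing credentials. The following is an added example, not talos's own code: the struct and field names mirror the sample config.yaml, and the rule that OpenApiConfigFileName is only needed for an API scan is an assumption.

```go
package main

import "fmt"

// DASTConfig mirrors the DAST block of config.yaml (struct and field names assumed).
type DASTConfig struct {
	ScanType, Network, ImageName                string
	ZAPConfigFileDir, ZAPConfigFileName         string
	OpenApiConfigFileDir, OpenApiConfigFileName string
	Auth                                        struct {
		Website struct{ AccessToken string }
		API     struct{ ClientID, ClientSecret, GrantType, Username, Password string }
	}
}

// ValidateDAST applies the documented default (bridge network) and returns one message
// per violated "Required" rule; only the Auth block matching ScanType is checked.
func ValidateDAST(d *DASTConfig) []string {
	var errs []string
	need := func(v, name string) {
		if v == "" {
			errs = append(errs, "DAST."+name+" is required")
		}
	}
	if d.Network == "" {
		d.Network = "bridge"
	}
	need(d.ImageName, "ImageName")
	need(d.ZAPConfigFileName, "ZAPConfigFileName")
	switch d.ScanType {
	case "Website":
		need(d.Auth.Website.AccessToken, "Auth.Website.AccessToken")
	case "API":
		// Assumption: the OpenAPI schema is only consumed by API scans.
		need(d.OpenApiConfigFileName, "OpenApiConfigFileName")
		a := d.Auth.API
		for _, f := range [][2]string{{"ClientID", a.ClientID}, {"ClientSecret", a.ClientSecret},
			{"GrantType", a.GrantType}, {"Username", a.Username}, {"Password", a.Password}} {
			need(f[1], "Auth.API."+f[0])
		}
	default:
		errs = append(errs, fmt.Sprintf("DAST.ScanType %q must be Website or API", d.ScanType))
	}
	return errs
}

func main() {
	d := DASTConfig{ScanType: "API", ImageName: "perf", ZAPConfigFileName: "api-dev-automation.yaml"}
	fmt.Println(ValidateDAST(&d)) // lists the missing OpenAPI schema name and the five API credentials
}
```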