ysudhakar / insider

This project forked from insidersec/insider

Static Application Security Testing (SAST) engine focused on covering the OWASP Top 10. It analyzes source code to find vulnerabilities directly in the source, and is designed to be agile and easy to integrate into your DevOps pipeline. Supports the following technologies: Java (Maven and Android), Kotlin (Android), Swift (iOS), .NET Full Framework, C#, and JavaScript (Node.js).

Home Page: https://insidersec.io

License: MIT License

Makefile 0.28% Go 99.72%

insider's Introduction

This document is also available in Portuguese.

Insider is the OSS CLI project from the Insider Application Security Team for the community.

Insider is focused on covering the OWASP Top 10. It analyzes source code to find vulnerabilities directly in the source, and is designed to be agile and easy to integrate into your DevOps pipeline.

We currently support the following technologies: Java (Maven and Android), Kotlin (Android), Swift (iOS), .NET Full Framework, C#, and JavaScript (Node.js).

There is a GitHub Action that lets you protect your repository with Insider; it is free, easy to integrate and frictionless. It is the easiest way to protect your code directly in your repository. Take a look: Insider-Action


Installation

We have precompiled binaries for the Linux, Windows and macOS operating systems, which you can find here.

But if you are (g)old school or just want to compile it yourself, you'll need at least Go version 1.13.3 and GNU Make >= 4.2.1.

After downloading / checking if your version is compatible, you just have to:

$ go get github.com/insidersec/insider
$ cd $GOPATH/src/github.com/insidersec/insider
$ make linux64 # We support: linux32, linux64, win32, win64, macos

Have fun! 🚀


Usage

Note: Do not put insider in the same folder that contains the files to be analyzed.

The target folder should contain all the source code to be analyzed. We plan to release support for compiled iOS binaries and Android APKs.

./insider --help
Insider is the CLI project from the Insider Application Security Team for the community

Usage:
  -force
        Overwrite the report file name. Insider does not overwrite the results directory by default - Optional
  -no-banner
        Skips the banner printing (Useful for CI/Docker environments) - Optional
  -no-html
        Skips the report generation in the HTML format - Optional
  -no-json
        Skips the report generation in the JSON format - Optional
  -security int
        Set the Security level, values between 0 and 100
  -target string
        Specify where to look for files to run the specific ruleset.
        -target <folder>
        -target <myprojectfolder>
  -tech string
        Specify which technology ruleset to load. (Valid values are: android, ios, csharp, javascript)
        -tech javascript
        -tech csharp
  -v    Set true for verbose output

Example of use :
        insider -tech javascript -target <myprojectfolder>
        insider -tech=android -target=<myandroidfolder>
        insider -tech android -target <myfolder> -no-html

Example

# Check the correct release for your environment
$ mkdir insider && cd insider
$ wget https://github.com/insidersec/insider/releases/download/2.0.5/insider_2.0.5_linux_x86_64.tar.gz
$ tar -xf insider_2.0.5_linux_x86_64.tar.gz
$ chmod +x insider
$ ./insider --tech javascript --target <projectfolder>
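
The steps above unpack and run a downloaded archive as-is. The following added example (not code from the Insider project; the function names are hypothetical) checks the archive against a SHA-256 digest before unpacking, rejects archive members that would land outside the destination, and enforces the Usage note about keeping insider out of the scanned folder. It assumes the caller supplies the expected digest from a source they trust, since this page does not list one.

```bash
#!/usr/bin/env bash
# Added example (not from the Insider project). Helper names are hypothetical.

# sha256_of FILE: print the SHA-256 hex digest (coreutils, or shasum on macOS).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_archive FILE EXPECTED_HEX: succeed only when the digest matches.
verify_archive() {
  actual=$(sha256_of "$1") || return 2
  [ -n "$actual" ] && [ "$actual" = "$2" ]
}

# archive_is_contained FILE: fail if any member is absolute or contains "..".
archive_is_contained() {
  tar -tf "$1" | awk '/^\// || /(^|\/)\.\.(\/|$)/ { bad = 1 } END { exit bad }'
}

# outside_target BIN_DIR TARGET_DIR: fail if BIN_DIR is TARGET_DIR or below it.
outside_target() {
  bin=$(cd "$1" && pwd -P) || return 2
  tgt=$(cd "$2" && pwd -P) || return 2
  case "$bin/" in
    "$tgt"/*) return 1 ;;
    *) return 0 ;;
  esac
}

# install_release ARCHIVE EXPECTED_HEX DEST_DIR TARGET_DIR
# Unpacks only after every check passes, then marks the binary executable.
install_release() {
  verify_archive "$1" "$2" || { echo "checksum mismatch: $1" >&2; return 1; }
  archive_is_contained "$1" || { echo "unsafe path in $1" >&2; return 1; }
  mkdir -p "$3" || return 1
  outside_target "$3" "$4" || { echo "$3 is inside target $4" >&2; return 1; }
  tar -xf "$1" -C "$3" && chmod +x "$3/insider"
}
```

Call it as install_release <archive> <expected-sha256> <install-dir> <projectfolder>, then run insider from the install directory against the project folder.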

Contribution


License

  • This work is licensed under MIT.

insider's People

Contributors

omatron, htrgouvea, hermescanutodesouza, mattheusv, danilodeveloper, bieeldeveloper, horaddrim
