This is a Docker image that combines multiple open source tools that can be used for software composition analysis. It consists of the following tools:
- dependency-check
- license_finder
- npm audit
- auditjs
- OSSIndex Maven Plugin
- Snyk
Build the image with:
docker build -t sca .
To run the image, mount the project directory you want to scan into the container. Furthermore, you need to authenticate Snyk with an API token, which you get by registering on snyk.io. Create a file called snyk.json inside a directory snyk_config with the following content:
{
"api": "<your_api_token>"
}
We will mount this file into the Docker container, so you can use Snyk without ever having to run snyk auth.
Run the container with the following command:
docker run -it -v <path_to_project>:/scan -v <path_to_snyk_config>:/root/.config/configstore sca
For simplicity, I included two shell scripts that perform the corresponding checks for Node.js and Maven projects.
Run dependency-check against the mounted project like this:
dependency-check/bin/dependency-check.sh --project myproject --out /scan/report/ --scan scan/
license_finder relies on the package managers and therefore needs the sources of the project. You can run it like this:
license_finder report --save=/scan/report/license_report --project-path=/scan
To run npm audit, switch into the project folder first:
cd scan
npm audit
The same applies to auditjs:
cd scan
auditjs
and to Snyk:
cd scan
snyk test
For Maven projects, run the OSSIndex Maven Plugin against the project's pom.xml:
mvn org.sonatype.ossindex.maven:ossindex-maven-plugin:audit -Dossindex.reportFile=/report/ossindex_report.txt -f scan/pom.xml
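The two per-project-type scripts mentioned above are not reproduced here; the following wrapper is an added example of how such a script can tie the individual commands together. It is not part of the image. It assumes the mount points from the docker run command (/scan for the project, /root/.config/configstore for the Snyk token), skips Snyk when the token file is missing instead of blocking on an interactive login, and honours a hypothetical SCA_DRY_RUN variable that only prints the commands.

```shell
#!/bin/sh
# Hypothetical wrapper (not part of the image): pick the SCA tools that apply to
# the mounted project and run them in sequence, writing reports under <dir>/report.
# Set SCA_DRY_RUN=1 to print the commands instead of running them.
set -u

# Run a command, or print it when SCA_DRY_RUN is set. A failing tool is reported
# on stderr but does not abort the remaining scans.
run() {
  if [ "${SCA_DRY_RUN:-0}" = "1" ]; then
    echo "$*"
  else
    "$@" || echo "warning: '$1' exited with status $?" >&2
  fi
}

# Run (or print) the tool invocations that apply to the project tree in $1.
sca_plan() {
  dir="$1"
  mkdir -p "$dir/report" 2>/dev/null
  # Snyk needs the mounted API token; without it, leave snyk out of the plan.
  have_snyk=0
  [ -f /root/.config/configstore/snyk.json ] && have_snyk=1
  # These two work on any project tree, regardless of package manager.
  run dependency-check/bin/dependency-check.sh --project myproject --out "$dir/report/" --scan "$dir/"
  run license_finder report --save="$dir/report/license_report" --project-path="$dir"
  # Node.js project: npm audit and auditjs must run from inside the project folder.
  if [ -f "$dir/package.json" ]; then
    ( cd "$dir" && run npm audit && run auditjs )
    if [ "$have_snyk" = 1 ]; then ( cd "$dir" && run snyk test ); fi
  fi
  # Maven project: OSS Index plugin against the pom.xml, plus Snyk when available.
  if [ -f "$dir/pom.xml" ]; then
    run mvn org.sonatype.ossindex.maven:ossindex-maven-plugin:audit \
      "-Dossindex.reportFile=$dir/report/ossindex_report.txt" -f "$dir/pom.xml"
    if [ "$have_snyk" = 1 ]; then ( cd "$dir" && run snyk test ); fi
  fi
  return 0
}

# Entry point when executed inside the container: scan the mounted project.
if [ "${SCA_NO_MAIN:-0}" != "1" ] && [ -d /scan ]; then
  sca_plan /scan
fi
```

Dropping the script into the image and running it as the container command replaces typing the per-tool commands by hand; the dry-run mode is also a quick way to confirm which tools a given project will trigger.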