add installation instructions (#13)
* add installation instructions

* move docs to mkdocs
06kellyjac authored Jul 5, 2022
1 parent e9d3107 commit 46cb8ab
Showing 10 changed files with 290 additions and 2 deletions.
8 changes: 8 additions & 0 deletions CONTRIBUTING.md
Expand Up @@ -59,3 +59,11 @@ We welcome pull requests!
- Your PR is more likely to be accepted if it includes tests (We have not historically been very strict about tests, but we would like to improve this!).
- You're welcome to submit a draft PR if you would like early feedback on an idea or an approach.
- Happy coding!

### Documentation

You can build the documents as below and view it at <http://localhost:8000>.

```bash
make mkdocs-serve
```
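Review bot: the new Documentation section should say that `make mkdocs-serve` needs a working Docker daemon, because the makefile target in this same commit builds an image from docs/build/Dockerfile and runs a container rather than calling mkdocs directly; a contributor without Docker gets an unexplained failure. Minor wording: "build the documents as below and view it" reads better as "build the documentation as below and view it".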
24 changes: 22 additions & 2 deletions README.md
Expand Up @@ -8,9 +8,14 @@
</p>

<p align="center">

[📖 Documentation][docs]

Chain-bench is an open-source tool for auditing your software supply chain stack for security compliance based on a new
<a href="docs/CIS-Software-Supply-Chain-Security-Guide-v1.0.pdf">CIS Software Supply Chain benchmark</a>.
The auditing focuses on the entire SDLC process, where it can reveal risks from code time into deploy time. To win the race against hackers and protect your sensitive data and customer trust, you need to ensure your code is compliant with your organization’s policies.

Read more in the [Chain-bench Documentation][docs]
</p>

[![Go Reference](https://pkg.go.dev/badge/github.com/aquasecurity/chain-bench.svg?style=flat-square)](https://pkg.go.dev/github.com/aquasecurity/chain-bench)
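Review bot: the `[📖 Documentation][docs]` line and the later "Read more in the [Chain-bench Documentation][docs]" line point at the same target inside one centered block, so one of them is redundant; keep a single link. Note also that the markdown link only renders because the blank line after `<p align="center">` terminates the raw HTML block, which leaves a stray `</p>` at the end; if the intent is an HTML block, write the link as `<a href="...">` like the CIS PDF link on the next line.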
Expand Down Expand Up @@ -51,11 +56,19 @@ The auditing focuses on the entire SDLC process, where it can reveal risks from

# Quick start

There is a primarily way to run chain-bench as a stand alone cli, that requires the personal access token of your account and the repository url in order to access your SCM.
The primary way to run chain-bench is as a standalone cli. It requires an access token for your account and the repository url in order to access your SCM.

## Installation

Get Chain-bench via your favorite installation method. See [installation] section in the documentation for details. For example:

- `nix-env --install -A nixpkgs.chain-bench`
- `docker run aquasec/chain-bench`
- Download binary from https://github.com/aquasecurity/chain-bench/releases/latest/

## Usage

```
```bash
chain-bench scan --repository-url <REPOSITORY_URL> --access-token <TOKEN> -o <OUTPUT_PATH>
```

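Review bot: the Usage line passes the token as a command-line argument (`--access-token <TOKEN>`), so it lands in shell history and is visible to other local users through `ps`; since quickstart.md in this commit asks for a `repo`-scoped PAT, document a safer way to supply it if the CLI already has one (environment variable or a file) and otherwise consider adding one, and at minimum add a caution next to the example. Separately, `docker run aquasec/chain-bench` with no tag floats to `latest`; pin a release tag in the README example.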
Expand Down Expand Up @@ -144,3 +157,10 @@ We welcome PRs and issue reports.

Going forward we plan to release updates to chain-bench to increase the benchmark coverage with more checks and support more platforms.
chain-bench is an Aqua Security open source project part of Trivy Family.

[docs]: https://github.com/aquasecurity/chain-bench/blob/main/docs/
[installation]: https://github.com/aquasecurity/chain-bench/blob/main/docs/getting-started/installation.md
<!-- TODO: swap to GH pages
[docs]: https://aquasecurity.github.io/chain-bench
[installation]: https://aquasecurity.github.io/chain-bench/latest/docs/getting-started/installation/
-->
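Review bot: `[docs]` points at `https://github.com/aquasecurity/chain-bench/blob/main/docs/`, but `blob/` is the file view and `docs/` is a directory; GitHub redirects to `tree/`, so write `tree/main/docs/` directly. The commented-out GitHub Pages definitions are fine as a TODO, but when they are switched on the `blob/main` definitions must be deleted in the same change, since duplicate reference labels resolve to the first definition and the new URLs would be silently ignored.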
10 changes: 10 additions & 0 deletions docs/build/Dockerfile
@@ -0,0 +1,10 @@
FROM squidfunk/mkdocs-material:8.2.10

## If you want to see exactly the same version as is published to GitHub pages
## use a private image for insiders, which requires authentication.

# docker login -u ${GITHUB_USERNAME} -p ${GITHUB_TOKEN} ghcr.io
# FROM ghcr.io/squidfunk/mkdocs-material-insiders

COPY requirements.txt .
RUN pip install -r requirements.txt
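Review bot: the commented login example `docker login -u ${GITHUB_USERNAME} -p ${GITHUB_TOKEN} ghcr.io` passes the token as a process argument, which Docker itself warns about; use `echo "$GITHUB_TOKEN" | docker login ghcr.io -u "$GITHUB_USERNAME" --password-stdin` so the token is not in shell history or `ps` output. The base image is pinned by tag (`squidfunk/mkdocs-material:8.2.10`) but not by digest; for a project whose purpose is supply-chain auditing, adding `@sha256:<digest>` makes the docs build reproducible. The insiders `FROM` line in the comment has no tag at all.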
30 changes: 30 additions & 0 deletions docs/build/requirements.txt
@@ -0,0 +1,30 @@
click==8.1.2
csscompressor==0.9.5
ghp-import==2.0.2
htmlmin==0.1.12
importlib-metadata==4.11.3
Jinja2==3.1.1
jsmin==3.0.1
Markdown==3.3.6
MarkupSafe==2.1.1
mergedeep==1.3.4
mike==1.1.2
mkdocs==1.3.0
mkdocs-macros-plugin==0.7.0
mkdocs-material==8.2.10
mkdocs-material-extensions==1.0.3
mkdocs-minify-plugin==0.5.0
mkdocs-redirects==1.0.4
packaging==21.3
Pygments==2.11.2
pymdown-extensions==9.3
pyparsing==3.0.8
python-dateutil==2.8.2
PyYAML==6.0
pyyaml-env-tag==0.1
six==1.16.0
termcolor==1.1.0
verspec==0.1.0
watchdog==2.1.7
zipp==3.8.0

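Review bot: every package is pinned to an exact version but none carries a `--hash=sha256:...` entry, and the Dockerfile installs this file with a plain `pip install -r`, so a substituted artifact on the index would be accepted; generate the file with `pip-compile --generate-hashes` and install with `pip install --require-hashes -r requirements.txt`. That matches what the tool itself checks (benchmark 3.1.7, "dependencies are pinned to a specific, verified version", in the quickstart output). There is also a trailing blank line at the end of the file.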
70 changes: 70 additions & 0 deletions docs/getting-started/installation.md
@@ -0,0 +1,70 @@
# Installation

## Nix/NixOS

Direct issues installing `chain-bench` via `nix` through the channels mentioned [here](https://nixos.wiki/wiki/Support)

You can use `nix` on Linux or macOS and on other platforms unofficially.

`nix-env --install -A nixpkgs.chain-bench`

Or through your configuration as usual

NixOS:

```nix
# your other config ...
environment.systemPackages = with pkgs; [
# your other packages ...
chain-bench
];
```

home-manager:

```nix
# your other config ...
home.packages = with pkgs; [
# your other packages ...
chain-bench
];
```

## Binary

Download the archive file for your operating system/architecture from [here](https://github.com/aquasecurity/chain-bench/releases/latest).
<!-- TODO: swap to GH pages [here](https://github.com/aquasecurity/chain-bench/releases/tag/{{ git.tag }}). -->
Unpack the archive, and put the binary somewhere in your `$PATH` (on UNIX-y systems, `/usr/local/bin` or the like).
Make sure it has execution bits turned on.

## From source

```bash
mkdir -p $GOPATH/src/github.com/aquasecurity
cd $GOPATH/src/github.com/aquasecurity
git clone --depth 1 https://github.com/aquasecurity/chain-bench
cd chain-bench/cmd/chain-bench/
export GO111MODULE=on
go install
```
<!-- TODO: swap to GH pages git clone --depth 1 --branch {{ git.tag }} https://github.com/aquasecurity/chain-bench -->

## From source with `go install`

With a sufficient version of `go` you can install and build with `go install github.com/aquasecurity/chain-bench/cmd/chain-bench@latest`
<!-- TODO: swap to GH pages `go install github.com/aquasecurity/chain-bench/cmd/chain-bench@{{ git.tag }}` -->

## Docker

### Docker Hub

```bash
docker pull aquasec/chain-bench:latest
```
<!-- TODO: swap to GH pages {{ git.tag[1:] }} -->

Example:

``` bash
docker run --rm aquasec/chain-bench:latest scan --repository-url <REPOSITORY_URL> --access-token <TOKEN>
```
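Review bot: the Binary section tells the reader to download the archive, unpack it and set the execute bit, but never to verify it; if the release assets include a checksum file (and ideally a signature), add the `sha256sum -c` step before "put the binary somewhere in your `$PATH`", and if they do not, that is worth fixing on the release side of a supply-chain auditing tool. The From source section uses a `$GOPATH/src` checkout and `export GO111MODULE=on`, which is the pre-module layout; with the module at the repository root, `git clone ... && cd chain-bench && go install ./cmd/chain-bench` is enough and can be documented as one path together with the `go install ...@latest` section below it. The Docker example puts the token on the command line, same concern as in the README hunk.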
63 changes: 63 additions & 0 deletions docs/getting-started/quickstart.md
@@ -0,0 +1,63 @@
# Quick start
The primary way to run chain-bench is as a standalone cli. It requires an access token for your account and the repository url in order to access your SCM.

## Requirements
You must provide an access token with permission to these scopes: `repo`(all), `read:repo_hook`, `admin:org_hook`, `read:org`

## Supported Providers
We currently support Github as the first SCM, with PAT authentication.

## For example

```shell
$ chain-bench scan --repository-url <REPOSITORY_URL> --access-token <TOKEN> -o <OUTPUT_PATH>

2022-06-13 15:22:18 INF 🚩 Fetch Starting
2022-06-13 15:22:19 INF 🏢 Fetching Organization Settings Finished
2022-06-13 15:22:29 INF 🛢️ Fetching Repository Settings Finished
2022-06-13 15:22:29 INF 🌱 Fetching Branch Protection Settings Finished
2022-06-13 15:22:29 INF 👫 Fetching Members Finished
2022-06-13 15:22:31 INF 🔧 Fetching Pipelines Finished
2022-06-13 15:22:31 INF 🏁 Fetch succeeded
ID Name Result Reason
-------- ----------------------------------------------------------------------------------------------- -------- ---------------------------------------
1.1.3 Ensure any change to code receives approval of two strongly authenticated users Passed
1.1.4 Ensure previous approvals are dismissed when updates are introduced to a code change proposal Failed
1.1.5 Ensure that there are restrictions on who can dismiss code change reviews Failed
1.1.6 Ensure code owners are set for extra sensitive code or configuration Failed
1.1.8 Ensure inactive branches are reviewed and removed periodically Failed 20 inactive branches
1.1.9 Ensure all checks have passed before the merge of new code Passed
1.1.10 Ensure open git branches are up to date before they can be merged into codebase Passed
1.1.11 Ensure all open comments are resolved before allowing to merge code changes Passed
1.1.12 Ensure verifying signed commits of new changes before merging Failed
1.1.13 Ensure linear history is required Passed
1.1.14 Ensure branch protection rules are enforced on administrators Failed
1.1.15 Ensure pushing of new code is restricted to specific individuals or teams Passed
1.1.16 Ensure force pushes code to branches is denied Failed
1.1.17 Ensure branch deletions are denied Failed
1.2.1 Ensure all public repositories contain a SECURITY.md file Failed
1.2.2 Ensure repository creation is limited to specific members Failed
1.2.3 Ensure repository deletion is limited to specific members Passed
1.2.4 Ensure issue deletion is limited to specific members Passed
1.3.1 Ensure inactive users are reviewed and removed periodically Failed 22 inactive users
1.3.3 Ensure minimum admins are set for the organization Passed
1.3.5 Ensure the organization is requiring members to use MFA Passed
1.3.7 Ensure 2 admins are set for each repository Failed
1.3.8 Ensure strict base permissions are set for repositories Passed
1.3.9 Ensure an organization's identity is confirmed with a Verified badge Failed
2.3.1 Ensure all build steps are defined as code Failed No build job was found in pipelines
2.3.5 Ensure access to the build process's triggering is minimized Passed
2.3.7 Ensure pipelines are automatically scanned for vulnerabilities Passed
2.3.8 Ensure scanners are in place to identify and prevent sensitive data in pipeline files Failed Repository is not scanned for secrets
2.4.2 Ensure all external dependencies used in the build process are locked Failed 16 task(s) are not pinned
2.4.6 Ensure pipeline steps produce an SBOM Passed
3.1.7 Ensure dependencies are pinned to a specific, verified version Failed 16 dependenc(ies) are not pinned
3.2.2 Ensure packages are automatically scanned for known vulnerabilities Passed
3.2.3 Ensure packages are automatically scanned for license implications Passed
4.2.3 Ensure user's access to the package registry utilizes MFA Passed
4.2.5 Ensure anonymous access to artifacts is revoked Passed
4.3.4 Ensure webhooks of the package registry are secured Passed
-------- ----------------------------------------------------------------------------------------------- -------- ---------------------------------------
Total Passed Rules: 19 out of 36
2022-06-13 15:22:31 INF Scan completed: 13.108s
```
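Review bot: the Requirements line asks for `admin:org_hook`, a write scope, for what is a read-only audit; if it is needed only because classic PATs offer no read-only organization-webhook scope, say so explicitly, and tell users that a token with `repo` (all) plus `admin:org_hook` can modify code and org webhooks, so it should be a dedicated token, short-lived, and revoked after the scan. The "Supported Providers" sentence says GitHub is "the first SCM, with PAT authentication", which reads as if others exist; "GitHub is currently the only supported SCM, authenticated with a personal access token" is clearer.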
Binary file added docs/imgs/logo.png
29 changes: 29 additions & 0 deletions docs/index.md
@@ -0,0 +1,29 @@
---
hide:
- navigation
- toc
---

<!-- ![logo](imgs/logo.png){ align=left } -->

Chain-bench is an open-source tool for auditing your software supply chain stack for security compliance based on a new CIS Software Supply Chain benchmark.
The auditing focuses on the entire SDLC process, where it can reveal risks from code time into deploy time. To win the race against hackers and protect your sensitive data and customer trust, you need to ensure your code is compliant with your organization’s policies.

<div style="text-align: center; margin-top: 150px">
<h1 id="demo">Demo</h1>
</div>

<figure style="text-aligh: center">
<img src="imgs/demo.gif" width="1000">
<figcaption>Demo: Vulnerability Detection</figcaption>
</figure>

---

Chain-bench is an [Aqua Security][aquasec] open source project.
Learn about our open source work and portfolio [here][oss].
Contact us about any matter by opening a GitHub Discussion [here][discussions]

[aquasec]: https://aquasec.com
[oss]: https://www.aquasec.com/products/open-source-projects/
[discussions]: https://github.com/aquasecurity/chain-bench/discussions
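Review bot: the figure's `style="text-aligh: center"` has a typo (`text-align`), so the centering is silently ignored. The same figure references `imgs/demo.gif`, which this commit does not add (only `docs/imgs/logo.png` is added), and its caption "Demo: Vulnerability Detection" does not describe chain-bench, which runs benchmark compliance checks rather than vulnerability scanning; both look carried over from another project's docs. The last sentence is missing its full stop after `[discussions]`.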
10 changes: 10 additions & 0 deletions makefile
@@ -1,6 +1,9 @@
VERSION := $(shell git describe --tags --always)
LDFLAGS=-ldflags "-s -w -X=main.version=$(VERSION)"

MKDOCS_IMAGE := aquasec/mkdocs-material:dev
MKDOCS_PORT := 8000

# If the first argument is "run"...
ifeq (run,$(firstword $(MAKECMDGOALS)))
# use the rest as arguments for "run"
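Review bot: `MKDOCS_IMAGE := aquasec/mkdocs-material:dev` names the locally built image as if it were published under the aquasec Docker Hub namespace; `mkdocs-serve` always builds before it runs so the target itself is safe, but anyone who runs `docker run aquasec/mkdocs-material:dev` without building first pulls whatever exists under that name on the registry. A clearly local-only name such as `chain-bench-mkdocs:local` removes the ambiguity.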
Expand All @@ -24,3 +27,10 @@ test:
.PHONY: test-coverage
test-coverage:
go test -coverprofile=coverage.out -covermode=atomic -v ./...

# Run MkDocs development server to preview the documentation page
.PHONY: mkdocs-serve
mkdocs-serve:
docker build -t $(MKDOCS_IMAGE) -f docs/build/Dockerfile docs/build
docker run --name mkdocs-serve --rm -v $(PWD):/docs -p $(MKDOCS_PORT):8000 $(MKDOCS_IMAGE)

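Review bot: `-p $(MKDOCS_PORT):8000` binds on all interfaces, so the development server, with the whole repository bind-mounted into the container, is reachable from the local network; since CONTRIBUTING.md tells contributors to open `http://localhost:8000`, bind it to loopback with `-p 127.0.0.1:$(MKDOCS_PORT):8000`. Also prefer make's own `$(CURDIR)` over `$(PWD)`, which depends on the environment variable being exported. There is a trailing blank line at the end of the file.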
48 changes: 48 additions & 0 deletions mkdocs.yml
@@ -0,0 +1,48 @@
site_name: Chain-bench
site_url: https://aquasecurity.github.io/chain-bench/
site_description: An open-source tool for auditing your software supply chain stack for security compliance based on a new CIS Software Supply Chain benchmarks
docs_dir: docs/
repo_name: GitHub
repo_url: https://github.com/aquasecurity/chain-bench
edit_uri: ""

nav:
- HOME: index.md
- Getting started:
- Quick Start: getting-started/quickstart.md
- Installation: getting-started/installation.md
theme:
name: material
language: "en"
# TODO: replace with svg
logo: imgs/logo.png
features:
- navigation.tabs
- navigation.tabs.sticky
- navigation.sections

markdown_extensions:
- pymdownx.highlight
- pymdownx.superfences
- admonition
- footnotes
- attr_list
- pymdownx.tabbed
- def_list
- pymdownx.details
- pymdownx.emoji:
emoji_index: !!python/name:materialx.emoji.twemoji
emoji_generator: !!python/name:materialx.emoji.to_svg

extra:
generator: false
version:
method: mike
provider: mike
var:
prev_git_tag: "v0.0.0"
operator_version: "v0.0.7"

plugins:
- search
- macros

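Review bot: `extra.var.operator_version: "v0.0.7"` and `prev_git_tag: "v0.0.0"` have no meaning for chain-bench and nothing in the added docs references them, so they look copied from another project's mkdocs.yml; drop them or replace them with values the macros plugin actually substitutes. Under `extra.version`, mkdocs-material reads `provider: mike`; the extra `method: mike` key is unused. `site_description` says "benchmarks" while README.md and index.md say "benchmark"; keep them consistent.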