Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Bugsy README updates + new image #1

Open
wants to merge 6 commits into
base: main
Choose a base branch
from
Open

Bugsy README updates + new image #1

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
0260e7b
Update README.md
tomer-mobb Nov 8, 2023
b58f668
Merge pull request #2 from tomer-mobb/patch-1
tomer-mobb Nov 8, 2023
11f2c90
added new Bugsy image
tomer-mobb Nov 8, 2023
61ba5d2
Delete img/Bugsy2.png
tomer-mobb Nov 8, 2023
47b7dec
added new Bugsy image
tomer-mobb Nov 8, 2023
f8e8159
Update README.md
tomer-mobb Nov 8, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
59 changes: 49 additions & 10 deletions README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,43 +2,82 @@

Bugsy is a command-line interface (CLI) tool that provides automatic security vulnerability remediation for your code. It is the community edition version of [Mobb](https://www.mobb.ai), the first vendor-agnostic automated security vulnerability remediation tool. Bugsy is designed to help developers quickly identify and fix security vulnerabilities in their code.

<img width="1888" alt="Bugsy" src="./img/bugsy.png">
<img width="1888" alt="Bugsy" src="./img/bugsy2.png">

## What is [Mobb](https://www.mobb.ai)?

[Mobb](https://www.mobb.ai) is the first vendor-agnostic automatic security vulnerability remediation tool. It ingests SAST results from Checkmarx, CodeQL (GitHub Advanced Security), OpenText Fortify, and Snyk and produces code fixes for developers to review and commit to their code.

## What does Bugsy do?

Bugsy has two modes - Analyze (the user has a pre-generated SAST report from one of the supported SAST tools) and Scan (no SAST report needed).
Bugsy has two modes - Scan (no SAST report needed) & Analyze (the user needs to provide a pre-generated SAST report from one of the supported SAST tools).

Scan

- Uses Snyk CLI tool to run a SAST analysis on a given open-source GitHub repo
- Uses Checkmarx or Snyk CLI tools to run a SAST scan on a given open-source GitHub/GitLab repo
- Analyzes the vulnerability report to identify issues that can be remediated automatically
- Produces the code fixes and redirects the user to the fix report page on the Mobb platform

Analyze

- Analyzes the vulnerability report to identify issues that can be remediated automatically
- Analyzes the a Checkmarx/CodeQL/Fortify/Snyk vulnerability report to identify issues that can be remediated automatically
- Produces the code fixes and redirects the user to the fix report page on the Mobb platform

## Disclaimer

This is a community edition version that only analyzes public GitHub repositories. Analyzing private repositories is allowed for a limited amount of time.
Snyk CLI is used to produce a SAST vulnerability report.

- Only Java and Node.js projects are supported at the moment.
Bugsy does not detect any vulnerabilities in your code, it uses findings detected by the SAST tools mentioned above.

## Usage
You can simply run Bugsy from the command line, using npx:
```shell
npx mobbdev
```

This will show you Bugsy's usage help:
```shell
Bugsy - Trusted, Automatic Vulnerability Fixer 🕵️‍♂️

Usage:
mobbdev <command> [options]


Commands:
mobbdev scan Scan your code for vulnerabilities, get automated fixes right away.
mobbdev analyze Provide a vulnerability report and relevant code repository, get automated fixes right away.

Options:
-h, --help Show help [boolean]

You can use Bugsy from the command line. To evaluate and remediate a new open-source repository, you can run the following command:
Examples:
mobbdev scan -r https://github.com/WebGoat/WebGoat Scan an existing repository

Made with ❤️ by Mobb
```

To run a new SAST scan on a repo and get fixes, run the **Bugsy Scan** command. Example:
```shell
npx mobbdev scan --repo https://github.com/mobb-dev/simple-vulnerable-java-project
```

To get fixes for a pre-generated SAST report, run the **Bugsy Analyze** command. Example:
npx mobbdev analyze --scan-file sast_results.json --repo https://github.com/mobb-dev/simple-vulnerable-java-project

Bugsy will automatically generate a fix for each supported vulnerability identified in the results, and refer the developer to review and commit the fixes to their code.


To see all the options Bugsy allows, use the Scan or Analyze commands with the -h option:
```shell
npx mobbdev scan -r https://github.com/mobb-dev/simple-vulnerable-java-project
npx mobbdev scan -h
npx mobbdev analyze -h
```

Bugsy will automatically generate a fix for each supported vulnerability identified in the SAST results, present it to developers for review and commit to their code.
## Using Bugsy as part of a CI/CD pipeline
If you utilize SAST scans as part of the CI/CD pipeline, Bugsy can be easiy added and provide immediate fix for every issue detected.
Here is a simple example of a command line that will run Bugsy in your pipeline:
```shell
npx mobbdev analyze --ci --scan-file $SAST_RESULTS_FILENAME --repo $CI_PROJECT_URL --ref $CI_COMMIT_REF_NAME --api-key $MOBB_API_KEY
```

## Contribution

Expand Down
Binary file added img/bugsy2.png
View file
Open in desktop
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.