src.agwa.name/deepscan is a Go library that recursively descends into archives and repositories,
executing a given function for every file that it finds. It's extensible, allowing you to add support
for your own URL schemes and archive formats.
By default, the library does not support any archive or repository formats. To include support for a particular format, you must import the appropriate package, typically as a blank import. For example, to include support for common archive formats:
import _ "src.agwa.name/deepscan/archives"

govulncheck-deep is a command line program that runs govulncheck on every Go binary it can find at a specified URL, descending into archives as needed. There are other programs that do deep vulnerability scanning, but they don't use govulncheck, so they return many false positives.
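The two ideas above, recursive descent with a per-file callback and archive formats that only exist once something registers them, can be shown with the Go standard library alone. The following is an added example written for this page; it is not deepscan's code and its API (Scan, Register, VisitFunc, Handler, the maxEntryBytes limit) is invented for illustration. In the real library a format package would register itself from its own init() when blank-imported; here a single init() in the same file stands in for that. The sample input is constructed in memory: an outer .tgz that holds a README and an inner .tar containing bin/app.

```go
package main

import (
	"archive/tar"
	"bytes"
	"compress/gzip"
	"fmt"
	"io"
	"path"
	"strings"
)

// VisitFunc receives every file that is not itself an archive; name is the "/"-joined
// path through the enclosing archives, e.g. "outer.tgz/inner.tar/bin/app".
type VisitFunc func(name string, data []byte) error

// Handler walks one archive format and recurses (via Scan) into each member.
type Handler func(name string, data []byte, fn VisitFunc) error

// handlers is keyed by file-name suffix; until a format is registered, Scan
// treats every input as a plain file, as the README says the library does.
var handlers = map[string]Handler{}

// Register adds a format. In the real library an imported format package would
// call this from its init(); the single init() below stands in for that here.
func Register(suffix string, h Handler) { handlers[suffix] = h }

// maxEntryBytes caps one buffered member so an oversized or decompression-bomb
// entry cannot exhaust memory (constructed limit, not taken from the library).
const maxEntryBytes = 64 << 20

// Scan dispatches on suffix to a registered handler, or hands the file to fn.
func Scan(name string, data []byte, fn VisitFunc) error {
	for suffix, h := range handlers {
		if strings.HasSuffix(name, suffix) {
			return h(name, data, fn)
		}
	}
	return fn(name, data)
}

func init() {
	Register(".tar", func(name string, data []byte, fn VisitFunc) error {
		return scanTar(name, bytes.NewReader(data), fn)
	})
	gzTar := func(name string, data []byte, fn VisitFunc) error {
		gz, err := gzip.NewReader(bytes.NewReader(data))
		if err != nil {
			return fmt.Errorf("%s: %w", name, err)
		}
		defer gz.Close()
		return scanTar(name, gz, fn)
	}
	Register(".tgz", gzTar)
	Register(".tar.gz", gzTar)
}

// scanTar visits each regular member, buffers it (bounded) and recurses via Scan.
func scanTar(name string, r io.Reader, fn VisitFunc) error {
	tr := tar.NewReader(r)
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return nil
		}
		if err != nil {
			return fmt.Errorf("%s: %w", name, err)
		}
		if hdr.Typeflag != tar.TypeReg {
			continue // directories, symlinks and device nodes carry no data to scan
		}
		b, err := io.ReadAll(io.LimitReader(tr, maxEntryBytes+1))
		if err != nil || len(b) > maxEntryBytes {
			return fmt.Errorf("%s/%s: unreadable or larger than %d bytes", name, hdr.Name, maxEntryBytes)
		}
		if err := Scan(path.Join(name, hdr.Name), b, fn); err != nil {
			return err
		}
	}
}

// buildSample constructs, in memory, an outer .tgz holding a README and an inner
// .tar that contains bin/app. It is stand-in input, not a real artifact.
func buildSample() []byte {
	var inner, outer bytes.Buffer
	tw := tar.NewWriter(&inner)
	addFile(tw, "bin/app", []byte("stand-in for a Go binary"))
	tw.Close()
	gz := gzip.NewWriter(&outer)
	tw = tar.NewWriter(gz)
	addFile(tw, "README", []byte("docs"))
	addFile(tw, "inner.tar", inner.Bytes())
	tw.Close()
	gz.Close()
	return outer.Bytes()
}

func addFile(tw *tar.Writer, name string, body []byte) {
	tw.WriteHeader(&tar.Header{Name: name, Mode: 0o644, Size: int64(len(body)), Typeflag: tar.TypeReg})
	tw.Write(body)
}
```

Calling Scan("outer.tgz", buildSample(), fn) invokes fn twice, with "outer.tgz/README" and "outer.tgz/inner.tar/bin/app"; a name with no registered suffix goes straight to fn. The per-entry size cap matters for a scanner pointed at untrusted buckets: without it, a single crafted member can make the process buffer far more than it can hold.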
For example, if you have an S3 bucket of tarballs containing Go binaries, you can run the following command to check them for vulnerabilities:
govulncheck-deep s3://mybucket
The argument must be a URL with one of the supported schemes listed below.
If govulncheck finds a vulnerability, the path to the binary is written to stdout followed by the output of govulncheck. If no vulnerabilities are found, nothing is written to stdout.
To install govulncheck-deep, run:
go install src.agwa.name/deepscan/cmd/govulncheck-deep@latest
By default, govulncheck-deep includes support for all archive formats and URL schemes. To omit support for a particular format, use one of the following build tags:
  omit_aws -- exclude AWS support (S3 and Lambda)
  omit_debian -- exclude Debian support (.deb files and APT repos)
  omit_all -- exclude all of the above
If you use omit_all, you can add back support with one of the following build tags:
  include_aws
  include_debian
For example:
go install -tags omit_aws src.agwa.name/deepscan/cmd/govulncheck-deep@latest
go install -tags omit_all,include_debian src.agwa.name/deepscan/cmd/govulncheck-deep@latest
Using these build tags, you can minimize the binary size and third-party dependencies.
Supported archive formats:
  .deb
  .tar
  .tar.bz2
  .tar.gz
  .tgz
  .zip
Supported URL schemes:
  apt+http://, apt+https:// -- followed by a hostname and path to an APT repository; see the documentation for more information
  file:// -- followed by a path to a file or directory
  lambda:// -- to deep scan all AWS Lambda functions
  s3:// -- followed by the name of an S3 bucket