Standardize Security Products commands
Problem to solve
SAST, Dependency Scanning and License Management wrapper projects provide an abstraction layer over the underlying scanners. We have also recently introduced DAST, and Container Scanning is on its way!
However, it looks like these tools don't share the same external API: the commands used to launch them differ, and so do the Docker entrypoints/CMDs.
SAST:
docker run \
--interactive --tty --rm \
--volume "$PWD":/code \
--volume /var/run/docker.sock:/var/run/docker.sock \
registry.gitlab.com/gitlab-org/security-products/sast:${VERSION:-latest} /app/bin/run /code
Dependency Scanning:
docker run \
--interactive --tty --rm \
--volume "$PWD":/code \
--volume /var/run/docker.sock:/var/run/docker.sock \
registry.gitlab.com/gitlab-org/security-products/dependency-scanning:${VERSION:-latest} /code
DAST:
docker run \
--interactive --tty --rm \
--volume "$PWD":/output \
-w /output \
registry.gitlab.com/gitlab-org/security-products/dast:${VERSION:-latest} /zap/run -t http://mysite.localhost
License Management:
docker run \
--volume "$PWD":/code \
--rm \
registry.gitlab.com/gitlab-org/security-products/license-management:latest analyze /code
This makes it harder to work with these projects without making mistakes, and it doesn't look well organized.
Proposal
Define a common usage convention and make all wrappers follow it, e.g. analyze [params]
This must be backward compatible, and the old usage should be deprecated.
NB: This should be done for both the binaries and the docker run commands of the containers.
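As an added illustration of the proposed convention (example code, not taken from any of the wrapper projects), a POSIX sh entrypoint helper that accepts the new analyze [params] form and rewrites the legacy invocations shown above onto it, keeping them working while printing a deprecation notice. The helper names, the placeholder analyzer path and the treatment of a bare directory argument as the legacy Dependency Scanning form are assumptions.

```shell
# Hypothetical helper (assumption: not code from any wrapper project).
deprecated() {
    echo "DEPRECATED: '$1' is still accepted but will be removed; use 'analyze [params]' instead" >&2
}

# Map every invocation the wrappers currently accept onto the canonical
# "analyze [params]" form and print that canonical command line on stdout.
# Legacy forms keep working but emit a deprecation notice on stderr.
# Returns 2 for an invocation that matches no known form.
normalize_command() {
    [ $# -ge 1 ] || { echo "usage: analyze [params]" >&2; return 2; }
    case "$1" in
        analyze)
            # New convention: pass the parameters through unchanged.
            shift
            ;;
        /app/bin/run)
            # Legacy SAST form: /app/bin/run /code
            shift
            deprecated "/app/bin/run <dir>"
            ;;
        /zap/run)
            # Legacy DAST form: /zap/run -t <url>
            shift
            deprecated "/zap/run <params>"
            ;;
        /*)
            # Legacy Dependency Scanning form: a single bare directory argument (assumption).
            [ $# -eq 1 ] || { echo "unknown invocation: $*" >&2; return 2; }
            deprecated "<dir>"
            ;;
        *)
            echo "unknown invocation: $*" >&2
            return 2
            ;;
    esac
    printf 'analyze'
    [ $# -eq 0 ] || printf ' %s' "$@"
    printf '\n'
}

# How an image ENTRYPOINT would use the helper; the analyzer path is a placeholder.
entrypoint() {
    canonical=$(normalize_command "$@") || exit $?
    set -- $canonical            # word-split back into "analyze" + params
    shift                        # drop the "analyze" verb
    exec /path/to/analyzer "$@"  # placeholder for the real analyzer binary
}
```

Once every image ships such an entrypoint, the same `docker run ... <image> analyze /code` line works for every product while the old forms only add a warning to the job log.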
What does success look like, and how can we measure that?
All Security Products tools share the same commands.