fafnir-sec is an open-source tool that automates running a set of security scanners to detect vulnerabilities across the software supply chain.
It reports findings from the different parts of that chain: source code, dependencies, containers, infrastructure as code, and so on.
Fafnir was a dwarf-like creature in Norse mythology, who transformed himself into a terrifying dragon to protect his treasure. More about his history
- Official documentation: https://syn-4ck.github.io/fafnir-sec/
Fafnir runs each security tool in a Docker container (the tool's official image or one built for Fafnir).
It pulls those images from Docker Hub and, given the built source code and/or the application's container image, runs the scanners and writes every finding into a single JSON report in a standard format, with the details of each vulnerability detected.
Fafnir also detects the technologies used in the project and runs only the scanners that support them, so it does not waste time on tools that cannot produce results for that code base, which keeps the scan short.
- Python 3.6 or later
- Docker installed
- Internet access to pull security tool images
TO DO
To check the options available in the CLI, you can run the following command:
fafnir --help
- SCAN_FULLPATH: full path to the pre-built source code to analyze
- --configuration: Fafnir configuration file with all the options
- --asynchronous: asynchronous mode, runs all security tools at the same time
- --output-type: report format: sarif or json
- --output-path: directory where the reports are stored
- --disable-apis: disable the API requests used to fetch external information
- --verbose: verbose mode
- Build/compile the project beforehand; Fafnir analyzes the built tree
- If you scan a Docker image, build it locally first so it is present in the local image store
- Read fafnir_config.yml in full and configure it
The fafnir-sec configuration file, passed with the --configuration flag, is written in YAML.
A complete example of this file is in this repository: download it, fill it in, and reuse it for your future scans.
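The report is only useful if something acts on it. The script below is an added example, not code from fafnir-sec: it reads a SARIF report such as the one written with `--output-type sarif` to `--output-path`, counts unsuppressed findings per level, and exits non-zero when findings at or above a chosen level remain, which is what a CI job wants. The embedded sample report is constructed for the example; its tool name, rule IDs, paths and messages are invented, and real reports will differ. Results that carry an accepted SARIF suppression are honoured, and a result without a `level` is treated as `warning`, the default the SARIF 2.1.0 specification gives it.

```python
"""Fail a CI job on a SARIF report.  Added example: not part of fafnir-sec."""
import json
import sys
from collections import Counter
from pathlib import Path

# SARIF 2.1.0 result levels, least to most severe.
LEVEL_RANK = {"none": 0, "note": 1, "warning": 2, "error": 3}

# Constructed sample report.  Its shape follows SARIF 2.1.0; the tool name,
# rule IDs, paths and messages are invented for this example.
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-scanner"}},
        "results": [
            {"ruleId": "EX-SAST-001", "level": "error",
             "message": {"text": "Untrusted input reaches exec()."},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/handlers.py"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "EX-SECRET-001", "level": "error",
             "message": {"text": "Hard-coded cloud credential."},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "config/settings.py"},
                 "region": {"startLine": 7}}}]},
            {"ruleId": "EX-IAC-001", "level": "warning",
             "message": {"text": "Container runs as root."},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "Dockerfile"},
                 "region": {"startLine": 1}}}],
             # A reviewed, accepted suppression: must not block the build.
             "suppressions": [{"kind": "external", "status": "accepted"}]},
            {"ruleId": "EX-CONTAINER-001",
             # No "level" and no location: SARIF says to treat it as "warning".
             "message": {"text": "Base image has known CVEs."}},
        ],
    }],
}


def is_suppressed(result):
    """True when the result carries a suppression whose status is absent
    (the spec default, accepted) or "accepted"; rejected/underReview don't count."""
    return any(s.get("status", "accepted") == "accepted"
               for s in result.get("suppressions", []))


def iter_results(sarif):
    """Flatten every run's results into plain dicts, filling SARIF defaults."""
    for run in sarif.get("runs", []):
        tool = run.get("tool", {}).get("driver", {}).get("name", "unknown")
        for res in run.get("results", []):
            locs = res.get("locations") or [{}]
            phys = locs[0].get("physicalLocation", {})
            yield {
                "tool": tool,
                "rule": res.get("ruleId", "<no-rule>"),
                # Per-rule defaultConfiguration.level is ignored here; the
                # spec-wide default when "level" is absent is "warning".
                "level": res.get("level", "warning"),
                "uri": phys.get("artifactLocation", {}).get("uri", "<unknown>"),
                "line": phys.get("region", {}).get("startLine"),
                "message": res.get("message", {}).get("text", ""),
                "suppressed": is_suppressed(res),
            }


def summarize(sarif):
    """Count unsuppressed findings per level, e.g. {"error": 2, "warning": 1}."""
    return dict(Counter(r["level"] for r in iter_results(sarif)
                        if not r["suppressed"]))


def gate(sarif, fail_on="error", ignore_rules=()):
    """Return the findings that should block the build: unsuppressed, at or
    above the fail_on level, and not in the ignore list."""
    threshold = LEVEL_RANK[fail_on]
    return [r for r in iter_results(sarif)
            if not r["suppressed"]
            and LEVEL_RANK.get(r["level"], 0) >= threshold
            and r["rule"] not in ignore_rules]


def main(argv):
    """Usage: python sarif_gate.py [report.sarif] [error|warning|note]
    Without arguments the constructed sample report is used."""
    path = argv[1] if len(argv) > 1 else None
    fail_on = argv[2] if len(argv) > 2 else "error"
    sarif = json.loads(Path(path).read_text()) if path else SAMPLE_SARIF
    print("findings by level:", summarize(sarif))
    blocking = gate(sarif, fail_on)
    for f in blocking:
        where = f["uri"] if f["line"] is None else f"{f['uri']}:{f['line']}"
        print(f"{f['level'].upper():8}{f['tool']} {f['rule']} {where}: {f['message']}")
    return 1 if blocking else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python sarif_gate.py reports/fafnir.sarif warning` to fail on warnings as well as errors; the exit status is what the CI step keys on. The `ignore_rules` parameter of `gate()` is for temporary, explicit allow-listing in the pipeline definition; long-lived exceptions belong in the report as SARIF suppressions so they are visible next to the finding.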
We keep adding open-source tools, growing the detection engine and improving the performance of the scan.
To see which languages and technologies are supported, review the integrated tools listed below.
Tool | Type | API key |
---|---|---|
Semgrep | SAST | Recommended |
Bandit | SAST | No |
FindSecBugs | SAST | No |
Gitleaks | Secrets Scanning | No |
osv-scanner | SCA | No |
Trivy | SCA | No |
Trivy | Container Security Scan | No |
Checkov | IaC Scan | Recommended |
Syft | SBOM generator | No |
Tool | Type | Status |
---|---|---|
DevSkim | SAST | Soon |
Insider | SAST | Soon |
bearer | SAST | Soon |
MobSF | SAST & DAST | Soon |
Dastardly | DAST | Soon |
Kics | IaC | Soon |
Brakeman | SAST | TO DO |
LunaSec | SAST | TO DO |
GoSec | SAST | TO DO |
Progpilot | SAST | TO DO |
dustilock | Dependency Confusion | TO DO |
Nuclei | DAST | TO DO |
grype | Container Analysis | TO DO |
clair | Container Analysis | TO DO |
chain-bench | Software Supply Chain Security | TO DO |
Trufflehog | Secrets Scanning | TO DO |
Language | Supported SAST | Supported SCA |
---|---|---|
Python | ✅ | ✅ |
Java | ✅ | ✅ |
JS & TS | ✅ | ✅ |
Go | ✅ | ✅ |
C / C++ / C# | ✅ | ✅ |
Kotlin | ✅ | ✅ |
PHP | ✅ | ✅ |
Ruby on Rails | ❌ | ❌ |
Lua | ❌ | ❌ |
Batch file | ❌ | ❌ |
PowerShell script | ❌ | ❌ |
Technology | Supported | Scope |
---|---|---|
Secrets | ✅ | All files |
IaC | ✅ | HCL files |
Containers | ✅ | Dockerfile / locally built images |
SBOM generator | ✅ | Python / Java / JS / Go / C / C++ / C# / Kotlin / PHP |
DAST | ❌ | URL |
If Fafnir cannot reach the Docker daemon, it aborts with:

docker.errors.DockerException: Error while fetching server API version: ('Connection aborted.', PermissionError(13, 'Permission denied'))

This means the account running Fafnir has no read/write access to the Docker socket. A common quick fix is to open the socket to every local user:

sudo chmod 666 /var/run/docker.sock

Understand what that grants before using it: anyone who can write to the Docker socket can start a privileged container with the host filesystem mounted, so it is root-equivalent access for every account on the machine, and the mode is reset whenever the daemon recreates the socket. A narrower fix is to add only the scanning account to the `docker` group (`sudo usermod -aG docker "$USER"`, then log out and back in); that is still root-equivalent, but only for that one account. Rootless Docker avoids the issue altogether.

On the first run Fafnir also has to pull every security tool image from Docker Hub, so expect an extra 2 to 5 minutes depending on your network connection; later runs reuse the cached images.