This repository holds a few example Python scripts that use Contrast's REST APIs.
- Python 3.10 (other versions may work but are untested)
- Ability to install Python libraries from
requirements.txt
You can run these scripts locally with a Python install, or, in a container with the provided Dockerfile
docker run -it --env-file=contrast.env -v $PWD/output:/usr/src/app/output ghcr.io/contrast-security-oss/example-teamserver-api-scripts:main python <script.py> <...args...>docker build . --tag contrast-scripts # Build the container
docker run -it --env-file=contrast.env -v $PWD/output:/usr/src/app/output contrast-scripts python <script.py> <...args...> # Run the containerUse of a virtual environment is encouraged
python3 -m venv venv # Create the virtual environment
. venv/bin/activate # Activate the virtual environment
pip3 install -r requirements.txt # Install dependencies
. contrast.env # Setup environment
python3 <script.py> <args> # Run scriptsEach script requires the following environment variables at minimum:
CONTRAST__API__URL- the URL to your Contast instance, e.g.:https://contrast_instance.your_domain.tld/ContrastCONTRAST__API__API_KEY- an API key with permission to access that instanceCONTRAST__API__AUTH_HEADER- authorization header for a user with permission to access that instance (base 64 ofusername:service_key)
There are also the following optional environment variables:
INSECURE_SKIP_CERT_VALIDATION- set totrueor1to skip TLS certificate validation on network requestsHTTP_PROXY- set to your proxy URL if a proxy is needed to reach Contrast
Create application access group contrast_create_group.py
Creates an application access group with the specified name, allowing applications to be onboarded to that group with the specified role. Does not manage users, as most will map users to groups automatically via SSO.
Requires additional options:
- Group name
- Role
- Organization ID
Full usage information:
usage: contrast_create_group.py [-h] -n GROUP_NAME -r
{NO_ACCESS,VIEW,EDIT,RULES_ADMIN,ADMIN} -o
ORG_ID
Create an application access group on Contrast.
options:
-h, --help show this help message and exit
-n GROUP_NAME, --group-name GROUP_NAME, --group-name GROUP_NAME
Name of the group you want to create.
-r {NO_ACCESS,VIEW,EDIT,RULES_ADMIN,ADMIN}, --role {NO_ACCESS,VIEW,EDIT,RULES_ADMIN,ADMIN}
Role to give users allocated to this group's applications.
-o ORG_ID, --org-id ORG_ID, --organization-id ORG_ID
ID of the organization to create this group in.
Create application contrast_create_application.py
Creates an application with the specified name and language.
Note, it is not required to create an application up-front, as the agents will do that when loaded into a new application, however, it may be beneficial to create custom named applications, e.g. when merging. See Knowledge Base.
Requires additional options:
- Application name
- Language of application
- Organization ID
Full usage information:
usage: contrast_create_application.py [-h] -n APP_NAME -l {DOTNET,DOTNET_CORE,GO,JAVA,NODE,PHP,PYTHON,RUBY} -o ORG_ID [-c CODE] [-g [GROUPS ...]] [-m METADATA] [-t [TAGS ...]]
Create an application on Contrast.
options:
-h, --help show this help message and exit
-n APP_NAME, --app-name APP_NAME, --application-name APP_NAME
Name of the application you want to create.
-l {DOTNET,DOTNET_CORE,GO,JAVA,NODE,PHP,PYTHON,RUBY}, -language {DOTNET,DOTNET_CORE,GO,JAVA,NODE,PHP,PYTHON,RUBY}
Agent language for the application you want to create.
-o ORG_ID, --org-id ORG_ID, --organization-id ORG_ID
ID of the organization to create this application in.
-c CODE, --code CODE, --app-code CODE, --application-code CODE
Optional 'application code' / 'short name' for this application.
-g [GROUPS ...], --groups [GROUPS ...]
Optional list of application access groups to add this application to. Group(s) must exist prior to the application for this to work.
-m METADATA, --metadata METADATA
Optional key/value pairs of application metadata / custom fields to set on this application.
-t [TAGS ...], --tags [TAGS ...]
Optional list of tags to add to this application.
List applications to CSV contrast_applications_to_csv.py
Given a superadmin set of credentials, this script will loop through all organizations accessible on the TeamServer, listing applications and outputting a CSV file with the following information:
| application_name | application_id | application_code | parent_application_id | archived | metadata_appname | metadata_parentictoid | metadata_appictoid | license | score | organization_id | organization_name | language | created | last_seen | tags | total_modules | routes_discovered | routes_exercised |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| WebGoat | 46da4e47-d8f9-404d-abe7-29a2baf22a80 | False | webgoat | 12345 | 54321 | Licensed | F | 2139f92a-c115-4e05-8b49-c1f52df33a5d | Demo | Java | 2022-03-02T16:08:00 | 2022-03-02T16:08:00 | webgoat,demo,lab,intentionally-vulnerable | 1 | 79 | 46 |
List vulnerabilities (traces) to CSV contrast_traces_to_csv.py
Given a superadmin set of credentials, this script will loop through all organizations accessible on the TeamServer, listing vulnerabilities and outputtting a CSV file with the following information:
| application_name | application_id | organization_id | organization_name | vuln_uuid | title | type | severity | confidence | impact | status | first_time_seen | last_time_seen | closed_time |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| WebGoat | 46da4e47-d8f9-404d-abe7-29a2baf22a80 | 2139f92a-c115-4e05-8b49-c1f52df33a5d | Demo | K3PU-B3SN-RY4O-OOK0 | SQL Injection from "account_name" Parameter on "/WebGoat/attack" page | SQL Injection | Critical | High | High | Reported | 2022-02-18T11:21:00 | 2022-03-02T10:58:00 |
Set status of a vulnerability contrast_mark_vulnerabilities.py
Requires additional options:
- Vulnerability (trace) ID(s)
- Status
- Organization ID
Full usage information:
usage: contrast_mark_vulnerabilities.py [-h] -t [TRACE_ID ...] -s
{Reported,Suspicious,Confirmed,NotAProblem,Remediated,Fixed}
[-b {FP,EC,SC,OT,URL}] -o ORG_ID
[-m MESSAGE]
Set the status of Contrast vulnerabilities with an optional comment.
options:
-h, --help show this help message and exit
-t [TRACE_ID ...], --trace-id [TRACE_ID ...]
ID(s) of the trace(s) you want to update.
-s {Reported,Suspicious,Confirmed,NotAProblem,Remediated,Fixed}, --status {Reported,Suspicious,Confirmed,NotAProblem,Remediated,Fixed}
Status to mark these vulnerabilities.
-b {FP,EC,SC,OT,URL}, --sub-status {FP,EC,SC,OT,URL}
Substatus to mark these vulnerabilities when using
NotAProblem. Allowed values: {'FP': 'False Positive',
'EC': 'Attack is defended by an external control',
'SC': 'Goes through an internal security control',
'OT': 'Other', 'URL': 'URL is only accessible by
trusted power users'}
-o ORG_ID, --org-id ORG_ID, --organization-id ORG_ID
ID of the organization with the trace(s).
-m MESSAGE, --message MESSAGE, --explanation MESSAGE
Optional comment to add to these vulnerabilities with
the status change.
Grant or revoke SuperAdmin role contrast_manage_superadmins.py
Grant or revoke the SuperAdmin role from an existing user. SuperAdmin credentials must be used for this to succeed.
Full usage information:
usage: contrast_manage_superadmins.py [-h] action account
Grant or revoke superadmin from a user in Contrast.
positional arguments:
action Action to take - grant|revoke superadmin.
account ID of Account to act on - email address/username.
options:
-h, --help show this help message and exit
Various tools enforce code standards, and are run as a pre-commit hook. This must be setup before committing changes with the following commands:
python3 -m venv venv # setup a virtual environment
. venv/bin/activate # activate the virtual environment
pip3 install -r requirements-dev.txt # install development dependencies (will also include app dependencies)
pre-commit install # setup the pre-commit hook which handles formatting