Skip to content

Sheriff is a tool to scan repositories and generate security reports.

License

Notifications You must be signed in to change notification settings

elementsinteractive/sheriff

Repository files navigation

sheriff-logo

Sheriff

Sheriff is a tool to scan repositories and generate security reports.

Quick Usage

sheriff patrol --target gitlab://your-namespace-or-group --report-to-issue

How it works

Sheriff analyzes repositories in source code repository hosting services (such as GitLab) looking for vulnerabilities in the dependencies of the scanned repositories. Sheriff uses one or several third-party scanners to detect these vulnerabilities, and aggregates them into its reports. See a list of supported platforms and scanners in the section below.

Sheriff is best used for analyzing vulnerabilities in bulk, regularly scanning groups of repositories to provide an overview of which vulnerabilities affect them. For that, Sheriff provides different types of reports, and it can publish them to different platforms such as GitLab (see supported platforms section).

Issue in the affected repository

Sheriff will keep an open issue in each one of the analyzed repositories, providing a detailed report of which vulnerabilities have been found by its scanners.

issue-report

Report message

Sheriff will post a message to a messaging service with an overview of the analyzed repositories and the vulerabilities detected. This message is intended to provide a generic overview to those in charge of security to oversee the state of a given group of repositories.

msg-report

Specific repository message

Project teams can also be informed regularly by Sheriff (if they want to) by configuring a channel to which Sheriff should report its findings of a given repository. The message generated by Sheriff will be slightly different, and will contain only information relevant for the repository maintainers.

repo-report

Installation

Docker

The easiest way to run Sheriff is through docker:

docker pull elementsinteractive/sheriff
docker run elementsinteractive/sheriff --help

Manual installation

Note

If you install Sheriff manually, you will need to ensure that all the scanners used by it are available in your system

You can install Sheriff yourself by installing its dependencies, and then either downloading the binary from the GitHub Releases page or building Sheriff from source.

brew install osv-scanner
git clone [email protected]:elementsinteractive/sheriff.git
cd sheriff
go install .

Configuration

Sheriff can be configured in a few different ways:

CLI flags

The most complete way is through CLI flags. See sheriff patrol --help for the full list of available options.

Environment variables

For specific sensitive configuration keys such as API tokens, Sheriff can read them from environmental variables. Only the Tokens section of configuration parameters are supported for this (see sheriff patrol --help for the full list).

This is the case for GITLAB_TOKEN & SLACK_TOKEN for example.

Configuration file

Sheriff also supports configuration through a TOML config file. Only the Reporting and Scanning sections of configuration parameters are supported for this (see sheriff patrol --help for the full list).

In this case you may choose to create a config file such as the following:

targets = ["namespace/group", "namespace/group/cool-repo"]
[report.to]
slack-channel = "sheriff-report-test"
issue = true

And if you wish to specify a different file, you can do so with sheriff patrol --config your-config-file.toml.

Note

When using several types of configurations at once there is an order of preference: cli flags > env vars > config file

Configuration options

Miscellaneous

config
CLI options File config
--config -

Sets the path of your sheriff configuration file

verbose
CLI options File config
--verbose/-v -

Sets the log level to verbose

Scanning

targets
CLI options File config
(repeatable) --target targets

Sets the list of groups and projects to be scanned. The expected format of a target is platform://path/to/your/group-or-project

For example: --target gitlab://namespace/group --target github://organization/project

Reporting

report to issue
CLI options File config
--report-to-issue [report.to]
issue

Enables reporting to an issue on the project's platform

report to email (TODO #12)
CLI options File config
(repeatable) --report-to-email [report.to]
emails

Sets the list of email to which a full scan report should be sent

report to slack channels
CLI options File config
(repeatable) --report-to-slack-channels [report.to]
slack-channels
enable project report to
CLI options File config
--report-to-enable-project-report-to [report.to]
enable-project-report-to

Enable project-level configuration report-to to allow projects to control where their individual reports are sent

silent
CLI options File config
--report-silent [report]
silent

Disable printing the report in the bash output

Tokens

gitlab token
ENV VAR
$GITLAB_TOKEN

Sets the token to be used when fetching projects from gitlab

slack token
ENV VAR
$SLACK_TOKEN

Sets the token to be used when reporting the security report on slack

Supported platforms

Source code hosting services

Messaging services

Scanners

Usage in CI

Sheriff was designed so it could be run as part of a CI pipeline.

In Gitlab

To run sheriff on Gitlab, we suggest the following set-up:

  1. Create a repostory which will contain your CI runner, you can call it sheriff-runner for example
  2. Create a CI file in this repository which extends from our template
    include:
      - remote: 'https://raw.githubusercontent.com/elementsinteractive/sheriff/refs/tags/v0.23.2/gitlab/templates/sheriff.gitlab-ci.yml'
    
    sheriff:
      extends: .sheriff
  3. Go to Build -> Pipeline schedules -> New schedule a. Add a name & a preferred cron interval. We prefer a weekly scan such as 0 7 * * 1 (every Monday at 7am) b. Add a Variable Variable named SHERIFF_CLI_ARGS which extra CLI arguments you wish to add (see CLI configuration section) c. Add a File Variable named SHERIFF_CONFIG containing your sheriff configuration (see file configuration section)
  4. Go to Settings -> CI/CD -> Variables a. If scanning gitlab projects, add your gitlab token in GITLAB_TOKEN with Protected, Masked, Hidden b. If publishing reports to slack, add your slack token in SLACK_TOKEN with Protected, Masked
  5. Test your pipeline by going to Build -> Pipeline schedules & clicking the play button on your pipline
  6. Enjoy! Your pipeline should now run & scan your projects on a weekly basis 😀

We have a gitlab template set up for convenience, which runs sheriff with a set of configurable options.

Contributors ✨

Thanks goes to these wonderful people (emoji key):

Sacha Brouté
Sacha Brouté

💻 🎨 🤔 🚧
Sergio Castillo
Sergio Castillo

💻 🤔 🚧
Jakub Bożanowski
Jakub Bożanowski

🤔 🎨

This project follows the all-contributors specification. Contributions of any kind welcome!