static security analyzer for iRules

`irulescan` is a tool to scan iRules for unexpected or unsafe Tcl expressions that may have undesirable effects, such as double substitution. An unbraced `expr` (for example `expr 1 + $one`) has its arguments substituted once when the command line is parsed and a second time when `expr` evaluates the resulting string, so any `[command]` embedded in the value of `$one` is executed and any `$variable` reference in it is expanded. Brace-quoting the expression (`expr {1 + $one}`) avoids the second round of substitution.

`irulescan` would not exist without tclscan.

It is available as a docker/container image as well as a GitHub Action, irulescan-action.
The easiest way to scan your iRules is the irulescan container, which is available on Docker Hub as well as on ghcr.io.

The container recursively scans the files within its /scandir folder and returns the result in YAML format. Files with the (case-insensitive) extensions .tcl, .irul and .irule are considered; everything else is ignored.

Scanning a directory ($PWD/tests/basic):
```shell
docker run --rm -v "$PWD/tests/basic:/scandir" simonkowallik/irulescan
```

```yaml
---
/dangerous.tcl: |
  WARNING: Unquoted expr at `1` in `expr 1 + $one`
  WARNING: Unquoted expr at `+` in `expr 1 + $one`
  DANGEROUS: Dangerous unquoted expr at `$one` in `expr 1 + $one`
/ok.tcl: |
/warning.tcl: |
  WARNING: Unquoted expr at `1` in `expr 1 + 1`
  WARNING: Unquoted expr at `+` in `expr 1 + 1`
  WARNING: Unquoted expr at `1` in `expr 1 + 1`
```
Scanning a single file ($PWD/tests/tcl/catch.tcl), mounted at its own path below /scandir:

```shell
docker run --rm -v "$PWD/tests/tcl/catch.tcl:/scandir/catch.tcl" simonkowallik/irulescan
```

```yaml
---
/catch.tcl: |
  WARNING: Unquoted expr at `1` in `expr 1`
  WARNING: Unquoted expr at `2` in `expr 2`
```
Invoking `irulescan` directly (instead of the default scan of /scandir):

```shell
docker run --rm simonkowallik/irulescan irulescan
```
The container also ships with a simple shell script, `/scandir.sh`, which can be invoked directly with the directory to scan as its argument. This is especially useful in a CI system with custom mount points (e.g. /custom/path):

```shell
docker run --rm \
  -v "$PWD/tests/tcl/:/custom/path" \
  simonkowallik/irulescan /scandir.sh /custom/path
```
Note: when using `-t, --tty` with `docker run`, the allocated pseudo-terminal converts the output's newlines to CRLF ("Windows style") instead of LF ("unix style"). Omit `-t` when a script or CI step parses the YAML report, or strip the trailing CR before comparing output.
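Added here as an example, not code from the irulescan project: a POSIX shell gate for CI systems other than GitHub Actions. It parses a YAML report in the format shown above, fails the job on DANGEROUS findings (optionally on WARNING findings too), tolerates the CRLF line endings described in the note above, and distinguishes a docker failure from a clean scan. The function names are ours, and the assumption that the report format is exactly "/file: |" followed by indented "WARNING: ..." / "DANGEROUS: ..." lines is ours as well.

```shell
#!/bin/sh
# Added example, not part of irulescan: a CI gate over the container's YAML
# report. Assumptions not taken from the README: the function names below
# are ours, and the report format is exactly "/file: |" followed by indented
# "WARNING: ..." / "DANGEROUS: ..." lines.

# irulescan_count SEVERITY < report : print the number of findings of SEVERITY.
irulescan_count() {
    awk -v sev="$1" '
        { sub(/\r$/, "") }                       # tolerate CRLF from `docker run -t`
        $0 ~ ("^[ \t]*" sev ":") { n++ }
        END { print n + 0 }
    '
}

# irulescan_gate [DANGEROUS|WARNING] < report
# Lists every finding with its file on stderr and returns 1 when the report
# contains a finding at or above the given threshold (default DANGEROUS).
irulescan_gate() {
    threshold="${1:-DANGEROUS}"
    report="$(cat)"                              # read stdin once, scan it several times
    dangerous="$(printf '%s\n' "$report" | irulescan_count DANGEROUS)"
    warning="$(printf '%s\n' "$report" | irulescan_count WARNING)"
    printf '%s\n' "$report" | awk '
        { sub(/\r$/, "") }
        /^\/.*: \|$/ { file = $0; sub(/: \|$/, "", file); next }
        /^[ \t]*(WARNING|DANGEROUS):/ { sub(/^[ \t]+/, ""); print file ": " $0 }
    ' >&2
    echo "irulescan: $dangerous dangerous, $warning warning finding(s)" >&2
    [ "$dangerous" -eq 0 ] || return 1
    [ "$threshold" != WARNING ] || [ "$warning" -eq 0 ] || return 1
    return 0
}

# irulescan_ci DIR [DANGEROUS|WARNING] : scan DIR with the container (the same
# `docker run` as above, deliberately without -t) and gate on the report.
# Returns 2 if docker itself fails, so a broken runner is not mistaken for a
# clean scan.
irulescan_ci() {
    report="$(docker run --rm -v "$1:/scandir" simonkowallik/irulescan)" || return 2
    printf '%s\n' "$report" | irulescan_gate "${2:-DANGEROUS}"
}

# Constructed sample report mirroring the tests/basic run shown above, so the
# gate can be exercised without docker:
SAMPLE_REPORT='---
/dangerous.tcl: |
  WARNING: Unquoted expr at `1` in `expr 1 + $one`
  WARNING: Unquoted expr at `+` in `expr 1 + $one`
  DANGEROUS: Dangerous unquoted expr at `$one` in `expr 1 + $one`
/ok.tcl: |
/warning.tcl: |
  WARNING: Unquoted expr at `1` in `expr 1 + 1`
  WARNING: Unquoted expr at `+` in `expr 1 + 1`
  WARNING: Unquoted expr at `1` in `expr 1 + 1`'

if printf '%s\n' "$SAMPLE_REPORT" | irulescan_gate DANGEROUS; then
    echo "gate passed"
else
    echo "gate failed: dangerous findings present"   # this branch is taken for the sample
fi
```

In a pipeline, `irulescan_ci "$PWD/tests/basic"` would return 1 for the tree shown above because of dangerous.tcl, `irulescan_ci "$PWD/tests/basic" WARNING` would additionally fail on warning.tcl, and a runner without a working docker returns 2. The report is captured into a variable rather than piped straight from `docker run`, so the gate's exit status is never masked by the pipeline (plain `sh` has no `pipefail`).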
The irulescan container tag `:apiserver` ships with a simple Swagger / OpenAPI server. The requests below carry no authentication, so publish the port only where trusted clients can reach it, for example on the loopback interface only (`-p 127.0.0.1:80:80`).

Start the API server:

```shell
docker run -t --rm -p 80:80 simonkowallik/irulescan:apiserver
```

Scanning a single file:

```shell
curl -s http://localhost/scan/ --data-binary '@tests/basic/dangerous.tcl'
```

Scanning multiple files:

```shell
curl -s http://localhost/scanfiles/ -F 'file=@tests/basic/warning.tcl' -F 'file=@tests/basic/ok.tcl'
```
Demo of the Swagger UI (image omitted).
For safer authoring, the VS Code iRules Extension is highly recommended.