vaultsovereign/test
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
1583890199ba7bf5688e0f63e1e46cee63f93f61
test/VaultMesh_Catalog_v1/pages/page8-appsec-toolchain.md
Vault Sovereign 1583890199 Initial commit - combined iTerm2 scripts 
Contains:
- 1m-brag
- tem
- VaultMesh_Catalog_v1
- VAULTMESH-ETERNAL-PATTERN

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2025-12-28 03:58:39 +00:00

88 lines
3.4 KiB
Markdown
Raw Blame History

Page Title: AppSec Toolchain (Shield / CI Integration)
Summary: VaultMesh uses an integrated application security toolchain rooted on shield-vm and CI pipelines. It combines vulnerability scanning, secret detection, SBOM generation, and IaC analysis into a coherent flow, with findings eligible to be logged into the proof spine for high-risk assets.
Key Findings:
- Nuclei, Trivy, Semgrep, TruffleHog, Gitleaks, Checkov, Syft, and Grype cover distinct layers.
- shield-vm is the natural home for heavy security scans and OffSec tooling.
- CI pipelines can call out to shield-vm or run scanners directly in job containers.
- Secret detection runs in both pre-commit and CI stages for defense-in-depth.
- SBOM generation and vulnerability scanning support long-term supply chain tracking.
Components:
- Nuclei (web and service vuln scanning).
- Trivy (container/filesystem/SBOM vulnerability scanner).
- Semgrep (static code analysis).
- TruffleHog / Gitleaks (secret discovery).
- Checkov (IaC misconfiguration scanner).
- Syft (SBOM generator).
- Grype (vulnerability scanner against SBOMs).
Tool Capabilities:
| Tool | Target Types | Output |
|------------|----------------------------|-------------------------|
| nuclei | URLs, IPs, domains | Findings by severity |
| trivy | Images, dirs, repos, SBOMs | CVEs, secrets, configs |
| semgrep | Source code directories | Security findings |
| trufflehog | Git, S3, GCS, etc. | Verified secrets |
| gitleaks | Git repos, filesystems | Secret locations |
| checkov | Terraform, K8s, Helm, etc. | Misconfigurations |
| syft | Images, dirs, archives | CycloneDX/SPDX SBOM |
| grype | Images, dirs, SBOMs | Vulnerability list |
Example Scans:
Nuclei Web Scan:
```json
{
"targets": ["https://example.com"],
"severity": ["high", "critical"],
"tags": ["cve", "rce"]
}
```
Trivy Container Scan:
```json
{
"target": "vaultmesh-core:latest",
"scan_type": "image",
"scanners": ["vuln", "secret"],
"severity": ["HIGH", "CRITICAL"]
}
```
Secret Detection:
```json
{
"target": "/srv/git/vaultmesh",
"source_type": "git",
"only_verified": true
}
```
MCP Tools:
- offsec_appsec_nuclei_scan
- offsec_appsec_trivy_scan
- offsec_appsec_semgrep_scan
- offsec_appsec_trufflehog_scan
- offsec_appsec_gitleaks_scan
- offsec_appsec_checkov_scan
- offsec_appsec_syft_sbom
- offsec_appsec_grype_scan
Workflows:
1. SBOM Pipeline: Syft → produce CycloneDX JSON → Grype → vulnerability report.
2. Pre-merge Scans: CI job runs Semgrep, Trivy, Gitleaks on merge requests.
3. Periodic Deep Scans: shield-vm runs scheduled AppSec scans, logging high-severity findings.
4. Policy Integration: High-severity or critical findings feed into Lawchain/Lawchain-like policies.
Security Notes:
- Nuclei and Trivy should be rate-limited when targeting external assets.
- Secret detection in CI uses only_verified where possible to reduce noise.
- Baseline files can exclude accepted findings while still tracking new issues.
- AppSec findings for high-value systems may be recorded as receipts in the proof system.
Dependencies:
- offsec-mcp server with tools installed (on shield-vm or lab nodes).
- Network access for pulling scanner templates and vulnerability databases.
- CI integration (GitLab pipelines on gate-vm) to trigger scans automatically.
Reference in New Issue View Git Blame Copy Permalink