Serverless Vulnerability Scanner

Use AWS Lambda to regularly scan your repos for vulnerabilities

Environment Variables

To deploy this, you will need to provide the following environment variables:

• AWS_ACCESS_KEY_ID
• AWS_SECRET_ACCESS_KEY
• GITHUB_TOKEN
• RESULTS_S3_BUCKET_PREFIX

In addition, you will need to provide EITHER...

• GITHUB_ORG

... (to scan a GitHub organization) AND/OR...

• BITBUCKET_USERNAME
• BITBUCKET_APP_PASSWORD
• BITBUCKET_WORKSPACE

... (to scan a Bitbucket workspace).

If you also want to check the PHP versions used in the repos' Dockerfiles (such as for use of End-Of-Life versions of PHP), also provide...

• VERSIONS_CSV_URL

For details on what that CSV file needs to contain, see https://github.com/silinternational/vulnerability-scanner#checking-php-versions

Results S3 Bucket

A CSV file of the results of the scan will be uploaded to an Amazon S3 bucket named using this template:

`${RESULTS_S3_BUCKET_PREFIX}-${STAGE}`

For example, if you use RESULTS_S3_BUCKET_PREFIX=scan-results and deploy a production copy of this, the bucket will be named scan-results-prod.

AWS IAM Permissions for CI/CD (deployments, removals)

The /terraform directory contains Terraform configuration to create an AWS IAM user for Serverless deployment. If you prefer to create the user manually, the /templates/iam-role-for-ci-cd.json file contains a template for what your AWS IAM user's permission policy will probably need to be in order to successfully deploy (serverless deploy) or remove (serverless remove) this serverless application.

HOWEVER, you will need to replace every occurrence of {RESULTS_S3_BUCKET_PREFIX} in that JSON file with the actual value you used for that environment variable. After you do that replacement, you should be able to create an AWS IAM user, add a custom policy to that user (using that JSON you just assembled), and use that user's AWS key/secret as the values for the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY on your CI/CD platform.