Data Theorem On-Prem Scanner

Owned by Victor Wang
Last updated: Feb 08, 2024
9 min read

Data Theorem allows you to run our source code SAST analyzer directly in your environment and on your hardware. This gives you full control over the scanning infrastructure: the scanning machine could be your own on-prem hardware, or it could be a CI runner (for example, from Github, Bitbucket, Gitlab, or Azure DevOps).

Data Theorem’s on-prem scanner allows you to leverage Data Theorem’s SAST scanning without sending any source code off-site. The security scan results will still be uploaded to the Data Theorem portal. However, this approach comes with a couple of important limitations:

  • Data Theorem’s SAST analyzer won’t be able to post source code annotations directly in the Github / Bitbucket / Gitlab UI. Security scan results will only be consumable within the Data Theorem portal, or via our Security Scan Results API.

If you prefer not to be limited by the above, we recommend utilizing our dedicated Github / Bitbucket / Gitlab integrations, which are built around Data Theorem’s Cloud infrastructure and provide the most polished developer experience (see onboarding instructions at DevSecOps > SAST Code Analysis).

 

Requirements

  • The machine running the scanner must have docker installed

  • The machine running the scanner must have internet access

  • We can recommend a base of 8GB RAM / 4 CPUs to run the scans, but note that scan time is proportional to the code base size so the specs that fit your needs may vary based on the size of your codebase.

Step 1: Generate a SAST Security Results API Key

Navigate to Data Theorem’s API key provisioning portal https://www.securetheorem.com/devsecops/v2/results_api_access

Make sure the API key has the “SAST Scanning” feature permission

sast-api-key.png

 

Step 2: Run the Data Theorem SAST scanner

The Data Theorem Scanner docker image is available at us-central1-docker.pkg.dev/prod-scandal-us/datatheorem-sast/datatheorem-sast

Environment Variables Inputs

The Data Theorem SAST scanner needs the following inputs to run:

  • DT_SAST_API_KEY: Data Theorem API Key retrieved on step 1

  • DT_SAST_REPOSITORY_NAME: name of your resource to scan

    • example my_org_name/my_repo_name

  • DT_SAST_REPOSITORY_ID: the identifier for the repository on your platform (Github, Bitbucket, Gitlab…)

  • DT_SAST_REPOSITORY_HTML_URL: base web url to the resource

    • example https://github.com/my_org_name/my_repo_name

  • DT_SAST_REPOSITORY_DEFAULT_BRANCH_NAME: name of the default branch name of your repository

    • example main

[Diff scans] Often, it’s more useful to find out what security issues have been introduced in a given branch, rather than just scanning for all the issues in the codebase as a whole. This is accomplished by providing the scan with two git snapshots: one for the branch you’re going to merge the code into (i.e. the base state of the code), and another for the branch where you’ve introduced new code (i.e. your PR branch). To to this, use the following inputs

  • DT_SAST_SCAN_HEAD_REF: git ref of the head to scan

  • DT_SAST_SCAN_TARGET_REF: git ref of the target to scan

[Optional]

  • set DT_SAST_FAIL_MODE=true if set, the process will return a non-zero status when issues are found. This can be used to make Data Theorem SAST a blocking step of your workflow.

  • set DT_SAST_NO_FORWARD_MODE=true if you want to skip forwarding scan results/metadata to Data Theorem, note that this will mean that no scan results will be visible from the Data Theorem Portal

Local Scanning example

The Data Theorem on-prem scanner can run from your local machine.

From the root of the git repository you wish to scan, run the following command

docker run -it \ -e DT_SAST_API_KEY=$DT_SAST_API_KEY \ -e DT_SAST_REPOSITORY_NAME="<my_org>/<my_repo>" \ -e DT_SAST_NO_FORWARD_MODE=true \ --mount type=bind,source="$(pwd)"/,target=/target \ us-central1-docker.pkg.dev/prod-scandal-us/datatheorem-sast/datatheorem-sast \ data_theorem_sast_analyzer scan /target

Sample output:

Scanning completed in 15.65 seconds Scan results: 1 issues on commit=f719d004ef98254b46187c53ef1b3ed2f8643082 Total Issues: 1 Issues per types: - First Party Code: 1 - SCA: 1 Issues per severity: - High Severity: 1 - Medium Severity: 1 [ { "issue_title": "Unauthenticated Route Found for Flask API", "issue_description": "The security of this code is compromised due to the presence of unauthenticated access to specific routes within the Flask API. This vulnerability poses a significant risk as it can potentially expose sensitive data or allow unauthorized actions to be performed. To mitigate this risk, it is crucial to implement robust authentication mechanisms that ensure only authorized users can access the protected routes.\n\nBy allowing unauthenticated access, the code fails to validate the identity of users before granting them access to certain routes. This lack of authentication opens the door for malicious actors to exploit the system and gain unauthorized access to sensitive information or perform actions that they should not be able to.\n\nTo address this issue, it is recommended to implement a secure authentication process that verifies the identity of users before granting them access to protected routes. This can be achieved through various methods such as username/password authentication, token-based authentication, or integration with third-party authentication providers.\n\nAdditionally, it is important to consider implementing other security measures such as encryption of sensitive data, input validation to prevent injection attacks, and proper error handling to avoid leaking sensitive information.\n\nBy implementing these security measures, the code can ensure that only authenticated and authorized users can access the protected routes, significantly reducing the risk of unauthorized access or data breaches. It is essential to prioritize security in the development process to safeguard sensitive data and protect the integrity of the system.", "issue_type": "FIRST_PARTY_CODE", "severity": "HIGH", "detected_in_file_path": "sample_code/bad_python.py", "detected_on_line": 7, "issue_code_snippet": "@app.route(\"/\")\ndef index():\n cmd = request.args.get(\"cmd\", \"\")\n exec(cmd)\n return \"\"" }, { "issue_title": "jinja2 version 3.1.2 contains a known vulnerability (via PyPI dependency): Jinja vulnerable to HTML attribute injection when passing user input as keys to xmlattr filter", "issue_description": "Jinja vulnerable to HTML attribute injection when passing user input as keys to xmlattr filter", "issue_type": "SCA", "severity": "MEDIUM", "detected_in_file_path": "sample_code/requirements.txt", "detected_on_line": 1, "issue_code_snippet": "jinja2==3.1.2\n" } ] Visit https://www.securetheorem.com/api/v2/security/sast for more details

GitHub Actions example

Set the Data Theorem API Key as a secret variable

Go to your repository > Settings > Security > Secrets and variables > Actions> Secrets

Click on New Repository Secret and create a secret variable named DT_SAST_API_KEY with the value retrieved in Step 1

Scans on pushes

name: Data Theorem SAST # Controls when the workflow will run, adapt to your own needs on: # Triggers the workflow on push or pull request events but only for the "main" branch # Adapt triggers to your own needs push: branches: [ "main" ] # Allows you to run this workflow manually from the Actions tab workflow_dispatch: jobs: scan: runs-on: ubuntu-latest container: image: us-central1-docker.pkg.dev/prod-scandal-us/datatheorem-sast/datatheorem-sast:latest env: DT_SAST_API_KEY: ${{ secrets.DT_SAST_API_KEY }} DT_SAST_REPOSITORY_NAME: ${{ github.event.repository.full_name }} DT_SAST_REPOSITORY_PLATFORM: GITHUB DT_SAST_REPOSITORY_ID: ${{ github.event.repository.id }} DT_SAST_REPOSITORY_HTML_URL: ${{ github.event.repository.html_url }} DT_SAST_REPOSITORY_DEFAULT_BRANCH_NAME: ${{ github.event.repository.default_branch }} DT_SAST_OUTPUT_DIR: ./ steps: - uses: actions/checkout@v4 - name: Start Data Theorem SAST Scan run: data_theorem_sast_analyzer scan ./ - uses: actions/upload-artifact@v4 with: name: dt-sast-scan-result path: ./scan-results-sarif.json

Scans on pull requests

Bitbucket pipeline example

Set the Data Theorem API Key as a secret variable

Go to your repository > Repository Settings > Repository Variables

Add a variable named DT_SAST_API_KEY with the value retrieved in step 1 and make sure the Secured option is checked

Gitlab pipeline example

Set the Data Theorem API Key as a secret variable

Go to your project > Settings > CI/CD > Variables

Add a variable named DT_SAST_API_KEY with the value retrieved in step 1 and make sure the Masked option is checked

Note: the Gitlab pipeline must run the Data Theorem SAST step on an executor that supports the image feature.
See https://docs.gitlab.com/runner/executors/#compatibility-chart for more information on compatible executors