Cabueta is a DevSecOps security scan tool made for GitHub. It performs static analysis, dependency scanning, dynamic analysis, and secrets scanning, and it integrates with your project via GitHub Actions.
Cabueta was created to improve security at VTEX. It addresses the problem of insecure CI/CD pipelines by integrating security scanning directly into CI/CD. It provides clear and actionable output as Markdown, plus the JSON output of each tool.
- Secrets scanning with Gitleaks
- Dependency scanning with osv-scanner
- Static code analysis with Semgrep
- Dynamic application security testing with Nuclei
- Access to AWS resources using OpenID Connect. With identity federation it is possible to access AWS resources from the GitHub Actions runner. One possible application is for all repositories under an organization to send logs securely via POST to an AWS Lambda function; those POST requests are authenticated by GitHub and AWS.
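The control that makes the federation above safe is the trust policy on the AWS role: it must accept only tokens issued by GitHub for your organization, otherwise any GitHub repository could assume the role. The following trust policy is an added example, not Cabueta's own configuration; `<ACCOUNT_ID>` and `<YOUR_ORG>` are placeholders for your AWS account ID and GitHub organization name.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::<ACCOUNT_ID>:oidc-provider/token.actions.githubusercontent.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
        },
        "StringLike": {
          "token.actions.githubusercontent.com:sub": "repo:<YOUR_ORG>/*"
        }
      }
    }
  ]
}
```

The `sub` condition is what limits the role to repositories under the organization; narrow it further (for example to a single repository or branch) if only some workflows should be able to upload logs.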
To use cabueta as a workflow:

```yaml
name: cabueta
on:
  # Other options can be added here to make cabueta run on a per-PR and per-commit basis
  workflow_dispatch:
jobs:
  cabueta:
    # You can change the version here from @main to a tag such as @v1.0.1
    uses: gbrls/cabueta/.github/workflows/cabueta.yml@main
    with:
      # Turn this on if you want nuclei to test the target-url
      dast-check: false
      target-url: https://your-website-here.com
      # Configure and turn this on if you want to collect logs at your endpoint
      upload-logs: false
      aws-role: AWS_ROLE_HERE
      aws-region: AWS_REGION_HERE
      upload-url: https://endpoint-to-collect-logs-via-http-post.com
  print:
    runs-on: ubuntu-latest
    needs: cabueta
    steps:
      - name: Print output
        # Pass the report through an environment variable instead of expanding it inline,
        # so Markdown characters in the report are not interpreted by the shell
        env:
          REPORT: ${{ needs.cabueta.outputs.report }}
        run: echo "$REPORT"
```
This tool was the project of my Internship Program at VTEX.