The purpose of this tool is to help you scan your Atlassian Connect app for compliance with the Atlassian Connect Security Requirements and for potential security misconfigurations.
This utility can be run as a Python script or built as a Docker container.
If you are unsure what option makes the most sense for you, follow the Docker setup instructions.
CSRT uses Python 3.9 and Pipenv. Both are required to successfully run the tool.
Common usage:
pipenv run python3 main.py https://example.com/atlassian-connect.json
CSRT with all arguments:
pipenv run python main.py url-to-atlassian-connect-json --debug=True/False --out_dir=./out --skip_branding=True/False --timeout=30 --json_logging=True/False
Ensure you have Docker set up for your operating system.
Run the following from the project root:
docker build -t connect-security-req-tester .
docker run -v $(pwd)/out:/app/out connect-security-req-tester <url of descriptor>
Argument | Description
---|---
`--timeout` | How long CSRT waits on web requests before timing out. Default: 30 seconds
`--skip_branding` | Whether or not to skip branding checks. Default: False
`--out_dir` | The output directory where results are stored. Default: ./out
`--json_logging` | Whether or not to log output in JSON format. Default: False
`--debug` | Sets logging to DEBUG for more verbose logging. Default: False
Variable | Description
---|---
`OUTBOUND_PROXY` | If defined, route all requests through this proxy server (e.g. `OUTBOUND_PROXY=http://proxy.example.com:8080`)
This tool assumes your Connect app is reachable from the machine running it. If your Connect app is not reachable, the tool will fail to produce any meaningful results. The following internet addresses must be accessible for this tool to work:
- Your connect app's descriptor URL
- All URLs referenced inside your connect app descriptor
This tool makes network requests from your computer. If you run it from a monitored network, make sure your organization allows this.
Tip: if your app must be accessed via a proxy server, set OUTBOUND_PROXY to your organization's proxy server.
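The reachability requirement above (descriptor URL plus every URL the descriptor references) can be checked before a scan. The following pre-flight script is an added example, not part of CSRT: `SAMPLE_DESCRIPTOR` is a constructed descriptor, and `resolve`, `collect_urls` and `probe` are hypothetical helpers that resolve module and lifecycle URLs against `baseUrl` the way Connect does and then HEAD each one.

```python
from urllib.error import HTTPError, URLError
from urllib.request import Request, urlopen

SAMPLE_DESCRIPTOR = {  # constructed sample, not a real app; layout follows the Connect schema
    "baseUrl": "https://example.com/app",
    "lifecycle": {"installed": "/installed", "uninstalled": "/uninstalled"},
    "modules": {
        "generalPages": [{"key": "home", "url": "/page?project={project.key}"}],
        "webhooks": [{"event": "jira:issue_created", "url": "https://hooks.example.com/issue"}],
    },
}


def resolve(base: str, value: str) -> str:
    """Connect appends relative URLs to baseUrl; query strings hold unexpanded {context} variables."""
    value = value.split("?", 1)[0]
    if value.startswith(("http://", "https://")):
        return value
    return base.rstrip("/") + "/" + value.lstrip("/")


def collect_urls(descriptor: dict) -> set[str]:
    """Every endpoint a scan will contact: lifecycle hooks plus each `url` field under modules."""
    base = descriptor["baseUrl"]
    found = {resolve(base, p) for p in descriptor.get("lifecycle", {}).values()}
    stack = [descriptor.get("modules", {})]
    while stack:  # iterative walk over the nested dicts/lists of the modules section
        node = stack.pop()
        if isinstance(node, dict):
            if isinstance(node.get("url"), str):
                found.add(resolve(base, node["url"]))
            stack.extend(node.values())
        elif isinstance(node, list):
            stack.extend(node)
    return found


def probe(url: str, timeout: int = 30) -> tuple[bool, str]:
    """HEAD the URL; any HTTP status (even 4xx) proves the host is reachable, a transport error does not."""
    try:
        with urlopen(Request(url, method="HEAD"), timeout=timeout) as resp:
            return True, f"HTTP {resp.status}"
    except HTTPError as exc:
        return True, f"HTTP {exc.code}"
    except (URLError, OSError) as exc:
        return False, str(getattr(exc, "reason", exc))
```

To use it against a live app, load the descriptor with `json.load(urlopen(descriptor_url))` and run `probe` over `collect_urls(descriptor)`; urllib honours the standard `HTTPS_PROXY` variable, so export it with the same value as `OUTBOUND_PROXY` when a proxy is required.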
Additional information about the Atlassian Connect Security Requirements can be found at: https://developer.atlassian.com/platform/marketplace/security-requirements-more-info/
To run the entire test suite:
pipenv run lint
-- Runs flake8 with the project settings
pipenv run test
-- Runs pytest with the project settings
Found a bug or have an idea for an improvement? Create an issue via the issue tracker.