This document is also available in Portuguese.
Insider is the OSS CLI project from the Insider Application Security Team for the community.
Insider is focused on covering the OWASP Top 10, to make source code analysis to find vulnerabilities right in the source code, focused on a agile and easy to implement software inside your DevOps pipeline.
We currently support the following technologies: Java (Maven and Android), Kotlin (Android), Swift (iOS), .NET Full Framework, C#, and Javascript (Node.js).
There is a Github Action that permits you protect your repository with Insider, free, easy to integrate and frictionless. It is the most easy way to protect your code directly on your repository. Take a look - Insider-Action
We have precompiled binaries for Linux, Windows and macOS operational systems that you can find here.
But if you are (g)old school or just want to compile it yourself, you'll need at least Go version 1.13.3., and GNU Make >= 4.2.1;
After downloading / checking if your version is compatible, you just have to:
$ go get github.com/insidersec/insider
$ cd $GOPATH/src/github.com/insidersec/insider
$ make linux64 # We support: linux32, linux64, win32, win64, macosHave fun! 🚀
OBS.: Do not put the insider in the same folder that contains the files to be analyzed.
The target folder should contain all the source code that should be analyzed, we plan to release support for compiled binaries for iOS, and Android' APKs.
./insider --help
Insider is the CLI project from the Insider Application Security Team for the community
Usage:
-force
Overwrite the report file name. Insider does not overwrite the results directory by default - Optional
-no-banner
Skips the banner printing (Useful for CI/Docker environments) - Optional
-no-html
Skips the report generation in the HTML format - Optional
-no-json
Skips the report generation in the JSON format - Optional
-security int
Set the Security level, values between 0 and 100
-target string
Specify where to look for files to run the specific ruleset.
-target <folder>
-target <myprojectfolder>
-tech string
Specify which technology ruleset to load. (Valid values are: android, ios, csharp, javascript)
-tech javascript
-tech csharp
-v Set true for verbose output
Example of use :
insider -tech javascript -target <myprojectfolder>
insider -tech=android -target=<myandroidfolder>
insider -tech android -target <myfolder> -no-html
# Check the correct release for your environment
$ wget https://github.com/insidersec/insider/releases/download/2.0.0/insider-linux-amd64
$ chmod +x insider-linux-amd64
$ ./insider-linux-amd64 --tech javascript --target <projectfolder>- Your contributions and suggestions are heartily ♥ welcome. See here the contribution guidelines. Please, report bugs via issues page. See here the security policy for report security issues. (✿ ◕‿◕)
- This work is licensed under LGPL-3.0.