Shifting Security Left with the Cycode CLI

Tony Loehr
Developer Advocate

Security doesn’t begin with developers, but they are often affected by security. In my career as a developer, I would say I spent roughly a week per quarter performing tasks to fulfill security needs, whether that meant patch updates, vulnerability remediation, or other DevOps requirements for the sake of policy compliance. As developers are a necessary part of many security fixes, they also benefit from tools supporting security initiatives. Tools that help prevent security issues can also help save developer time because it almost always becomes more expensive and time-consuming to remediate security problems in later phases of development. The Cycode CLI is one of these time-saving tools because it helps prevent hardcoded secrets, misconfigurations, and other vulnerabilities from entering the SCM at all. 

What Is the Cycode CLI?

The Cycode Command Line Interface (CLI) is an application you can install on your local machine to scan your locally stored repositories for any secrets or infrastructure as code misconfigurations. This application may be run on files, commits, and repositories while they are under active development, providing security and productivity benefits to developers. 

What Problem Does the CLI Solve?

The Cycode CLI allows developers to check their code for potential vulnerabilities before pushing their code to a remote server or on-premises environment. Having a command line interface enables security ownership by developers by fitting directly within developer workflows

For example, let’s say a developer has cloned a repository from GitHub and has made local changes. To confirm that desired changes do not introduce security risks (such as hardcoded secrets), this developer may use the Cycode CLI to scan for issues before committing them. This scan doesn’t require developers to leave the development workflow. Security scans may be further streamlined with Cycode’s pre-commit hook, which automatically runs security scans on any files developers attempt to commit. 

Improved visibility of potential security concerns helps prevent security defects requiring remediating action later; because of this earlier oversight, plus the tendency of security to become more expensive later in the SDLC, the Cycode CLI can actually help give developers back time and save overall costs for an organization.

Cycode CLI Features

As a tool to help empower developers, the Cycode CLI offers features that help identify security vulnerabilities at the earliest possible stages of application development.

 

Commands

The Cycode CLI provides a means of running scans, managing results, and authorizing scans with the Cycode platform. These commands are run with the format:

cycode <command> <option>
Command Description
auth Opens the Cycode login page to allow developers to associate CLI with their Cycode account.
configure A manual command to authenticate the Cycode CLI client within the command line using client ID and client secret.
ignore Ignore a specific value, path or rule ID
scan Scan content for secrets/IaC violations, You need to specify which scan type: ci/commit_history/path/repository/etc
–version Show the version and exit

These commands help assist with debugging, providing status checks, and extending CLI functionality. To show detailed logs from any Cycode command, append -v or –verbose before any command. To show options for a given command, append –help after the command.

Scans

The Cycode CLI supports a variety of different scan types. To run a scan, enter:

cycode scan <scan-type-command>
Command Description
repository Scan git repository including its history
path Scan the files in the path supplied in the command
commit_history Scan all the commits history in this git repository
pre_commit Use this command to scan the content that was not committed yet

Local Repository Scans

A repository scan examines an entire local repository for any exposed secrets or insecure misconfigurations. This more holistic scan type looks at everything: the current state of your repository and its commit history. It will look not only for currently exposed secrets within the repository but previously deleted secrets as well.

For example, consider a scenario where you want to scan your repository stored in ~/home/git/codebase. You could then execute the following:

cycode scan repository ~/home/git/codebase

Options which may be appended after cycode scan repositiory include:

  • Branch to scan, if not set scanning the default branch: -b, –branch TEXT
  • Specify the scan you wish to execute (secret/iac), the default is secret: -t, –scan-type [secret|iac]
  • Show secrets in plain text. (default option is to hide the secret): –show-secret <boolean>
  • Run scan without failing, always return a non-error status code (default is false): –soft-fail <boolean>

Path Scans

A path scan examines a specific local directory and all the contents within it, instead of focusing solely on a git repository. This enables scans of files irrespective of git status.

For example, consider a scenario where you want to scan the directory located at ~/home/git/codebase. You could then execute the following:

cycode scan path ~/home/git/codebase

Commit History Scans

A commit history scan is limited to a local repository’s previous commits, focused on finding any secrets within the commit history, instead of examining the repository’s current state.

For example, consider a scenario where you want to scan the commit history for a repository stored in ~/home/git/codebase. To perform a security scan, one would execute the following:

cycode scan commit_history ~/home/git/codebase

Options which may be appended after cycode scan commit_history include:

  • Scan a commit range in this git repository*: -r, –commit_range TEXT

*by default Cycode scans all commit history (example: HEAD~1)

Pre-Commit Scan

A pre-commit scan automatically identifies any issues before you commit changes to your repository. There is no need to execute this scan manually; configure the pre-commit hook as detailed below to enable this scan for every commit.

Pre-commit Hook

Pre-commit scans automatically identify issues before they can be committed to changes to a repository. The Cycode CLI includes a pre-commit hook, providing an easy, integrated means of executing this security scan. Once Cycode’s pre-commit hook is set up within your local repository, the Cycode CLI application will automatically identify any issues with your code before you commit it to your codebase, such as hard-coded secrets or configuration drift.

To use the pre-commit hook, users must configure the hook as detailed within the Cycode CLI README. Once the CLI is installed, the pre-commit hook installation is done as follows:

  1. Install the pre-commit framework:

    pip3 install pre-commit
  2. Navigate to the root directory of the local repository you wish to scan.

    cd <workspace>
  3. Create a new YAML file named .pre-commit-config.yaml

    touch .pre-commit-config.yaml
  4. Add the following to .pre-commit-config.yaml

    repos:
    
      - repo: https://github.com/cycodehq-public/cycode-cli
    
        rev: 0.1.6
    
        hooks:
    
          - id: cycode
    
            language_version: python3
    
            stages:
    
              - commit
  5. Run the following command

    pre-commit install

If you see a message reading:

Pre-commit installed at .git/hooks/pre-commit

Then it’s time to celebrate as you have successfully installed Cycode’s hook. This effectively installs security as a part of the development workflow that requires no additional work from the developer (until it comes to remediation).

Protecting the Software Supply Chain with Cycode

The Cycode CLI helps protect the earliest stages of the SDLC from hardcoded secrets, IaC misconfigurations, and other vulnerabilities that can compromise security. This serves the overarching goal of Cycode: providing complete software supply chain security from code to cloud.

The Cycode platform helps provide visibility of all the components, tools, and data handoffs that exist in the modern development and deployment pipeline. To enforce security, organizations need to understand their entire SDLC including tooling, configurations, activity, risk, and security posture. Cycode helps organizations understand the attributes of their development and deployment pipelines to help reinforce software supply chain security. 

When new vulnerabilities like Text4Shell are disclosed, Cycode’s visibility allows you to understand whether and where your organization is at risk immediately. Cycode’s Pipeline Composition Analysis (PCA) provides enhanced context by analyzing the components of the system in aggregate as well as individually. The additional context provided by PCA helps slice through the noise of false positives.

Give Cycode a Try

To learn more about how Cycode can help, make an account or schedule a demo today.