Shifting Security Left with the Cycode CLI

user profile
Developer Advocate

Security doesn’t begin with developers, but they are often affected by security. In my career as a developer, I would say I spent roughly a week per quarter performing tasks to fulfill security needs, whether that meant patch updates, vulnerability remediation, or other DevOps requirements for the sake of policy compliance. As developers are a necessary part of many security fixes, they also benefit from tools supporting security initiatives. Tools that help prevent security issues can also help save developer time because it almost always becomes more expensive and time-consuming to remediate security problems in later phases of development. The Cycode CLI is one of these time-saving tools because it helps prevent hardcoded secrets, misconfigurations, and other vulnerabilities from entering the SCM at all. 

What Is the Cycode CLI?

The Cycode Command Line Interface (CLI) is an application you can install on your local machine to scan your locally stored repositories for any secrets or infrastructure as code misconfigurations. This application may be run on files, commits, and repositories while they are under active development, providing security and productivity benefits to developers. 

What Problem Does the CLI Solve?

The Cycode CLI allows developers to check their code for potential vulnerabilities before pushing their code to a remote server or on-premises environment. Having a command line interface enables security ownership by developers by fitting directly within developer workflows

For example, let’s say a developer has cloned a repository from GitHub and has made local changes. To confirm that desired changes do not introduce security risks (such as hardcoded secrets), this developer may use the Cycode CLI to scan for issues before committing them. This scan doesn’t require developers to leave the development workflow. Security scans may be further streamlined with Cycode’s pre-commit hook, which automatically runs security scans on any files developers attempt to commit. 

Improved visibility of potential security concerns helps prevent security defects requiring remediating action later; because of this earlier oversight, plus the tendency of security to become more expensive later in the SDLC, the Cycode CLI can actually help give developers back time and save overall costs for an organization. [ads id=3299]

Cycode CLI Features

As a tool to help empower developers, the Cycode CLI offers features that help identify security vulnerabilities at the earliest possible stages of application development.

 

Commands

The Cycode CLI provides a means of running scans, managing results, and authorizing scans with the Cycode platform. These commands are run with the format:

cycode <command> <option>
Command Description
auth Opens the Cycode login page to allow developers to associate CLI with their Cycode account.
configure A manual command to authenticate the Cycode CLI client within the command line using client ID and client secret.
ignore Ignore a specific value, path or rule ID
scan Scan content for secrets/IaC violations, You need to specify which scan type: ci/commit_history/path/repository/etc
–version Show the version and exit

These commands help assist with debugging, providing status checks, and extending CLI functionality. To show detailed logs from any Cycode command, append -v or –verbose before any command. To show options for a given command, append –help after the command.

Scans

The Cycode CLI supports a variety of different scan types. To run a scan, enter:

cycode scan <scan-type-command>
Command Description
repository Scan git repository including its history
path Scan the files in the path supplied in the command
commit_history Scan all the commits history in this git repository
pre_commit Use this command to scan the content that was not committed yet

Local Repository Scans

A repository scan examines an entire local repository for any exposed secrets or insecure misconfigurations. This more holistic scan type looks at everything: the current state of your repository and its commit history. It will look not only for currently exposed secrets within the repository but previously deleted secrets as well.

For example, consider a scenario where you want to scan your repository stored in ~/home/git/codebase. You could then execute the following:

cycode scan repository ~/home/git/codebase

Options which may be appended after cycode scan repositiory include:

  • Branch to scan, if not set scanning the default branch: -b, –branch TEXT
  • Specify the scan you wish to execute (secret/iac), the default is secret: -t, –scan-type [secret|iac]
  • Show secrets in plain text. (default option is to hide the secret): –show-secret <boolean>
  • Run scan without failing, always return a non-error status code (default is false): –soft-fail <boolean>

Path Scans

A path scan examines a specific local directory and all the contents within it, instead of focusing solely on a git repository. This enables scans of files irrespective of git status.

For example, consider a scenario where you want to scan the directory located at ~/home/git/codebase. You could then execute the following:

cycode scan path ~/home/git/codebase

Commit History Scans

A commit history scan is