This document is also available in Portuguese.
Insider is the OSS CLI project from the Insider Application Security Team for the community.
Insider focuses on covering the OWASP Top 10 by analyzing source code to find vulnerabilities right in the code. It aims to be agile software that is easy to implement inside your DevOps pipeline.
We currently support the following technologies: Java (Maven and Android), Kotlin (Android), Swift (iOS), .NET Full Framework, C#, and Javascript (Node.js).
There is a GitHub Action that lets you protect your repository with Insider; it is free, easy to integrate and frictionless. It is the easiest way to protect your code directly in your repository. Take a look: Insider-Action
You can install Insider using precompiled binaries or from source.
We have precompiled binaries for Linux, Windows and macOS operating systems, which you can find here.
Have fun!
insider is the CLI project from the Insider Application Security Team for the community
Usage:
-exclude value
Patterns to exclude directory or files to analyze. Can be used multiple times
-jobs int
Number of analysis to execute in parallel (default 4)
-no-html
Skips the report generation in the HTML format
-no-json
Skips the report generation in the JSON format
-quiet
No output logs of execution
-security float
Set the Security level, values between 0 and 100 (default 0)
-target string
Specify where to look for files to run the specific ruleset
-tech string
Specify which technology ruleset to load
-v Enable verbose output
-version
Show version and quit with exit code 0
Supported technologies:
android
java
ios
javascript
csharp
Example of use:
# Run JavaScript analysis on a specific directory
insider -tech javascript -target <directory>
# Run Android analysis on a specific directory and skip the HTML and JSON reports
insider -tech android -target <directory> -no-html -no-json
# Run Java analysis on a specific directory with a base security value to fail
insider -tech java -target <directory> -security 20
# Run JavaScript analysis on a specific directory and exclude node_modules and test files
insider -tech javascript -target <directory> -exclude tests/* -exclude node_modules/*
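The flags above can be combined into a pipeline gate that refuses to start a scan with a mistyped technology or an out-of-range threshold. This is an added example, not part of the Insider project. The `insider_gate` function and the `INSIDER_BIN` variable are hypothetical names, and it assumes `insider` exits non-zero when the score falls below `-security`.

```shell
#!/bin/sh
# Added example: CI gate around the insider CLI, using flags from the usage text.
# Assumptions: INSIDER_BIN is a hypothetical override for the command to run;
# insider is assumed to exit non-zero when the score is below -security.

INSIDER_TECHS="android java ios javascript csharp"

# insider_gate <tech> <target-dir> <min-score> [exclude-pattern ...]
# Returns 2 on bad arguments (no scan started), otherwise insider's exit status.
insider_gate() {
    if [ "$#" -lt 3 ]; then
        echo "usage: insider_gate <tech> <target> <min-score> [exclude ...]" >&2
        return 2
    fi
    tech=$1 target=$2 min=$3
    shift 3

    # Reject a technology the supported list does not name before scanning.
    known=no
    for t in $INSIDER_TECHS; do
        if [ "$t" = "$tech" ]; then known=yes; fi
    done
    [ "$known" = yes ] || { echo "unsupported tech: $tech" >&2; return 2; }

    [ -d "$target" ] || { echo "not a directory: $target" >&2; return 2; }

    # -security takes 0 to 100; this wrapper accepts whole numbers only.
    case $min in
        ''|*[!0-9]*) echo "min-score must be an integer 0-100" >&2; return 2 ;;
    esac
    [ "$min" -le 100 ] || { echo "min-score must be 0-100" >&2; return 2; }

    # Turn each remaining argument into its own -exclude flag. Patterns stay
    # quoted, so the shell never expands them against the working directory.
    n=$#
    while [ "$n" -gt 0 ]; do
        set -- "$@" -exclude "$1"
        shift
        n=$((n - 1))
    done

    "${INSIDER_BIN:-insider}" -tech "$tech" -target "$target" \
        -security "$min" -no-html "$@"
}
```

In a pipeline step, call it as `insider_gate java ./src 20 || exit 1` so that both a rejected argument and a failed scan stop the build.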
# Check the correct release for your environment
$ wget https://github.com/insidersec/insider/releases/download/2.1.0/insider_2.1.0_linux_x86_64.tar.gz
$ tar -xf insider_2.1.0_linux_x86_64.tar.gz
$ chmod +x insider
$ ./insider --tech javascript --target <projectfolder>
You can also run insider in a container. You only need to mount the target into a volume:
$ docker run --rm -v $(pwd):/target-project insidersec/insider -tech <tech> -target /target-project
To build Insider from source you'll need a working installation of Go, version 1.13 at least.
$ go get github.com/insidersec/insider/cmd/insider