twigs supports discovery of serverless functions for Azure Functions and Google Cloud Functions. Support for AWS Lambda functions is coming soon. Each serverless function is treated as an individual source code repository asset and can be assessed for the same classes of issue: open source dependency vulnerabilities, static analysis (SAST) findings, secrets and embedded passwords, license compliance and software composition analysis (SCA).
Refer to the source code discovery section for more details.
Azure Functions
Overview
twigs discovers the Azure Functions in your Azure subscription and assesses their code for security vulnerabilities. Each Azure Function is represented as an asset in the ThreatWorx console.
Pre-requisites
The Azure CLI is required; install it by following the steps mentioned here for your operating system. An Azure user or service principal with access to the Azure Functions API is also required. The most suitable built-in role for the service principal is Website Contributor. Note that this role can modify function apps, not just read them, so assign it at the scope of the resource group or function apps you intend to scan rather than at the whole subscription.
For static code analysis (SAST) tests, twigs uses an open source tool called semgrep. For more information on semgrep and how to download it, refer to this link.
For security checks in your infrastructure-as-code (IaC) code, twigs uses an open source tool called checkov. For more information on checkov and how to download it, refer to this link.
Steps
Open a new shell / terminal.
Check that twigs is installed and running properly by running the command below:
twigs azure_functions -h
Then run discovery with the options you need (the subcommand is azure_functions, as in the help command above):
twigs azure_functions [--secrets_scan] [--enable_entropy]
                      [--regex_rules_file REGEX_RULES_FILE]
                      [--check_common_passwords] [--common_passwords_file COMMON_PASSWORDS_FILE]
                      [--include_patterns INCLUDE_PATTERNS]
                      [--include_patterns_file INCLUDE_PATTERNS_FILE]
                      [--exclude_patterns EXCLUDE_PATTERNS]
                      [--exclude_patterns_file EXCLUDE_PATTERNS_FILE]
                      [--mask_secret] [--no_code] [--sast] [--iac_checks]
After discovery is complete, log in to the ThreatWorx console to view the newly discovered Azure Function assets from your subscription.
Secrets such as tokens and keys embedded in the Azure Function source code can be found using the --secrets_scan option. A default set of regex rules is used for this; you can substitute your own rules file with --regex_rules_file. A more aggressive (but noisier) approach is --enable_entropy, which additionally flags high-entropy strings that match none of the regex rules.
The --mask_secret option hides the value of any secret string collected from the Azure Function source code, so the finding is reported without the secret itself.
The --no_code option prevents any function code snippet from being collected or transmitted as part of the discovery. The source file name and line numbers are still collected and transmitted.
Common passwords embedded in source code can be scanned for using the --check_common_passwords option. You may provide your own list of common passwords as a plain text file using the --common_passwords_file option.
The --include_patterns, --include_patterns_file, --exclude_patterns and --exclude_patterns_file options can be used to restrict the scan to, or skip, particular file name patterns or directories in the Azure Function deployment.
Google Cloud Functions
Overview
twigs discovers the Google Cloud Functions in your GCP project and assesses their code for security vulnerabilities. Each Google Cloud Function is represented as an asset in the ThreatWorx console.
Pre-requisites
The Google Cloud SDK is required; install it by following the instructions mentioned here for your operating system. The SDK provides the tools (gcloud, gsutil etc.) that are used to discover the Google Cloud Functions.
The following GCP IAM permissions are required for the gsutil commands twigs runs:

Command   Target            Permissions
ls        Projects          storage.buckets.list
                            storage.buckets.get
                            storage.buckets.getIamPolicy
ls        Buckets, Objects  storage.objects.list
                            storage.objects.get
                            storage.buckets.getIamPolicy
cp        Objects           storage.objects.list (for the destination bucket)
                            storage.objects.get (for the source objects)
                            storage.objects.create (for the destination bucket)
                            storage.objects.delete (for the destination bucket)
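Before running discovery it is worth confirming that the identity gcloud is logged in as actually holds the bucket-level permissions in the table above, rather than finding out from a failed gsutil cp part-way through. The script below is an added example and is not part of twigs or the Google Cloud SDK: it calls the Cloud Storage JSON API testIamPermissions method for one bucket and reports which of the required permissions are missing. It assumes the Google Cloud SDK and curl are installed and that gcloud auth login has been done; the bucket name is an assumption (whichever bucket holds your function source in your project) and is passed as the first argument. Run with no arguments, it evaluates a constructed sample response so the check can be seen offline.

```shell
#!/bin/sh
# Added example, not part of twigs or the Google Cloud SDK.
# Verifies that the active gcloud identity holds the bucket-level Cloud Storage
# permissions twigs needs, via the Storage JSON API testIamPermissions method.
# Assumes: gcloud SDK and curl installed, "gcloud auth login" already done,
# and a bucket name (assumption: the bucket holding your function source).

set -u

# Bucket-level permissions from the gsutil ls/cp rows of the table above.
# storage.buckets.list is project-level and cannot be tested on a bucket.
BUCKET_PERMS="storage.buckets.get storage.buckets.getIamPolicy storage.objects.list storage.objects.get storage.objects.create storage.objects.delete"

# Ask the API which of the given permissions the caller has on a bucket.
# Prints the raw JSON response; the API returns only the granted subset.
test_bucket_permissions() {
    bucket=$1; shift
    query=""
    for p in "$@"; do query="${query}permissions=${p}&"; done
    token=$(gcloud auth print-access-token) || return 1
    curl -sS -H "Authorization: Bearer $token" \
        "https://storage.googleapis.com/storage/v1/b/${bucket}/iam/testPermissions?${query}"
}

# Given the JSON response and the list of required permissions, print the
# permissions that are not in the granted list, one per line.
missing_permissions() {
    json=$1; shift
    granted=$(printf '%s' "$json" | grep -o '"storage\.[A-Za-z.]*"' | tr -d '"')
    for p in "$@"; do
        printf '%s\n' "$granted" | grep -qxF "$p" || printf '%s\n' "$p"
    done
}

main() {
    if [ $# -ge 1 ]; then
        resp=$(test_bucket_permissions "$1" $BUCKET_PERMS) || return 1
    else
        # Constructed sample response (not real API output) so the check runs offline;
        # it deliberately lacks the cp permissions.
        resp='{"kind":"storage#testIamPermissionsResponse","permissions":["storage.buckets.get","storage.objects.list","storage.objects.get"]}'
        echo "no bucket given; evaluating a constructed sample response"
    fi
    missing=$(missing_permissions "$resp" $BUCKET_PERMS)
    if [ -n "$missing" ]; then
        printf 'missing bucket permissions:\n%s\n' "$missing" >&2
        return 2
    fi
    echo "all required bucket permissions granted"
}

# Exit non-zero only for a real check; the offline sample is expected to be incomplete.
if ! main "$@" && [ $# -ge 1 ]; then
    exit 1
fi
```

Usage: `sh check_gcs_perms.sh my-function-source-bucket` (bucket name is your own). A non-empty "missing bucket permissions" list means the role bound to the identity is too narrow for gsutil cp; the project-level storage.buckets.list permission has to be checked separately through the Resource Manager API, which this script does not do.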
For static code analysis (SAST) tests, twigs uses an open source tool called semgrep. For more information on semgrep and how to download it, refer to this link.
For security checks in your infrastructure-as-code (IaC) code, twigs uses an open source tool called checkov. For more information on checkov and how to download it, refer to this link.
Steps
Open a new shell / terminal.
Check that twigs is installed and running properly by running the command below:
twigs gcloud_functions -h
Then run discovery with the options you need:
twigs gcloud_functions [--secrets_scan] [--enable_entropy]
                       [--regex_rules_file REGEX_RULES_FILE]
                       [--check_common_passwords] [--common_passwords_file COMMON_PASSWORDS_FILE]
                       [--include_patterns INCLUDE_PATTERNS]
                       [--include_patterns_file INCLUDE_PATTERNS_FILE]
                       [--exclude_patterns EXCLUDE_PATTERNS]
                       [--exclude_patterns_file EXCLUDE_PATTERNS_FILE]
                       [--mask_secret] [--no_code] [--sast] [--iac_checks]
After discovery is complete, log in to the ThreatWorx console to view the newly discovered Google Cloud Function assets from your project.
Secrets such as tokens and keys embedded in the Google Cloud Function source code can be found using the --secrets_scan option. A default set of regex rules is used for this; you can substitute your own rules file with --regex_rules_file. A more aggressive (but noisier) approach is --enable_entropy, which additionally flags high-entropy strings that match none of the regex rules.
The --mask_secret option hides the value of any secret string collected from the Google Cloud Function source code, so the finding is reported without the secret itself.
The --no_code option prevents any function code snippet from being collected or transmitted as part of the discovery. The source file name and line numbers are still collected and transmitted.
Common passwords embedded in source code can be scanned for using the --check_common_passwords option. You may provide your own list of common passwords as a plain text file using the --common_passwords_file option.
The --include_patterns, --include_patterns_file, --exclude_patterns and --exclude_patterns_file options can be used to restrict the scan to, or skip, particular file name patterns or directories in the Google Cloud Function deployment.
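The Azure Functions and Google Cloud Functions steps above are the same procedure with a different subcommand, so one wrapper serves both. The script below is an added example and is not part of twigs: it builds the twigs command line with --mask_secret and --no_code always on, so a finding is reported by file and line without the secret value or a code snippet leaving the host, and it checks that the provider CLI and the optional scanners (semgrep for --sast, checkov for --iac_checks) are installed before discovery starts rather than failing part-way through. It assumes twigs and those tools are on PATH and that your ThreatWorx console credentials are supplied the way your existing twigs setup already does (not shown here); the exclude-patterns file is assumed to hold one pattern per line, since this page does not document the format. Only flags documented above are used. Set TWIGS_RUN=1 to actually run discovery; by default the script prints the command it would run.

```shell
#!/bin/sh
# Added example, not part of twigs: hardened wrapper for
# "twigs azure_functions" and "twigs gcloud_functions".
# Assumes twigs, the provider CLI (az, or gcloud/gsutil), semgrep and checkov are
# on PATH, and that ThreatWorx console credentials are already configured for
# twigs (not shown). TWIGS_RUN=1 runs discovery; otherwise it is a dry run.

set -u

# Assemble the twigs argument list for one provider.
# --mask_secret and --no_code are always on: findings are reported by file and
# line, and neither the secret value nor the surrounding code is transmitted.
# $1: azure_functions | gcloud_functions
# $2: exclude-patterns file
# $3: space-separated optional scanners, any of "sast" "iac"
build_twigs_args() {
    provider=$1
    case "$provider" in
        azure_functions|gcloud_functions) ;;
        *) echo "unknown provider: $provider" >&2; return 1 ;;
    esac
    args="$provider --secrets_scan --check_common_passwords --mask_secret --no_code"
    args="$args --exclude_patterns_file $2"
    for s in ${3:-}; do
        case "$s" in
            sast) args="$args --sast" ;;
            iac)  args="$args --iac_checks" ;;
            *) echo "unknown scanner: $s" >&2; return 1 ;;
        esac
    done
    printf '%s' "$args"
}

# List the binaries a run needs: twigs, the provider CLI, and one scanner
# binary per optional scanner (semgrep for --sast, checkov for --iac_checks).
required_tools() {
    provider=$1
    tools="twigs"
    case "$provider" in
        azure_functions)  tools="$tools az" ;;
        gcloud_functions) tools="$tools gcloud gsutil" ;;
    esac
    case " ${2:-} " in *" sast "*) tools="$tools semgrep" ;; esac
    case " ${2:-} " in *" iac "*)  tools="$tools checkov" ;; esac
    printf '%s' "$tools"
}

# Fail before discovery starts if any required binary is absent.
check_tools() {
    for t in $1; do
        command -v "$t" >/dev/null 2>&1 || { echo "missing tool: $t" >&2; return 1; }
    done
}

main() {
    provider=${1:-azure_functions}
    scanners=${2:-"sast iac"}
    excl=$(mktemp)
    # Constructed exclude list; assumed one pattern per line (format not documented on this page).
    printf '%s\n' 'node_modules/' '.venv/' 'test/fixtures/' >"$excl"
    args=$(build_twigs_args "$provider" "$excl" "$scanners") || { rm -f "$excl"; return 1; }
    if [ "${TWIGS_RUN:-0}" = "1" ]; then
        check_tools "$(required_tools "$provider" "$scanners")" || { rm -f "$excl"; return 1; }
        twigs $args
    else
        echo "dry run: twigs $args"
        echo "would require on PATH: $(required_tools "$provider" "$scanners")"
    fi
    rm -f "$excl"
}

main "$@"
```

Usage: `TWIGS_RUN=1 sh run_twigs_serverless.sh gcloud_functions "sast iac"` for a full GCP run, or `sh run_twigs_serverless.sh azure_functions ""` to see the Azure command line for a secrets and common-password scan only. Add --include_patterns_file in the same way if you want to restrict the scan to particular directories.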