Security Assessments

Soluble Fusion is a dev-friendly platform that allows you to perform security assessments against a variety of modern DevOps-oriented components including:

  • Infrastructure-as-Code
    • Terraform
    • AWS CloudFormation
    • Kubernetes manifests
  • Container Images
  • Secrets detection in source code
  • Dependency analysis for Python, Node, and Java platforms
  • Cloud security posture management checks of your AWS Runtime
  • and more...

Soluble runs these assessments locally in your development environment or in CI.

You can, optionally, send the results of these assessments to our SaaS platform for reporting, ticketing, prioritization and notification.

If you have an existing investment in the best open-source assessment tools, we let you leverage that investment and build an operationalized security program around them.

We give you flexibility to run one or more of such tools of your choice, to provide maximum security coverage of your infrastructure and to give you freedom from vendor lock-in.

If you want us to integrate with any other tools or solutions, please let us know by emailing the support.

How It Works

The soluble CLI takes care of downloading the underlying assessment tool and executing it for you. We then take the assessment results and send them to our SaaS platform along with contextual information about the assessments such as the git repository, branch, commit, and CI pipeline in which it was executed.

For assessment tools that offer a static binary distribution, such as those written in Golang, the CLI will obtain the assessment tool from the upstream distribution point, typically a GitHub Release.

For assessments that have complex dependencies that complicate installation (Node, Python, Ruby, etc.) we use a containerized version of the tool to make it easier to manage.

If you don't have Docker available and wish to install the underlying tool natively yourself, you can do that with the --tool-path <tool> option. If you omit that option, Docker will be used.

We do not send your data to our SaaS platform. In some cases, the assessment tools will send snippets of source fragments (Secrets detection does not!), but we do not send anything more than that.

Once the assessment has been sent to the SaaS platform, it can be viewed in the web UI, and is available for integration with alert management, JIRA ticketing and Slack notification.

Prerequisites

You should have the Soluble CLI installed and a Soluble Fusion authentication token. Instructions for this can be found on the CLI Configuration Guide.

Infrastructure-as-Code

In all of the examples below, the --upload option is optional. If you specify it and you have an API token configured for your CLI, the results will be sent to Soluble Fusion.

CloudFormation

Checkov

Checkov is one of the better infrastructure-as-code assessment tools. It is written in Python, is easily extensible, and has support for CloudFormation, Terraform and Kubernetes.

To run an assessment of your CloudFormation templates, run the following:

soluble cfn-scan checkov --upload

cfn-python-lint

cfn-lint is a popular community OSS tool sponsored in part by AWS.

soluble cfn-scan cfn-python-lint --upload

cfn-nag

cfn-nag is an assessment tool originally written by employees of Stelligent.

soluble cfn-scan cfn-nag --upload

Terraform

Checkov

As mentioned above, checkov supports Terraform as well.

soluble tf-scan checkov --upload

TFSec

tfsec is an independently-developed OSS assessment tool for Terraform.

soluble tf-scan tfsec --upload

Terrascan

soluble tf-scan terrascan --upload

Hashicorp Sentinel

We are exploring integration with Hashicorp Sentinel. Let us know if you are interested.

Other

Let us know if there are other flavors of infrastructure-as-code that you would like to integrate. We are considering Ansible, Chef, Puppet, Pulumi and others.

Kubernetes

To scan a source tree of kubernetes manifests, run the following:

soluble k8s-scan --upload

At present we only offer checkov support for Kubernetes. If you would like to see another assessment tool (there are many!), please let us know.

Container Image Scanning

Trivy

Soluble provides a simple and comprehensive vulnerability scanner for containers and other artifacts based on Trivy.

To scan a container image:

soluble image-scan <image> [--upload]

Other

Let us know if there are other image scanning tools that you would like us to support. We have AWS ECR and AWS GCR available, but they are not fully integrated into the CLI. We are happy to provide native support for Clair, Anchore, etc if there is interest.

Secrets Detection

The Soluble secrets scanner searches through git repositories for secrets. The underlying implementation uses Detect Secrets from Yelp. Plugging this CLI service into the CI provides an easy way to prevent accidental check-in of secrets.

soluble secrets-scan [--upload]

If there is interest in other secrets detection engines (Trufflehog, Shhhgit, etc.) we would be happy to add support.

Application Dependency Scanning

Python and Node via Trivy

Trivy can be used to scan your Python and Node applications for dependencies with known vulnerabilities.

soluble dep-scan trivy --upload

OWASP Dependency Check for JVM Apps

If you use OWASP Dependency Check for Java applications, you can send the JSON output to Soluble.

If you are using Gradle and have the Dependency Check plugin installed, run:

gradle dependencyCheckAnalyze

This will produce a report in build/reports/dependency-check-report.json

You can then send the report to Soluble with:

soluble post -m owasp -f build/reports/dependency-check-report.json

Note: We are happy to create a wrapper plugin if there is interest.

Retire JS

We have retirejs support coming to the CLI.

Dependabot

We are actively looking into integrating GitHub Dependabot into Soluble Fusion. We like Dependabot a lot and use it ourselves. Let us know if you are interested.

Infrastructure Scanning

Cloudsploit

Cloudsploit is a great cloud security scanner from Aqua Security.

Cloudsploit supports AWS, GCP, Azure and even Oracle cloud.

Soluble has packaged cloudsploit as a container image that can be run via Docker or Kubernetes.

Run via Docker

Note: We are in the process of wrapping this invocation into our CLI to make it less clumsy. However, that wrapper is just syntactic sugar to make the tool easier to use. Under the hood it will invoke Cloudsploit as follows.

Assuming the soluble CLI is configured and you have AWS credentials in environment variables, run the following:

docker run -it --rm \
-e AWS_ACCESS_KEY_ID \
-e AWS_SECRET_ACCESS_KEY \
-e AWS_SESSION_TOKEN \
-v ${HOME}/.soluble:/app/.soluble \
gcr.io/soluble-repo/soluble-cloudsploit

If your AWS configuration is in ~/.aws, the following will work as well:

docker run -it --rm \
-v ${HOME}/.aws:/app/.aws \
-v ${HOME}/.soluble:/app/.soluble \
gcr.io/soluble-repo/soluble-cloudsploit

Cloudsploit can take a while to run.

When it has completed, it will send the results to Soluble Fusion.
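The two docker invocations above differ only in how AWS credentials reach the container. The wrapper below is an added example (not part of the Soluble CLI or the cloudsploit image) that picks one credential source, environment variables first and a mounted ~/.aws second, and refuses to run when neither exists. Secrets are forwarded by variable name (-e NAME) so their values never appear on the docker command line or in process listings, ~/.aws is mounted read-only, and the -it flags are dropped so the same script works in CI where no TTY is allocated. The CLOUDSPLOIT_IMAGE override is a hypothetical name; the image path is the one from this page.

```shell
#!/bin/sh
# Added wrapper for the cloudsploit "docker run" invocation; not part of the
# Soluble CLI. Picks exactly one credential source:
#   env - AWS_* variables, forwarded by name so values stay off the command line
#   dir - a read-only mount of $HOME/.aws (the page mounts it read-write)
# CLOUDSPLOIT_IMAGE is a hypothetical override; the default is the page's image.
IMAGE="${CLOUDSPLOIT_IMAGE:-gcr.io/soluble-repo/soluble-cloudsploit}"

# Report which credential source would be used: "env", "dir" or "" (none).
cloudsploit_credential_mode() {
    if [ -n "${AWS_ACCESS_KEY_ID:-}" ] && [ -n "${AWS_SECRET_ACCESS_KEY:-}" ]; then
        echo env
    elif [ -d "$HOME/.aws" ]; then
        echo dir
    else
        echo ""
    fi
}

# Print the docker arguments one per line (newline-separated so paths with
# spaces survive). Returns 1 when no credentials can be found.
cloudsploit_docker_args() {
    printf '%s\n' run --rm
    case "$(cloudsploit_credential_mode)" in
        env)
            printf '%s\n' -e AWS_ACCESS_KEY_ID -e AWS_SECRET_ACCESS_KEY
            # Only temporary (STS) credentials carry a session token.
            if [ -n "${AWS_SESSION_TOKEN:-}" ]; then
                printf '%s\n' -e AWS_SESSION_TOKEN
            fi
            ;;
        dir)
            printf '%s\n' -v "$HOME/.aws:/app/.aws:ro"
            ;;
        *)
            echo "no AWS credentials: export AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY or create $HOME/.aws" >&2
            return 1
            ;;
    esac
    # Soluble CLI configuration (API token), exactly as in the page's invocation.
    printf '%s\n' -v "$HOME/.soluble:/app/.soluble"
    printf '%s\n' "$IMAGE"
}

# Run the scan with the computed arguments.
run_cloudsploit() {
    args=$(cloudsploit_docker_args) || return 1
    old_ifs=$IFS
    IFS='
'
    set -f                  # no globbing while splitting the argument list
    # shellcheck disable=SC2086
    set -- $args
    set +f
    IFS=$old_ifs
    docker "$@"
}

# Usage: run_cloudsploit
```

Because the secret values are read by docker from its own environment, a `ps` on the CI runner shows only `-e AWS_SECRET_ACCESS_KEY`, not the key itself; the same property holds for the page's own invocation, which this wrapper preserves.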

Run via Kubernetes

The following job template will run cloudsploit and send the results to Soluble Fusion.

apiVersion: batch/v1
kind: Job
metadata:
  generateName: cloudsploit-
spec:
  template:
    spec:
      containers:
        - image: gcr.io/soluble-repo/soluble-cloudsploit:latest
          name: cloudsploit
          imagePullPolicy: Always
          env:
            - name: AWS_ACCESS_KEY_ID
              value: ""
            - name: AWS_SECRET_ACCESS_KEY
              value: ""
            - name: AWS_SESSION_TOKEN
              value: ""
            - name: SOLUBLE_API_TOKEN
              value: ""
      restartPolicy: Never

The example above is meant for illustrative purposes only. You should consider using Kubernetes secrets or integrated IAM to provide credentials to cloudsploit.
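The hardened form of that Job template, as an added example that is not from the Soluble docs: the four credentials are injected from a Kubernetes Secret through secretKeyRef, so the manifest contains no literal value fields and can be committed to git. The Secret name (cloudsploit-creds) and the kubectl calls are assumptions for illustration; the image and container name are the page's own. Integrated IAM (a service account bound to an IAM role) is the better choice on EKS, but it is cluster-specific and not shown here.

```shell
#!/bin/sh
# Hardened variant of the cloudsploit Job template; added example, not from
# the Soluble docs. Credentials come from a Secret via secretKeyRef instead of
# literal value: "" fields. Secret name and kubectl calls are assumptions.

# Create or refresh the Secret from the caller's environment, out of band:
# the values never land in a committed manifest.
create_cloudsploit_secret() {
    name="${1:-cloudsploit-creds}"
    kubectl create secret generic "$name" \
        --from-literal=AWS_ACCESS_KEY_ID="$AWS_ACCESS_KEY_ID" \
        --from-literal=AWS_SECRET_ACCESS_KEY="$AWS_SECRET_ACCESS_KEY" \
        --from-literal=AWS_SESSION_TOKEN="${AWS_SESSION_TOKEN:-}" \
        --from-literal=SOLUBLE_API_TOKEN="$SOLUBLE_API_TOKEN" \
        --dry-run=client -o yaml | kubectl apply -f -
}

# Emit one env entry that reads KEY from Secret NAME. The third argument
# marks the key optional (AWS_SESSION_TOKEN is absent for long-lived keys).
secret_env_entry() {
    name=$1; key=$2; optional=$3
    printf '            - name: %s\n' "$key"
    printf '              valueFrom:\n'
    printf '                secretKeyRef:\n'
    printf '                  name: %s\n' "$name"
    printf '                  key: %s\n' "$key"
    if [ "$optional" = true ]; then
        printf '                  optional: true\n'
    fi
}

# Render the Job manifest; nothing sensitive appears in the output.
render_cloudsploit_job() {
    secret="${1:-cloudsploit-creds}"
    cat <<EOF
apiVersion: batch/v1
kind: Job
metadata:
  generateName: cloudsploit-
spec:
  backoffLimit: 0        # do not retry a failed scan automatically
  template:
    spec:
      restartPolicy: Never
      automountServiceAccountToken: false   # the scanner needs AWS, not the Kubernetes API
      containers:
        - name: cloudsploit
          image: gcr.io/soluble-repo/soluble-cloudsploit:latest
          imagePullPolicy: Always
          env:
$(secret_env_entry "$secret" AWS_ACCESS_KEY_ID false)
$(secret_env_entry "$secret" AWS_SECRET_ACCESS_KEY false)
$(secret_env_entry "$secret" AWS_SESSION_TOKEN true)
$(secret_env_entry "$secret" SOLUBLE_API_TOKEN false)
EOF
}

# Usage: create_cloudsploit_secret && render_cloudsploit_job | kubectl create -f -
```

Disabling the service-account token mount is a small least-privilege step: the Job only talks to AWS and Soluble Fusion, so a compromised scanner container gains no Kubernetes API credential from it.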

Have Soluble Fusion Run It For You

Soluble Fusion can execute cloudsploit for you automatically if you delegate the AWS Security Audit role to Soluble. In this case we will schedule cloudsploit for you and feed assessments into Fusion.

Prowler

We have support for Prowler as well.

IAM Assessment

We are working on automating AWS and Kubernetes IAM assessments to help make everyone's least-privileged dreams come true.

We'd appreciate it if you would let us know if you have specific interest in this.