pdm/security-tools
Public Access
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Add per-VM whitelist to suppress known-safe findings

Browse Source
This commit is contained in:
pdmarf
2026-04-17 23:07:38 +01:00
parent dc299e4262
commit 101fe444b1
3 changed files with 27 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@@ -1,2 +1,3 @@
config.sh config.sh
whitelist.conf
logs/ logs/

19
npm-security-check.sh
View File

@@ -18,6 +18,11 @@ send_telegram() {
HOSTNAME=$(hostname) HOSTNAME=$(hostname)
DATE=$(date) DATE=$(date)
LOGFILE="${1:-npm_security_check_${HOSTNAME}_$(date +%Y%m%d_%H%M%S).log}" LOGFILE="${1:-npm_security_check_${HOSTNAME}_$(date +%Y%m%d_%H%M%S).log}"
WHITELIST="$SCRIPT_DIR/whitelist.conf"
is_whitelisted() {
[[ -f "$WHITELIST" ]] && grep -qF "$1" "$WHITELIST" 2>/dev/null
}
RED='\033[0;31m' RED='\033[0;31m'
YELLOW='\033[1;33m' YELLOW='\033[1;33m'
@@ -85,6 +90,10 @@ else
COUNT=$(echo "$LOCKFILES" | wc -l) COUNT=$(echo "$LOCKFILES" | wc -l)
log "Scanning $COUNT lock file(s)..." log "Scanning $COUNT lock file(s)..."
for pkg in "${BAD_PKGS[@]}"; do for pkg in "${BAD_PKGS[@]}"; do
if is_whitelisted "$pkg"; then
ok "$pkg is whitelisted — skipping"
continue
fi
MATCHES=$(echo "$LOCKFILES" | xargs grep -l "\"$pkg\"" 2>/dev/null || true) MATCHES=$(echo "$LOCKFILES" | xargs grep -l "\"$pkg\"" 2>/dev/null || true)
if [[ -n "$MATCHES" ]]; then if [[ -n "$MATCHES" ]]; then
fail "Found '$pkg' in: $MATCHES" fail "Found '$pkg' in: $MATCHES"
@@ -206,12 +215,14 @@ for dir in /tmp /dev/shm /var/tmp; do
EXEC_FILES=$(find "$dir" -type f -executable 2>/dev/null | head -20 || true) EXEC_FILES=$(find "$dir" -type f -executable 2>/dev/null | head -20 || true)
JS_FILES=$(find "$dir" -name "*.js" -o -name "*.mjs" 2>/dev/null | head -10 || true) JS_FILES=$(find "$dir" -name "*.js" -o -name "*.mjs" 2>/dev/null | head -10 || true)
if [[ -n "$EXEC_FILES" ]]; then if [[ -n "$EXEC_FILES" ]]; then
warn "Executable files in $dir:" while IFS= read -r f; do
log "$EXEC_FILES" is_whitelisted "$f" && ok "$f is whitelisted — skipping" || { warn "Executable file in $dir: $f"; }
done <<< "$EXEC_FILES"
fi fi
if [[ -n "$JS_FILES" ]]; then if [[ -n "$JS_FILES" ]]; then
warn "JS files in $dir:" while IFS= read -r f; do
log "$JS_FILES" is_whitelisted "$f" && ok "$f is whitelisted — skipping" || { warn "JS file in $dir: $f"; }
done <<< "$JS_FILES"
fi fi
done done
ok "Temp directory scan complete" ok "Temp directory scan complete"

11
setup.sh
View File

@@ -35,6 +35,17 @@ chmod +x "$SCRIPT_DIR/check-nextjs-rce.sh"
# ── Create logs directory ────────────────────────────────────────────────────── # ── Create logs directory ──────────────────────────────────────────────────────
mkdir -p "$SCRIPT_DIR/logs" mkdir -p "$SCRIPT_DIR/logs"
# ── Create whitelist if absent ─────────────────────────────────────────────────
if [[ ! -f "$SCRIPT_DIR/whitelist.conf" ]]; then
cat > "$SCRIPT_DIR/whitelist.conf" <<'EOF'
# whitelist.conf — one entry per line, exact match against package names or file paths
# Example:
# ua-parser-js
# /tmp/my-known-safe-script.sh
EOF
echo "whitelist.conf created — add known-safe items to suppress false positives."
fi
# ── Cron jobs ────────────────────────────────────────────────────────────────── # ── Cron jobs ──────────────────────────────────────────────────────────────────
CRON_1="0 8 * * * $SCRIPT_DIR/npm-security-check.sh >> $SCRIPT_DIR/logs/npm-security-check-\$(date +\%Y\%m\%d).log 2>&1" CRON_1="0 8 * * * $SCRIPT_DIR/npm-security-check.sh >> $SCRIPT_DIR/logs/npm-security-check-\$(date +\%Y\%m\%d).log 2>&1"
CRON_2="5 8 * * * $SCRIPT_DIR/check-nextjs-rce.sh >> $SCRIPT_DIR/logs/check-nextjs-rce-\$(date +\%Y\%m\%d).log 2>&1" CRON_2="5 8 * * * $SCRIPT_DIR/check-nextjs-rce.sh >> $SCRIPT_DIR/logs/check-nextjs-rce-\$(date +\%Y\%m\%d).log 2>&1"