INTERCEPT - Policy As Code Static Analysis Auditing
Stupidly easy to use, small-footprint, subsecond Policy as Code command-line scanner that leverages the power of the fastest multi-line search tool to scan your codebase. It can be used as a linter, guard rail control or simple data collector and inspector. Consider it a weaponized ripgrep. Works on Mac, Linux and Windows.
How it works
- intercept binary
- policies yaml file
- (included) latest ripgrep binary
- (optional) exceptions yaml file
Use cases
- Simple and powerful free drop-in alternative for HashiCorp Sentinel if you are more comfortable writing and maintaining regular expressions than using a new custom policy language.
- Do you find Open Policy Agent rego files too much sugar for your pipeline?
- Captures the patterns from git-secrets and trufflehog and can prevent sensitive information from running through your pipeline. (trufflehog regex)
- Identifies policy breaches (files and line numbers) and reports solutions/suggestions for its findings, making it a great tool to ease onboarding of developer teams to your unified deployment pipeline.
- Can enforce style-guides, coding-standards, best practices and also report on suboptimal configurations.
- Can collect patterns or high entropy data and output it in multiple formats.
- Anything you can crunch on a regular expression can be actioned on.
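The scan-and-report flow described in the use cases above, as an added sketch that is not INTERCEPT's code: regex policies, an exceptions list, findings with file and line number, and a blocking exit code. The policy schema, the Terraform sample files and the function names are assumptions made for illustration; INTERCEPT's real policy YAML format is not shown on this page.

```python
import re

# Hypothetical policy schema for illustration; not INTERCEPT's own file format.
POLICIES = [
    {"id": 1, "name": "AWS access key ID committed", "fatal": True,
     "pattern": r"\bAKIA[0-9A-Z]{16}\b",
     "solution": "Remove the key, rotate it, load it from a secret store."},
    {"id": 2, "name": "Public-read S3 bucket", "fatal": True,
     "pattern": r'resource\s+"aws_s3_bucket"[^}]*?acl\s*=\s*"public-read"',
     "solution": "Set acl to private; grant access through a bucket policy."},
    {"id": 3, "name": "Unpinned git module source", "fatal": False,
     "pattern": r'source\s*=\s*"git::[^"?]+"',
     "solution": "Pin the module with ?ref=<tag>."},
]
EXCEPTIONS = {3}  # hypothetical exceptions list: policy ids waived for this run

# Constructed sample codebase; the key is the placeholder from AWS documentation.
SAMPLE_FILES = {
    "net.tf": 'module "vpc" {\n  source = "git::https://example.com/vpc.git"\n}\n',
    "provider.tf": 'provider "aws" {\n  access_key = "AKIAIOSFODNN7EXAMPLE"\n}\n',
    "storage.tf": 'resource "aws_s3_bucket" "logs" {\n  bucket = "logs"\n'
                  '  acl    = "public-read"\n}\n',
}

def scan(files, policies, exceptions=frozenset()):
    """Run each non-excepted policy over whole file contents (multi-line)."""
    findings = []
    for policy in policies:
        if policy["id"] in exceptions:
            continue
        regex = re.compile(policy["pattern"])
        for path, text in sorted(files.items()):
            for match in regex.finditer(text):
                # 1-based line number where the match starts
                line = text.count("\n", 0, match.start()) + 1
                findings.append({"policy": policy["id"], "path": path, "line": line,
                                 "fatal": policy["fatal"], "solution": policy["solution"]})
    return findings

def exit_code(findings):
    """Non-zero when a fatal policy matched, so a pipeline step can block."""
    return 1 if any(f["fatal"] for f in findings) else 0

if __name__ == "__main__":
    results = scan(SAMPLE_FILES, POLICIES, EXCEPTIONS)
    for f in results:
        print(f'{f["path"]}:{f["line"]} policy {f["policy"]}: {f["solution"]}')
    raise SystemExit(exit_code(results))
```

Policy 2 spans three lines of `storage.tf` and is reported at the line where the match begins, which is why the search has to run over whole file contents rather than line by line.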
Latest Release:
# Standard package (intercept + ripgrep) for individual platforms
-- intercept-rg-linux.zip
-- intercept-rg-macos.zip
-- intercept-rg-win.zip
# Clean package (intercept only) for individual platforms
-- core-intercept-linux.zip
-- core-intercept-macos.zip
-- core-intercept-win.zip
# Full package (intercept + ripgrep) for all platforms
-- x-intercept.zip
# Package needed to fully use the Makefile
-- setup-buildpack.zip
# Package of the latest compatible release of ripgrep (doesn't include intercept)
-- i-ripgrep-linux.zip
-- i-ripgrep-macos.zip
-- i-ripgrep-win.zip
Download the standard package for your platform to get started
Used in production
INTERCEPT was created to lint thousands of infra deployments a day with minor human intervention; the first MVP has been running for a year already with no reported flaws. Keep in mind INTERCEPT is not and does not pretend to be a security tool. It's easy to circumvent a regex pattern once you know it, but the main objective of this tool is to proactively help developers fix their code and assist with style suggestions to keep the codebase clean and avoid trivial support tickets for the uneducated crowd.
Inspired by
Standing on the shoulders of giants
Why ripgrep? Why is it fast?
- It is built on top of Rust's regex engine. Rust's regex engine uses finite automata, SIMD and aggressive literal optimizations to make searching very fast. (PCRE2 support) Rust's regex library maintains performance with full Unicode support by building UTF-8 decoding directly into its deterministic finite automaton engine.
- It supports searching with either memory maps or by searching incrementally with an intermediate buffer. The former is better for single files and the latter is better for large directories. ripgrep chooses the best searching strategy for you automatically.
- Applies ignore patterns in .gitignore files using a RegexSet. That means a single file path can be matched against multiple glob patterns simultaneously.
- It uses a lock-free parallel recursive directory iterator, courtesy of crossbeam and ignore.
Benchmark ripgrep
Tool | Command | Line count | Time |
---|---|---|---|
ripgrep (Unicode) | rg -n -w '[A-Z]+_SUSPEND' | 450 | 0.106s |
git grep | LC_ALL=C git grep -E -n -w '[A-Z]+_SUSPEND' | 450 | 0.553s |
The Silver Searcher | ag -w '[A-Z]+_SUSPEND' | 450 | 0.589s |
git grep (Unicode) | LC_ALL=en_US.UTF-8 git grep -E -n -w '[A-Z]+_SUSPEND' | 450 | 2.266s |
sift | sift --git -n -w '[A-Z]+_SUSPEND' | 450 | 3.505s |
ack | ack -w '[A-Z]+_SUSPEND' | 1878 | 6.823s |
The Platinum Searcher | pt -w -e '[A-Z]+_SUSPEND' | 450 | 14.208s |
Tests
Test Suite runs with venom
venom run tests/suite.yml
Vulnerabilities
Scanned with Sonatype Nancy
Audited dependencies: 41, Vulnerable: 0
from Sonatype OSS Index