INTERCEPT: Policy as Code Static Analysis Auditing

INTERCEPT

A stupidly easy to use, small-footprint Policy as Code command-line scanner with subsecond runtime that leverages the fastest multi-line search tool (ripgrep) to scan your codebase. It can be used as a linter, a guard-rail control, or a simple data collector and inspector. Consider it a weaponized ripgrep. Works on Mac, Linux, and Windows.

Code Static Analysis Auditing

How it works

  • intercept binary
  • policies yaml file
  • (included) ripgrep binary
  • (optional) exceptions yaml file

Intercept merges environment flags, the policies yaml and the exceptions yaml into a single global config. It then uses ripgrep to recursively scan a target path for policy breaches in your code and generates a human-readable, detailed report of the findings.
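To make the flow above concrete, here is an added, self-contained Python sketch of the same pipeline (policies with a regex and a remediation hint, path-based exceptions, an environment override, a recursive-style scan that reports file and line). It is not INTERCEPT's code, and the policy/exception shapes and the INTERCEPT_SKIP variable are hypothetical, not the project's real YAML schema or flags; ripgrep is replaced by Python's re module.

```python
import fnmatch
import re

# Hypothetical policy shape (id + regex + remediation hint), constructed for this example.
POLICIES = [
    {"id": "aws-access-key", "pattern": r"\bAKIA[0-9A-Z]{16}\b",
     "solution": "Remove the credential from the repo and rotate it."},
    {"id": "hardcoded-password", "pattern": r"(?i)password\s*[:=]\s*['\"][^'\"]+['\"]",
     "solution": "Load secrets from a vault or the environment at runtime."},
    {"id": "debug-flag", "pattern": r"^\s*debug\s*[:=]\s*true\b",
     "solution": "Debug must be off in committed configuration."},
]

# Hypothetical exception shape: suppress one policy for paths matching a glob.
EXCEPTIONS = [{"policy": "debug-flag", "path": "test/**"}]

def build_config(policies, exceptions, env):
    """Merge env flags, policies and exceptions into one config.
    INTERCEPT_SKIP (hypothetical) is a comma-separated list of policy ids to disable."""
    skip = {p for p in env.get("INTERCEPT_SKIP", "").split(",") if p}
    active = [dict(p, regex=re.compile(p["pattern"], re.M))
              for p in policies if p["id"] not in skip]
    return {"policies": active, "exceptions": exceptions}

def is_excepted(config, policy_id, path):
    return any(e["policy"] == policy_id and fnmatch.fnmatch(path, e["path"])
               for e in config["exceptions"])

def scan(config, files):
    """files: {path: content}. Returns (policy id, path, line number, solution) per breach."""
    findings = []
    for path, text in files.items():
        for pol in config["policies"]:
            if is_excepted(config, pol["id"], path):
                continue
            for m in pol["regex"].finditer(text):
                line_no = text.count("\n", 0, m.start()) + 1
                findings.append((pol["id"], path, line_no, pol["solution"]))
    return sorted(findings)

def report(findings):
    return [f"{pid} {path}:{line} -> {fix}" for pid, path, line, fix in findings]

# Constructed sample repository content so the example runs offline.
SAMPLE_FILES = {
    "app/config.yml": "debug: true\ndb_password: 'hunter2'\n",
    "test/fixture.yml": "debug: true\n",
    "scripts/deploy.sh": "export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n",
}

if __name__ == "__main__":
    print("\n".join(report(scan(build_config(POLICIES, EXCEPTIONS, {}), SAMPLE_FILES))))
```

The exception keeps `test/fixture.yml` quiet while the same `debug: true` in `app/config.yml` is reported, and setting `INTERCEPT_SKIP=debug-flag` drops that policy entirely.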

Use cases

  • A simple and powerful free drop-in alternative to HashiCorp Sentinel if you are more comfortable writing and maintaining regular expressions than learning a new custom policy language.
  • Do you find Open Policy Agent rego files too much sugar for your pipeline?
  • Captures the patterns from git-secrets and trufflehog and can prevent sensitive information from running through your pipeline (trufflehog regexes).
  • Identifies policy breaches (files and line numbers) and reports solutions/suggestions for its findings, making it a great tool to ease onboarding of developer teams onto your unified deployment pipeline.
  • Can enforce style guides, coding standards and best practices, and can also report on suboptimal configurations.
  • Can collect patterns or high-entropy data and output it in multiple formats.
  • Anything you can match with a regular expression can be actioned on.

Download && Use

Copyright (C) 2020 xfhg