Forces

Forces is the product responsible for the client-side part of the DevSecOps agent. It uses the Integrates API to communicate with the back-end.

Contributing

Please read the contributing page first.

Internals

1. Forces is written in Python, with the rich library providing colors, tables and formatting, an image is built from the code with makes which is then deployed to the Fluid Attacks DockerHub page.

Tip

You can try out your own image of Forces by running the following command after the deployContainerManifest/forcesDev job in the pipeline is done:

docker pull fluidattacks/forces:<youruseratfluid> &&
docker run --rm fluidattacks/forces:<youruseratfluid> forces

Note

Forces sends some telemetry to Bugsnag, where developers can use it to improve exception handling and enhance the program’s logic to prevent unexpected crashes. Remember, stability is paramount!

Product structure

• Directorysrc

  • Directoryapis

    • Directoryintegrates

      • api.py GraphQL operations made to the Integrates API are found here
      • client.py GraphQL client and retry parameters are defined here
  • Directorycli

    • __init__.py Defines the CLI flags and help information
  • Directorymodel/ NamedTuple class definitions for data and the reports

    • …
  • Directoryreport/ Data parsers, validations and report formatting

    • …
  • Directoryutils/ General utils including the strict mode evaluation

    • …
  • __init__.py Application entrypoint
• Directorytest/ Unit and functional tests

  • …

Getting Started

1. Configure your Development Environment.

2. When prompted for an AWS role, choose dev, and when prompted for a Development Environment, pick integratesForces.

3. Run this command within the universe repository:

   m . /integrates/forces

   This will build and run the Forces CLI application, including the changes you’ve made to the source code. Most of the time you’ll be running Forces this way.

Note

You will need to pass the Forces token to the CLI, which can be generated locally and from ephemeral environments.

Linting and testing

To invoke the linter, run the following command with makes:

m . /lintPython/module/forces

To lint the tests use:

m . /lintPython/module/forcesTests

To run the tests, use:

m . /integrates/forces/test

Tip

After running the test job, you can sometimes end up with an orphaned Integrates instance. To stop it, run the following command:

m . /integrates/utils/kill

Building the container locally

Most of the time you’ll be running Forces via makes. But in case you want to manually build and check the container, follow these steps:

1. Build the container image (a tarball)

   m . /integrates/forces/container

2. Load the tarball into the local Docker repository

   docker load < ~/.cache/makes/out-integrates-forces-container

3. Run the container image

   docker run --rm container-image:latest forces

Checking the output

Forces can be pointed to your local or ephemeral Integrates instances, to do this, you can set the API_ENDPOINT variable:

• Local environment:

    export API_ENDPOINT=http://localhost:8001/api

• Ephemeral environment:

    export API_ENDPOINT=http://<youruseratfluid>.app.fluidattacks.com/api

The output can be seen in the DevSecOps table of the group in the instance you pointed Forces to.

Caution

The readability of the logs is very important! Whenever you make presentation changes, make sure to run Forces locally or check the output of the integrates/web/forces and integrates/web/forces/container jobs to ensure everything’s okay before opening a merge request.