
Introduction

Skims is a CLI application that can be configured to analyze source code, web services, and other attack surfaces, and produces detailed reports with the security vulnerabilities found.

End Users are allowed to run Skims as a Free and Open Source vulnerability detection tool.

Integrates configures and runs Skims periodically to find vulnerabilities over the attack surface of Fluid Attacks customers as part of the Essential plan.

Externally, the name Scanner can refer to either:

  • Skims, when run by End Users.
  • The combination of efforts between Skims and Integrates, when part of the Essential plan.

Skims refers only to the CLI application.

Public Oath

  1. Skims can be used by End Users as a Free and Open Source vulnerability detection tool.
  2. The Skims CLI can be found on DockerHub.
  3. It has a low rate of False Positives: it only reports vulnerabilities that have an actual impact.
  4. When the existence of a vulnerability cannot be deterministically decided, Skims will favor a False Negative over a False Positive. In other words, it will prefer failing to report a vulnerability that may have a real impact over reporting a vulnerability that may have no impact.

Architecture

[Architecture diagram]
  1. Skims is a CLI application written in Python.
  2. It declares its own infrastructure using Terraform.
  3. Sensitive secrets like Cloudflare authentication tokens are stored in encrypted YAML files using Mozilla SOPS.
  4. Skims CLI is published on DockerHub so anyone can use it.
  5. The vulnerability advisories used for Software Composition Analysis (SCA) are managed by a schedule in the Compute component of Common. The schedule fetches the information from public vulnerability databases and updates the data with new information. Once the data is ready, it is pushed to a public S3 bucket.
  6. The Skims CLI performs SCA with its own SCA DB.
  7. It sends metrics data to AWS CloudWatch.
  8. It sends errors to Bugsnag.

Contributing

Please read the contributing page first.

Development Environment

Configure your Development Environment.

When prompted for an AWS role, choose dev, and when prompted for a Development Environment, pick skims.

Local Environment

Run this command within the universe repository:

m . /skims

This will build and run the Skims CLI application, including the changes you’ve made to the source code.

Local Tests

There are several Skims tests, covering each library or finding that has been added to the module.