
Skims

Skims is a CLI application that can be configured to analyze source code, web services, and other attack surfaces, and produces detailed reports with the security vulnerabilities found.

End Users are allowed to run Skims as a Free and Open Source vulnerability detection tool.

Integrates configures and runs Skims periodically to find vulnerabilities over the attack surface of Fluid Attacks customers as part of the Machine Plan.

Externally, the Scanner can refer to either of the following:

  • Skims, when run by End Users.
  • The combination of efforts between Skims and Integrates, when part of the Machine Plan.

Skims refers only to the CLI application.

Public Oath

  1. Skims can be used by End Users as a Free and Open Source vulnerability detection tool. In other words: it can be used without authentication or manual intervention by Fluid Attacks staff.

  2. Skims has a low rate of False Positives, meaning that it only reports vulnerabilities that have an impact.

  3. When the existence of a vulnerability cannot be deterministically decided, Skims will favor a False Negative over a False Positive. In other words, it will prefer failing to report a vulnerability that may have a real impact over reporting a vulnerability that may have no impact.

Using Skims

  1. Make sure you are in a Linux x86_64 system:

    $ uname -ms
    Linux x86_64
  2. Make sure you have the following tools installed in your system:

  3. Now you can use Skims by calling:

    $ m gitlab:fluidattacks/[email protected] /skims

    Feel free to pass the --help flag to learn more about the things it can do for you.

    You can run the scanner with:

     $ m gitlab:fluidattacks/[email protected] /skims scan /path/to/config.yaml

    ... 🚀 !!

    The configuration format is explained in the Configuration guidelines.

Architecture

  1. Skims is a CLI application written in Python.

  2. Most of Skims' code is related to finding vulnerabilities. Therefore, the best way to understand how everything works is by reading the source code of the CLI first and then following the control flow. You'll eventually get to the different security checks Skims performs.

  3. The vulnerability advisories used in the Software Composition Analysis (SCA) component of Skims are added, deleted, or updated by:

    • A Scheduler in the Compute component of Common, which fetches the information from public vulnerability databases, and populates the data with new information periodically.
    • Manually by a Developer.

    The vulnerability advisories used to perform the analysis are downloaded from a DynamoDB table or a public S3 bucket, depending on what privileges the user running Skims has.

    Since the S3 bucket is publicly accessible, its access logs are written for security reasons into the common.logging bucket owned by the Users component of Common.

  4. Some cloud resources are owned by Skims, but they are either unused or used by Integrates when running Skims as part of the Machine Plan. See Issue #7886 and Issue #7873.

  5. The OWASP Benchmark is used to measure the quality of Skims when analyzing certain kinds of Java applications.

Tip

You can right-click on the image below to open it in a new tab, or save it to your computer.

Architecture of Skims

Contributing

Please read the contributing page first.

Development Environment

Follow the steps in the Development Environment section of our documentation.

When prompted for an AWS role, choose dev, and when prompted for a Development Environment, pick skims.

Local Environment

Just run:

universe $ m . /skims

This will build and run the Skims CLI application, including the changes you've made to the source code.

Local Tests

Some tests require a local instance of Integrates.

To deploy a local instance of Integrates, run each of the following commands in a different terminal:

universe $ m . /integrates/back
universe $ m . /dynamoDb/skims
universe $ m . /integrates/storage