Sken CLI is a security scan tool that can be integrated into your DevOps CI/CD workflow to identify and generate a detailed report of all security leaks and vulnerabilities in your application.

Related article: What open-source scanners, languages, and CI/CD tools are supported by Sken

Note: If you are yet to run the scan for your first app in Sken, check out the quick-step getting started article to follow the minimum steps to see how Sken works.

General Form

To run Sken CLI, invoke skencli from inside your Sken CLI directory, with or without options:

> PS [skenclidirectory] > skencli [options]
> PS [skenclidirectory] > skencli [-p | --path <path>] [-l | --lang <language>]

Options

-p, --path string Path of the project files
-l, --lang string Language in which the source code is written

--ignore-limit Only use this option if you're an advanced user. If your code base is large, this option will bypass sanity checks, including the limit on the number of files scanned and the time it takes for a scanner to run. Please note scanners can run for a very long time on large code bases.

For now, we only recommend running Sken CLI with a sken.yaml configuration file and no options.

Configuration Files

By default, the Sken CLI reads its configuration from a sken.yaml file. This file should be in the root directory of the project. You can modify this file to control how Sken CLI works.

See below to understand the parameters and variables in the file.

Sample .yaml File

orgid: your-org-id-here
appid: your-app-id-here

# optional Param section start
buildtool: jenkins # optional param, values=jenkins|travis
scanner: sast,dast,sca # optional param, default is ALL
language: python,javascript # optional param, default is Auto-Detect

variables:
  DAST_URL: https://your.url.com # optional param
  DAST_FULL_SCAN: true # true|false

# optional Param section end
# end of file

Parameters and Variables

Parameters (Mandatory)

orgid(string)

The unique ID associated with your organization.

appid(string)

The unique ID that identifies the projects running within the organization.

Parameters (Optional)

buildtool(string)

Supported values: jenkins,travis
Used to identify the project path by reading environment variables.

Note:

  • If value is jenkins, Sken reads WORKSPACE variable.
  • If value is travis, Sken reads TRAVIS_BUILD_DIR variable.
  • If the parameter is unspecified, Sken uses the directory of the configuration file.

scanner(string)

Supported values: SAST, DAST, SCA, secrets
Type of security scanning.

Note:

  • If the parameter is unspecified, all static scans will run.
  • If the parameter is unspecified but DAST_URL is detected, a DAST scan will also run.
  • If DAST_URL is detected but the parameter does not include DAST, DAST_URL will be ignored.

language(string)

Language in which the source code is written.

Supported values: java, javascript, typescript, python, python2, php, ruby, go

(If you want to scan Kotlin or Scala code, use java as your language; Sken will run FindSecBugs. Currently, we only support Java, Kotlin, and Scala projects built using Maven. You must run a build first before running skencli.)

Note:

  • If the parameter is unspecified, Sken will try to auto-detect the language.

Variables (Optional)

DAST_URL (string)

The URL where your application is hosted.

DAST_FULL_SCAN (boolean)

Supported values: true,false (default)

A full DAST scan will run when the value is set to true; otherwise a basic scan will run.

DAST_LOGINURL (string)

The URL where you display your login form. Currently, we only support form-based authentication.

DAST_LOGINBODY (string)

Format is: xxx={%username%}&yyy={%password%}

Where xxx and yyy are the form input name values of the username and password input fields respectively.

For example, if your form has fields <input name="myusername"> and <input name="mypassword">, then the string value is:

myusername={%username%}&mypassword={%password%}

DAST_USERNAME (string)

The username used to log in. This is substituted for the {%username%} placeholder in DAST_LOGINBODY.

DAST_PASSWORD (string)

The password used to log in. This is substituted for the {%password%} placeholder in DAST_LOGINBODY.
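The rules above (mandatory orgid/appid, the buildtool to environment-variable mapping, how an unset scanner interacts with DAST_URL, and the DAST_LOGINBODY placeholder format) are easy to get wrong in a CI pipeline, so the following added example, which is not part of Sken's own code, re-implements them as a preflight validator that a job can run before invoking skencli. The function names parse_sken_yaml and validate, the minimal parser (a real tool would use yaml.safe_load), the sample file, and two extra checks (that a selected DAST scan has a DAST_URL, and that the four DAST login variables are set together) are assumptions of this example, not documented Sken behaviour.

```python
"""Preflight checks for a sken.yaml file before a CI job invokes skencli.

Added example, not Sken's own code: it mirrors the documented rules
(mandatory orgid/appid, supported values, buildtool -> environment
variable, scanner/DAST_URL interaction, DAST_LOGINBODY format).
"""
import os
import re

SCANNERS = {"sast", "dast", "sca", "secrets"}
STATIC_SCANNERS = {"sast", "sca", "secrets"}      # run when 'scanner' is unset
LANGUAGES = {"java", "javascript", "typescript", "python", "python2", "php", "ruby", "go"}
BUILDTOOL_ENV = {"jenkins": "WORKSPACE", "travis": "TRAVIS_BUILD_DIR"}
# xxx={%username%}&yyy={%password%}, where xxx/yyy are the form field names
LOGINBODY_RE = re.compile(r"^[^=&]+=\{%username%\}&[^=&]+=\{%password%\}$")
LOGIN_VARS = ("DAST_LOGINURL", "DAST_LOGINBODY", "DAST_USERNAME", "DAST_PASSWORD")

# Constructed sample mirroring the documented sken.yaml layout.
SAMPLE = """orgid: your-org-id-here
appid: your-app-id-here
buildtool: jenkins # optional param
scanner: sast,dast,sca
language: python,javascript
variables:
  DAST_URL: https://your.url.com # optional param
  DAST_FULL_SCAN: true # true|false
"""


def parse_sken_yaml(text):
    """Minimal parser for the flat layout shown in the docs: top-level
    'key: value' pairs plus one indented block such as 'variables:'.
    '#' comments are stripped. Real code should use yaml.safe_load; this
    keeps the example dependency-free."""
    cfg, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if raw[0] in " \t" and section is not None:
            cfg[section][key] = value            # entry inside the indented block
        else:
            section = None
            if value:
                cfg[key] = value
            else:                                # 'variables:' opens a block
                cfg[key] = {}
                section = key
    return cfg


def _csv(value):
    return {item.strip().lower() for item in value.split(",") if item.strip()}


def validate(cfg, env=None, config_dir="."):
    """Return (problems, effective): findings, and the settings skencli
    would effectively use according to the documented rules."""
    env = os.environ if env is None else env
    problems, variables = [], cfg.get("variables") or {}
    for key in ("orgid", "appid"):
        if not cfg.get(key):
            problems.append(f"missing mandatory parameter: {key}")
    scanners, languages = _csv(cfg.get("scanner", "")), _csv(cfg.get("language", ""))
    for name, chosen, allowed in (("scanner", scanners, SCANNERS), ("language", languages, LANGUAGES)):
        if chosen - allowed:
            problems.append(f"unsupported {name} value(s): {sorted(chosen - allowed)}")
    # Project path: buildtool -> env var, otherwise the config file's directory.
    buildtool, project_path = cfg.get("buildtool"), config_dir
    if buildtool is not None:
        if buildtool not in BUILDTOOL_ENV:
            problems.append(f"unsupported buildtool: {buildtool}")
            project_path = None
        else:
            project_path = env.get(BUILDTOOL_ENV[buildtool])
            if not project_path:
                problems.append(f"buildtool {buildtool} set but {BUILDTOOL_ENV[buildtool]} is not in the environment")
    # Scanner / DAST_URL interaction as documented.
    dast_url = variables.get("DAST_URL")
    if scanners:
        scans = set(scanners)
        if dast_url and "dast" not in scanners:
            problems.append("DAST_URL is set but 'scanner' does not include dast: DAST_URL will be ignored")
    else:
        scans = set(STATIC_SCANNERS) | ({"dast"} if dast_url else set())
    if "dast" in scans and not dast_url:     # assumption: a DAST scan needs a target URL
        problems.append("dast scanner selected but DAST_URL is not set")
    full_scan = variables.get("DAST_FULL_SCAN", "false").lower()
    if full_scan not in ("true", "false"):
        problems.append(f"DAST_FULL_SCAN must be true or false, got {full_scan!r}")
    # Form-based login: assumed to need all four variables; the body must carry
    # exactly the two placeholders that skencli substitutes.
    present = [v for v in LOGIN_VARS if variables.get(v)]
    if present and len(present) != len(LOGIN_VARS):
        problems.append(f"incomplete DAST login config, missing: {sorted(set(LOGIN_VARS) - set(present))}")
    body = variables.get("DAST_LOGINBODY")
    if body and not LOGINBODY_RE.match(body):
        problems.append("DAST_LOGINBODY must look like xxx={%username%}&yyy={%password%}")
    effective = {
        "project_path": project_path,
        "scanners": scans,
        "languages": languages or "auto-detect",
        "dast_url": dast_url,
        "dast_full_scan": full_scan == "true",
        "dast_login": bool(present),         # the password itself is never echoed
    }
    return problems, effective


if __name__ == "__main__":
    findings, settings = validate(parse_sken_yaml(SAMPLE), env={"WORKSPACE": "/ci/ws"})
    print("problems:", findings or "none")
    print("effective:", settings)
```

Run it as a pipeline step and fail the job when problems is non-empty; the effective dictionary deliberately reports only whether login is configured, so DAST_PASSWORD never lands in CI logs.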

MAVEN_REPO_PATH

If your language is Java and you are using Maven, the scanner needs access to Maven's .m2 repository location. If this parameter is specified, skencli will use that location. Otherwise, skencli will attempt to find it in ${user.home}/.m2. If that fails, it will attempt to locate ${maven.home}/conf/settings.xml and extract the location from it.

GRADLE_CACHE_PATH

If your language is Java and you are using Gradle, the scanner needs access to Gradle’s cache. If this parameter is specified, skencli will use that location. Otherwise, skencli will attempt to find it in ${user.home}/.gradle.
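The lookup order just described for MAVEN_REPO_PATH and GRADLE_CACHE_PATH (explicit variable, then ${user.home}, then Maven's settings.xml) is shown below as an added example; it is not Sken's own code. Reading the <localRepository> element is how Maven itself records a custom repository in settings.xml, but the function names resolve_maven_repo and resolve_gradle_cache, the make_demo_layout helper, and the throwaway directory tree it builds are constructed for this example only.

```python
"""Resolve the Maven repository and Gradle cache locations in the order the
Sken CLI documentation describes. Added example, not Sken's own code."""
import os
import tempfile
import xml.etree.ElementTree as ET


def local_repo_from_settings(settings_xml):
    """Return the <localRepository> text from a Maven settings.xml, or None.
    Tag names are compared without their XML namespace so that files using
    any SETTINGS/x.y.z namespace version are handled."""
    try:
        root = ET.parse(settings_xml).getroot()
    except (OSError, ET.ParseError):
        return None
    for node in root:
        if node.tag.rsplit("}", 1)[-1] == "localRepository" and node.text and node.text.strip():
            return node.text.strip()
    return None


def resolve_maven_repo(variables, user_home, maven_home=None):
    """MAVEN_REPO_PATH, else ${user.home}/.m2, else ${maven.home}/conf/settings.xml.
    Returns (path or None, which rule matched)."""
    explicit = variables.get("MAVEN_REPO_PATH")
    if explicit:
        return explicit, "MAVEN_REPO_PATH"
    default = os.path.join(user_home, ".m2")
    if os.path.isdir(default):
        return default, "user.home"
    if maven_home:
        found = local_repo_from_settings(os.path.join(maven_home, "conf", "settings.xml"))
        if found:
            return found, "settings.xml"
    return None, "not found"


def resolve_gradle_cache(variables, user_home):
    """GRADLE_CACHE_PATH, else ${user.home}/.gradle."""
    explicit = variables.get("GRADLE_CACHE_PATH")
    if explicit:
        return explicit, "GRADLE_CACHE_PATH"
    default = os.path.join(user_home, ".gradle")
    return (default, "user.home") if os.path.isdir(default) else (None, "not found")


def make_demo_layout():
    """Build a throwaway tree (constructed data): one home without caches,
    one home with .m2 and .gradle, and a Maven install whose settings.xml
    points at a custom repository. Returns the paths for exercising the
    resolvers."""
    base = tempfile.mkdtemp(prefix="sken-demo-")
    bare_home = os.path.join(base, "home-bare")
    cached_home = os.path.join(base, "home-cached")
    maven_home = os.path.join(base, "maven")
    repo = os.path.join(base, "custom-repo")
    os.makedirs(bare_home)
    os.makedirs(os.path.join(cached_home, ".m2"))
    os.makedirs(os.path.join(cached_home, ".gradle"))
    os.makedirs(os.path.join(maven_home, "conf"))
    with open(os.path.join(maven_home, "conf", "settings.xml"), "w", encoding="utf-8") as fh:
        fh.write('<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0">\n'
                 f"  <localRepository>{repo}</localRepository>\n</settings>\n")
    return {
        "bare_home": bare_home, "cached_home": cached_home, "maven_home": maven_home,
        "repo": repo, "m2": os.path.join(cached_home, ".m2"),
        "gradle": os.path.join(cached_home, ".gradle"),
    }


if __name__ == "__main__":
    d = make_demo_layout()
    print(resolve_maven_repo({}, d["bare_home"], d["maven_home"]))   # falls through to settings.xml
    print(resolve_maven_repo({}, d["cached_home"]))                   # picks up ~/.m2
    print(resolve_gradle_cache({}, d["bare_home"]))                   # nothing to find
```

Running this before a scan on a Jenkins or Travis agent tells you which rule will supply the dependency cache, so a wrong or missing path can be fixed in sken.yaml instead of surfacing as an incomplete SAST result.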
