irulescan

static security analyzer for iRules


irulescan is a tool to scan iRules for unexpected or unsafe expressions that may have undesirable effects, such as double substitution.

irulescan would not exist without tclscan.

It is available as a docker/container image as well as a GitHub Action, irulescan-action.

Usage

It is easiest to use the irulescan container to scan your iRules. It is available via Docker Hub as well as ghcr.io.

The container will recursively scan files within the /scandir folder of the container and return the result in YAML format. Files with the (case insensitive) extensions .tcl, .irul and .irule will be considered.

Command line

Scanning a directory ($PWD/tests/basic):

docker run -i --rm -v $PWD/tests/basic:/scandir simonkowallik/irulescan
---
/dangerous.tcl: |
  WARNING: Unquoted expr at `1` in `expr 1 + $one`
  WARNING: Unquoted expr at `+` in `expr 1 + $one`
  DANGEROUS: Dangerous unquoted expr at `$one` in `expr 1 + $one`
/ok.tcl: |
/warning.tcl: |
  WARNING: Unquoted expr at `1` in `expr 1 + 1`
  WARNING: Unquoted expr at `+` in `expr 1 + 1`
  WARNING: Unquoted expr at `1` in `expr 1 + 1`

Scanning a single file ($PWD/tests/tcl/catch.tcl):

docker run -i --rm -v $PWD/tests/tcl/catch.tcl:/scandir/catch.tcl simonkowallik/irulescan
---
/catch.tcl: |
  WARNING: Unquoted expr at `1` in `expr 1`
  WARNING: Unquoted expr at `2` in `expr 2`

Invoking irulescan directly:

docker run -i --rm simonkowallik/irulescan irulescan

The container ships with a simple shell script, scandir.sh, which can be invoked directly. This is especially useful when using a CI system with custom mount points (e.g. /custom/path). Here is an example:

docker run -i --rm \
  -v $PWD/tests/tcl/:/custom/path \
  simonkowallik/irulescan /scandir.sh /custom/path

Note: When using -t, --tty with docker run, newlines will use CRLF ("Windows style") instead of LF ("unix style").
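In CI the report above is only useful if it can fail the job. The following is an added example, not code shipped with irulescan: it parses the YAML report in the shape shown above (one key per scanned file, a literal block of one WARNING:/DANGEROUS: finding per line, an empty block for a clean file) and returns an exit status. The sample report embedded below is copied from the tests/basic output above; the severity policy (fail on DANGEROUS, optionally on WARNING) is this example's assumption, not a setting of the tool.

```python
"""Gate a CI job on irulescan's YAML report (added example, not part of irulescan).

Usage:  docker run -i --rm -v $PWD/irules:/scandir simonkowallik/irulescan \
            | python3 irulescan_gate.py [--fail-on-warning]
Run without piped input it evaluates the constructed SAMPLE_REPORT below.
"""
import re
import sys
from collections import Counter

# Constructed sample: the report irulescan printed for tests/basic (see above).
SAMPLE_REPORT = """\
---
/dangerous.tcl: |
  WARNING: Unquoted expr at `1` in `expr 1 + $one`
  WARNING: Unquoted expr at `+` in `expr 1 + $one`
  DANGEROUS: Dangerous unquoted expr at `$one` in `expr 1 + $one`
/ok.tcl: |
/warning.tcl: |
  WARNING: Unquoted expr at `1` in `expr 1 + 1`
  WARNING: Unquoted expr at `+` in `expr 1 + 1`
  WARNING: Unquoted expr at `1` in `expr 1 + 1`
"""

# "<path>: |" opens a file's literal block; findings are indented beneath it.
FILE_RE = re.compile(r"^(\S.*?):\s*\|\s*$")
FINDING_RE = re.compile(r"^\s+(WARNING|DANGEROUS):\s*(.*)$")


def parse_report(text):
    """Return {path: [(severity, message), ...]} for every scanned file.

    Only the two line shapes the report uses are accepted; any other line
    raises, so a truncated or garbled report cannot pass as "clean".
    """
    findings = {}
    current = None
    for line in text.splitlines():
        if line.strip() in ("", "---"):
            continue
        m = FILE_RE.match(line)
        if m:
            current = m.group(1)
            findings[current] = []
            continue
        m = FINDING_RE.match(line)
        if m and current is not None:
            findings[current].append((m.group(1), m.group(2)))
            continue
        raise ValueError(f"unrecognised report line: {line!r}")
    return findings


def summarize(findings):
    """Count findings per severity across all scanned files."""
    counts = Counter(sev for items in findings.values() for sev, _ in items)
    return {"DANGEROUS": counts["DANGEROUS"], "WARNING": counts["WARNING"]}


def verdict(findings, fail_on_warning=False):
    """Exit status for CI.

    DANGEROUS (in the sample, the `$one` operand of an unbraced expr, which Tcl
    substitutes once and expr then evaluates again) always fails the job.
    WARNING (unbraced expr over constants in the sample) fails only when the
    caller opts in; this policy is the example's assumption.
    """
    counts = summarize(findings)
    if counts["DANGEROUS"]:
        return 1
    if fail_on_warning and counts["WARNING"]:
        return 1
    return 0


def main(argv):
    fail_on_warning = "--fail-on-warning" in argv
    text = SAMPLE_REPORT if sys.stdin.isatty() else sys.stdin.read()
    findings = parse_report(text)
    for path, items in findings.items():
        for sev, msg in items:
            print(f"{sev:9} {path}: {msg}")
    print("summary:", summarize(findings))
    return verdict(findings, fail_on_warning)


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Pipe the container's stdout into the script (without -t, so the report arrives with LF line endings) and let the non-zero exit status fail the pipeline step.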

API Server

The irulescan container tag :apiserver ships with a simple Swagger / OpenAPI server.

Start the API server:

docker run -it --rm -p 80:80 simonkowallik/irulescan:apiserver

Scanning a single file:

curl -s http://localhost/scan/ --data-binary '@tests/basic/dangerous.tcl'

Scanning multiple files:

curl -s http://localhost/scanfiles/ -F 'file=@tests/basic/warning.tcl' -F 'file=@tests/basic/ok.tcl'

(Demo of the Swagger UI for simonkowallik/irulescan:apiserver: screenshot not reproduced here.)

Additional resources

For safer authoring the VS Code iRules Extension is highly recommended: