README
¶
Capslock is a capability analysis CLI for Go packages that informs users of which privileged operations a given package can access. This works by classifying the capabilities of Go packages by following transitive calls to privileged standard library operations.
The recent increase in supply chain attacks targeting open source software has highlighted that third party dependencies should not be inherently trusted. Capabilities indicate what permissions a package has access to, and can be used in conjunction with other security signals to indicate which code requires additional scrutiny before it can be considered trusted.
What are capabilities?
Current security analysis focuses a lot on identifying vulnerabilities in packages -- an important goal given the rate of new CVEs being identified. To complement this analysis, we are alerting on the capabilities of packages, meaning that we are identifying what permissions the package has access to via its transitive dependencies on standard library functions with privileged accesses.
This has many potential applications, from identifying the purpose of packages by looking at what capabilities they use, to directing security reviews to more privileged code paths, and even alerting on unexpected capability changes to stop potential supply chain threats before they can become an issue.
This is motivated by the Principle of Least Privilege -- the idea that access should be limited to the minimal set that is feasible and practical. We intend to apply this to software development to ensure that code can be scoped to the minimal set of capabilities that are required to perform its intended purpose.
To learn more about the capabilities in your dependencies, install Capslock
go install github.com/google/capslock/cmd/capslock@latest
You can then invoke Capslock by running capslock from the path of the packages you want to analyze.
Caveats
See the caveats file.
Contributing
See the contributing file.
Star History
Directories
¶
| Path | Synopsis |
|---|---|
|
cmd
|
|
|
capslock
Program capslock loads packages specified in command line arguments, and for each function in those packages that has interesting capabilities, outputs a string describing this to stdout.
|
Program capslock loads packages specified in command line arguments, and for each function in those packages that has interesting capabilities, outputs a string describing this to stdout. |
|
capslock-git-diff
capslock-git-diff lists package capabilities that were added between two revisions of a git repository.
|
capslock-git-diff lists package capabilities that were added between two revisions of a git repository. |
|
Package interesting contains tools for our static analysis to determine whether a leaf function is interesting.
|
Package interesting contains tools for our static analysis to determine whether a leaf function is interesting. |
|
testpkgs
|
|
|
buildtags
Package buildtags is used for testing.
|
Package buildtags is used for testing. |
|
callnet
Package callnet is used for testing.
|
Package callnet is used for testing. |
|
callos
Package callos is used for testing.
|
Package callos is used for testing. |
|
callruntime
Package callruntime is used for testing.
|
Package callruntime is used for testing. |
|
callutf8
Package callutf8 is used for testing.
|
Package callutf8 is used for testing. |
|
importname
Package importname is used for testing whether we analyze the names of imports correctly.
|
Package importname is used for testing whether we analyze the names of imports correctly. |
|
importname/sort
Package sort is not really the sort package.
|
Package sort is not really the sort package. |
|
indirectcalls
Package indirectcalls is used for testing.
|
Package indirectcalls is used for testing. |
|
initfn
Package initfn is used for testing.
|
Package initfn is used for testing. |
|
rewrites
Package rewrites is for testing that the syntax-rewriting code in the analysis library handles various types of statements correctly.
|
Package rewrites is for testing that the syntax-rewriting code in the analysis library handles various types of statements correctly. |
|
transitive
Package transitive is used for testing.
|
Package transitive is used for testing. |
|
useasm
Package useasm is for testing analysis of packages that include .s files.
|
Package useasm is for testing analysis of packages that include .s files. |
|
usecgo
Package usecgo is used for testing.
|
Package usecgo is used for testing. |
|
usegenerics
Package usegenerics is used for testing.
|
Package usegenerics is used for testing. |
|
uselinkname
Package uselinkname is for testing go:linkname.
|
Package uselinkname is for testing go:linkname. |
|
usereflect
Package usereflect is used for testing.
|
Package usereflect is used for testing. |
|
useunsafe
Package useunsafe is used for testing.
|
Package useunsafe is used for testing. |