Skip to content

Interface to initiate code scan with Privado to identify data flows and privacy issues

License

LGPL-3.0, GPL-3.0 licenses found

Licenses found

LGPL-3.0
COPYING.LESSER
GPL-3.0
COPYING
Notifications You must be signed in to change notification settings

Privado-Inc/privado-cli

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Privado CLI

slack

What is Privado CLI?

Privado is an open source static code analysis tool to discover data flows in the code.

Privado CLI (previously, Privado-Inc/privado-datasafety) is the user-facing open-source interface responsible for interacting with the final bundle generated from privado powered by the scan engine privado-core, which not only discovers data-elements, PIIs, and third-parties but help discover in-depth dataflows from code to external sinks such as Databases, Third Parties, APIs, and help find data leakages such as logs.

To read more about Privado and how it works, refer this repository.

Prerequisite - Docker

To start off, make sure docker is installed. To install docker, you can follow the steps stated in the official documentation. Linux users should also follow docker post installation steps in order to run Privado CLI without root (sudo) privileges.

Installation

You can install Privado CLI in multiple manners:

Install using curl:

The installation script will download and setup the latest stable release for you as per your OS and arch. Run:

curl -o- https://raw.githubusercontent.com/Privado-Inc/privado-cli/main/install.sh | bash

To uninstall, simply delete ~/.privado/bin.

Install using Go

If you are a GoLang fan, you can use the go install command to install the Privado CLI:

go install github.com/Privado-Inc/privado-cli@latest

This will place the privado binary in your GOPATH's bin directory. This directory must be added to the $PATH environment variable. You can learn more here.

Install Release Manually

We use GitHub Releases to ship versioned privado releases for supported platforms. You can download a executable of Privado CLI for your platform.

To know your architecture, you can run:

$ uname -m

For detailed platform-specific instructions to setup privado, refer below:

MacOSX

ARM64 (M1 Chip)

To setup privado for macOS (arm64) i.e. Macbook with M1 chip, download privado-darwin-arm64.tar.gz from the latest release.

Navigate to the download directory and run:

$ tar -xf ~/.privado/privado-darwin-arm64.tar.gz
$ chmod +x privado
$ mv privado /usr/local/bin/

AMD64 (Intel Chip)

To setup privado for macOS (amd64), download privado-darwin-amd64.tar.gz from the latest release.

Navigate to the download directory and run:

$ tar -xf ~/.privado/privado-darwin-amd64.tar.gz
$ chmod +x privado
$ mv privado /usr/local/bin/
Linux

To setup privado on your linux system, download the respective zip from latest release for your platform. Navigate to the download directory and run the following commands:

ARM64

$ tar -xf ~/.privado/privado-linux-arm64.tar.gz
$ chmod +x privado
$ mv privado /usr/bin/privado

AMD64

$ tar -xf ~/.privado/privado-linux-amd64.tar.gz
$ chmod +x privado
$ mv privado /usr/bin/privado
Windows

To setup privado on your windows system, download privado-windows-amd64.zip from latest release. Navigate to the download directory and run the following bash commands:

$ mkdir -p $HOME/.privado/bin
$ unzip -o privado-windows-amd64.zip -d $HOME/.privado/bin
$ chmod +x $HOME/.privado/bin/privado
$ echo "export PATH=\$PATH:$HOME/.privado/bin" >> $HOME/.bashrc

Open a new session or source profile for effects to take place in the same session:

$ source $HOME/.bashrc

When using WSL, we recommend moving the binary to /usr/bin instead for optimal experience across users. Refer to steps for Linux for more information.

Build Privado CLI Locally

If you do not wish to use the pre-built binaries shipped in releases, you can choose to build Privado CLI locally. To do this, make sure that GoLang is installed and follow the following steps:

  1. Clone the repository: git clone https://github.com/Privado-Inc/privado-cli.git
  2. Change directory: cd privado
  3. Skip this step if you intend to build the main branch.
    To build a particular release, checkout the intended tag: git checkout <tag>
  4. Build with Go: go build -o privado
  5. You can now run ./privado.

For convenience, we recommend moving privado to a $PATH directory. You can refer to manual installation steps for more details.

Running a Scan

Privado CLI works on the client-end and does not share any code files, or snippets during the scan process.

To scan a repository, simply run:

privado scan <path/to/repository>

Depending on repository size and system configuration, time to scan can vary. Post completion, you can choose to visualize the results on Privado Cloud.

Results are saved to the <repository>/.privado directory. We suggest keeping .privado folder a part of your repository to encourage privacy discovery & transparency.

Command Reference

The section contains detailed reference to privado commands.

Privado CLI Global Flags

Flag Description
-h, --help Help about any command, or sub-command

Privado CLI Commands

Command Description Usage Supported Flags
completion Generate the autocompletion script for privado for the specified shell privado completion [command] -
config Set config for Privado CLI privado config [metrics] [flags] --enable, --disable
help Help about any command privado help [command] -
scan Scan a codebase or repository to identify dataflows and privacy issues privado scan [flags] -c, --config <path-to-config>:
Specifies the config (with rules) directory to be passed to privado-core for scanning. These external rules and configurations are merged with the default set that Privado defines

--disable-deduplication:
When specified, the engine does not remove duplicate and subset dataflows. This option is useful if you wish to review all flows (including duplicates) manually

-o, --overwrite:
If specified, the warning prompt for existing scan results is disabled and any existing results are overwritten

-i, --ignore-default-rules :
If specified, the default rules are ignored and only the specified rules (-c) are considered

--skip-dependency-download :
When specified, the engine skips downloading all locally unavailable dependencies. Skipping dependency download can yield incomplete results

--upload :
If specified, will automatically attempt to upload the scan result to Privado Dashboard

--skip-upload :
If specified, the result artifacts will not be uploaded to Privado Dashboard

--debug:
To enable process debug output for debugging purposes
update Updates Privado CLI to the latest version privado update -
version Prints the installed version of Privado CLI privado version -

How Privado CLI handles your data?

Privado CLI was engineered with security in mind. Our tool runs the scan locally on your machine and your code never leaves your system.

License

Privado OSS is distributed under the GNU LESSER GENERAL PUBLIC LICENSE (LGPL 3.0). This application may only be used in compliance with the License. In lieu of applicable law or written agreement, software distributed under the License is distributed "AS IS", VOID OF ALL WARRANTIES OR CONDITIONS. For specific details regarding permissions and restrictions, see COPYING and COPYING.LESSER.