What’s Hakiri? Hakiri is a web app that checks your Ruby stacks and code for new vulnerabilities. When a new vulnerability is detected, you get notified via email. Simple and clean.
How did Hakiri come to be? Back in January of 2013, Vasily, the founder of Hakiri, tried to find an easy-to-use web service that would automatically check his Rails projects for CVE vulnerabilities. It happened right after a devastating Rails vulnerability came out and the whole Rails community freaked out big time. Vasily found out that there was no such tool, so he decided to build one. The original version included a script that matched a CVE database with specific technologies, nothing really fancy. After several iterations a lot of new things were added: Hakiri now includes not only the original CVE detection functionality but also a Gemfile.lock scanner and a static code analysis tool that checks code for common vulnerabilities such as cross-site scripting holes and SQL injection.
Now let’s cut to the chase and explore how Hakiri works, shall we?
It’s really easy to get started with Hakiri: simply connect your GitHub account, choose any Ruby repo and branch, and wait a few seconds while Hakiri runs all of its security tests.
So, what just happened? Hakiri connected to your GitHub account, pulled the code from the specified branch, set up a webhook for future code pushes, and, finally, did its magic. Once the scan is over and vulnerabilities have been detected, your code is always safely removed from our servers.
Next time you push code, GitHub notifies Hakiri and Hakiri runs the security tests on the latest code again. By the way, you can always follow more than one branch, which comes in handy when you have many different stacks (e.g., production, staging, or development).
On top of checking the code, Hakiri scans your gems and Rails versions for CVE vulnerabilities. CVE (Common Vulnerabilities and Exposures) is a system that provides a reference method for publicly known security vulnerabilities and exposures. New CVE vulnerabilities come out almost every week and Hakiri is here to notify you about them.
Hakiri performs static code analysis tests (meaning that we never execute your code) on your repo to find various vulnerabilities. What is it looking for exactly? There are 32 different tests that Hakiri performs with cross-site scripting, SQL injection, remote code execution, format validation, basic auth, mass assignment, and unsafe redirects being my personal favorites.
Now it’s time to fix vulnerabilities if you have any. If you think that Hakiri detected some vulnerability by mistake, you can mark it as a false positive and it will never be shown to you again. You can undo this action in the False Positives tab.
How many gems do you have in your project? Twenty? Thirty? Most of them depend on a bunch of other gems you might not even be aware of. Every gem has potential vulnerabilities. And it’s very difficult and painful to keep track of these vulnerabilities—that’s why there is Hakiri.
Thankfully, all gems that are used in your project are listed in Gemfile.lock. On each code push Hakiri tests gem versions against its database of vulnerabilities and notifies you when vulnerabilities are found.
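To show what a Gemfile.lock scan of this kind does under the hood, here is an added example in Ruby (not Hakiri's own code). It parses the specs section of a constructed lockfile and matches each locked gem version against a small advisory list using Gem::Requirement; the advisory identifiers and version ranges are placeholders made up for the example, not real CVEs.

```ruby
require "rubygems" # provides Gem::Version and Gem::Requirement (stdlib)

# Constructed Gemfile.lock excerpt; not taken from any real project.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      actionpack (3.2.10)
        activemodel (= 3.2.10)
        rack (~> 1.4.0)
      activemodel (3.2.10)
      rack (1.4.1)
      unicorn (4.6.2)
        kgio (~> 2.6)
      kgio (2.8.0)

  PLATFORMS
    ruby

  DEPENDENCIES
    actionpack (= 3.2.10)
    unicorn
LOCK

# Constructed advisory database; the ids are placeholders, not real CVE numbers.
# Each entry names the vulnerable version range and the first patched release,
# which is the shape real advisories usually take.
ADVISORIES = [
  { id: "ADVISORY-A (constructed)", gem: "actionpack", vulnerable: ["< 3.2.11"],             fixed: "3.2.11" },
  { id: "ADVISORY-B (constructed)", gem: "rack",       vulnerable: [">= 1.4.0", "< 1.4.5"],  fixed: "1.4.5" },
  { id: "ADVISORY-C (constructed)", gem: "unicorn",    vulnerable: ["< 4.0.0"],              fixed: "4.0.0" },
]

# Parse the `specs:` block of a Gemfile.lock into { "name" => "version" }.
# Resolved gems are indented by exactly four spaces; their own dependencies
# by six, so only four-space lines with a parenthesised version are kept.
def parse_lockfile(text)
  gems = {}
  in_specs = false
  text.each_line do |line|
    if line =~ /^\s*specs:\s*$/
      in_specs = true
      next
    end
    # A blank line or a new top-level section (PLATFORMS, DEPENDENCIES, ...)
    # ends the specs block.
    if in_specs && (line.strip.empty? || line =~ /^[A-Z]/)
      in_specs = false
      next
    end
    next unless in_specs
    gems[$1] = $2 if line =~ /^    ([^\s(]+) \(([^)]+)\)\s*$/
  end
  gems
end

# Return the advisories whose vulnerable range contains the locked version.
# Gems the project does not use are skipped rather than reported.
def find_vulnerable_gems(gems, advisories = ADVISORIES)
  advisories.select do |adv|
    locked = gems[adv[:gem]]
    next false unless locked
    Gem::Requirement.new(*adv[:vulnerable]).satisfied_by?(Gem::Version.new(locked))
  end.map do |adv|
    { gem: adv[:gem], locked: gems[adv[:gem]], advisory: adv[:id], fixed: adv[:fixed] }
  end
end

def scan_lockfile(text, advisories = ADVISORIES)
  find_vulnerable_gems(parse_lockfile(text), advisories)
end

if __FILE__ == $0
  scan_lockfile(SAMPLE_LOCKFILE).each do |hit|
    puts "#{hit[:gem]} #{hit[:locked]}: #{hit[:advisory]}, upgrade to >= #{hit[:fixed]}"
  end
end
```

The point of parsing the lockfile rather than the Gemfile is the one the paragraph makes: the lockfile pins every transitive dependency (rack and kgio above are pulled in by other gems), so the scan covers gems you never listed yourself. Using Gem::Requirement for the match means ranges such as ">= 1.4.0, < 1.4.5" are evaluated with proper version ordering instead of string comparison.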
The last step in securing your stacks is making sure that you are using up-to-date stack technologies (servers, databases, etc.). There are two ways you can submit stack technologies to Hakiri. The easiest way is to do it through the web interface. Just go to the Technologies section of any of your branches and add some versions. Vulnerabilities, if you have any, will show up right there.
As simple as it is, it’s not the best way to update technologies: there is no automation. If, for example, the version of Unicorn changes on your server, Hakiri has no way to know about it. A much better way to update versions is with Hakiri Toolbelt, a simple command line tool (to install it, run gem install hakiri). To describe your system to Hakiri Toolbelt, you’ll need to create a manifest file with:
$ hakiri manifest:generate
The manifest file includes all currently supported technologies by default. Modify it to include the technologies that you actually have on your server. Hakiri Toolbelt will attempt to scrape versions of technologies in the current directory. To change this behavior, change the command option to a command that returns either the actual version of the technology or the equivalent of technology_name -v. For example, if you want to get the version of Unicorn, your command could look like this:
"command": "bundle exec unicorn -v"
If you want the version of MySQL, you might want to write a little script that returns a version value, or query the server directly:
"command": "ruby path/to/script/get_mysql.rb"
"command": "mysql -u deploy -e ' SELECT VERSION(); '"
mysql -v returns the version of the MySQL client, not of the database server itself. That’s why you have to do all this voodoo magic with weird commands.
The version option in the manifest file allows you to hardcode the version of any technology. There are certain cases when it comes in handy.
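The command and version options above amount to a small version-detection loop, which the following added Ruby example spells out. It is not Hakiri Toolbelt's code: the manifest layout it reads (a JSON object mapping a technology name to its options) is an assumption made for the example, and the commands in the sample manifest are echo stand-ins constructed to imitate real tool output.

```ruby
require "json"
require "open3"

# Constructed manifest in the layout this example assumes; the file that
# `hakiri manifest:generate` writes may be laid out differently.
# The echo commands stand in for the real `unicorn -v` / `nginx -v` calls.
SAMPLE_MANIFEST = <<~JSON
  {
    "unicorn": { "command": "echo 'unicorn v4.8.3'" },
    "nginx":   { "command": "echo 'nginx version: nginx/1.4.7' >&2" },
    "mysql":   { "version": "5.5.37" },
    "redis":   { "command": "this-command-does-not-exist-xyz --version" }
  }
JSON

# First dotted version number in a string, e.g. "4.8.3" in "unicorn v4.8.3".
VERSION_RE = /\d+(?:\.\d+)+/

# Run the configured command and pull the first version number out of its
# output. stdout and stderr are captured together because some tools
# (nginx -v, for one) print their version on stderr. A command that fails or
# does not exist yields nil instead of a bogus version.
def scrape_version(command)
  output, status = Open3.capture2e(command)
  return nil unless status.success?
  output[VERSION_RE]
rescue SystemCallError # e.g. Errno::ENOENT when the binary is missing
  nil
end

# Resolve every technology in the manifest: a hardcoded "version" wins,
# otherwise "command" is run. Technologies whose version cannot be determined
# map to nil so a later sync step can report them rather than guess.
def detect_versions(manifest_json)
  manifest = JSON.parse(manifest_json)
  manifest.each_with_object({}) do |(tech, opts), versions|
    versions[tech] =
      if opts["version"]
        opts["version"]
      elsif opts["command"]
        scrape_version(opts["command"])
      end
  end
end

if __FILE__ == $0
  detect_versions(SAMPLE_MANIFEST).each do |tech, version|
    puts "#{tech}: #{version || 'could not determine version'}"
  end
end
```

The two failure modes worth handling are the ones the text hints at: output on the wrong stream (a command that "works" but whose version the scraper never sees) and a command that reports something other than the component you care about, as with the MySQL client versus the server. The first is covered by capturing both streams; the second is only fixable by choosing the right command, which is exactly why the manifest lets you override it.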
After setting up technologies in the manifest file, you can now scan your system for vulnerabilities:
$ hakiri system:scan
The output will indicate detected versions of technologies and show how many vulnerabilities every one of them has. Have some vulnerabilities? It’s time to upgrade!
Now you need to sync your system technologies with your stack on Hakiri. First, set up an authentication token. Then locate the stack ID in your stack settings.
Finally, run the following command:
$ hakiri system:sync -s your_stack_id
It will ask you whether you really want to update versions of technologies and then make a request to the Hakiri API. Voila! Now, whenever a new vulnerability comes out for any of your technologies you will receive an email (we are working on adding more notification options such as RSS and web hooks).
What happens when you update a technology on the server? Hakiri has no way of knowing about it unless you set up a recurring job. You could, for example, set up a cron job:
0 3 * * * hakiri system:sync -s your_stack_id --force
This job will execute the synchronization process every day at 3am. The --force argument makes the command execute without asking any questions.
We are working on adding standard Ruby library capabilities to Hakiri Toolbelt, so you can make calls to it as part of your rake scripts.
It’s time to wrap up. Hopefully this brief introduction will serve you well. As always, if you have any questions or feedback, please email us at firstname.lastname@example.org and we’ll get back to you quickly.