
Get Started

The guide walks you through a quick start with Selefra.

Install

Note: check the permissions of the downloaded binary. If it is not executable, the guide suggests sudo chmod 777 selefra; chmod +x selefra grants the execute bit that is actually needed without making the file world-writable.

Script installation (installs to /usr/local/bin/selefra):

shell
curl https://raw.githubusercontent.com/selefra/selefra/main/install.sh | bash

Download Selefra CLI

Alternatively, download a release package from the releases page (the newest version is recommended).

Create a New Project

Note:
  • The first time you run selefra init, Selefra installs PostgreSQL in your local environment.
  • The built-in PostgreSQL cannot be run as root; refer to the troubleshooting documentation to resolve this.

Now that you've set up the environment, let's create your first Selefra project.

Create working directory

shell
mkdir selefra-demo && cd selefra-demo

Initialize working directory

shell
selefra init

When it prompts:

shell
[Use arrows to move, Space to select, and enter to complete the selection]
 
[✔] AWS # We choose AWS installation
[ ] azure
[ ] GCP
[ ] k8s

Use space to select a provider and press enter to create a demo project.

In the next step, let's learn the structure of typical project files generated from the demo project.

Review Project

selefra init generates this file structure by default:

  • logs includes CLI and plugin log files.
  • selefra.yaml contains settings for the project and providers' plugins.
  • providers.yaml contains provider credentials and account settings.
  • rules.yaml is the core of any Selefra project; it defines analysis tasks in SQL and YAML syntax.

Project Structure

folder
.
├── logs
├── selefra.yaml
├── providers.yaml
└── rules.yaml

Let's examine selefra.yaml:

Selefra CLI configuration using the AWS provider:

selefra.yaml
selefra:
  name: selefra-demo
  cloud:
    project: selefra-demo
  cli_version: v0.0.9
  log_level: info
  providers:
    - name: aws
      source: aws
      version: v0.0.13

Let's examine providers.yaml:

Configure the AWS provider so Selefra can query AWS data:

providers.yaml
providers:
  - name: aws
    cache: 1d
    provider: aws
    max_goroutines: 100
    # Optional. by default assumes all regions
    # regions:
    #   - us-east-1
    #   - us-west-2

Let's examine rules.yaml:

This rule extracts configuration data from AWS S3 bucket resources and reports each bucket whose versioning is disabled (it should be enabled).

rules.yaml
rules:
  - name: bucket_versioning_is_disabled
    query: |-
      SELECT
        *
      FROM
        aws_s3_buckets
      WHERE
        versioning_status IS DISTINCT FROM 'Enabled';
    output: "S3 bucket versioning is disabled, arn: {{.arn}}"

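To see why the rule compares with IS DISTINCT FROM rather than a plain inequality, here is an added Python example (not Selefra's code) that runs the rule's WHERE clause over a constructed aws_s3_buckets table in SQLite and renders the rule's output template. The sample rows, the arn column, and the render helper are assumptions; SQLite's IS NOT is used as its null-safe equivalent of PostgreSQL's IS DISTINCT FROM.

```python
import re
import sqlite3

# Constructed sample rows standing in for the aws_s3_buckets table that the
# AWS provider populates. The third bucket has never had versioning
# configured, so its status is NULL rather than 'Suspended'.
SAMPLE_BUCKETS = [
    ("arn:aws:s3:::prod-logs", "Enabled"),
    ("arn:aws:s3:::staging-assets", "Suspended"),
    ("arn:aws:s3:::scratch-uploads", None),
]

# Output template in the style of the page's rules.yaml ({{.column}} placeholder).
OUTPUT_TEMPLATE = "S3 bucket versioning is disabled, arn: {{.arn}}"


def _connect() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE aws_s3_buckets (arn TEXT, versioning_status TEXT)")
    conn.executemany("INSERT INTO aws_s3_buckets VALUES (?, ?)", SAMPLE_BUCKETS)
    return conn


def render(template: str, row: dict) -> str:
    # Minimal stand-in (assumption) for the {{.column}} substitution applied to `output`.
    return re.sub(r"\{\{\.(\w+)\}\}", lambda m: str(row[m.group(1)]), template)


def run_rule(where_clause: str) -> list[str]:
    # where_clause comes from the rule file, never from untrusted input.
    conn = _connect()
    conn.row_factory = sqlite3.Row
    rows = conn.execute(
        f"SELECT arn FROM aws_s3_buckets WHERE {where_clause} ORDER BY rowid"
    )
    return [render(OUTPUT_TEMPLATE, dict(r)) for r in rows]


def naive_findings() -> list[str]:
    # A plain inequality silently drops the NULL row: NULL <> 'Enabled' is
    # neither true nor false, so the never-configured bucket is not reported.
    return run_rule("versioning_status <> 'Enabled'")


def null_safe_findings() -> list[str]:
    # The page's rule uses IS DISTINCT FROM, which treats NULL as a comparable
    # value; older SQLite builds spell the same null-safe inequality as IS NOT.
    try:
        return run_rule("versioning_status IS DISTINCT FROM 'Enabled'")
    except sqlite3.OperationalError:
        return run_rule("versioning_status IS NOT 'Enabled'")
```

The naive form reports only the Suspended bucket, while the null-safe form also reports the bucket that never had versioning configured, which is the case a misconfiguration check must not miss.
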
Next, let's apply the project.

Authenticate to AWS

Follow the AWS provider documentation to authenticate, so that Selefra has access to your account.

Apply Project

Let's go ahead and run your project:

shell
selefra apply

This command will initialize the project, extract resource data, and run a policy:

shell
 _____        _         __
/  ___|      | |       / _|
\ `--.   ___ | |  ___ | |_  _ __   __ _
 `--. \ / _ \| | / _ \|  _|| '__| / _` |
/\__/ /|  __/| ||  __/| |  | |   | (_| |
\____/  \___||_| \___||_|  |_|    \__,_|
 
Testing Selefra operation environment...
 
	- Client verification completed
	- Providers verification completed
	- Profile verification completed
 
Complete the Selefra runtime environment test!
waiting for server to start.... done
server started
 
Initializing provider plugins...
 
	- aws@v0.1.0 all ready updated!
 
Selefra has been successfully installed providers!
 
Checking Selefra provider updates...
 
	- aws@v0.1.0 all ready updated!
 
Selefra has been finished update providers!
 
Selefra will load and apply selefra policy with sql and prompt...
 
Loading and initializing Selefra policy...
 
	- "mfa_delete_is_disable" Rule Completed
	- "bucket_logging_disable" Rule Completed
	- "ebs_encryption_is_disabled_by_default" Rule Completed
 
Loaded: 3 policies to loaded, 0 Severity, 0 High, 2 Medium, 1 Low, 0 Informational.
 
[Medium]MFA delete is disable······································14
Description:Ensure MFA Delete is enable on S3 buckets.
Results:
	MFA delete is disable, arn: arn:aws:s3:::xxx     arn:aws:s3:::xxx us-east-1 S3 https://selefra-demo.s3.us-east-1.amazonaws.com 587534146112
	MFA delete is disable, arn: arn:aws:s3:::xxx     S3 https://xxxx.amazonaws.com 587534146112 arn:aws:s3:::xxxx-sqd64 us-east-1
    ......
	MFA delete is disable, arn: arn:aws:s3:::xxxx   https://xxxx-xxxx.s3.us-east-1.amazonaws.com 587534146112 arn:aws:s3:::xxxx-20221209081852541200000001 us-east-1 S3
	MFA delete is disable, arn: arn:aws:s3:::xxxx     https://config-bucket-587534146112.s3.us-east-1.amazonaws.com 587534146112 arn:aws:s3:::config-bucket-587534146112 us-east-1 S3
[Low]S3 bucket logging disable·····································14
Description:Ensure S3 bucket logging is enabled.
Results:
	S3 bucket logging disable, arn: arn:aws:s3:::xxxx    S3 https://selefra-demo.s3.us-east-1.amazonaws.com 587534146112 arn:aws:s3:::selefra-demo us-east-1
	S3 bucket logging disable, arn: arn:aws:s3:::xxxx     S3 https://houxian-sqd64.s3.us-east-1.amazonaws.com 587534146112 arn:aws:s3:::houxian-sqd64 us-east-1
    ......
	S3 bucket logging disable, arn: arn:aws:s3:::xxxx     587534146112 arn:aws:s3:::main-app.selefra.io us-east-1 S3 https://main-app.selefra.io.s3.us-east-1.amazonaws.com
	S3 bucket logging disable, arn: arn:aws:s3:::xxxx     arn:aws:s3:::pre-app.selefra.io us-east-1 S3 https://pre-app.selefra.io.s3.us-east-1.amazonaws.com 587534146112
[Medium]EBS encryption is disabled by default······················17
Description:Ensure that EBS encryption is enabled by default.
Results:
	EBS encryption is disabled by default, region id: us-east-1     us-east-1 us-east-1 EC2 587534146112
	EBS encryption is disabled by default, region id: eu-west-2     587534146112 eu-west-2 eu-west-2 EC2
	EBS encryption is disabled by default, region id: eu-west-3     587534146112 eu-west-3 eu-west-3 EC2
    ......
	EBS encryption is disabled by default, region id: ap-southeast-2     ap-southeast-2 ap-southeast-2 EC2 587534146112
	EBS encryption is disabled by default, region id: us-west-2     us-west-2 us-west-2 EC2 587534146112
	EBS encryption is disabled by default, region id: ca-central-1     587534146112 ca-central-1 ca-central-1 EC2
 
Summary: Total 45 Issues, 0 Critical, 0 High, 31 Medium, 14 Low, 0 Informational.
 
Apply done

The output should print the bucket name with Versioning disabled.

Use GPT

You can run an analysis directly through GPT:

shell
selefra gpt <"what you want to analyze"> --openai_mode=gpt-3.5 --openai_limit=5 --openai_api_key=<Your Openai Api Key>

Environment Variable

The three options can also be supplied through the environment variables OPENAI_API_KEY, OPENAI_MODE and OPENAI_LIMIT:

shell
export OPENAI_API_KEY="Your Api Key"
export OPENAI_MODE="3.5"
export OPENAI_LIMIT="10"

Taking AWS S3 as an example, asking "Please help me analyze the vulnerabilities in AWS S3?" returns the following:

shell
 _____        _         __
/  ___|      | |       / _|
\ `--.   ___ | |  ___ | |_  _ __   __ _
 `--. \ / _ \| | / _ \|  _|| '__| / _` |
/\__/ /|  __/| ||  __/| |  | |   | (_| |
\____/  \___||_| \___||_|  |_|    \__,_|
 
Testing Selefra operation environment...
 
	- Client verification completed
	- Providers verification completed
	- Profile verification completed
 
Complete the Selefra runtime environment test!
waiting for server to start.... done
server started
 
Initializing provider plugins...
 
	- aws@v0.1.0 all ready updated!
 
Selefra has been successfully installed providers!
 
Checking Selefra provider updates...
 
	- aws@v0.1.0 all ready updated!
 
Selefra has been finished update providers!
 
Selefra will load and apply selefra policy with sql and prompt...
 
Loading and initializing Selefra policy...
 
	- "CloudChat" Rule Completed
 
Loaded: 1 policies to loaded, 0 Severity, 0 High, 0 Medium, 1 Low, 0 Informational.
 
[Low]GPT mode automatic analysis···································11
Description:In GPT mode, it will automatically analyze whether there is risk information according to the query content.
Results:
	ars:aws:s3:::xxx,S3 Bucket Misconfiguration            GPT
	ars:aws:s3:::xxx,S3 Bucket Misconfiguration            GPT
    ......
	ars:aws:s3:::xxx,S3 Bucket Misconfiguration            GPT
	ars:aws:s3:::xxx,S3 Bucket Misconfiguration            GPT
 
Summary: Total 11 Issues, 0 Critical, 11 High, 0 Medium, 0 Low, 0 Informational.
 
Selefra Exit
 

This shows directly what risks each resource (<resource_id>) has. In the next section, you will build projects that extend to larger surfaces.
