Get Started
The guide walks you through a quick start with Selefra.
Install
Install the CLI with the install script:
curl https://raw.githubusercontent.com/selefra/selefra/main/install.sh | bash
Piping a remote script into bash runs it without review; if you prefer, download install.sh first, read it, and run it afterwards. Pay attention to the binary's permissions: if selefra is not executable, make it executable with
chmod +x selefra
(add sudo only if the file is owned by another user). Avoid chmod 777, which also makes the binary writable by every user on the machine.
You can also download packages from the releases page (newest version recommended).
Create a New Project
- The first time you run selefra init, Selefra installs PostgreSQL in your local environment.
- The built-in PostgreSQL cannot be run as root; refer to here for a workaround.
Now that you've set up the environment, let's create your first Selefra project.
Create working directory
mkdir selefra-demo && cd selefra-demo
Initialize working directory
selefra init
When it prompts:
[Use arrows to move, Space to select, and enter to complete the selection]
[✔] AWS # We choose AWS installation
[ ] azure
[ ] GCP
[ ] k8s
Use space to select a provider and press enter to create a demo project.
In the next step, let's learn the structure of typical project files generated from the demo project.
Review Project
selefra init
generates this file structure by default:
- logs includes CLI and plugin log files.
- selefra.yaml contains settings for the project and the providers' plugins.
- providers.yaml contains provider credentials and account settings.
- rules.yaml is the core of any Selefra project; it defines analysis tasks in SQL and YAML syntax.
Project Structure
.
├── logs
├── selefra.yaml
├── providers.yaml
└── rules.yaml
Let's examine selefra.yaml:
# Selefra CLI configuration, using the AWS provider
selefra:
  name: selefra-demo
  cloud:
    project: selefra-demo
  cli_version: v0.0.9
  log_level: info
providers:
  - name: aws
    source: aws
    version: v0.0.13
Let's examine providers.yaml:
# Configure the AWS provider to collect AWS data
providers:
  - name: aws
    cache: 1d
    provider: aws
    max_goroutines: 100
    # Optional. By default all regions are scanned.
    # regions:
    #   - us-east-1
    #   - us-west-2
Let's examine rules.yaml:
This rule extracts the configuration of AWS S3 buckets and reports every bucket whose versioning is not enabled (it should be). IS DISTINCT FROM is used rather than <> so that buckets with no versioning status recorded at all (NULL) are reported as well.
rules:
  - name: bucket_versioning_is_disabled
    query: |-
      SELECT
        *
      FROM
        aws_s3_buckets
      WHERE
        versioning_status IS DISTINCT FROM 'Enabled';
    output: "S3 bucket versioning is disabled, arn: {{.arn}}"
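To see what the rule does before pointing it at a real account, the following added example (not Selefra's own code) evaluates the demo rule and its output template against a few constructed bucket rows. Selefra runs rules on PostgreSQL; the example stands in an in-memory SQLite table with the same column names and translates IS DISTINCT FROM to SQLite's IS NOT, which has the same NULL-aware semantics. The naive <> variant is included only to show the bucket it misses.

```python
import re
import sqlite3

# Added example, not Selefra's code. Selefra evaluates rules.yaml queries on
# PostgreSQL; this stand-in uses an in-memory SQLite table with the same
# column names to show how the query and the output template behave,
# including the NULL case the demo rule is written to catch.

# The demo rule from rules.yaml, as a plain dict (no YAML parser needed).
BUCKET_VERSIONING_RULE = {
    "name": "bucket_versioning_is_disabled",
    "query": (
        "SELECT * FROM aws_s3_buckets "
        "WHERE versioning_status IS DISTINCT FROM 'Enabled';"
    ),
    "output": "S3 bucket versioning is disabled, arn: {{.arn}}",
}

# A naive variant of the same rule, kept only to show what it misses.
NAIVE_RULE = dict(
    BUCKET_VERSIONING_RULE,
    name="naive",
    query="SELECT * FROM aws_s3_buckets WHERE versioning_status <> 'Enabled';",
)

# Constructed sample rows (not real buckets). A bucket on which versioning
# was never turned on reports no status at all, hence the NULL.
SAMPLE_BUCKETS = [
    {"arn": "arn:aws:s3:::demo-versioned", "region": "us-east-1", "versioning_status": "Enabled"},
    {"arn": "arn:aws:s3:::demo-suspended", "region": "us-east-1", "versioning_status": "Suspended"},
    {"arn": "arn:aws:s3:::demo-never-versioned", "region": "us-west-2", "versioning_status": None},
]

TEMPLATE_FIELD = re.compile(r"\{\{\s*\.(\w+)\s*\}\}")


def render_output(template, row):
    """Expand Go-template style {{.column}} placeholders from a result row."""
    return TEMPLATE_FIELD.sub(lambda m: str(row.get(m.group(1), "")), template)


def to_sqlite_dialect(query):
    """SQLite spells PostgreSQL's IS DISTINCT FROM / IS NOT DISTINCT FROM as IS NOT / IS."""
    query = re.sub(r"\bIS\s+NOT\s+DISTINCT\s+FROM\b", "IS", query, flags=re.I)
    return re.sub(r"\bIS\s+DISTINCT\s+FROM\b", "IS NOT", query, flags=re.I)


def run_rule(rule, buckets):
    """Load the sample rows into aws_s3_buckets, run the rule, return rendered findings."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.execute("CREATE TABLE aws_s3_buckets (arn TEXT, region TEXT, versioning_status TEXT)")
    conn.executemany(
        "INSERT INTO aws_s3_buckets VALUES (:arn, :region, :versioning_status)", buckets
    )
    rows = conn.execute(to_sqlite_dialect(rule["query"])).fetchall()
    conn.close()
    return [render_output(rule["output"], dict(r)) for r in rows]


if __name__ == "__main__":
    for rule in (BUCKET_VERSIONING_RULE, NAIVE_RULE):
        print(f"rule {rule['name']}:")
        for finding in run_rule(rule, SAMPLE_BUCKETS):
            print("  " + finding)
```

The demo rule reports both the suspended bucket and the never-versioned one; the <> variant silently drops the NULL row, which is exactly the bucket most likely to have been created without any thought about versioning.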
Next, let's move on to applying the project.
Authenticate to AWS
See this document to authenticate to AWS so that Selefra can access your account. The rules in this guide only read resource configuration, so a read-only credential is sufficient; do not grant Selefra more than that.
Apply Project
Let's go ahead and run the project:
selefra apply
This command will initialize the project, extract resource data, and run a policy:
_____ _ __
/ ___| | | / _|
\ `--. ___ | | ___ | |_ _ __ __ _
`--. \ / _ \| | / _ \| _|| '__| / _` |
/\__/ /| __/| || __/| | | | | (_| |
\____/ \___||_| \___||_| |_| \__,_|
Testing Selefra operation environment...
- Client verification completed
- Providers verification completed
- Profile verification completed
Complete the Selefra runtime environment test!
waiting for server to start.... done
server started
Initializing provider plugins...
- aws@v0.1.0 all ready updated!
Selefra has been successfully installed providers!
Checking Selefra provider updates...
- aws@v0.1.0 all ready updated!
Selefra has been finished update providers!
Selefra will load and apply selefra policy with sql and prompt...
Loading and initializing Selefra policy...
- "mfa_delete_is_disable" Rule Completed
- "bucket_logging_disable" Rule Completed
- "ebs_encryption_is_disabled_by_default" Rule Completed
Loaded: 3 policies to loaded, 0 Severity, 0 High, 2 Medium, 1 Low, 0 Informational.
[Medium]MFA delete is disable······································14
Description:Ensure MFA Delete is enable on S3 buckets.
Results:
MFA delete is disable, arn: arn:aws:s3:::xxx arn:aws:s3:::xxx us-east-1 S3 https://selefra-demo.s3.us-east-1.amazonaws.com 587534146112
MFA delete is disable, arn: arn:aws:s3:::xxx S3 https://xxxx.amazonaws.com 587534146112 arn:aws:s3:::xxxx-sqd64 us-east-1
......
MFA delete is disable, arn: arn:aws:s3:::xxxx https://xxxx-xxxx.s3.us-east-1.amazonaws.com 587534146112 arn:aws:s3:::xxxx-20221209081852541200000001 us-east-1 S3
MFA delete is disable, arn: arn:aws:s3:::xxxx https://config-bucket-587534146112.s3.us-east-1.amazonaws.com 587534146112 arn:aws:s3:::config-bucket-587534146112 us-east-1 S3
[Low]S3 bucket logging disable·····································14
Description:Ensure S3 bucket logging is enabled.
Results:
S3 bucket logging disable, arn: arn:aws:s3:::xxxx S3 https://selefra-demo.s3.us-east-1.amazonaws.com 587534146112 arn:aws:s3:::selefra-demo us-east-1
S3 bucket logging disable, arn: arn:aws:s3:::xxxx S3 https://houxian-sqd64.s3.us-east-1.amazonaws.com 587534146112 arn:aws:s3:::houxian-sqd64 us-east-1
......
S3 bucket logging disable, arn: arn:aws:s3:::xxxx 587534146112 arn:aws:s3:::main-app.selefra.io us-east-1 S3 https://main-app.selefra.io.s3.us-east-1.amazonaws.com
S3 bucket logging disable, arn: arn:aws:s3:::xxxx arn:aws:s3:::pre-app.selefra.io us-east-1 S3 https://pre-app.selefra.io.s3.us-east-1.amazonaws.com 587534146112
[Medium]EBS encryption is disabled by default······················17
Description:Ensure that EBS encryption is enabled by default.
Results:
EBS encryption is disabled by default, region id: us-east-1 us-east-1 us-east-1 EC2 587534146112
EBS encryption is disabled by default, region id: eu-west-2 587534146112 eu-west-2 eu-west-2 EC2
EBS encryption is disabled by default, region id: eu-west-3 587534146112 eu-west-3 eu-west-3 EC2
......
EBS encryption is disabled by default, region id: ap-southeast-2 ap-southeast-2 ap-southeast-2 EC2 587534146112
EBS encryption is disabled by default, region id: us-west-2 us-west-2 us-west-2 EC2 587534146112
EBS encryption is disabled by default, region id: ca-central-1 587534146112 ca-central-1 ca-central-1 EC2
Summary: Total 45 Issues, 0 Critical, 0 High, 31 Medium, 14 Low, 0 Informational.
Apply done
With the rules.yaml shown earlier, the output lists each bucket whose versioning is disabled, rendered with the rule's output template (the sample run above was captured with a different set of rules).
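To act on a run from a pipeline, the per-rule header lines and the Summary line of the apply output above can be parsed and a severity threshold enforced. The following is an added example, not part of Selefra; it assumes the line formats shown in this guide (which may change between CLI versions) and uses a constructed, shortened copy of that output as its input:

```python
import re

# Added example, not part of Selefra. It parses the text that `selefra apply`
# prints, as shown in this guide, so a CI job can fail on findings at or above
# a chosen severity. The line formats are an assumption taken from the sample
# output above and may change between CLI versions.

SUMMARY_RE = re.compile(
    r"^Summary: Total (?P<total>\d+) Issues, (?P<critical>\d+) Critical, "
    r"(?P<high>\d+) High, (?P<medium>\d+) Medium, (?P<low>\d+) Low, "
    r"(?P<informational>\d+) Informational\.$"
)
# e.g. "[Medium]MFA delete is disable·······14": severity, title, finding count.
RULE_HEADER_RE = re.compile(r"^\[(?P<severity>\w+)\](?P<title>.+?)\s*·+\s*(?P<count>\d+)$")

SEVERITY_ORDER = ["Informational", "Low", "Medium", "High", "Critical"]

# Constructed sample, shortened from the apply output shown above.
SAMPLE_OUTPUT = """\
Loading and initializing Selefra policy...
[Medium]MFA delete is disable······································14
Description:Ensure MFA Delete is enable on S3 buckets.
Results:
MFA delete is disable, arn: arn:aws:s3:::xxx us-east-1 S3
[Low]S3 bucket logging disable·····································14
Description:Ensure S3 bucket logging is enabled.
Results:
S3 bucket logging disable, arn: arn:aws:s3:::xxxx us-east-1 S3
Summary: Total 28 Issues, 0 Critical, 0 High, 14 Medium, 14 Low, 0 Informational.
Apply done
"""


def parse_apply_output(text):
    """Return (summary_counts, [(severity, title, count), ...]) from apply output."""
    summary = None
    rules = []
    for line in text.splitlines():
        m = SUMMARY_RE.match(line)
        if m:
            summary = {k: int(v) for k, v in m.groupdict().items()}
            continue
        m = RULE_HEADER_RE.match(line)
        if m:
            rules.append((m["severity"], m["title"].strip(), int(m["count"])))
    if summary is None:
        raise ValueError("no Summary line found; did apply finish?")
    return summary, rules


def should_fail(summary, threshold="High"):
    """True if any issue at or above `threshold` severity was reported."""
    levels = SEVERITY_ORDER[SEVERITY_ORDER.index(threshold):]
    return any(summary[level.lower()] > 0 for level in levels)


if __name__ == "__main__":
    counts, rule_hits = parse_apply_output(SAMPLE_OUTPUT)
    for severity, title, count in rule_hits:
        print(f"{severity:<8} {count:>4}  {title}")
    print("fail build at High or above:", should_fail(counts, "High"))
    print("fail build at Medium or above:", should_fail(counts, "Medium"))
```

Feed it the captured stdout of `selefra apply` and exit non-zero when should_fail returns True; a missing Summary line is treated as an error so that a run that aborted half-way does not pass as clean.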
Use GPT
Analysis can also be run directly through GPT:
selefra gpt <"what you want to analyze"> --openai_mode=gpt-3.5 --openai_limit=5 --openai_api_key=<Your Openai Api Key>
Note that a key passed as --openai_api_key lands in your shell history and is visible to other users in the process list; prefer the OPENAI_API_KEY environment variable described below.
Environment Variable
OPENAI_API_KEY
OPENAI_MODE
OPENAI_LIMIT
All three options can be set through environment variables instead of command-line flags:
export OPENAI_API_KEY="Your Api Key"
export OPENAI_MODE="3.5"
export OPENAI_LIMIT="10"
Let's take AWS S3 as an example and ask "Please help me analyze the vulnerabilities in AWS S3?". The run returns the following:
_____ _ __
/ ___| | | / _|
\ `--. ___ | | ___ | |_ _ __ __ _
`--. \ / _ \| | / _ \| _|| '__| / _` |
/\__/ /| __/| || __/| | | | | (_| |
\____/ \___||_| \___||_| |_| \__,_|
Testing Selefra operation environment...
- Client verification completed
- Providers verification completed
- Profile verification completed
Complete the Selefra runtime environment test!
waiting for server to start.... done
server started
Initializing provider plugins...
- aws@v0.1.0 all ready updated!
Selefra has been successfully installed providers!
Checking Selefra provider updates...
- aws@v0.1.0 all ready updated!
Selefra has been finished update providers!
Selefra will load and apply selefra policy with sql and prompt...
Loading and initializing Selefra policy...
- "CloudChat" Rule Completed
Loaded: 1 policies to loaded, 0 Severity, 0 High, 0 Medium, 1 Low, 0 Informational.
[Low]GPT mode automatic analysis···································11
Description:In GPT mode, it will automatically analyze whether there is risk information according to the query content.
Results:
ars:aws:s3:::xxx,S3 Bucket Misconfiguration GPT
ars:aws:s3:::xxx,S3 Bucket Misconfiguration GPT
......
ars:aws:s3:::xxx,S3 Bucket Misconfiguration GPT
ars:aws:s3:::xxx,S3 Bucket Misconfiguration GPT
Summary: Total 11 Issues, 0 Critical, 11 High, 0 Medium, 0 Low, 0 Informational.
Selefra Exit
The result tells you directly which risk each <resource_id> carries. In the next section, you will build projects that extend to larger surfaces.