Dongtai IAST
is an open-source Interactive Application Security Testing (IAST) tool that enables real-time detection of common vulnerabilities in Java applications and third-party components through passive instrumentation. It is particularly suitable for use in the testing phase of the development pipeline.
.
├── deploy
├── dongtai_common common functions and classes for each service to call
├── dongtai_conf configuration files
├── dongtai_engine vulnerability detection and vulnerability processing part
├── dongtai_protocol protocols for interaction between dongtai-server and agent
├── dongtai_web api for interacting with the web
├── static static files
└── test testcases
DongTai IAST
has multiple basic services, including DongTai-web
, DongTai
, agent
, DongTai-Base-Image
and DongTai-Plugin-IDEA
:
DongTai-web
is the product page of DongTai, which is used to handle the interaction between users and cave states.DongTai>>dongtai_web
is responsible for handling user-related operations.DongTai>>dongtai_protocol
is used to process the registration/heartbeat/call method/third-party component/error log data reported byagent
, issue hook strategy, issue probe control commands, etc.DongTai>>dongtai_engine
analyzes whether there are vulnerabilities in HTTP/HTTPS/RPC requests according to the calling method data and taint tracking algorithm, and is also responsible for other related timing tasks.agent
is a probe module of DongTai, including data collection terminals in different programming languages, used to collect data during application runtime and report to theDongTai-OpenAPI
service.DongTai>>deploy
is used for the deployment of DongTai IAST, including docker-compose single-node deployment, Kubernetes cluster deployment, etc. If you want a deployment plan, you can add features or contribute to the deployment plan.DongTai-Base-Image
contains the basic services that DongTai depends on runtime, including MySql, Redis.DongTai-Plugin-IDEA
is the IDEA plug-in corresponding to the Java probe. You can run the Java probe directly through the plug-in and detect the vulnerabilities directly in IDEA.
The usage scenarios of "DongTai IAST" include but not limited to:
- Embed the
DevSecOps
process to realize automatic detection of application vulnerabilities/third-party component combing/third-party component vulnerability detection. - Common vulnerability mining for open source software/open source components.
- Security testing before release, etc.
DongTai IAST
supports SaaS Service and Localized Deployment. Please refer to Deployment Document for localized deployment.
- Log in to the [DongTai IAST] (https://iast.io).
- Have a quick start with Online Guideline.
DongTai IAST
supports a variety of deployment schemes which refer to Deployment Document:
- Stand-alone Deployment
- Docker-compose
- docker - pending upgrade
- Cluster Deployment
git clone [email protected]:HXSecurity/DongTai.git
cd DongTai
chmod u x build_with_docker_compose.sh
./build_with_docker_compose.sh
Contributions are welcomed and greatly appreciated. Further reading — CONTRIBUTING.md for details on submitting patches and contribution workflow.
Any questions? Let's discuss in #DongTai discussions