DevSec Tools is a suite of tools that are useful for DevSecOps workflows. Its goal is to simplify and streamline the process of developing, securing, and operating software and systems for the web.
This package provices lower-level Go libraries and a CLI tool for running security scans. It is the CLI equivalent to devsec.tools.
devsec-tools --helpTip
If you do not provide a scheme, devsec-tools will assume https:. If you explicitly want to test http:, you should specify that in the domain name.
devsec-tools http apple.comdevsec-tools http http://localhost:8080devsec-tools http google.com-
DST_CACHE_HOSTS— When running as a Lambda function, this is one or more endpoints (delimited by;) that should be used for Valkey caching.# Example: local dev DST_CACHE_HOSTS="localhost:6379" # Example: production DST_CACHE_HOSTS="server1.host.com:6379;server2.host.com:6379;server3.host.com:6379"
-
DST_LOG_JSON— Setting this value totruewill enable JSON logging without requiring the CLI flag. It will also switch to JSON logging when running as a Lambda function.DST_LOG_JSON="true" -
DST_LOG_VERBOSE— Setting this value to1will enableINFO-level logging. Setting this value to2will enableDEBUG-level logging, and will reveal caller locations. The default log level isError, which allows bothErrorandFatalmessages.# Equivalent to `devsec-tools -vv` DST_LOG_JSON="2"
-
PORT— When running as a local web server, this will override the port that the local web server runs on (default:8080).PORT=9000 devsec-tools serve
For local testing, the CLI exposes a very simple HTTP/1.1 server at http://localhost:8080.
devsec-tools serveWhen launching the local web server, it will tell you which HTTP methods and endpoints are available. It exposes both GET and POST, as appropriate.
For GET endpoints, any parameters are passed as URL-encoded query string parameters. Using the /http endpoint as an example:
GET /http?url=https%3A%2F%2Fapple.com HTTP/1.1
Host: localhost:8080For POST endpoints, parameters are passed as a JSON-encoded request body. Using the /http endpoint as an example:
POST /http HTTP/1.1
Host: localhost:8080
Content-Type: application/json; charset=utf-8
{"url":"https://apple.com"}The CLI will write content (e.g., a table, JSON output) to stdout so that it can be piped to other commands.
devsec-tools http https://apple.com╭──────────────┬───────────╮
│ HTTP Version │ Supported │
├──────────────┼───────────┤
│ 1.1 │ YES │
│ 2 │ NO │
│ 3 │ NO │
╰──────────────┴───────────╯
devsec-tools http https://apple.com --json | jq '.'{
"hostname": "https://apple.com",
"http11": true,
"http2": false,
"http3": false
}The CLI will write errors to stderr. Use pipe redirection to use errors in stdout.
devsec-tools http https://apple.xxx2024-12-15T12:55:43.933112-07:00 ERROR The hostname `https://apple.xxx` does not support ANY versions of HTTP. It is probable that the hostname is incorrect.
╭──────────────┬───────────╮
│ HTTP Version │ Supported │
├──────────────┼───────────┤
│ 1.1 │ NO │
│ 2 │ NO │
│ 3 │ NO │
╰──────────────┴───────────╯
devsec-tools http https://apple.xxx --json 2>&1 | jq '.'{
"level": "error",
"msg": "The hostname `https://apple.xxx` does not support ANY versions of HTTP. It is probable that the hostname is incorrect.",
"time": "2024-12-15T12:51:42.76971-07:00"
}
{
"hostname": "https://apple.xxx",
"http11": false,
"http2": false,
"http3": false
}If necessary, you can expose additional information about the requests.
“Single-V” verbose mode will show timestamps for when each test starts. In the following example, you can see that all 3 requests were triggered in the same 1/1000th of a second (13:01:01.705). It will also tell you what precisely it is testing.
devsec-tools http https://apple.com -v2024-12-15T13:01:01.705882-07:00 INFO Checking domain=https://apple.com http=2
2024-12-15T13:01:01.705903-07:00 INFO Checking domain=https://apple.com http=1.1
2024-12-15T13:01:01.705886-07:00 INFO Checking domain=https://apple.com http=3
╭──────────────┬───────────╮
│ HTTP Version │ Supported │
├──────────────┼───────────┤
│ 1.1 │ YES │
│ 2 │ NO │
│ 3 │ NO │
╰──────────────┴───────────╯
“Double-V” verbose mode will show timestamps for when each test starts, as well as when each test completes. In the following example, you can see that all 3 requests were triggered in the same 1/1000th of a second (13:01:08.873).
However, you will see that HTTP/1.1 and HTTP/2 completed the next second (13:01:09) while the HTTP/3 test took the full duration of the default 3-second timeout (13:01:11).
devsec-tools http https://apple.com -vv2024-12-15T13:01:08.873470-07:00 INFO <httptls/httptls.go:152> Checking domain=https://apple.com http=2
2024-12-15T13:01:08.873501-07:00 INFO <httptls/httptls.go:188> Checking domain=https://apple.com http=3
2024-12-15T13:01:08.873500-07:00 INFO <httptls/httptls.go:117> Checking domain=https://apple.com http=1.1
2024-12-15T13:01:09.003969-07:00 DEBUG <httptls/httptls.go:167> Completed domain=https://apple.com http=2
2024-12-15T13:01:09.114025-07:00 DEBUG <httptls/httptls.go:131> Completed domain=https://apple.com http=1.1
2024-12-15T13:01:11.875427-07:00 DEBUG <httptls/httptls.go:209> Completed domain=https://apple.com http=3
╭──────────────┬───────────╮
│ HTTP Version │ Supported │
├──────────────┼───────────┤
│ 1.1 │ YES │
│ 2 │ NO │
│ 3 │ NO │
╰──────────────┴───────────╯
Quiet mode will prevent all logging and error messages from being displayed except for those which are FATAL. It will also prevent any progress animations from displaying.