Mobb CLI

The community edition version of Mobb, or what we called Bugsy, is a command-line interface (CLI) tool that provides automatic security vulnerability remediation for your code.

What does Bugsy do?

Bugsy has two modes - Scan (no SAST report needed) & Analyze (the user must provide a pre-generated SAST report from one of the supported SAST tools).

Scan

  • Uses Checkmarx or Snyk CLI tools to run a SAST scan on a given open-source GitHub/GitLab repo

  • Analyze the vulnerability report to identify issues that can be remediated automatically

  • Produces the code fixes and redirects the user to the fix report page on the Mobb platform

Analyze

  • Analyzes a Checkmarx/CodeQL/Fortify/Snyk vulnerability report to identify issues that can be remediated automatically

  • Produces the code fixes and redirects the user to the fix report page on the Mobb platform

Disclaimer

This is a community edition version that only analyzes public GitHub repositories. Analyzing private repositories is allowed for a limited amount of time. Bugsy does not detect any vulnerabilities in your code, it uses findings detected by the SAST tools mentioned above.

Link to Bugsy's NPM page: https://www.npmjs.com/package/mobbdev

Usage

You can run Bugsy from the command line, using npx:

npx mobbdev

This will show you Bugsy's usage help:

Bugsy - Trusted, Automatic Vulnerability Fixer 🕵️‍♂️

Usage:
mobbdev <command> [options]


Commands:
  mobbdev scan     Scan your code for vulnerabilities, get automated fixes right away.
  mobbdev analyze  Provide a vulnerability report and relevant code repository, get automated fixes right away.

Options:
  -h, --help  Show help                                                                                        [boolean]

Examples:
  mobbdev scan -r https://github.com/WebGoat/WebGoat  Scan an existing repository

Made with ❤️  by Mobb

To run a new SAST scan on a repo and get fixes, run the Bugsy Scan command. Example:

npx mobbdev scan --repo https://github.com/mobb-dev/simple-vulnerable-java-project

To get fixes for a pre-generated SAST report, run the Bugsy Analyze command. Example:

npx mobbdev analyze --scan-file sast_results.json --repo https://github.com/mobb-dev/simple-vulnerable-java-project

Bugsy will automatically generate a fix for each supported vulnerability identified in the results, and refer the developer to review and commit the fixes to their code.

To see all the options Bugsy allows, use the Scan or Analyze commands with the -h option:

npx mobbdev scan -h
npx mobbdev analyze -h

Using Bugsy as part of a CI/CD pipeline

If you utilize SAST scans as part of the CI/CD pipeline, Bugsy can be easily added and provide an immediate fix for every issue detected. Here is a simple example of a command line that will run Bugsy in your pipeline:

npx mobbdev analyze --ci --scan-file $SAST_RESULTS_FILENAME --repo $CI_PROJECT_URL --ref $CI_COMMIT_REF_NAME --api-key $MOBB_API_KEY

Automatic PR

To enable automatic PR, make sure to enable --auto-pr flag in your npx mobbdev@latest analyze command. For example:

npx mobbdev@latest analyze --auto-pr --ci --scan-file $SAST_RESULTS_FILENAME --repo $CI_PROJECT_URL --ref $CI_COMMIT_REF_NAME --api-key $MOBB_API_KEY

Click here to learn more about the Automatic PR feature.

Contribution

Install the dependencies and run the tests:

pnpm install

# or use npm run build:dev to watch for changes
pnpm run build

# or use npm test:watch to watch for changes
pnpm run test

Debugging

If you're using VSCode, you can use the launch.json file to debug the code. Run the CLI tests configuration to continuously run and debug the tests.

Location of the Mobb Access Token

Bugsy automatically stores your Mobb access token in the mobbdev.json file. Here are the default storage locations of this file:

  • Windows: C:\Users\<USERNAME>\.config\configstore\mobbdev.json

  • Mac: ~/.config/configstore/mobbdev.json

To update your Mobb access token, edit the file in a text editor and replace the value YOUR_MOBB_API_TOKEN with your Mobb access token as shown in the code snippet below.

{
	"apiToken": "YOUR_MOBB_API_TOKEN"
}

If you haven’t generated your Mobb access token yet, click here to learn how to generate one.

To remove the Mobb access token, delete the mobbdev.json file from your file system.

Environment Variables Settings for Mobb Single-Tenants

If your Mobb instance is in a single-tenant environment, you must configure the following environment variables to ensure Bugsy is communicating with the correct Mobb tenant instance.

API_URL=https://api-<YOUR_CUSTOM_MOBB_DOMAIN>/v1/graphql

WEB_LOGIN_URL=https://<YOUR_CUSTOM_MOBB_DOMAIN>/cli-login

WEB_APP_URL=https://<YOUR_CUSTOM_MOBB_DOMAIN>

Note: Replace <YOUR_CUSTOM_MOBB_DOMAIN> with your Mobb tenant domain.

Here is a sample code snippet. In this example, our Mobb domain is TENANT_NAME.mobb.ai:

API_URL=https://api-TENANT_NAME.mobb.ai/v1/graphql WEB_LOGIN_URL=https://TENANT_NAME.mobb.ai/cli-login 
WEB_APP_URL=https://TENANT_NAME.mobb.ai npx mobbdev@latest analyze -f "report.xml" -r 
https://ado-test.onemobb.net/DefaultCollection/_git/Mobb-CX-on-prem-integration
 --ref main --api-key xxxxxxxxxxxxxx --ci

Getting support

If you need support using Bugsy or just want to share your thoughts and learn more, you are more than welcome to join our discord server

Last updated