Privado is an open-source static code analysis tool to discover data flows in the code.

Privado CLI (previously Privado-Inc/privado-datasafety) is the user-facing open-source interface that interacts with the final bundle generated by Privado. It is powered by the scan engine privado-core, which not only discovers data elements, PII and third parties but also discovers in-depth data flows from code to external sinks such as databases, third parties and APIs, and helps find data leakages such as logs.

To read more about Privado and how it works, refer to this repository.
To start off, make sure `docker` is installed. To install docker, you can follow the steps stated in the official documentation. Linux users should also follow the docker post-installation steps in order to run Privado CLI without root (`sudo`) privileges.
You can install Privado CLI in multiple manners:

The installation script will download and set up the latest stable release for you as per your OS and arch. Run:

```bash
curl -o- https://raw.githubusercontent.com/Privado-Inc/privado-cli/main/install.sh | bash
```

To uninstall, simply delete `~/.privado/bin`.
If you are a GoLang fan, you can use the `go install` command to install the Privado CLI:

```bash
go install github.com/Privado-Inc/privado-cli@latest
```

This will place the `privado` binary in your `GOPATH`'s bin directory. This directory must be added to the `$PATH` environment variable. You can learn more here.
We use GitHub Releases to ship versioned `privado` releases for supported platforms. You can download an executable of Privado CLI for your platform.

To know your architecture, you can run:

```bash
$ uname -m
```

For detailed platform-specific instructions to set up `privado`, refer below:
MacOSX

To set up `privado` for macOS (arm64), i.e. a MacBook with an M1 chip, download `privado-darwin-arm64.tar.gz` from the latest release. Navigate to the download directory and run:

```bash
$ tar -xf ~/.privado/privado-darwin-arm64.tar.gz
$ chmod +x privado
$ mv privado /usr/local/bin/
```

To set up `privado` for macOS (amd64), download `privado-darwin-amd64.tar.gz` from the latest release. Navigate to the download directory and run:

```bash
$ tar -xf ~/.privado/privado-darwin-amd64.tar.gz
$ chmod +x privado
$ mv privado /usr/local/bin/
```
Linux

To set up `privado` on your Linux system, download the respective archive from the latest release for your platform. Navigate to the download directory and run the following commands:

For arm64:

```bash
$ tar -xf ~/.privado/privado-linux-arm64.tar.gz
$ chmod +x privado
$ mv privado /usr/bin/privado
```

For amd64:

```bash
$ tar -xf ~/.privado/privado-linux-amd64.tar.gz
$ chmod +x privado
$ mv privado /usr/bin/privado
```
Windows

To set up `privado` on your Windows system, download `privado-windows-amd64.zip` from the latest release. Navigate to the download directory and run the following `bash` commands:

```bash
$ mkdir -p $HOME/.privado/bin
$ unzip -o privado-windows-amd64.zip -d $HOME/.privado/bin
$ chmod +x $HOME/.privado/bin/privado
$ echo "export PATH=\$PATH:$HOME/.privado/bin" >> $HOME/.bashrc
```

Open a new session or source your profile for the change to take effect in the same session:

```bash
$ source $HOME/.bashrc
```

When using WSL, we recommend moving the binary to `/usr/bin` instead for an optimal experience across users. Refer to the steps for Linux for more information.
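As an added example that is not part of the Privado CLI project or its `install.sh`: a POSIX shell helper that maps `uname -s` / `uname -m` output to the release asset names listed above and unpacks a downloaded archive into a local bin directory the way the per-platform steps do. Function names are my own; the Windows branch assumes the `uname` strings printed by Git Bash/MSYS.

```shell
# Added example, not the project's install.sh. Picks the release asset for a
# host from `uname -s` / `uname -m` output using the asset names in this
# README, then unpacks a downloaded archive like the per-platform steps.

# Map uname output to a release asset name; prints it, or fails if unsupported.
privado_asset_name() {
  case "$1" in
    Darwin) plat=darwin; ext=tar.gz ;;
    Linux)  plat=linux;  ext=tar.gz ;;
    MINGW*|MSYS*|CYGWIN*) plat=windows; ext=zip ;;  # Git Bash / MSYS (assumed)
    *) echo "unsupported OS: $1" >&2; return 1 ;;
  esac
  case "$2" in
    x86_64|amd64)  arch=amd64 ;;
    arm64|aarch64) arch=arm64 ;;
    *) echo "unsupported arch: $2" >&2; return 1 ;;
  esac
  # The releases listed above ship only an amd64 build for Windows.
  if [ "$plat" = windows ] && [ "$arch" != amd64 ]; then
    echo "no Windows build for $arch" >&2; return 1
  fi
  printf '%s\n' "privado-$plat-$arch.$ext"
}

# Unpack an already-downloaded archive into directory $2, mark the binary
# executable and print its path. Fails if no `privado` binary came out.
privado_install_archive() {
  archive=$1; dest=$2
  mkdir -p "$dest" || return 1
  case "$archive" in
    *.tar.gz) tar -xf "$archive" -C "$dest" || return 1 ;;
    *.zip)    unzip -o -q "$archive" -d "$dest" || return 1 ;;
    *) echo "unknown archive type: $archive" >&2; return 1 ;;
  esac
  [ -f "$dest/privado" ] || { echo "archive did not contain privado" >&2; return 1; }
  chmod +x "$dest/privado" || return 1
  printf '%s\n' "$dest/privado"
}

# Stand-alone use: report which asset to fetch for this host.
if asset=$(privado_asset_name "$(uname -s)" "$(uname -m)"); then
  echo "Download $asset from the latest release, then run:"
  echo "  privado_install_archive ./$asset \$HOME/.privado/bin"
fi
```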
If you do not wish to use the pre-built binaries shipped in releases, you can choose to build Privado CLI locally. To do this, make sure that GoLang is installed and follow these steps:

- Clone the repository:

  ```bash
  git clone https://github.com/Privado-Inc/privado-cli.git
  ```

- Change directory (the clone above creates `privado-cli`):

  ```bash
  cd privado-cli
  ```

- Skip this step if you intend to build the `main` branch. To build a particular release, check out the intended tag:

  ```bash
  git checkout <tag>
  ```

- Build with Go:

  ```bash
  go build -o privado
  ```

- You can now run `./privado`.

For convenience, we recommend moving `privado` to a `$PATH` directory. You can refer to the manual installation steps for more details.
Privado CLI works on the client end and does not share any code files or snippets during the scan process.

To scan a repository, simply run:

```bash
privado scan <path/to/repository>
```

Depending on repository size and system configuration, the time to scan can vary. After completion, you can choose to visualize the results on Privado Cloud.

Results are saved to the `<repository>/.privado` directory. We suggest keeping the `.privado` folder a part of your repository to encourage privacy discovery & transparency.

This section contains a detailed reference to `privado` commands.
Flag | Description |
---|---|
`-h, --help` | Help about any command, or sub-command |

Command | Description | Usage | Supported Flags |
---|---|---|---|
`completion` | Generate the autocompletion script for privado for the specified shell | `privado completion [command]` | - |
`config` | Set config for Privado CLI | `privado config [metrics] [flags]` | `--enable`, `--disable` |
`help` | Help about any command | `privado help [command]` | - |
`scan` | Scan a codebase or repository to identify dataflows and privacy issues | `privado scan [flags]` | See the `scan` flags listed below |
`update` | Updates Privado CLI to the latest version | `privado update` | - |
`version` | Prints the installed version of Privado CLI | `privado version` | - |

Flags supported by `privado scan`:

- `-c, --config <path-to-config>`: Specifies the config (with rules) directory to be passed to privado-core for scanning. These external rules and configurations are merged with the default set that Privado defines.
- `--disable-deduplication`: When specified, the engine does not remove duplicate and subset dataflows. This option is useful if you wish to review all flows (including duplicates) manually.
- `-o, --overwrite`: If specified, the warning prompt for existing scan results is disabled and any existing results are overwritten.
- `-i, --ignore-default-rules`: If specified, the default rules are ignored and only the specified rules (`-c`) are considered.
- `--skip-dependency-download`: When specified, the engine skips downloading all locally unavailable dependencies. Skipping dependency download can yield incomplete results.
- `--upload`: If specified, will automatically attempt to upload the scan result to Privado Dashboard.
- `--skip-upload`: If specified, the result artifacts will not be uploaded to Privado Dashboard.
- `--debug`: To enable process debug output for debugging purposes.
Privado CLI was engineered with security in mind. Our tool runs the scan locally on your machine and your code never leaves your system.
Privado OSS is distributed under the GNU LESSER GENERAL PUBLIC LICENSE (LGPL 3.0). This application may only be used in compliance with the License. In lieu of applicable law or written agreement, software distributed under the License is distributed "AS IS", VOID OF ALL WARRANTIES OR CONDITIONS. For specific details regarding permissions and restrictions, see COPYING and COPYING.LESSER.