Step-by-step guide: How to scan your Google Apps Script project for CASA

Kelig Lefeuvre
4 min read · Jan 19, 2024


During the CASA Tier 2 security assessment, it is necessary to scan your code by yourself, as it is not possible to use PWC’s default fortify scanner.

Today, I’m going to take you step by step through the process of scanning your project using Fluidattack open source CLI, the scanning solution recommended by Google.

Prerequisites: install Docker and/or Docker Desktop. You can follow these articles:

This guide is freely inspired by Google’s CASA Tier 2 documentation. I’ve modified some steps to avoid bugs and errors on Google Apps Script projects.

Prepare your scan

1. Create a folder to contain your scan files in your “Documents” folder.

2. Name the folder. Here it will be named: “Scan Casa”.

3. Put the CASA scan Dockerfile and the .dockerignore file in the folder.

4. Create a folder named after your application. Here the folder will be named: “Folgo”.

5. Download your Google Apps Script project:

If you are more experienced, you can simply use clasp or download your GitHub repository. Note that your Google Apps Script files need a .js extension to be analyzed.

Alternatively, you can copy your code. To do this:

  • Create a folder with your application name.
  • Create a file named Code.js.
  • Copy and paste the contents of all your Google Apps Script files into this file.

If you are also working with non-Apps Script code, such as Cloud Functions or HTML pages, you can add those files to this folder too.

6. Within this folder add the config.yaml file.

7. Open the config.yaml file. Edit the “namespace” parameter by replacing “AppName” with your application name. For me that is “Folgo”.

8. The final folder structure should appear as such:

Execute scan

1. Open your terminal.

On Windows:

  • Click on the Start button or press the Windows key.
  • Type “cmd” or “Command Prompt” in the search bar.
  • Click on the “Command Prompt” application in the search results.

On Mac:

  • Press Command + Space to open Spotlight Search.
  • Type “Terminal” and press Enter.

2. If you have the desktop application, open it, otherwise proceed to the next step.

3. In your terminal, go to your “Scan Casa” folder.

Navigate through your folders with the “cd” command. To go to the “Scan Casa” folder I used the command:

cd Documents

Then:

cd "Scan Casa"

4. Build the Docker image by running the command below:

docker build -t casascan .

5. Start the scan by running the command below (note that this step takes a while to complete).

Replace {Folder Name} with your folder name.

docker run casascan m gitlab:fluidattacks/universe@trunk /skims scan {Folder Name}/config.yaml

For me it is:

docker run casascan m gitlab:fluidattacks/universe@trunk /skims scan Folgo/config.yaml

If all went well, you should see a screen like this one:

And this one if vulnerabilities were found in your code:

Get your scan result

When your scan is complete, you can retrieve the CSV file with your results.

1. Run the command:

docker ps -a

This command lists all the containers you have.

Copy the ID (first column) of the container that was used to scan your application.

To identify it, look for the row whose IMAGE column reads “casascan”. This is probably the first line of the table, since the most recently created container is listed first.

2. Copy the scan results to your host by running the command below:

docker cp {Container ID}:/usr/scan/Fluid-Attacks-Results.csv SAST-Results.csv

For me it is:

docker cp e1b8dc3f0a23:/usr/scan/Fluid-Attacks-Results.csv SAST-Results.csv

3. Open the CSV results in your scan folder.

If any vulnerabilities were found, the file contains a summary of them.

If not, you’ll get a CSV file like this one, which tells you that all is well.
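The “Execute scan” and “Get your scan result” steps above can be chained in a small POSIX shell script. This is an added example, not code from the article or from Google’s CASA documentation; it assumes the folder layout described above (Dockerfile and .dockerignore in the current directory, an application folder beside them containing config.yaml) and that the docker CLI is on the PATH. The `docker ps -a` sample it parses is constructed for an offline check.

```shell
#!/bin/sh
# Added example: automate the build, scan and result-retrieval steps.
IMAGE="casascan"
RESULTS_IN_CONTAINER="/usr/scan/Fluid-Attacks-Results.csv"

# Read `docker ps -a` output on stdin and print the ID of the newest
# container created from image $1 (docker lists newest first, so the
# first match is the scan that just ran). Empty output means no match.
find_scan_container() {
  awk -v img="$1" 'NR > 1 && $2 == img { print $1; exit }'
}

# Constructed sample of `docker ps -a` output used for the offline check
# (the container ID is the one shown in the article).
SAMPLE_PS='CONTAINER ID   IMAGE      COMMAND                 CREATED         STATUS                   PORTS    NAMES
e1b8dc3f0a23   casascan   "m gitlab:fluidatta..."  2 minutes ago   Exited (0) 1 minute ago           eager_wu
7c9a11b3d0f4   nginx:1.25 "/docker-entrypoint..." 3 days ago      Up 3 days                80/tcp   web'

# Full pipeline: $1 is the application folder name (e.g. Folgo).
run_casa_scan() {
  app="$1"
  [ -f "$app/config.yaml" ] || { echo "missing $app/config.yaml" >&2; return 1; }
  docker build -t "$IMAGE" . || return 1
  # Not aborting on a non-zero exit here: the results file is copied out of
  # the stopped container whether or not findings were reported.
  docker run "$IMAGE" m gitlab:fluidattacks/universe@trunk /skims scan "$app/config.yaml"
  cid=$(docker ps -a | find_scan_container "$IMAGE")
  [ -n "$cid" ] || { echo "no container built from $IMAGE found" >&2; return 1; }
  docker cp "$cid:$RESULTS_IN_CONTAINER" SAST-Results.csv || return 1
  echo "results written to SAST-Results.csv (container $cid)"
}

# Run the real pipeline only when asked for explicitly, e.g.:
#   CASA_APP=Folgo sh scan.sh
if [ -n "${CASA_APP:-}" ]; then
  run_casa_scan "$CASA_APP"
fi
```

Running the script without CASA_APP set only defines the functions, so the container-ID parser can be exercised on the embedded sample before any Docker command is issued.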

A few links:

- Github repo with all needed files

- Step-by-step guide: How to successfully complete Casa tier 2 security assessment for Google Apps Script project
