PoiEx is an experimental VS Code extension built to identify and visualize the Points of Intersection between a web application and the underlying infrastructure.
Since it was designed to simplify manual code review activities, it also ships with Semgrep support, note-taking and collaboration capabilities.
Read the launch post on the Doyensec blog for practical examples and tips.
Download and install the VSIX extension from GitHub Releases. Make sure you have Semgrep installed before running PoiEx.
A Point of Intersection (PoI) marks where your code interacts with its underlying infrastructure, revealing connections between the implemented logic and the Infrastructure as Code (IaC). PoiEx identifies and visualizes PoIs, allowing testers and cloud security specialists to better understand and identify security vulnerabilities in your cloud applications.
The extension relies on Inframap to generate an interactive IaC diagram. Each entity in the diagram is clickable to reveal the PoIs, Semgrep results and the IaC definition, linked to the selected entity. By then clicking on a PoI, the user can jump to the relevant code section.
Below is an example of infrastructure diagram generation and PoI exploration.
Note: If you do not have a Terraform IaC definition file but you have access to the live infrastructure, you can use reverse-terraforming tools such as terraformer to generate an IaC file from existing infrastructure.
PoiEx allows users to:
- Scan the application's code and the IaC definition at the same time with Semgrep, generating explorable results in a user-friendly view inside VS Code's Problems section
- Visualize the infrastructure diagram generated with Inframap. The diagram is interactive: each entity is clickable and reveals the enumerated PoIs linked to the selected entity. Clicking a PoI then jumps to the relevant code section, so the code in which it is embedded can be reviewed in context.
- Take notes using the VS Code Comments API, which also allows PoiEx to be used as a standalone code-analysis tool
- Collaborate with other reviewers on encrypted projects pushed to a MongoDB instance
A custom set of Semgrep rules has been developed. Each pair of language and Cloud Service Provider (CSP) needs a different ruleset, as a rule is generally able to match only one language and one CSP.
The table below summarizes the currently supported CSPs and languages:
| Language/CSP | GCP | AWS |
|---|---|---|
| Python | Yes | Yes |
| JavaScript | Yes | Yes |
| Go | No | Yes |
| TypeScript | No | Yes |
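The PoI idea described above (a code location tied to the IaC resource it touches) and the Semgrep rulesets can be illustrated with a small correlator. This is an added example, not PoiEx's own code: it assumes a hypothetical Python/AWS rule that captures the bucket or table name literal in a `$NAME` metavariable, and both the Terraform fragment and the Semgrep JSON are constructed samples.

```python
# Added illustration, not PoiEx code: link Semgrep findings in application code
# to the Terraform resources they reference, which is what a PoI expresses.
import json
import re

# Constructed Terraform fragment: two S3 buckets and one DynamoDB table.
TF_SOURCE = """
resource "aws_s3_bucket" "uploads" {
  bucket = "acme-user-uploads"
}
resource "aws_s3_bucket" "logs" {
  bucket = "acme-access-logs"
}
resource "aws_dynamodb_table" "sessions" {
  name = "acme-sessions"
}
"""

# Constructed `semgrep --json` output for a hypothetical Python/AWS ruleset whose
# rules bind the resource name literal to the metavariable $NAME.
SEMGREP_JSON = json.dumps({"results": [
    {"check_id": "poi.aws.s3.get_object", "path": "app/storage.py", "start": {"line": 12},
     "extra": {"metavars": {"$NAME": {"abstract_content": '"acme-user-uploads"'}}}},
    {"check_id": "poi.aws.dynamodb.put_item", "path": "app/session.py", "start": {"line": 40},
     "extra": {"metavars": {"$NAME": {"abstract_content": '"acme-sessions"'}}}},
    {"check_id": "poi.aws.s3.put_object", "path": "app/export.py", "start": {"line": 7},
     "extra": {"metavars": {"$NAME": {"abstract_content": '"unknown-bucket"'}}}},
]})

# Minimal regex scan for flat resource blocks; real HCL needs a proper parser.
RESOURCE_RE = re.compile(r'resource\s+"(?P<type>aws_\w+)"\s+"(?P<label>\w+)"\s*\{(?P<body>[^}]*)\}')
NAME_RE = re.compile(r'\b(?:bucket|name)\s*=\s*"([^"]+)"')

def index_resources(tf_source):
    """Map each physical resource name to its IaC address, e.g. aws_s3_bucket.uploads."""
    index = {}
    for m in RESOURCE_RE.finditer(tf_source):
        name = NAME_RE.search(m.group("body"))
        if name:
            index[name.group(1)] = f'{m.group("type")}.{m.group("label")}'
    return index

def link_pois(semgrep_json, tf_source):
    """Return {iac_address: [(path, line, check_id)]}; unmatched findings are keyed by None."""
    index = index_resources(tf_source)
    pois = {}
    for r in json.loads(semgrep_json)["results"]:
        literal = r["extra"]["metavars"]["$NAME"]["abstract_content"].strip('"')
        pois.setdefault(index.get(literal), []).append((r["path"], r["start"]["line"], r["check_id"]))
    return pois

if __name__ == "__main__":
    for address, refs in link_pois(SEMGREP_JSON, TF_SOURCE).items():
        print(address or "<no IaC match>", refs)
```

Findings keyed by `None` are code that names a resource absent from the IaC, which is worth a manual look during review; resources with no finding at all (here `aws_s3_bucket.logs`) are never touched by the scanned code.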
Non-IaC features were added to support manual reviews in other ways. These functionalities are unrelated to cloud infrastructure analysis and can be used in any code review activity.
A few examples are attached below. Please refer to the launch blog post for detailed use cases.
Scan the application's code and the IaC definition at the same time with Semgrep, generating explorable results in a user-friendly view, inside VS Code's Problems section. The Semgrep ruleset is fully customizable via direct arguments in the Settings page.
It is also possible to flag the findings as false positive, hot or resolved, and have them synced in collaboration mode.
It is possible to start comment threads directly within the codebase for adding details and reactions.
When collaboration mode is disabled, each project is stored in a local SQLite database. In this mode, projects are not synchronized or shared across different collaborators.
PoiEx allows for real-time synchronization of findings and comments with other users. This mode requires a MongoDB instance shared across all collaborators. Read more in the collaboration guide.
- `poiex.enableIaC`: Enable IaC features of this extension
- `poiex.authorName`: Author name for comments
- `poiex.semgrepArgs`: Semgrep command line arguments
- `poiex.semgrepTimeout`: Semgrep execution timeout (in seconds)
- `poiex.collab.enabled`: Enable collaboration via MongoDB
- `poiex.collab.uri`: URI of the remote MongoDB server
- `poiex.collab.database`: Name of the MongoDB database
- `poiex.collab.expireAfter`: Auto-delete comments on the remote database after a certain number of seconds (set to 0 to disable)
This project was made with love on the Doyensec Research Island by Michele Lizzit for his master's thesis at ETH Zurich, under the mentoring of Francesco Lacerenza.
We took inspiration from vscode-security-notes by RefactorSecurity.
Download the latest release and contribute with a star, bug reports or suggestions.