
init

Description

Initializes a package store for the rl-secure CLI.

Package store

Package stores are special directories used by rl-secure to keep all the data about your projects, packages, and package versions (analyzed files).

More specifically, package stores contain the following data:

  • copies of - or symbolic links to - scanned software packages (required for rl-secure sync)
  • policy configuration files for the whole package store, as well as for individual projects and packages
  • reports and other relevant analysis metadata for report creation

To use rl-secure, you must initialize at least one package store.

You can have multiple package stores in different locations and use them with the same rl-secure installation. When you have multiple package stores, you can specify which one to use with the --rl-store or -s option when running rl-secure commands.

The package store directory is always called .rl-secure and is created inside the directory you specify when initializing the store. Depending on your operating system, this directory may be treated as hidden and not shown by default when you browse its parent directory. Graphical file managers usually have a setting to display hidden files and folders; from the command line, list hidden entries (for example, ls -a on Linux and macOS) to see it.

A package store can be created either locally or on shared storage. Where you place the package store depends on your use case and the CI workflow you want.

Password vault

The password vault feature lets you securely save passwords that rl-secure will use to decrypt password-protected files during analysis. Without passwords, rl-secure cannot fully process such files, which results in incomplete analysis results.

A package store is initialized without a password vault by default. To make sure that your password-protected files can be decrypted and analyzed, add the vault when you initialize the store. You can then save a password for every password-protected file you want to analyze, so you don't need to type the passwords again when reanalyzing those files.

To initialize the vault, specify a value for the "master" vault key with the --vault-key option. This key is what grants access to the package store's password vault and the ability to modify the passwords inside it, so it protects the vault only as long as it stays secret: anyone who obtains the key can read or change every stored password. Choose a strong value and handle it like any other credential (for example, supply it from a CI secret rather than typing it on a shared machine).

Once initialized, the password vault for your package store cannot be removed. You can only remove individual passwords from the vault.

Initial SAFE Levels settings

When you initialize a package store, SAFE Levels are enabled and set to level 5 (L5) by default. All projects and packages created in the package store inherit L5 automatically. To set a different level when initializing the store, use the --rl-level option.

To disable SAFE Levels for a package store altogether, set the --rl-level option to 0 (zero).

You can change the level setting in the package store policy configuration at any time, or override it for specific projects and packages in their respective policy configuration files.

Configuration changes require synchronization, so make sure to run rl-secure sync after modifying policy configuration files.

Usage

rl-secure init [<rl-store>]

Options

Option           Description
-h, --help       Display usage information and exit.
-s, --rl-store   Filesystem path to the directory in which to initialize the package store. If not provided, the store is initialized in the current directory.
--vault-key      Initialize the new package store with a password vault. The value specified with this option is used as the password vault key. Note that this value is case-sensitive and can be changed at any time.
--rl-level       Initialize the package store with the specified SAFE Level setting. Specify the level as an integer from 0 to 5 (for example, --rl-level=4). When set to 0, the package store is initialized without SAFE Levels.

By default, the initial level setting applies to all projects and packages created in the store. You can override the setting for specific projects and packages in their policy configuration files.

Examples

Initialize a package store

This example initializes a new package store in the current working directory, which is the default location when no --rl-store path is specified.

Because we do not specify or disable SAFE Levels in this example, the new package store is initialized with the default SAFE Levels setting (which is L5).

rl-secure init
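The following wrapper is an added example and is not code from the rl-secure documentation or from ReversingLabs. It puts the checks a practitioner wants in front of rl-secure init, given that a store's password vault cannot be removed once created: it rejects SAFE Level values outside 0-5 before the CLI sees them, refuses to re-initialize a directory that already holds a .rl-secure store, takes the vault key from the RL_VAULT_KEY environment variable (populated from a CI secret or secrets manager) so the key is never typed into shell history, and lists the hidden .rl-secure directory afterwards. Two details are assumptions not stated on this page: that the vault key is passed as --vault-key=<value>, and that creating the target directory beforehand with mkdir -p is harmless.

```shell
#!/bin/sh
# Added example: a guarded wrapper around `rl-secure init`.
# Not part of the rl-secure documentation. Assumes (not stated on the page)
# that the vault key is passed as --vault-key=<value> and that the store
# directory may be created beforehand.
set -u

# Validate inputs and print the command line that would be run (dry run).
#   $1 = directory that will contain .rl-secure
#   $2 = SAFE Level, integer 0-5 (default 5, the CLI default)
#   $3 = vault key (optional; omit to initialize without a password vault)
rl_init_cmd() {
    store_dir=$1
    level=${2:-5}
    vault_key=${3:-}
    case "$level" in
        [0-5]) ;;
        *) printf 'SAFE Level must be an integer from 0 to 5, got: %s\n' "$level" >&2
           return 2 ;;
    esac
    if [ -n "$vault_key" ]; then
        printf 'rl-secure init -s %s --rl-level=%s --vault-key=%s\n' \
            "$store_dir" "$level" "$vault_key"
    else
        printf 'rl-secure init -s %s --rl-level=%s\n' "$store_dir" "$level"
    fi
}

# Create the store. Refuses to touch a directory that already holds a store,
# reads the vault key from $RL_VAULT_KEY (set by CI or a secrets manager, so
# it is never typed interactively), and shows the hidden .rl-secure directory
# afterwards. Returns 127 when the CLI is not installed.
rl_init_store() {
    store_dir=$1
    level=${2:-5}
    if [ -e "$store_dir/.rl-secure" ]; then
        printf 'refusing to re-initialize: %s/.rl-secure already exists\n' "$store_dir" >&2
        return 1
    fi
    # Validate first so an invalid level never reaches the CLI.
    rl_init_cmd "$store_dir" "$level" >/dev/null || return $?
    if ! command -v rl-secure >/dev/null 2>&1; then
        printf 'rl-secure is not on PATH\n' >&2
        return 127
    fi
    mkdir -p "$store_dir"
    if [ -n "${RL_VAULT_KEY:-}" ]; then
        rl-secure init -s "$store_dir" --rl-level="$level" --vault-key="$RL_VAULT_KEY" || return $?
    else
        rl-secure init -s "$store_dir" --rl-level="$level" || return $?
    fi
    # .rl-secure is a dotfile directory: plain `ls` would not show it.
    ls -la "$store_dir/.rl-secure"
}

# When executed directly with arguments: ./rl-init.sh <dir> [level]
if [ $# -ge 1 ]; then
    rl_init_store "$@"
fi
```

Note that the option value still reaches the rl-secure process on its command line, where other local users can see it in the process list while init runs; the wrapper only keeps it out of interactive shell history. On a shared build host, initialize the store from a job that has exclusive use of the machine, and rotate the key afterwards if it may have been exposed.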