From 7697cc3dad996daee804b394d9f399ed2edfdc3b Mon Sep 17 00:00:00 2001
From: silas <95582913+silas-x@users.noreply.github.com>
Date: Sat, 8 Jan 2022 19:12:47 +0000
Subject: [PATCH 1/5] Create codeql-scan.yml
---
.github/workflows/codeql-scan.yml | 50 +++++++++++++++++++++++++++++++
1 file changed, 50 insertions(+)
create mode 100644 .github/workflows/codeql-scan.yml
diff --git a/.github/workflows/codeql-scan.yml b/.github/workflows/codeql-scan.yml
new file mode 100644
index 0000000..6f2e8f0
--- /dev/null
+++ b/.github/workflows/codeql-scan.yml
@@ -0,0 +1,50 @@
+# GitHub SAST (static application security testing) tool that scans code for security bugs and unsafe coding practices
+
+name: "CodeQL Scan"
+
+# Events that triggers CodeQL to run
+on:
+ push:
+ branches: [ main ]
+ pull_request:
+ branches: [ main ]
+
+# Option to configure as a scheduled action to monitor for drift in code
+# schedule:
+# - cron: '0 6 * * 1'
+
+jobs:
+ analyze:
+ name: CodeQL Analysis
+ runs-on: ubuntu-latest
+ # Skip any PR created by dependabot to avoid permission issues (if used)
+ if: (github.actor != 'dependabot[bot]')
+ permissions:
+ actions: read
+ contents: read
+ security-events: write
+
+ strategy:
+ fail-fast: false
+ matrix:
+ # Add more languages if relevnt to the project
+ language: [ 'python' ]
+ # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ]
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v2
+
+ # Initialises the CodeQL tools for scanning (sorry Americans)
+ - name: Initialise CodeQL
+ uses: github/codeql-action/init@v1
+ with:
+ languages: ${{ matrix.language }}
+ # If you wish to specify custom queries, you can do so here or in a config file.
+ # By default, queries listed here will override any specified in a config file.
+ # Prefix the list here with "+" to use these queries and those in the config file.
+ # queries: ./path/to/local/query, your-org/your-repo/queries@main
+
+ # Run the analysis and upload results to the security tab
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@v1
From bcda27443f398e71b8108dab4e050799c3b71691 Mon Sep 17 00:00:00 2001
From: silas <95582913+silas-x@users.noreply.github.com>
Date: Sat, 8 Jan 2022 19:13:20 +0000
Subject: [PATCH 2/5] Create trivy-scan.yml
---
.github/workflows/trivy-scan.yml | 51 ++++++++++++++++++++++++++++++++
1 file changed, 51 insertions(+)
create mode 100644 .github/workflows/trivy-scan.yml
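Review bot: Every action under `steps:` is referenced by a floating major tag (`actions/checkout@v2`, `github/codeql-action/init@v1`, `github/codeql-action/analyze@v1`), so the code that runs here with `security-events: write` can change upstream without any change in this repository; pin each `uses:` to a full commit SHA and keep the tag as a trailing comment, e.g. `uses: actions/checkout@<full-sha> # v2`. The job-level `permissions:` block is already least-privilege for CodeQL, which is good and should be the template for the other workflows. The commented-out `schedule:` is worth enabling rather than leaving as an option: with only `push`/`pull_request` triggers, new queries shipped with CodeQL never re-scan an unchanged `main`, which is exactly the drift the comment describes.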
diff --git a/.github/workflows/trivy-scan.yml b/.github/workflows/trivy-scan.yml
new file mode 100644
index 0000000..c956a13
--- /dev/null
+++ b/.github/workflows/trivy-scan.yml
@@ -0,0 +1,51 @@
+# Trivy configured to scan for vulnerable dependencies in the project software composition
+
+name: Trivy Scan
+
+# Events that triggers Trivy to run
+on:
+ push:
+ branches: [ main ]
+ pull_request:
+ branches: [ main ]
+
+jobs:
+ build:
+ name: Trivy Vulnerability Scanner
+ runs-on: ubuntu-latest
+ # Skip any PR created by dependabot to avoid permission issues (if used)
+ if: (github.actor != 'dependabot[bot]')
+ steps:
+ # Checking out the repo to scan
+ - name: Checkout code
+ uses: actions/checkout@v2
+
+ # Run Trivy to fail the job on critical vulnerabiliies with fix available
+ - name: Run Trivy for critical vulnerabilities
+ uses: aquasecurity/trivy-action@master
+ with:
+ scan-type: 'fs' # Filesystem mode
+ ignore-unfixed: true # Ignore vulnerabilities with no available fix
+ format: 'table' # Table output mode as next step will report in security tab
+ severity: 'CRITICAL' # Error only on critical vulnerabilities
+ exit-code: '1' # Fail the job if a critical vulnerability with fix available is found
+
+ # Run Trivy reporting all vulnerabilities to the security tab
+ - name: Run Trivy for reporting all vulnerabilities
+ uses: aquasecurity/trivy-action@master
+ if: always() # Run this step even if job fails due to critical vuln
+ with:
+ scan-type: 'fs' # Filesystem mode
+ ignore-unfixed: true # Ignore vulnerabilities with no available fix
+ format: 'template' # Template output mode
+ template: '@/contrib/sarif.tpl' # SARIF template to be compatible with GitHub security tab
+ output: 'trivy-results.sarif' # Output file name
+ severity: 'CRITICAL,HIGH,MEDIUM' # Report on critical/high/medium vulnerabiliies
+ exit-code: '0' # No failing as for reporting purposes
+
+ # Generate the output as SARIF and upload to the security tab
+ - name: Upload Trivy results
+ uses: github/codeql-action/upload-sarif@v1
+ if: always() # Upload even if the job has failed due to a vulnerability
+ with:
+ sarif_file: 'trivy-results.sarif'
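Review bot: The `Upload Trivy results` step calls `github/codeql-action/upload-sarif@v1`, which needs `security-events: write`, but unlike the CodeQL workflow in this series the `build` job declares no `permissions:` block, so it inherits the repository's default `GITHUB_TOKEN` scopes — under a read-only default the upload fails, and under a write-all default the job holds far more than it needs. Add `permissions:` with `contents: read` and `security-events: write` directly under `build:`. Both scanner steps use `aquasecurity/trivy-action@master`, a moving branch rather than a release, so the scanner executed on every push to `main` and every PR is whatever the upstream default branch contains at that moment; pin to a release tag or, better, a commit SHA. Note also that `ignore-unfixed: true` on the reporting step means findings without an available fix never reach the security tab, which may be intended but deserves a comment saying so.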
From f73df4574e9a2c13c2577e17b4adc244f161ed0f Mon Sep 17 00:00:00 2001
From: silas <95582913+silas-x@users.noreply.github.com>
Date: Sun, 9 Jan 2022 17:43:21 +0000
Subject: [PATCH 3/5] New feature: dockerfile lint
---
.github/workflows/semgrep-scan.yml | 53 ++++++++++++++++++++++++++++++
1 file changed, 53 insertions(+)
create mode 100644 .github/workflows/semgrep-scan.yml
diff --git a/.github/workflows/semgrep-scan.yml b/.github/workflows/semgrep-scan.yml
new file mode 100644
index 0000000..10e51db
--- /dev/null
+++ b/.github/workflows/semgrep-scan.yml
@@ -0,0 +1,53 @@
+# Flexible static application security testing based on various rulesets depending on
+# various parameters such as language, dockerfile, etc.
+
+name: Semgrep Scanner
+
+on:
+ push:
+ branches: [ main ]
+ pull_request:
+ branches: [ main ]
+
+# schedule:
+# - cron: '0 6 * * 1'
+
+jobs:
+ semgrep:
+ name: Semgrep Scan
+ runs-on: ubuntu-latest
+ # Set permissions to allow writing security events
+ permissions:
+ security-events: write
+ # Skip any PR created by dependabot to avoid permission issues
+ if: (github.actor != 'dependabot[bot]')
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v2
+
+ - uses: returntocorp/semgrep-action@v1
+ with:
+ config: >- # more at semgrep.dev/explore
+ p/docker
+
+ # Instead of `config:`, use rules set in Semgrep App.
+ # Get your token from semgrep.dev/manage/settings.
+ # publishToken: ${{ secrets.SEMGREP_APP_TOKEN }}
+
+ # Never fail the build due to findings on pushes.
+ # Instead, just collect findings for semgrep.dev/manage/findings
+ # auditOn: push
+
+ # Upload findings to GitHub Advanced Security Dashboard [step 1/2]
+ generateSarif: "1"
+
+ # Change job timeout (default is 1800 seconds; set to 0 to disable)
+ # env:
+ # SEMGREP_TIMEOUT: 300
+
+ # Upload findings to GitHub Advanced Security Dashboard [step 2/2]
+ - name: Upload SARIF file for GitHub Advanced Security Dashboard
+ uses: github/codeql-action/upload-sarif@v1
+ with:
+ if: always()
+ sarif_file: semgrep.sarif
From 0a43ab4fe0f91b0f470120af83bf4b4eb00753f3 Mon Sep 17 00:00:00 2001
From: silas <95582913+silas-x@users.noreply.github.com>
Date: Sun, 9 Jan 2022 17:51:37 +0000
Subject: [PATCH 4/5] Syntax fix
---
.github/workflows/semgrep-scan.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/semgrep-scan.yml b/.github/workflows/semgrep-scan.yml
index 10e51db..b83fc21 100644
--- a/.github/workflows/semgrep-scan.yml
+++ b/.github/workflows/semgrep-scan.yml
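Review bot: The job-level `permissions:` block lists only `security-events: write`, and once any scope is listed GitHub sets every unlisted scope to `none`, so the `GITHUB_TOKEN` this job receives has no `contents` access; the `actions/checkout@v2` step that follows will fail on a private repository (a public one may still check out without it — verify). Add `contents: read` beside `security-events: write`, matching the CodeQL workflow earlier in this series. As in the other workflows, `actions/checkout@v2`, `returntocorp/semgrep-action@v1` and `github/codeql-action/upload-sarif@v1` are floating tags that should be pinned to commit SHAs, since this job runs on every pull request to `main` with a token that can write security events.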
@@ -48,6 +48,6 @@ jobs: # Upload findings to GitHub Advanced Security Dashboard [step 2/2] - name: Upload SARIF file for GitHub Advanced Security Dashboard uses: github/codeql-action/upload-sarif@v1 - with: if: always() + with: sarif_file: semgrep.sarif From 7e22864f54481b7bcf8dc53327f983afa72d221f Mon Sep 17 00:00:00 2001 From: silas <95582913+silas-x@users.noreply.github.com> Date: Sun, 9 Jan 2022 17:57:35 +0000 Subject: [PATCH 5/5] Including Bandit --- .github/workflows/semgrep-scan.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/semgrep-scan.yml b/.github/workflows/semgrep-scan.yml index b83fc21..9516cc7 100644 --- a/.github/workflows/semgrep-scan.yml +++ b/.github/workflows/semgrep-scan.yml @@ -29,6 +29,7 @@ jobs: with: config: >- # more at semgrep.dev/explore p/docker + p/gitlab-bandit # Instead of `config:`, use rules set in Semgrep App. # Get your token from semgrep.dev/manage/settings.
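Review bot: `p/gitlab-bandit`, like `p/docker` above it, is an unpinned registry ruleset that Semgrep resolves at run time, so the rules applied to a given commit can differ between two runs of this workflow with no change in this repository; if reproducible scans matter, vendor the rules into the repo or manage them through a Semgrep App policy via `publishToken` rather than registry packs. Adding a Python pack also means Python findings will now fail the job on findings under the default configuration, as the `auditOn` comment lower in this file implies — worth stating in the `config:` comment so the behaviour change is deliberate. The enclosing `with:` block continues outside the hunk.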