diff --git a/.github/workflows/2ms.yml b/.github/workflows/2ms.yml
new file mode 100644
index 000000000..2653ce8cd
--- /dev/null
+++ b/.github/workflows/2ms.yml
@@ -0,0 +1,49 @@
+name: Pipeline Example With 2MS
+
+on:
+ pull_request:
+ workflow_dispatch:
+ push:
+ branches: [master]
+
+jobs:
+ test:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+
+ # - name: Run 2ms Scan
+ # run: |
+ # docker run -v $(pwd):/repo checkmarx/2ms:2.8.1 git /repo > 2ms_results.txt 2>&1
+ # echo "=== 2MS Scan Results ==="
+ # cat 2ms_results.txt
+
+ # # Optional: fail if HIGH severity issues are found
+ # if grep -q "HIGH" 2ms_results.txt; then
+ # echo "❌ High severity issues found!"
+ # exit 1
+ # else
+ # echo "✅ No high severity issues found."
+ # fi
+
+ # - name: Run 2ms Scan
+ # run: |
+ # echo "🔍 Running Checkmarx 2MS Scan..."
+ # echo "📁 Current workspace: $GITHUB_WORKSPACE"
+ # ls -R "$GITHUB_WORKSPACE"
+
+ # echo "🚀 Launching Docker scan..."
+ # docker run -v "$GITHUB_WORKSPACE:/repo" checkmarx/2ms:2.8.1 git --exclude node_modules /repo
+
+ - name: Run 2ms Scan (debug mode, no redirect)
+ run: |
+ echo "🔍 Running Checkmarx 2MS Scan..."
+ echo "📁 Workspace path: $GITHUB_WORKSPACE"
+ ls -la "$GITHUB_WORKSPACE"
+
+ echo "🚀 Running 2MS without redirection..."
+ docker run -v "$GITHUB_WORKSPACE:/repo" checkmarx/2ms:2.8.1 git /repo
+
diff --git a/.github/workflows/kics.yml b/.github/workflows/kics.yml
new file mode 100644
index 000000000..9f98ec1ae
--- /dev/null
+++ b/.github/workflows/kics.yml
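Review bot: The `test` job declares no `permissions:` block, so the workflow token runs with the repository's default permissions even though the only thing the scan step needs is the checkout; the sibling vorpal.yml in this same commit already scopes its job with `permissions:` and `contents: read`, and this file should match it. The two commented-out `Run 2ms Scan` steps are dead configuration duplicating the live step and should be removed, or reduced to a one-line comment explaining why the `--exclude node_modules` variant and the HIGH-severity `exit 1` gate were dropped. Whether the live step fails the job on findings depends on the exit status of `checkmarx/2ms:2.8.1`, which is not visible here; if it exits 0, findings only ever reach the log and a pull request that introduces a secret still passes, so the intended gating behaviour should be stated in a comment next to the `docker run` line.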
@@ -0,0 +1,26 @@
+name: KICS IaC Scan
+
+on:
+ push:
+ branches: [master]
+ pull_request:
+ branches: [master]
+
+jobs:
+ kics-scan:
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Checkout Code
+ uses: actions/checkout@v3
+
+ - name: Run KICS Scan
+ uses: checkmarx/kics-github-action@v1.6
+ with:
+ path: '.' # Path to scan, this will scan the entire repo
+ output_path: 'kics_results' # Path where results will be stored
+
+ - name: Display KICS Scan Results
+ run: |
+ echo "KICS Scan Output:"
+ cat kics_results/* || echo "No results found"
diff --git a/.github/workflows/vorpal.yml b/.github/workflows/vorpal.yml
new file mode 100644
index 000000000..e40ec43d0
--- /dev/null
+++ b/.github/workflows/vorpal.yml
@@ -0,0 +1,40 @@
+name: Vorpal Code Scan
+
+# on:
+# push:
+# branches: [master]
+# pull_request:
+# branches: [master]
+
+# name: vorpal-reviewdog
+
+on:
+ push:
+ branches: [master] # Adjust this to your default branch
+ pull_request:
+ branches: [master]
+
+jobs:
+ vorpal:
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ pull-requests: write
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Vorpal with reviewdog
+ uses: checkmarx/vorpal-reviewdog-github-action@v1.0.0
+ with:
+ source_path: 'app/assets/js/chart/chart-data-morris.js,app/assets/js/tour/redirects-steps.js,app/data/allocations-dao.js,app/data/benefits-dao.js,app/data/contributions-dao.js,app/data/memos-dao.js,app/data/profile-dao.js,app/data/research-dao.js,app/data/user-dao.js,vulnerable_code/application.js,vulnerable_code/vulns.js' # Adjust file patterns as needed
+ filter_mode: file
+ github_token: ${{ secrets.GITHUB_TOKEN }}
+ reporter: github-pr-check
+ level: error
+ fail_on_error: false
+
+ - name: Display Vorpal Scan Results
+ if: always()
+ run: |
+ echo "Vorpal Scan Results:"
+ cat /github/workspace/result.errorformat || echo "No issues found."
diff --git a/README.md b/README.md
index 6b3754fd0..cbdb69898 100644
--- a/README.md
+++ b/README.md
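Review bot: The checkout step pins `actions/checkout@v3` while 2ms.yml and vorpal.yml in the same commit pin `@v4`; `uses: actions/checkout@v4` keeps the three workflows on one version. Like 2ms.yml, the `kics-scan` job sets no `permissions:` block, so the token carries the repository defaults for what is a read-only scan; a job-level `permissions:` with `contents: read` is enough here. The final step only prints `kics_results/*` and falls back to an echo, so whether findings gate the pull request rests entirely on the action's own fail-on default, which this workflow neither sets nor documents; pin that behaviour explicitly through the action's inputs, or state in a comment that the scan is report-only.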
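Review bot: The commented-out `# on:` block and `# name: vorpal-reviewdog` at the top of vorpal.yml duplicate the live trigger a few lines below and should be deleted rather than left as dead configuration. `fail_on_error: false` together with `reporter: github-pr-check` makes every finding advisory, which is reasonable for a demo but deserves a one-line comment such as `# advisory only: findings are annotated on the PR but never fail the job` so nobody assumes the scan gates merges. The eleven-file `source_path` list is hardcoded and will silently go stale as files move; if the action accepts a glob or directory, a pattern is easier to keep current. The display step assumes the action writes `/github/workspace/result.errorformat`, a path nothing in this workflow produces, and the `|| echo "No issues found."` fallback would hide the case where the file is simply never created.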
@@ -1,3 +1,22 @@
+# Amadeus Security Demo – NodeGoat + Checkmarx OSS
+
+This repo demonstrates how Checkmarx open-source tools can elevate application security:
+
+- ✅ IaC Scan with **KICS** – Finds insecure cloud configs
+- ✅ Code Scan with **Vorpal** – Highlights insecure code patterns
+- ✅ Secret Detection with **2MS** – Detects hardcoded secrets
+
+### Files to Trigger Results
+
+| Tool | Test File | Purpose |
+|----------|----------------------------------------|------------------------------|
+| KICS | `iac/open-sg.tf` | Public S3, open ports |
+| Vorpal | `vulnerable_code/application.js` | `eval()` |
+| 2MS | `config/secrets-db.env ` | tokens & passwords |
+
+➡️ View results in the [Actions](../../actions) tab.
+
+
 # NodeGoat
+
 Being lightweight, fast, and scalable, Node.js is becoming a widely adopted platform for developing web applications. This project provides an environment to learn how OWASP Top 10 security risks apply to web applications developed using Node.js and how to effectively address them.
diff --git a/config/secrets-db.env b/config/secrets-db.env
new file mode 100644
index 000000000..e4d870e7a
--- /dev/null
+++ b/config/secrets-db.env
@@ -0,0 +1,5 @@
+AWS_SECRET_ACCESS_KEY=AKIAIOSFODNN7EXAMPLE
+DB_PASSWORD=MyDbPassword123!
+SLACK_TOKEN=xoxb-1234-5678-abcdef
+PRIVATE_KEY=-----BEGIN RSA PRIVATE KEY-----
+sk_test_51H6jX... # Stripe test key
diff --git a/iac/open-sg.tf b/iac/open-sg.tf
new file mode 100644
index 000000000..2ba442335
--- /dev/null
+++ b/iac/open-sg.tf
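Review bot: Nothing in config/secrets-db.env marks its values as placeholders, and the file sits under `config/` beside the application's real configuration rather than with the other fixture this commit adds under `secrets/`; a leading `# Test fixture for 2MS detection: every value in this file is intentionally fake` line makes the intent explicit to readers and to anyone who later points a dotenv loader at `config/*.env`. The last line, `sk_test_51H6jX... # Stripe test key`, is not a `KEY=VALUE` pair, so a dotenv parser would reject or skip it; giving it a key, e.g. `STRIPE_TEST_KEY=sk_test_51H6jX... # Stripe test key`, keeps the file well-formed. The README table in this same commit refers to this file as `config/secrets-db.env ` with a trailing space inside the backticks, which a reader copying the path will trip over.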
@@ -0,0 +1,28 @@
+resource "aws_s3_bucket" "bad_example" {
+ bucket = "my-unsecure-bucket"
+ acl = "public-read" # Public access, flagged
+
+ tags = {
+ Name = "PublicBucket"
+ Environment = "Dev"
+ }
+}
+
+resource "aws_security_group" "example" {
+ name = "allow_all"
+ description = "Security group with open ports"
+ ingress {
+ from_port = 0
+ to_port = 65535
+ protocol = "tcp"
+ cidr_blocks = ["0.0.0.0/0"] # Open to the world
+ }
+}
+provider "aws" {
+ region = "us-west-2"
+}
+
+resource "aws_s3_bucket" "my_insecure_bucket" {
+ bucket = "my-insecure-bucket"
+ acl = "public-read" # This will trigger an alert for an insecure configuration
+}
diff --git a/secrets/test_secrets.js b/secrets/test_secrets.js
new file mode 100644
index 000000000..dc9d34405
--- /dev/null
+++ b/secrets/test_secrets.js
@@ -0,0 +1,13 @@
+// This file contains fake but recognizable secrets for 2MS
+// These are fake but realistic secrets for testing 2MS
+
+const AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY";
+const STRIPE_API_KEY = "sk_live_51H6jX3y8YwD4Y0abcXYZabcXYZ1234567890";
+const GITHUB_TOKEN = "ghp_1234567890ABCDEFGHIJKLMNOPQRSTUVWXYZabcd";
+const PRIVATE_KEY = `
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEA7xyzEXAMPLEKEY...
+-----END RSA PRIVATE KEY-----
+`;
+#done
+
diff --git a/vulnerable_code/application.js b/vulnerable_code/application.js
new file mode 100644
index 000000000..e95ae120d
--- /dev/null
+++ b/vulnerable_code/application.js
@@ -0,0 +1,14 @@
+const express = require('express');
+const app = express();
+const bodyParser = require('body-parser');
+app.use(bodyParser.urlencoded({ extended: true }));
+
+// Insecure eval usage
+app.post('/eval', (req, res) => {
+ const input = req.body.code;
+ eval(input); // ❌ High severity
+ res.send("Evaluated input");
+});
+
+// Hardcoded password
+const dbPassword = "supersecretpassword"; // ❌ Should be flagged
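Review bot: iac/open-sg.tf carries no header saying it is an intentionally insecure fixture, yet it is complete, applyable Terraform with its own `provider "aws"` block, so a `terraform apply` in this directory would create two public-read buckets and a security group open to `0.0.0.0/0` on every TCP port; add `# INTENTIONALLY INSECURE: KICS demo fixture, never apply this configuration` as the first line. The second `aws_s3_bucket` resource, `my_insecure_bucket`, repeats the `acl = "public-read"` finding already produced by `bad_example` and adds nothing to the demo. The inline `acl` argument is deprecated on AWS provider 4.x and later in favour of a separate `aws_s3_bucket_acl` resource, so if the fixture is meant to mirror the resource shape teams actually write today, that form is the one to show. Placing the `provider` block between resources rather than at the top is a style nit, but it is also what makes the file self-sufficient to apply.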
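Review bot: `#done` on the last non-blank line of secrets/test_secrets.js is not valid JavaScript — a bare `#identifier` is only legal as a private class member — so the file throws a SyntaxError the moment anything requires it; the same trailing marker appears as `#yes_done_done` in vulnerable_code/vulns.js. Either delete the line or turn it into a comment, `// done`. A text-pattern secret scanner is unaffected, but vulns.js is also listed in the vorpal.yml `source_path`, and a scanner that parses the file may fail on it and report nothing for that file. The two header comments say the same thing; one line such as `// Fixture of intentionally fake, secret-shaped strings for 2MS detection tests` is sufficient.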
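Review bot: Nothing in vulnerable_code/application.js says the file is a deliberately vulnerable fixture that must stay out of the served application; `// Insecure eval usage` describes one line, not the file's purpose. A top-of-file comment such as `// Intentionally vulnerable sample for SAST demos; never mount this app or its routes in the running service` prevents someone from wiring `app` into a real server later. `dbPassword` is assigned and never read, which is fine for a pattern fixture, but saying so in the adjacent comment (`// unused on purpose: present only to trigger the hardcoded-credential rule`) keeps linter warnings from looking like a mistake.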
diff --git a/vulnerable_code/vulns.js b/vulnerable_code/vulns.js
new file mode 100644
index 000000000..d992d0d4d
--- /dev/null
+++ b/vulnerable_code/vulns.js
@@ -0,0 +1,17 @@
+const express = require('express');
+const app = express();
+
+app.get('/user/:id', function(req, res) {
+ const userId = req.params.id;
+ // Potential SQL Injection vulnerability
+ const query = "SELECT * FROM users WHERE id = '" + userId + "'";
+ db.query(query, function(err, result) {
+ if (err) throw err;
+ res.send(result);
+ });
+});
+
+app.listen(3000, () => {
+ console.log('Server is running on port 3000');
+});
+#yes_done_done
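Review bot: `db` is used in the `/user/:id` handler but never declared or required, so any request would throw a ReferenceError before the query is built, and `app.listen(3000, ...)` runs at load time, so merely requiring the file binds a port. For a fixture that only needs to be read by scanners, guard the listen call with `if (require.main === module) {` around `app.listen(3000, ...)` so the module is inert on import, and add `// db is intentionally undeclared: scanner fixture, not runnable code` above the query so the missing dependency reads as deliberate. The `if (err) throw err;` inside the callback would also crash the process on a query failure rather than returning an error response, which is worth stating in the same header comment if the file is ever run as a demo server.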