changes to vulns

.github/workflows/2ms.yml

@@ -0,0 +1,49 @@
+name: Pipeline Example With 2MS
+
+on:
+  pull_request:
+  workflow_dispatch:
+  push:
+    branches: [master]
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      # - name: Run 2ms Scan
+      #   run: |
+      #     docker run -v $(pwd):/repo checkmarx/2ms:2.8.1 git /repo > 2ms_results.txt 2>&1
+      #     echo "=== 2MS Scan Results ==="
+      #     cat 2ms_results.txt
+
+      #     # Optional: fail if HIGH severity issues are found
+      #     if grep -q "HIGH" 2ms_results.txt; then
+      #       echo "❌ High severity issues found!"
+      #       exit 1
+      #     else
+      #       echo "✅ No high severity issues found."
+      #     fi
+
+      # - name: Run 2ms Scan
+      #   run: |
+      #      echo "🔍 Running Checkmarx 2MS Scan..."
+      #      echo "📁 Current workspace: $GITHUB_WORKSPACE"
+      #      ls -R "$GITHUB_WORKSPACE"
+
+      #      echo "🚀 Launching Docker scan..."
+      #      docker run -v "$GITHUB_WORKSPACE:/repo" checkmarx/2ms:2.8.1 git --exclude node_modules /repo
+
+      - name: Run 2ms Scan (debug mode, no redirect)
+        run: |
+          echo "🔍 Running Checkmarx 2MS Scan..."
+          echo "📁 Workspace path: $GITHUB_WORKSPACE"
+          ls -la "$GITHUB_WORKSPACE"
+
+          echo "🚀 Running 2MS without redirection..."
+          docker run -v "$GITHUB_WORKSPACE:/repo" checkmarx/2ms:2.8.1 git /repo
+

.github/workflows/kics.yml

@@ -0,0 +1,26 @@
+name: KICS IaC Scan
+
+on:
+  push:
+    branches: [master]
+  pull_request:
+    branches: [master]
+
+jobs:
+  kics-scan:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout Code
+        uses: actions/checkout@v3
+
+      - name: Run KICS Scan
+        uses: checkmarx/[email protected]
+        with:
+          path: '.'  # Path to scan, this will scan the entire repo
+          output_path: 'kics_results'  # Path where results will be stored
+
+      - name: Display KICS Scan Results
+        run: |
+          echo "KICS Scan Output:"
+          cat kics_results/* || echo "No results found"

.github/workflows/vorpal.yml

@@ -0,0 +1,40 @@
+name: Vorpal Code Scan
+
+# on:
+#   push:
+#     branches: [master]
+#   pull_request:
+#     branches: [master]
+
+# name: vorpal-reviewdog
+
+on:
+  push:
+    branches: [master]  # Adjust this to your default branch
+  pull_request:
+    branches: [master] 
+
+jobs:
+  vorpal:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: write
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Vorpal with reviewdog
+        uses: checkmarx/[email protected]
+        with:
+          source_path: 'app/assets/js/chart/chart-data-morris.js,app/assets/js/tour/redirects-steps.js,app/data/allocations-dao.js,app/data/benefits-dao.js,app/data/contributions-dao.js,app/data/memos-dao.js,app/data/profile-dao.js,app/data/research-dao.js,app/data/user-dao.js,vulnerable_code/application.js,vulnerable_code/vulns.js'      # Adjust file patterns as needed
+          filter_mode: file
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+          reporter: github-pr-check
+          level: error
+          fail_on_error: false
+
+      - name: Display Vorpal Scan Results
+        if: always()
+        run: |
+          echo "Vorpal Scan Results:"
+          cat /github/workspace/result.errorformat || echo "No issues found."

README.md

@@ -1,3 +1,22 @@
+# Amadeus Security Demo – NodeGoat + Checkmarx OSS
+
+This repo demonstrates how Checkmarx open-source tools can elevate application security:
+
+- ✅ IaC Scan with **KICS** – Finds insecure cloud configs
+- ✅ Code Scan with **Vorpal** – Highlights insecure code patterns
+- ✅ Secret Detection with **2MS** – Detects hardcoded secrets
+
+### Files to Trigger Results
+
+| Tool     | Test File                              | Purpose                      |
+|----------|----------------------------------------|------------------------------|
+| KICS     | `iac/open-sg.tf`                       | Public S3, open ports        |
+| Vorpal   | `vulnerable_code/application.js`       | `eval()`     |
+| 2MS      | `config/secrets-db.env `               | tokens & passwords      |
+
+➡️ View results in the [Actions](../../actions) tab.
+
+
 # NodeGoat
 
 Being lightweight, fast, and scalable, Node.js is becoming a widely adopted platform for developing web applications. This project provides an environment to learn how OWASP Top 10 security risks apply to web applications developed using Node.js and how to effectively address them.

config/secrets-db.env

@@ -0,0 +1,5 @@
+AWS_SECRET_ACCESS_KEY=AKIAIOSFODNN7EXAMPLE
+DB_PASSWORD=MyDbPassword123!
+SLACK_TOKEN=xoxb-1234-5678-abcdef
+PRIVATE_KEY=-----BEGIN RSA PRIVATE KEY-----
+sk_test_51H6jX...  # Stripe test key

iac/open-sg.tf

@@ -0,0 +1,28 @@
+resource "aws_s3_bucket" "bad_example" {
+  bucket = "my-unsecure-bucket"
+  acl    = "public-read"  # Public access, flagged
+
+  tags = {
+    Name        = "PublicBucket"
+    Environment = "Dev"
+  }
+}
+
+resource "aws_security_group" "example" {
+  name        = "allow_all"
+  description = "Security group with open ports"
+  ingress {
+    from_port   = 0
+    to_port     = 65535
+    protocol    = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]  # Open to the world
+  }
+}
+provider "aws" {
+  region = "us-west-2"
+}
+
+resource "aws_s3_bucket" "my_insecure_bucket" {
+  bucket = "my-insecure-bucket"
+  acl    = "public-read"  # This will trigger an alert for an insecure configuration
+}

secrets/test_secrets.js

@@ -0,0 +1,13 @@
+// This file contains fake but recognizable secrets for 2MS
+// These are fake but realistic secrets for testing 2MS
+
+const AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY";
+const STRIPE_API_KEY = "sk_live_51H6jX3y8YwD4Y0abcXYZabcXYZ1234567890";
+const GITHUB_TOKEN = "ghp_1234567890ABCDEFGHIJKLMNOPQRSTUVWXYZabcd";
+const PRIVATE_KEY = `
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEA7xyzEXAMPLEKEY...
+-----END RSA PRIVATE KEY-----
+`;
+#done
+

vulnerable_code/application.js

@@ -0,0 +1,14 @@
+const express = require('express');
+const app = express();
+const bodyParser = require('body-parser');
+app.use(bodyParser.urlencoded({ extended: true }));
+
+// Insecure eval usage
+app.post('/eval', (req, res) => {
+  const input = req.body.code;
+  eval(input);  // ❌ High severity
+  res.send("Evaluated input");
+});
+
+// Hardcoded password
+const dbPassword = "supersecretpassword";  // ❌ Should be flagged

vulnerable_code/vulns.js

@@ -0,0 +1,17 @@
+const express = require('express');
+const app = express();
+
+app.get('/user/:id', function(req, res) {
+  const userId = req.params.id;
+  // Potential SQL Injection vulnerability
+  const query = "SELECT * FROM users WHERE id = '" + userId + "'";
+  db.query(query, function(err, result) {
+    if (err) throw err;
+    res.send(result);
+  });
+});
+
+app.listen(3000, () => {
+  console.log('Server is running on port 3000');
+});
+#yes_done_done