diff --git a/.github/workflows/inspect.yml b/.github/workflows/inspect.yml new file mode 100644 index 0000000..e451eea --- /dev/null +++ b/.github/workflows/inspect.yml @@ -0,0 +1,32 @@ +# This workflow integrates ShiftLeft NG SAST with GitHub +# Visit https://docs.shiftleft.io for help +name: ShiftLeft + +on: + pull_request: + workflow_dispatch: + push: + # We recommend triggering a scan when merging to your default branch as a best practice, + # especially if you'd like to compare the results of two scans (e.g., a feature branch against the + # default branch) + branches: + - main + - master +jobs: + NextGen-Static-Analysis: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + - name: Download ShiftLeft CLI + run: | + curl https://cdn.shiftleft.io/download/sl > ${GITHUB_WORKSPACE}/sl && chmod a+rx ${GITHUB_WORKSPACE}/sl + # ShiftLeft requires Java 1.8. Post the package step override the version + - name: Setup Java JDK + uses: actions/setup-java@v1.3.0 + with: + java-version: 1.8 + - name: NextGen Static Analysis + run: ${GITHUB_WORKSPACE}/sl analyze --app ShiftLeftJS --tag branch=${{ github.head_ref }} --js --cpg $(pwd) + env: + SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml new file mode 100644 index 0000000..2b5635b --- /dev/null +++ b/.github/workflows/main.yml @@ -0,0 +1,66 @@ +--- +# This workflow integrates ShiftLeft NG SAST with GitHub +# Visit https://docs.shiftleft.io for help +name: ShiftLeft + +on: + push: + branches: + - main + - master + pull_request: + workflow_dispatch: + +jobs: + NextGen-Static-Analyis: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + # We are building this application with Java 11 + - name: Setup Java JDK + uses: actions/setup-java@v1.4.3 + with: + java-version: 11.0.x + - name: Build and package with Maven + run: mvn clean package -DskipTests + - name: Download ShiftLeft CLI + run: | + curl https://cdn.shiftleft.io/download/sl > ${GITHUB_WORKSPACE}/sl && chmod a+rx ${GITHUB_WORKSPACE}/sl + # ShiftLeft requires Java 1.8. Post the package step override the version + - name: Setup Java JDK + uses: actions/setup-java@v1.4.3 + with: + java-version: 1.8 + - name: Extract branch name + shell: bash + run: echo "##[set-output name=branch;]$(echo ${GITHUB_REF#refs/heads/})" + id: extract_branch + - name: NextGen Static Analysis + run: ${GITHUB_WORKSPACE}/sl analyze --wait --app HelloShiftLeft --tag branch=${{ github.head_ref || steps.extract_branch.outputs.branch }} --remediation-config remediation.yaml --vcs-prefix-correction "*=/src/main/java" --java ./target/HelloShiftLeft-1.0.0.jar + env: + SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }} + + - name: Validate Build Rules + run: | + ${GITHUB_WORKSPACE}/sl check-analysis --v2 --app java-sec-code \ + --report \ + --github-pr-number=${{github.event.number}} \ + --github-pr-user=${{ github.repository_owner }} \ + --github-pr-repo=${{ github.event.repository.name }} \ + --github-token=${{ secrets.GITHUB_TOKEN }} + env: + SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }} + + env: + SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }} + + - name: Validate Build Rules + run: | + ${GITHUB_WORKSPACE}/sl check-analysis --v2 --app HelloShiftLeft \ + --report \ + --github-pr-number=${{github.event.number}} \ + --github-pr-user=${{ github.repository_owner }} \ + --github-pr-repo=${{ github.event.repository.name }} \ + --github-token=${{ secrets.GITHUB_TOKEN }} + env: + SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }} diff --git a/.github/workflows/qwiet.yml b/.github/workflows/qwiet.yml new file mode 100644 index 0000000..45d4e3d --- /dev/null +++ b/.github/workflows/qwiet.yml @@ -0,0 +1,38 @@ +--- +# This workflow integrates ShiftLeft NG SAST with GitHub +# Visit https://docs.shiftleft.io for help +name: ShiftLeft + +on: + push: + branches: + - main + - master + pull_request: + workflow_dispatch: + +jobs: + NextGen-Static-Analyis: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + # We are building this application with Java 11 + - name: Setup Java JDK + uses: actions/setup-java@v1.4.3 + with: + java-version: 11.0.x + - name: Build and package with Maven + run: mvn clean package -DskipTests + - name: Download ShiftLeft CLI + run: | + curl https://cdn.shiftleft.io/download/sl > ${GITHUB_WORKSPACE}/sl && chmod a+rx ${GITHUB_WORKSPACE}/sl + # ShiftLeft requires Java 1.8. Post the package step override the version + - name: Setup Java JDK + uses: actions/setup-java@v1.4.3 + with: + java-version: 1.8 + - name: NextGen Static Analysis + run: ${GITHUB_WORKSPACE}/sl analyze --app HelloShiftLeft-test --vcs-prefix-correction "*=/src/main/java" --java ./target/HelloShiftLeft-1.0.0.jar + env: + SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }} + diff --git a/.github/workflows/shiftleft.yml b/.github/workflows/shiftleft.yml new file mode 100644 index 0000000..b89433c --- /dev/null +++ b/.github/workflows/shiftleft.yml @@ -0,0 +1,68 @@ +--- +# This workflow integrates qwiet.ai preZero with GitHub +# Visit https://docs.shiftleft.io for help +name: qwiet.ai + +on: + pull_request: + workflow_dispatch: + +jobs: + NextGen-Static-Analysis: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + - name: Setup Java JDK v11 + uses: actions/setup-java@v3 + with: + distribution: zulu + java-version: 11 + + - name: Setup Java JDK v8 + uses: actions/setup-java@v3 + with: + distribution: zulu + java-version: 8 + + - name: Download ShiftLeft CLI + run: | + curl https://cdn.shiftleft.io/download/sl > ${GITHUB_WORKSPACE}/sl && chmod a+rx ${GITHUB_WORKSPACE}/sl + + - name: preZero Static Analysis + run: | + ${GITHUB_WORKSPACE}/sl --version + ${GITHUB_WORKSPACE}/sl analyze --strict --wait \ + --app HelloShiftLeft \ + --tag branch=${{ github.head_ref }} \ + --java --container 18fgsa/s3-resource $(pwd) + env: + SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }} + SHIFTLEFT_API_HOST: www.shiftleft.io + SHIFTLEFT_GRPC_TELEMETRY_HOST: telemetry.shiftleft.io:443 + SHIFTLEFT_GRPC_API_HOST: api.shiftleft.io:443 + +# Build-Rules: +# runs-on: ubuntu-latest +# permissions: write-all +# needs: NextGen-Static-Analysis +# steps: +# - uses: actions/checkout@v3 +# - name: Download ShiftLeft CLI +# run: | +# curl https://cdn.shiftleft.io/download/sl > ${GITHUB_WORKSPACE}/sl && chmod a+rx ${GITHUB_WORKSPACE}/sl +# - name: Validate Build Rules +# run: | +# ${GITHUB_WORKSPACE}/sl check-analysis --app HelloShiftLeft \ +# --github-pr-number=${{github.event.number}} \ +# --github-pr-user=${{ github.repository_owner }} \ +# --github-pr-repo=${{ github.event.repository.name }} \ +# --github-token=${{ secrets.GITHUB_TOKEN }} +# env: +# # SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }} +# +# SHIFTLEFT_API_HOST: www.shiftleft.io +# SHIFTLEFT_GRPC_TELEMETRY_HOST: telemetry.shiftleft.io:443 +# SHIFTLEFT_GRPC_API_HOST: api.shiftleft.io:443 +# + + diff --git a/shiftleft.yaml b/shiftleft.yaml new file mode 100644 index 0000000..dd498a2 --- /dev/null +++ b/shiftleft.yaml @@ -0,0 +1,110 @@ +build_rules: + - id: "No critical or high SAST findings" + finding_types: + - vuln + cvss_31_severity_ratings: + - critical + - high + threshold: 0 + - id: "No secrets" + finding_types: + - secret + threshold: 0 + options: + num_findings: 10 # Return 10 sast findings + - id: "No reachable SCA findings" + finding_types: + - oss_vuln + cvss_31_severity_ratings: + - critical + - high + threshold: 0 + options: + reachable: true + num_findings: 10 # Return 10 reachable sca findings + - id: "No critical or high container findings" + finding_types: + - container + cvss_31_severity_ratings: + - critical + - high + threshold: 0 + options: + num_findings: 10 # Return 10 container findings +# The above rule is perhaps the most common in that it +# is designed to be used with Pull Request and to block +# new vulns from being introduced that aren't already on +# the 'main' branch +# +# Below is enchalada with all the options shown +# +# ID is the name that will be reflected in the PR comments +# - id: build-rule-enchalada +# - vuln +#. - oss_vuln +# - secret +# - insight +# - container +# Do you want to block ALL types by severity? +# cvss_31_severity_ratings: +# - critical +# - high +# - medium +#. - low +# Do you want to focus on just one or more types? +# type: +# - Weak Random +# - Sensitive Data Leak +# - Deserialization +# - Directory Traversal +# - Sensitive Data Exposure +# - Remote Code Execution +# - Command Injection +# - Security Best Practices +# - Unsafe Reflection +# - Regex Injection +# - SQL Injection +# - XML External Entities +# - Template Injection +# - Cross-Site Scripting +# - JSON Injection +# - Potential SQL Injection +# - Potential Regex Injection +# - Header Injection +# - Security Misconfiguration +# - Deprecated Function Use +# - Mail Injection +# - Race Condition +# - Sensitive Data Usage +# - Open Redirect +# - Error Handling +# - HTTP to Database +# - HTTP to Model +# - LDAP Injection +# - Denial of Service +# - CRLF Injection +# - NoSQL Injection +# - Weak Hash +# - Session Injection +# - Server-Side Request Forgery +# - Prototype Pollution +# - Log Forging +# - XPath Injection +# - Insecure Authentication +# - Intent Redirection +# - Authentication Bypass +# - Weak Cipher +# - Crypto +# Focus by OWASP Category? +# owasp_category: +# - a01-2021-broken-access-control +# - a02-2021-cryptographic-failures +# - a03-2021-injection +# - a04-2021-insecure-design +# - a05-2021-security-misconfiguration +# - a06-2021-vulnerable-and-outdated-components +# - a07-2021-identification-and-authentication-failures +# - a08-2021-software-and-data-integrity-failures +# - a09-2021-security-logging-and-monitoring-failures +# - a10-2021-server-side-request-forgery-(ssrf) + \ No newline at end of file diff --git a/shiftleft.yml b/shiftleft.yml new file mode 100644 index 0000000..820144a --- /dev/null +++ b/shiftleft.yml @@ -0,0 +1,15 @@ +version: 2 +build_rules: + - id: Allow no critical findings + severities: + - critical + - id: Allow one OSS or container finding + finding_types: + - oss_vuln + - container + threshold: 1 + - id: Allow no reachable OSS vulnerability + finding_types: + - oss_vuln + options: + reachable: true