From d0136b83620f1821462385e8a8d34a1dfd757608 Mon Sep 17 00:00:00 2001 From: jboursier Date: Tue, 27 Sep 2022 14:54:59 +0200 Subject: [PATCH 1/2] (Missing changes..) Improve the PR body content Allow to specify a custom target branch for the PR --- src/cli.py | 16 ++++++++++++---- src/ghas_cli/utils/repositories.py | 14 +++++++++----- 2 files changed, 21 insertions(+), 9 deletions(-) diff --git a/src/cli.py b/src/cli.py index cbec2dc..3624903 100644 --- a/src/cli.py +++ b/src/cli.py @@ -299,6 +299,12 @@ def repositories_enable_dependabot( "--repository", prompt="Repository name", ) +@click.option( + "-b", + "--branch", + prompt="Branch name to create", + default="appsec-ghas-codeql_enable", +) @click.option( "-t", "--token", @@ -311,12 +317,14 @@ def repositories_enable_dependabot( ) @click.option("-o", "--organization", prompt="Organization name", type=str) def repositories_create_codeql_pr( - repository: str, - organization: str, - token: str, + repository: str, organization: str, token: str, branch: str ) -> None: """Create a CodeQL PR""" - click.echo(repositories.create_codeql_pr(organization, token, repository)) + click.echo( + repositories.create_codeql_pr( + organization, token, repository, target_branch=branch + ) + ) ######### diff --git a/src/ghas_cli/utils/repositories.py b/src/ghas_cli/utils/repositories.py index 224d513..cddb2c0 100644 --- a/src/ghas_cli/utils/repositories.py +++ b/src/ghas_cli/utils/repositories.py @@ -368,15 +368,19 @@ def load_codeql_base64_template(language) -> tuple: return language, str(base64.b64encode(template.encode(encoding="utf-8")), "utf-8") -def create_codeql_pr(organization: str, token: str, repository: str) -> bool: +def create_codeql_pr( + organization: str, + token: str, + repository: str, + target_branch: str = "appsec-ghas-codeql_enable", +) -> bool: """ - 1. Retrieve the repository main language. Select the `codeql-analysis.yml` file for that language. + 1. Retrieve the repository languages. Select the `codeql-analysis.yml` file for that language. 2. Create a branch 3. Push a .github/workflows/codeql-analysis.yml to the repository on that branch - 3. Create an associated issue + 3. Create an associated PR """ headers = network.get_github_headers(token) - target_branch = "appsec-ghas-codeql_enable" # Get the default branch default_branch = get_default_branch(organization, token, repository) @@ -438,7 +442,7 @@ def create_codeql_pr(organization: str, token: str, repository: str) -> bool: # Create PR payload = { "title": "Security Code Scanning - configuration files", - "body": f"This PR creates the Security scanning (CodeQL) configuration files for your repository languages ({languages}).\n\n We also just opened an informative issue in this repository to give you the context and assistance you need. In most cases you will be able to merge this PR as is and start benefiting from security scanning right away, as a check in each PR, and in the [Security tab](https://github.com/{organization}/{repository}/security/code-scanning) of this repository. \nHowever, we encourage you to review the configuration files and tag @Malwarebytes/security-appsec (or `#github-appsec-security` on Slack) if you have any questions.\n\nWe are here to help! :thumbsup:\n\n - Application Security team.", + "body": f"This PR creates the Security scanning (CodeQL) configuration files for your repository languages ({languages}).\n\n We also just opened an informative issue in this repository to give you the context and assistance you need. In most cases you will be able to merge this PR as is and start benefiting from security scanning right away, as a check in each PR, and in the [Security tab](https://github.com/{organization}/{repository}/security/code-scanning) of this repository. \nHowever, we encourage you to review the configuration files and tag @{organization}/security-appsec (or `#github-appsec-security` on Slack) if you have any questions.\n\nWe are here to help! :thumbsup:\n\n - Application Security team.", "head": target_branch, "base": default_branch, } From 451f46778bb2daa212a133e81f6873ab9729747a Mon Sep 17 00:00:00 2001 From: jboursier Date: Tue, 27 Sep 2022 15:29:55 +0200 Subject: [PATCH 2/2] Ugly hack to workaround the `yaml` parsing issue with `on:` keywords --- src/ghas_cli/utils/repositories.py | 25 ++++++++++++++++++++----- 1 file changed, 20 insertions(+), 5 deletions(-) diff --git a/src/ghas_cli/utils/repositories.py b/src/ghas_cli/utils/repositories.py index cddb2c0..43926e9 100644 --- a/src/ghas_cli/utils/repositories.py +++ b/src/ghas_cli/utils/repositories.py @@ -356,16 +356,31 @@ def get_languages( return list(lang) -def load_codeql_base64_template(language) -> tuple: +def load_codeql_base64_template(language: str, default_branch: str = "main") -> tuple: language = language.lower() try: with open(f"./templates/codeql-analysis-{language.lower()}.yml", "r") as f: - template = f.read() + # Ugly af but `yaml` transforms `on:` to `True:` which is obviously annoying to parse Github Actions files.. + template = f.readlines() + template_new = "" + for l in template: + if l == ' branches: ["main"]\n': + template_new += f" branches: ['{default_branch}']\n" + else: + template_new += l except Exception as e: with open(f"./templates/codeql-analysis-default.yml", "r") as f: - template = f.read() language = "default" - return language, str(base64.b64encode(template.encode(encoding="utf-8")), "utf-8") + template = f.readlines() + template_new = "" + for l in template: + if l == ' branches: ["main"]\n': + template_new += f" branches: ['{default_branch}']\n" + else: + template_new += l + return language, str( + base64.b64encode(template_new.encode(encoding="utf-8")), "utf-8" + ) def create_codeql_pr( @@ -424,7 +439,7 @@ def create_codeql_pr( ) for language in languages: - lang, template = load_codeql_base64_template(language) + lang, template = load_codeql_base64_template(language, default_branch) payload = { "message": f"Enable CodeQL analysis for {language}", "content": template,