diff --git a/.github/checkov.yaml b/.github/checkov.yaml
new file mode 100644
index 00000000..bba5a482
--- /dev/null
+++ b/.github/checkov.yaml
@@ -0,0 +1,7 @@
+enable-secret-scan-all-files: true
+framework:
+- secrets
+quiet: true
+skip-path:
+- docs
+summary-position: bottom
diff --git a/.github/codeql-config.yml b/.github/codeql-config.yml
new file mode 100644
index 00000000..47a7814e
--- /dev/null
+++ b/.github/codeql-config.yml
@@ -0,0 +1,4 @@
+name: "CodeQL config"
+
+paths-ignore:
+ - tests
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 00000000..5ace4600
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,6 @@
+version: 2
+updates:
+ - package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: "weekly"
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index 07d6439b..98ce04fb 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -9,6 +9,7 @@ on:
 - 'INTHEWILD.md'
 - 'README.md'
 - '.github/**'
+ - '.pre-commit-config.yaml'
 # Allows you to run this workflow manually from the Actions tab
 workflow_dispatch:
@@ -17,6 +18,10 @@ concurrency:
 cancel-in-progress: true
 jobs:
+ security:
+ uses: ./.github/workflows/security-shared.yml
+ secrets: inherit
+
 test:
 runs-on: [self-hosted, public, linux, x64]
 steps:
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
new file mode 100644
index 00000000..9e0afb1e
--- /dev/null
+++ b/.github/workflows/codeql-analysis.yml
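Review bot: `skip-path: - docs` removes the whole docs tree from the checkov secret scan, so a real token pasted into a README or example file would pass this job unflagged. The trufflehog job in security-shared.yml uses its own `.github/exclude-patterns.txt` (not visible here), so the two secret scanners now have different blind spots and neither file says why. Either keep docs in scope and suppress known placeholder values individually with inline `checkov:skip=` annotations, or document the decision next to the entry, e.g. `# docs/ excluded from secret scanning: <reason>; keep in sync with .github/exclude-patterns.txt`.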
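Review bot: Only the `github-actions` ecosystem is configured, so the Go module dependencies this repository builds with (`go build` in every workflow here) get no automated update PRs. Add a second entry with `- package-ecosystem: "gomod"`, `directory: "/"` and `schedule: interval: "weekly"` so module bumps arrive alongside the action bumps. The existing entry should also keep the SHA-pinned `uses:` lines current, since Dependabot rewrites pinned SHAs when the trailing `# vN` version comment is present — worth confirming on the first update PR.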
@@ -0,0 +1,50 @@
+# For most projects, this workflow file will not need changing; you simply need
+# to commit it to your repository.
+#
+# You may wish to alter this file to override the set of languages analyzed,
+# or to provide custom queries or build logic.
+#
+# ******** NOTE ********
+# We have attempted to detect the languages in your repository. Please check
+# the `language` matrix defined below to confirm you have the correct set of
+# supported CodeQL languages.
+#
+name: "CodeQL"
+
+on:
+ push:
+ branches: [ main ]
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches: [ main ]
+ schedule:
+ - cron: '17 4 * * 2'
+ workflow_dispatch:
+
+permissions:
+ contents: read
+
+jobs:
+ analyze:
+ name: Analyze
+ runs-on: [self-hosted, public, linux, x64]
+ permissions:
+ actions: read
+ contents: read
+ security-events: write
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3
+ - name: Set up Go
+ uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4
+ with:
+ go-version: '1.19' # To match codeql go version
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@83f0fe6c4988d98a455712a27f0255212bba9bd4 # v2
+ with:
+ languages: go
+ config-file: ./.github/codeql-config.yml
+ - name: Build
+ run: go build
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@83f0fe6c4988d98a455712a27f0255212bba9bd4 # v2
diff --git a/.github/workflows/security-shared.yml b/.github/workflows/security-shared.yml
new file mode 100644
index 00000000..824e218a
--- /dev/null
+++ b/.github/workflows/security-shared.yml
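Review bot: The `pull_request` trigger runs `go build` on the checked-out PR head on the `self-hosted` runner pool, without the manual-approval environment that security.yml places in front of that same pool for fork contributions. Compiling untrusted code on a self-hosted runner (go.mod changes, cgo directives, cached toolchains that persist across jobs) is precisely the exposure the approval gate elsewhere in this commit is meant to remove, and CodeQL here needs no repository secrets. The simplest fix is `runs-on: ubuntu-latest`, as test.yaml now does for the unit-test and lint jobs; if the self-hosted pool is required for capacity reasons, route the `pull_request` path through the same gated environment instead. The comment on `go-version: '1.19'` ("to match codeql go version") is a claim that will silently go stale as the pinned codeql-action moves; consider `go-version-file: go.mod` if the module file pins a version, or at least note where the match should be checked.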
@@ -0,0 +1,46 @@
+# !!! Important !!!
+# This a reusable workflow and is used in the PR and push to main branch flow separately
+# to be able to protect it behind a manual approval in the PR flow
+
+name: security-shared
+
+on:
+ workflow_call:
+
+permissions:
+ contents: read
+
+jobs:
+ gosec:
+ runs-on: [self-hosted, public, linux, x64]
+ env:
+ GO111MODULE: on
+ steps:
+ - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3
+ with:
+ ref: ${{ github.event.pull_request.head.sha }}
+ - name: Run Gosec Security Scanner
+ uses: securego/gosec@c5ea1b7bdd9efc3792e513258853552b0ae31e06 # v2
+ with:
+ args: './...'
+ trufflehog-secrets:
+ runs-on: [self-hosted, public, linux, x64]
+ steps:
+ - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3
+ with:
+ ref: ${{ github.event.pull_request.head.sha }}
+ - name: detect secrets
+ uses: edplato/trufflehog-actions-scan@0af17d9dd1410283f740eb76b0b8f6b696cadefc # v0.9
+ with:
+ scanArguments: "--regex --entropy=False --exclude_paths .github/exclude-patterns.txt --max_depth=1"
+ checkov-secrets:
+ runs-on: [self-hosted, public, linux, x64]
+ steps:
+ - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3
+ with:
+ ref: ${{ github.event.pull_request.head.sha }}
+ - name: Scan for secrets
+ uses: bridgecrewio/checkov-action@master # use latest and greatest
+ with:
+ api-key: ${{ secrets.BC_API_KEY }}
+ config_file: .github/checkov.yaml
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
index e7533c47..5b8b070f 100644
--- a/.github/workflows/security.yml
+++ b/.github/workflows/security.yml
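Review bot: `bridgecrewio/checkov-action@master` is the one unpinned action in this file and also the one handed `secrets.BC_API_KEY`, so a compromised or force-pushed `master` would execute with that key on every scan; pin it to a commit SHA with a `# vN` comment like every other `uses:` line (the new Dependabot config will then keep it current), and drop the "latest and greatest" comment. The workflow also depends on callers passing `secrets: inherit` although only `BC_API_KEY` is read; declaring it under `on: workflow_call:` as `secrets: BC_API_KEY: required: true` lets build.yaml and security.yml pass that single secret explicitly instead of the whole store. Because every job checks out `ref: ${{ github.event.pull_request.head.sha }}` — untrusted fork code — and runs on self-hosted runners, this workflow is only safe while the approval environment in security.yml stays in front of it; a comment on the first checkout step saying so, e.g. `# untrusted PR code: callers MUST gate this behind a reviewed environment`, would protect the next editor from wiring it to an ungated trigger.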
@@ -1,47 +1,24 @@
+# !!! Important !!!
+# any change to this workflow will not take into effect on the same PR and only after,
+# because of security implications from target 'pull_request_target'
+
 name: security
 on:
- push:
- branches: [ main ]
- pull_request:
- branches: [ main ]
+ pull_request_target: # this is needed to use the API key in a PR
+ branches:
+ - main
+
+permissions:
+ contents: read
 jobs:
- gosec:
- runs-on: [self-hosted, public, linux, x64]
- env:
- GO111MODULE: on
- steps:
- - name: Checkout Source
- uses: actions/checkout@v2
- - name: Run Gosec Security Scanner
- uses: securego/gosec@master
- with:
- args: './...'
- codeql:
- runs-on: [self-hosted, public, linux, x64]
- permissions:
- security-events: write
- steps:
- - name: Checkout repository
- uses: actions/checkout@v2
- - name: Install Go
- uses: actions/setup-go@v2
- with:
- go-version: '1.19' # To match codeql go version
- - name: Initialize CodeQL
- uses: github/codeql-action/init@v2
- with:
- languages: go
- - name: Build
- run: go build
- - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@v2
- detect-secrets:
- runs-on: [self-hosted, public, linux, x64]
+ start-security-scan:
+ runs-on: ubuntu-latest
+ environment: scan-security
 steps:
- - uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3
- - name: detect secrets
- uses: edplato/trufflehog-actions-scan@0af17d9dd1410283f740eb76b0b8f6b696cadefc # v0.9
- with:
- scanArguments: "--regex --entropy=False --exclude_paths .github/exclude-patterns.txt --max_depth=1"
\ No newline at end of file
+ - run: echo start security scan # just needs a simple step to better control the follow-up jobs
+ security:
+ needs: start-security-scan
+ uses: ./.github/workflows/security-shared.yml
+ secrets: inherit
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
index e44c2e4a..7d87cb9d 100644
--- a/.github/workflows/test.yaml
+++ b/.github/workflows/test.yaml
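Review bot: `environment: scan-security` on `start-security-scan` is only a manual-approval gate if that environment exists and has required reviewers configured in repository settings; nothing in the file enforces that, and if the environment is missing or unprotected the `pull_request_target` run proceeds straight to the reusable workflow, which checks out the fork's `head.sha` on self-hosted runners with `secrets: inherit`. Record that dependency where it can't be missed, e.g. `environment: scan-security # MUST have required reviewers: this is the only gate before untrusted PR code runs with secrets`. The design otherwise holds up: `head.sha` is fixed in the event payload, so approval covers the exact commit reviewed and a later push produces a fresh run needing fresh approval, whereas `head.ref` would have left a window between approval and checkout. Consider narrowing `secrets: inherit` to the one secret the callee uses once security-shared.yml declares it under `workflow_call`.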
@@ -5,19 +5,21 @@ on:
 branches:
 - main
+permissions:
+ contents: read
+
 jobs:
 unit-test:
 strategy:
 matrix:
 go: [ 1.19 ]
- runs-on: [self-hosted, public, linux, x64]
+ runs-on: ubuntu-latest
 steps:
+ - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3
 - name: Install Go
- uses: actions/setup-go@v2
+ uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4
 with:
 go-version: ${{ matrix.go }}
- - name: Checkout code
- uses: actions/checkout@v2
 - name: Prepare external plugin tests
 run: |
 go build -buildmode=plugin -o tests/yor_plugins/example/extra_tags.so tests/yor_plugins/example/*.go
@@ -26,12 +28,11 @@ jobs:
 run: go build -v && go test ./src/...
 linter:
 name: golangci-lint
- runs-on: [self-hosted, public, linux, x64]
+ runs-on: ubuntu-latest
 steps:
- - name: Check out code into the Go module directory
- uses: actions/checkout@v2
+ - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3
 - name: golangci-lint
- uses: reviewdog/action-golangci-lint@v1
+ uses: reviewdog/action-golangci-lint@79d32f10b2ea0d4cebb755d849b048c4b40c3d50 # v2
 with:
 tool_name: golangci-lint
 fail_on_error: true
@@ -42,16 +43,15 @@ jobs:
 go: [ 1.19 ]
 runs-on: [self-hosted, public, linux, x64]
 steps:
+ - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3
 - name: Install Go
- uses: actions/setup-go@v2
+ uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4
 with:
 go-version: ${{ matrix.go }}
- - name: Checkout code
- uses: actions/checkout@v2
 - name: build
 run: go build
 - name: Clone Terragoat - vulnerable terraform
- uses: actions/checkout@v2
+ uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3
 with:
 repository: bridgecrewio/terragoat # clone https://github.com/bridgecrewio/terragoat/
 fetch-depth: 0
diff --git a/src/terraform/structure/terraform_parser.go b/src/terraform/structure/terraform_parser.go
index 30d56e66..2d86c42b 100644
--- a/src/terraform/structure/terraform_parser.go
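Review bot: The "Clone Terragoat" step in the third hunk still checks out `bridgecrewio/terragoat` at whatever its default branch currently points to, so the external fixture this job runs against changes under the test whenever upstream pushes, and a compromised upstream branch would land in the job unreviewed; add `ref: <commit sha>` under `with:` and bump it deliberately. Keep `fetch-depth: 0` if the test exercises git-history-based tagging, which the full clone suggests — a comment stating that would save the next reader from "optimising" it away. This job is also the only one of the three left on `[self-hosted, public, linux, x64]` after the others moved to `ubuntu-latest`; if there is no hard requirement for the self-hosted pool, moving it too would remove one more place where repository code runs on persistent infrastructure. The unit-test and linter hunks look right: checkout-before-setup-go with SHA-pinned actions.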
+++ b/src/terraform/structure/terraform_parser.go
@@ -341,7 +341,7 @@ func (p *TerraformParser) modifyBlockTags(rawBlock *hclwrite.Block, parsedBlock
 // The line is:
 // tags = null
 // => we should replace it!
- rawTagsTokens = newTagsTokens
+ rawTagsTokens = newTagsTokens // checkov:skip=CKV_SECRET_6 false positive
 } else {
 rawTagsTokens = InsertTokens(rawTagsTokens, newTagsTokens[2:len(newTagsTokens)-2])
 }
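Review bot: The justification in `// checkov:skip=CKV_SECRET_6 false positive` does not say what the scanner matched on a plain assignment that contains no literal, so the next maintainer has to re-run the scan to judge whether the suppression is still warranted or is hiding something new on the same line. State what triggered it and why it is safe, e.g. `// checkov:skip=CKV_SECRET_6 no literal on this line; the scanner matched the identifier text, not a secret` (adjust to whatever the finding actually reported). Worth confirming that checkov honours inline skips in non-IaC files under `enable-secret-scan-all-files`; if it does not, the suppression belongs in checkov.yaml rather than in Go source. modifyBlockTags begins outside the hunk; the assignment itself is unchanged.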