Initial commit

.coveragerc

@@ -0,0 +1,26 @@
+[run]
+omit = tests/*, app/alembic/*, **/exceptions.py
+
+[report]
+fail_under = 60
+# Regexes for lines to exclude from consideration
+exclude_lines =
+    # Have to re-enable the standard pragma
+    pragma: no cover
+
+    # Don't complain about missing debug-only code:
+    def __repr__
+    if self\.debug
+
+    # Don't complain if tests don't hit defensive assertion code:
+    raise AssertionError
+    raise NotImplementedError
+
+    # Don't complain if non-runnable code isn't run:
+    if 0:
+    if __name__ == .__main__.:
+
+    # Don't complain about abstract methods, they aren't run:
+    @(abc\.)?abstractmethod
+
+ignore_errors = True

.dockerignore

@@ -0,0 +1,32 @@
+.idea
+.cache
+.coverage
+.dockerignore
+.git
+.gitattributes
+.gitignore
+.gitkeep
+.flake8
+.isort.cfg
+.mypy_cache
+.pytest_cache
+.tox
+tox.ini
+mypy.ini
+tests
+distribution
+venv
+**/__pycache__
+*.yml
+*.svg
+*.egg-info/
+*.egg
+env/
+pytest.ini
+README.rst
+README.md
+Dockerfile
+Zenvfile
+infrastructure
+data/
+.env.override.example

.env.dev

@@ -0,0 +1,21 @@
+UVICORN_RELOAD=1
+
+CELERY_BROKER_URL=redis://redis:6379/0
+CELERY_RESULT_BACKEND=redis://redis:6379/0
+
+SECBOT_POSTGRES_DSN=postgresql+asyncpg://secbot:foobar@db:5432/secbot
+
+GITLAB_CONFIGS=[{"host":"https://git.env.local/","webhook_secret_token":"SecretStr","auth_token":"SecretStr","prefix":"GIT_LOCAL"}]
+
+DEFECTDOJO__URL=https://defectdojo.env.local
+DEFECTDOJO__TOKEN=defectdojo_token
+DEFECTDOJO__USER=defectdojo_username
+DEFECTDOJO__USER_ID=10
+
+SLACK_TOKEN=token_here
+
+# Metrics settings
+SRE_METRIC_LABEL_TEAM=SECURITY
+SRE_METRIC_LABEL_SERVICE=security-bot
+TRACING_TAGS_HOST=security-bot.env.local
+TRACING_TAGS_CLUSTER=security-local

.env.override.example

@@ -0,0 +1,9 @@
+# The .env.override.example file streamlines environment-specific settings management during development.
+#
+# To use it:
+# 1. Rename the file to '.env.override' for recognition by the dev environment.
+# 2. Update environment variables with development-specific values in the file.
+# 3. Rebuild the Docker image and restart it, ensuring it reads from the updated .env.override.
+#
+# e.g.
+# DEBUG=true

.flake8

@@ -0,0 +1,14 @@
+[flake8]
+max-line-length = 87
+ignore = E203,W503,E501,W293
+statistics = True
+exclude =
+    .git,
+    __pycache__,
+    .cache/,
+    .pytest_cache/,
+    .mypy_cache/,
+    .venv/,
+    .run/,
+    app/secbot/db/alembic
+

.github/workflows/docker-publish.yml

@@ -0,0 +1,45 @@
+name: Publish Docker image
+
+on:
+  release:
+    types: [published]
+
+jobs:
+  push_to_registries:
+    name: Push Docker image
+    runs-on: ubuntu-latest
+    permissions:
+      packages: write
+      contents: read
+    steps:
+      - name: Check out the repo
+        uses: actions/checkout@v3
+
+      - name: Log in to Docker Hub
+        uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a
+        with:
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
+
+      - name: Log in to the Container registry
+        uses: docker/login-action@65b78e6e13532edd9afa3aa52ac7964289d1a9c1
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract metadata (tags, labels) for Docker
+        id: meta
+        uses: docker/metadata-action@9ec57ed1fcdbf14dcef7dfbe97b2010124a938b7
+        with:
+          images: |
+            exness/security-bot
+            ghcr.io/${{ github.repository }}
+      
+      - name: Build and push Docker images
+        uses: docker/build-push-action@3b5e8027fcad23fda98b2e3ac259d8d67585f671
+        with:
+          context: .
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}

.gitignore

@@ -0,0 +1,152 @@
+# Byte-compiled / optimized / DLL files
+__pycache__/
+*.py[cod]
+*$py.class
+
+# C extensions
+*.so
+
+# Distribution / packaging
+.Python
+build/
+develop-eggs/
+dist/
+downloads/
+eggs/
+.eggs/
+lib/
+lib64/
+parts/
+sdist/
+var/
+wheels/
+share/python-wheels/
+*.egg-info/
+.installed.cfg
+*.egg
+MANIFEST
+
+# PyInstaller
+#  Usually these files are written by a python script from a template
+#  before PyInstaller builds the exe, so as to inject date/other infos into it.
+*.manifest
+*.spec
+
+# Installer logs
+pip-log.txt
+pip-delete-this-directory.txt
+
+# Unit test / coverage reports
+htmlcov/
+.tox/
+.nox/
+.coverage
+.coverage.*
+.cache
+nosetests.xml
+coverage.xml
+*.cover
+*.py,cover
+.hypothesis/
+.pytest_cache/
+cover/
+
+# Translations
+*.mo
+*.pot
+
+# Django stuff:
+*.log
+local_settings.py
+db.sqlite3
+db.sqlite3-journal
+
+# Flask stuff:
+instance/
+.webassets-cache
+
+# Scrapy stuff:
+.scrapy
+
+# Sphinx documentation
+docs/_build/
+
+# PyBuilder
+.pybuilder/
+target/
+
+# Jupyter Notebook
+.ipynb_checkpoints
+
+# IPython
+profile_default/
+ipython_config.py
+
+# pyenv
+#   For a library or package, you might want to ignore these files since the code is
+#   intended to run in multiple environments; otherwise, check them in:
+# .python-version
+
+# pipenv
+#   According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control.
+#   However, in case of collaboration, if having platform-specific dependencies or dependencies
+#   having no cross-platform support, pipenv may install dependencies that don't work, or not
+#   install all needed dependencies.
+#Pipfile.lock
+
+# poetry
+#   Similar to Pipfile.lock, it is generally recommended to include poetry.lock in version control.
+#   This is especially recommended for binary packages to ensure reproducibility, and is more
+#   commonly ignored for libraries.
+#   https://python-poetry.org/docs/basic-usage/#commit-your-poetrylock-file-to-version-control
+#poetry.lock
+
+# PEP 582; used by e.g. github.com/David-OConnor/pyflow
+__pypackages__/
+
+# Celery stuff
+celerybeat-schedule
+celerybeat.pid
+
+# SageMath parsed files
+*.sage.py
+
+# Environments
+.env
+.venv
+env/
+venv/
+ENV/
+env.bak/
+venv.bak/
+
+# Personal override env
+.env.override
+
+# Spyder project settings
+.spyderproject
+.spyproject
+
+# Rope project settings
+.ropeproject
+
+# mkdocs documentation
+/site
+
+# mypy
+.mypy_cache/
+.dmypy.json
+dmypy.json
+
+# Pyre type checker
+.pyre/
+
+# pytype static type analyzer
+.pytype/
+
+# Cython debug symbols
+cython_debug/
+
+# PyCharm
+.idea/
+.DS_Store

.readthedocs.yaml

@@ -0,0 +1,21 @@
+version: 2
+
+build:
+  os: "ubuntu-20.04"
+  tools:
+    python: "3.9"
+  jobs:
+    post_create_environment:
+      - pip install --upgrade pip
+      - pip install poetry
+      - poetry config virtualenvs.create false
+    post_install:
+      - poetry install --no-root
+
+formats:
+  - pdf
+  - epub
+
+sphinx:
+  configuration: docs/conf.py
+  fail_on_warning: true

CONTRIBUTORS.md

@@ -0,0 +1,10 @@
+# Special thanks
+
+- [Exness](https://github.com/exness)
+- [Vulners](https://github.com/vulnerscom)
+
+# Contributors
+
+- [Valerio Rico](https://github.com/V-Rico) - MVP and maintenance
+- [Ivan Zhirov](https://github.com/izhirov) - further development and maintenance
+- [Maxim Sokolov](https://github.com/mcson-the-writer) - documentation

Dockerfile

@@ -0,0 +1,43 @@
+FROM python:3.9-slim
+
+ARG USER_NAME="exness"
+ARG USER_HOME="/${USER_NAME}"
+ARG APP_HOME="/opt"
+
+COPY poetry.lock pyproject.toml /
+
+### Add required binaries ###
+RUN apt-get update && \
+    apt-get install -y git curl && \
+    apt-get clean && \
+    rm -rf /var/cache/*
+
+RUN apt-get update && \
+    apt-get install -qy --no-install-recommends build-essential make && \
+    pip install --no-cache-dir --upgrade pip poetry>=1.0.0 && \
+    poetry config virtualenvs.create false && \
+    poetry install --no-interaction --no-dev && \
+    apt-get remove -qy --purge build-essential && \
+    apt-get autoremove --purge -qy && \
+    apt-get clean && \
+    rm -rf /var/cache/* /poetry.lock /pyproject.toml
+
+### Add worker tools ###
+
+# Install gitleaks
+COPY --from=zricethezav/gitleaks:v8.17.0 /usr/bin/gitleaks /usr/local/bin/gitleaks
+
+### Create service user ###
+RUN groupadd -g 10001 ${USER_NAME} && useradd -g 10001 -u 10001 -s "/usr/sbin/nologin" -md ${USER_HOME} ${USER_NAME}
+
+### Add application source code ###
+COPY docker-entrypoint.sh /usr/local/bin
+COPY --chown=10001:10001 app/ ${APP_HOME}/app
+
+ENV PYTHONPATH="${APP_HOME}"
+
+USER ${USER_NAME}
+EXPOSE 5000 5001
+WORKDIR ${APP_HOME}
+ENTRYPOINT ["docker-entrypoint.sh"]
+CMD ["help"]