Add setup and improvements

syn-4ck · Jan 20, 2024 · 7a1067f · 7a1067f
1 parent 4f4431b
commit 7a1067f
Show file tree

Hide file tree

Showing 40 changed files with 5,555 additions and 42,328 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -0,0 +1,36 @@
+name: Build Python Wheel
+
+on: [push, pull_request]
+
+jobs:
+  build_wheel:
+    name: Build Wheel
+    runs-on: ubuntu-latest
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@v2
+
+    - name: Set up Python
+      uses: actions/setup-python@v2
+      with:
+        python-version: '3.8' # specify the Python version you want to use
+
+    - name: Install dependencies
+      run: |
+        python -m pip install --upgrade pip -y
+        pip install wheel -y
+
+    - name: Build wheel
+      run: python setup.py bdist_wheel
+
+    - name: Upload wheel
+      uses: actions/upload-artifact@v2
+      with:
+        name: wheel
+        path: dist
+
+    - name: Install tool
+      run: find dist/ -name '*.whl' -type f | xargs pip install -y
+
+    - name: Run tool
+      run: fafnir --help
diff --git a/.github/workflows/deploy-docker.yml b/.github/workflows/deploy-docker.yml
@@ -0,0 +1,29 @@
+name: Deploy Docker Image
+
+on: [release]
+
+jobs:
+    docker:
+      runs-on: ubuntu-latest
+      steps:
+        - name: Checkout
+          uses: actions/checkout@v3
+
+        - name: Set up QEMU
+          uses: docker/setup-qemu-action@v3
+
+        - ame: Set up Docker Buildx
+          uses: docker/setup-buildx-action@v3
+
+        - name: Login to Docker Hub
+          uses: docker/login-action@v3
+          with:
+            username: ${{ secrets.DOCKERHUB_USERNAME }}
+            password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+        - name: Build and push
+          uses: docker/build-push-action@v5
+          with:
+            context: .
+            push: true
+            tags: ghsyn4ck/fafnir:latest, ghsyn4ck/fafnir:${{ github.event.release.tag_name }}
diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml
@@ -0,0 +1,38 @@
+name: Build Docker Image
+
+on: [push, pull_request]
+
+jobs:
+  build:
+    name: Build
+    runs-on: ubuntu-20.04
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+
+      - name: Build an image from Dockerfile
+        run: |
+          docker build -t docker.io/ghsyn4ck/fafnir:${{ github.sha }} .
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: 'docker.io/ghsyn4ck/fafnir:${{ github.sha }}'
+          exit-code: '1'
+          format: 'sarif'
+          output: 'trivy-container-results.sarif'
+
+      - name: Upload SARIF file
+        uses: actions/upload-artifact@v4.0.0
+        if: always()
+        with:
+            # Artifact name
+            name: trivy-results
+            # A file, directory or wildcard pattern that describes what to upload
+            path: trivy-results.sarif
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v2
+        if: always()
+        with:
+          sarif_file: 'trivy-container-results.sarif'
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -0,0 +1,23 @@
+name: Code lint
+
+on: [push, pull_request]
+
+jobs:
+  flake8:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v2
+
+      - name: Set up Python
+        uses: actions/setup-python@v2
+        with:
+          python-version: 3.8
+
+      - name: Install dependencies
+        run: pip install flake8 -y
+
+      - name: Run Flake8
+        working-directory: src
+        run: flake8 . --ignore E501,W503
diff --git a/.github/workflows/security-analysis.yml b/.github/workflows/security-analysis.yml
@@ -0,0 +1,94 @@
+name: Security Code Analysis - SAST & SCA
+
+on: [push, pull_request]
+
+permissions:
+    contents: read # for actions/checkout to fetch code
+    security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+    actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+
+jobs:
+  trivy_scan:
+    name: Trivy
+    runs-on: ubuntu-latest
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@v2
+
+    - name: Run Trivy vulnerability scanner in fs mode
+      uses: aquasecurity/trivy-action@master
+      with:
+        scan-type: 'fs'
+        scan-ref: '.'
+        exit-code: '1'
+        trivy-config: 'trivy.yaml'
+        format: 'sarif'
+        output: 'trivy-results.sarif'
+
+    # Upload SARIF file generated in previous step
+    - name: Upload SARIF file
+      uses: actions/upload-artifact@v4.0.0
+      if: always()
+      with:
+        # Artifact name
+        name: trivy-results
+        # A file, directory or wildcard pattern that describes what to upload
+        path: trivy-results.sarif
+
+    - name: Upload Trivy scan results to GitHub Security tab
+      uses: github/codeql-action/upload-sarif@v1
+      if: always()
+      with:
+        sarif_file: 'trivy-results.sarif'
+
+  bandit_scan:
+    name: Bandit
+    runs-on: ubuntu-latest
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@v2
+
+    - name: Set up Python
+      uses: actions/setup-python@v2
+      with:
+        python-version: '3.8'
+
+    - name: Install Bandit
+      run: pip install bandit bandit_sarif_formatter -y
+
+    - name: Run Bandit
+      run: bandit --format sarif --output bandit-results.sarif -r src/
+
+    # Upload SARIF file generated in previous step
+    - name: Upload SARIF file
+      uses: actions/upload-artifact@v4.0.0
+      if: always()
+      with:
+        # Artifact name
+        name: bandit-results
+        # A file, directory or wildcard pattern that describes what to upload
+        path: bandit-results.sarif
+
+    - name: Upload Bandit scan results to GitHub Security tab
+      uses: github/codeql-action/upload-sarif@v1
+      if: always()
+      with:
+        sarif_file: 'bandit-results.sarif'
+
+  codeQL_scan:
+    name: CodeQL
+    runs-on: ubuntu-latest
+    steps:
+    - name: Checkout code
+        uses: actions/checkout@v2
+
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v3
+      with:
+        languages: python
+        queries: security-extended
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v3
+      with:
+        category: "/language:python"
diff --git a/Dockerfile b/Dockerfile
@@ -0,0 +1,18 @@
+FROM  python:3-alpine3.19
+
+ENV VERSION=1.0.0
+
+RUN apk update && apk upgrade
+
+WORKDIR /app
+
+COPY . .
+
+RUN pip install --upgrade pip
+
+RUN pip install wheel
+RUN python setup.py bdist_wheel
+RUN pip install dist/fafnir-${VERSION}-py3-none-any.whl
+
+RUN adduser -D fafnir
+USER fafnir
diff --git a/README.md b/README.md
@@ -71,6 +71,8 @@ To check the options available in the CLI, you can run the following command:
 
 * **--asynchronous**: Asynchronous mode to run all security tools at the same time
 
+* **--output-type**: Type of report: sarif, json
+
 * **--output-path**: Path to store the reports
 
 * **--disable-apis**: Disable API requests to get external information

diff --git a/VERSION b/VERSION
@@ -0,0 +1 @@
+1.0.0
diff --git a/configuration_file/fafnir_config.yml b/configuration_file/fafnir_config.yml
@@ -1,12 +1,12 @@
-#exclude-tools: # Uncomment the tools you want to exclude from analysis
-  #- semgrep
-  #- bandit
-  #- find-sec-bugs
-  #- osv-scanner
+exclude-tools: # Uncomment the tools you want to exclude from analysis
+  - semgrep
+  - bandit
+  - find-sec-bugs
+  - osv-scanner
   #- trivy-sca
-  #- gitleaks
-  #- checkov
-  #- syft
+  - gitleaks
+  - checkov
+  - syft
 
 tools-config:
   semgrep:

diff --git a/requirements.txt b/requirements.txt
@@ -1,6 +1,4 @@
 docker==6.1.3
 PyYAML==6.0.1
 click==8.1.7
-cvss==2.6
-#guesslang==2.2.1
-#python-magic==0.4.27 
+cvss==2.6
diff --git a/setup.py b/setup.py
@@ -0,0 +1,31 @@
+from setuptools import setup, find_packages
+
+with open('requirements.txt') as f:
+    requirements = f.read().splitlines()
+
+with open('VERSION') as f:
+    version = f.read()
+
+setup(
+    name='fafnir',  # Replace with your project name
+    version = version,
+    author = 'syn-4ck',
+    author_email = 'repoJFM@protonmail.com',
+    url = 'https://github.com/syn-4ck/fafnir',
+    description = 'Software supply chain security tool to automate appsec vulnerability detection',
+    long_description = 'Fafnir is an open-source tool that allows for the complete automation ' +
+        'of launching different security tools detecting vulnerabilities in the application''s, code',
+    license = "MIT license",
+    packages = find_packages(exclude=["tests",".github",".github"]),
+    install_requires = requirements,
+    entry_points={
+        'console_scripts': [
+            'fafnir = src.main:main',
+        ],
+    },
+    classifiers=[
+        "Programming Language :: Python :: 3",
+        "License :: OSI Approved :: Apache License 2.0",
+        "Operating System :: OS Independent",
+    ]
+)
diff --git a/src/config/banner/banner.py b/src/config/banner/banner.py
@@ -1,3 +1,5 @@
+# flake8: noqa
+
 def print_banner(version):
     print(f'''                           
  _____ _    _____ _   _ ___ ____  
@@ -8,4 +10,4 @@ def print_banner(version):
 
 Version {version}
 
-'''.format(version))
+'''.format(version))