From c390a9b94c7d6df5c84d4f54a50736acdd3f7b13 Mon Sep 17 00:00:00 2001 From: nishfath <81247855+nishfath@users.noreply.github.com> Date: Thu, 25 Mar 2021 09:59:45 -0400 Subject: [PATCH 01/16] Create inspect.yml --- .github/workflows/inspect.yml | 32 ++++++++++++++++++++++++++++++++ 1 file changed, 32 insertions(+) create mode 100644 .github/workflows/inspect.yml diff --git a/.github/workflows/inspect.yml b/.github/workflows/inspect.yml new file mode 100644 index 0000000..e451eea --- /dev/null +++ b/.github/workflows/inspect.yml @@ -0,0 +1,32 @@ +# This workflow integrates ShiftLeft NG SAST with GitHub +# Visit https://docs.shiftleft.io for help +name: ShiftLeft + +on: + pull_request: + workflow_dispatch: + push: + # We recommend triggering a scan when merging to your default branch as a best practice, + # especially if you'd like to compare the results of two scans (e.g., a feature branch against the + # default branch) + branches: + - main + - master +jobs: + NextGen-Static-Analysis: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + - name: Download ShiftLeft CLI + run: | + curl https://cdn.shiftleft.io/download/sl > ${GITHUB_WORKSPACE}/sl && chmod a+rx ${GITHUB_WORKSPACE}/sl + # ShiftLeft requires Java 1.8. Post the package step override the version + - name: Setup Java JDK + uses: actions/setup-java@v1.3.0 + with: + java-version: 1.8 + - name: NextGen Static Analysis + run: ${GITHUB_WORKSPACE}/sl analyze --app ShiftLeftJS --tag branch=${{ github.head_ref }} --js --cpg $(pwd) + env: + SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} From 0a63e6936460b2ac986b57a7252f84c5d8e304b1 Mon Sep 17 00:00:00 2001 From: nishfath <81247855+nishfath@users.noreply.github.com> Date: Thu, 25 Mar 2021 15:55:45 -0400 Subject: [PATCH 02/16] Create main.yml --- .github/workflows/main.yml | 43 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 43 insertions(+) create mode 100644 .github/workflows/main.yml 
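Review bot: `--tag branch=${{ github.head_ref }}` in the NextGen Static Analysis `run:` line expands a branch name chosen by whoever opens the pull request straight into the shell command before bash parses it, so a crafted head ref can run commands inside a job that holds `SHIFTLEFT_ACCESS_TOKEN` and `GITHUB_TOKEN`; pass it through the step's `env:` instead (`BRANCH: ${{ github.head_ref }}`) and reference it as `--tag "branch=$BRANCH"`. Wrapping the expression in shell quotes, as the later `--branch "${{ ... }}"` in PATCH 09 does, gives no protection for the same reason; the same pattern appears in the PATCH 09, PATCH 12, PATCH 13 and PATCH 15 hunks. The CLI download `curl https://cdn.shiftleft.io/download/sl > ${GITHUB_WORKSPACE}/sl` runs without `-f`, so an HTTP error body would be saved and executed as the binary, and nothing verifies what was fetched; at minimum use `curl -fsSL` and consider checking a published checksum (this download line is repeated in every later workflow file in the series). `actions/checkout@v2` and `actions/setup-java@v1.3.0` are pinned by tag rather than full commit SHA, and `java-version: 1.8` is an unquoted float that should be written `"1.8"`.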
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml new file mode 100644 index 0000000..90c0ffb --- /dev/null +++ b/.github/workflows/main.yml @@ -0,0 +1,43 @@ +# This workflow integrates ShiftLeft NG SAST with GitHub +# Visit https://docs.shiftleft.io for help +name: ShiftLeft + +on: + pull_request: + workflow_dispatch: + push: + # We recommend triggering a scan when merging to your default branch as a best practice, + # especially if you'd like to compare the results of two scans (e.g., a feature branch against the + # default branch) + branches: + - main + - master +jobs: + NG-SAST-Build: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + # We are building this application with Java 11 + - name: Setup Java JDK + uses: actions/setup-java@v1.4.3 + with: + java-version: 11.0.x + - name: Package with maven + run: mvn compile package + - name: Download ShiftLeft CLI + run: | + curl https://cdn.shiftleft.io/download/sl > ${GITHUB_WORKSPACE}/sl && chmod a+rx ${GITHUB_WORKSPACE}/sl + # ShiftLeft requires Java 1.8. Post the package step override the version + - name: Setup Java JDK + uses: actions/setup-java@v1.4.3 + with: + java-version: 1.8 + - name: NextGen Static Analysis + run: | + ${GITHUB_WORKSPACE}/sl analyze --wait --app HelloShiftLeft --java --cpg target/hello-shiftleft-0.0.1.jar + ${GITHUB_WORKSPACE}/sl check-analysis --app HelloShiftLeft --source 'tag.branch=main' --target scan.30 --report --github-pr-number=${{github.event.number}} --github-pr-user=${{ github.repository_owner }} --github-pr-repo=${{ github.event.repository.name }} --github-token=${{ secrets.GITHUB_TOKEN }} + + env: + SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} +© 2021 GitHub, Inc. From bf33110eb0d39fd86e68ca13158138d6a2d1170e Mon Sep 17 00:00:00 2001 
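Review bot: the trailing `+© 2021 GitHub, Inc.` is pasted page footer, not YAML, so this workflow file does not parse as committed (PATCH 05 removes it). `--github-token=${{ secrets.GITHUB_TOKEN }}` puts the token on the `sl check-analysis` command line even though the same step already exports `GITHUB_TOKEN` in `env:`; command-line arguments are visible to every process on the runner, so drop the flag if the CLI reads the variable, or at least stop carrying the secret both ways. `--target scan.30` hard-codes a scan id, which, if `--target` selects the scan being evaluated, means the check never looks at the scan this job just produced; presumably the current scan should be the target. The workflow declares no `permissions:` block, so the job runs with the repository's default token scope; `contents: read` plus `pull-requests: write` for the PR comment is the least-privilege shape. As in inspect.yml, `java-version: 1.8` should be quoted.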
From: nishfath <81247855+nishfath@users.noreply.github.com> Date: Thu, 25 Mar 2021 16:06:45 -0400 Subject: [PATCH 03/16] Update main.yml --- .github/workflows/main.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 90c0ffb..2704838 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -20,6 +20,8 @@ jobs: # We are building this application with Java 11 - name: Setup Java JDK uses: actions/setup-java@v1.4.3 + env: + ACTIONS_ALLOW_UNSECURE_COMMANDS: 'true' with: java-version: 11.0.x - name: Package with maven @@ -30,6 +32,8 @@ jobs: # ShiftLeft requires Java 1.8. Post the package step override the version - name: Setup Java JDK uses: actions/setup-java@v1.4.3 + env: + ACTIONS_ALLOW_UNSECURE_COMMANDS: 'true' with: java-version: 1.8 - name: NextGen Static Analysis From a347e43c20c678a24072b897cd7c0ca182a8ba51 Mon Sep 17 00:00:00 2001 From: nishfath <81247855+nishfath@users.noreply.github.com> Date: Thu, 25 Mar 2021 16:12:52 -0400 Subject: [PATCH 04/16] Update main.yml From 69759ef75aab92935eaa3662ec43acf26a8e94ba Mon Sep 17 00:00:00 2001 From: nishfath <81247855+nishfath@users.noreply.github.com> Date: Thu, 25 Mar 2021 16:18:34 -0400 Subject: [PATCH 05/16] Update main.yml --- .github/workflows/main.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 2704838..f099a7e 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -44,4 +44,3 @@ jobs: env: SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} -© 2021 GitHub, Inc. From 5c12103b174580fdae825eab935a2fae4007eb45 Mon Sep 17 00:00:00 2001 From: nishfath <81247855+nishfath@users.noreply.github.com> Date: Fri, 26 Mar 2021 12:20:53 -0400 Subject: [PATCH 06/16] Update main.yml --- .github/workflows/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
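Review bot: `ACTIONS_ALLOW_UNSECURE_COMMANDS: 'true'` re-enables the deprecated `set-env`/`add-path` workflow commands, which GitHub disabled because any text a step writes to its log — including output derived from untrusted build input — could then set environment variables and PATH entries for later steps; both hunks of PATCH 03 add it to the `actions/setup-java@v1.4.3` steps. If that pinned release still relies on those commands, the fix is to move to a release that writes `GITHUB_ENV`/`GITHUB_PATH` instead rather than re-enabling the commands (the PATCH 09 hunks drop the override again). Because the variable is set per step rather than job-wide the exposure is limited to those two steps, but a comment above each `env:` saying why it is needed, e.g. `# setup-java v1 still emits set-env; remove once upgraded`, would stop it from being copied elsewhere. The PATCH 05 hunk on this line is a pure deletion and needs no change.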
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index f099a7e..a6c8dfe 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -39,7 +39,7 @@ jobs: - name: NextGen Static Analysis run: | ${GITHUB_WORKSPACE}/sl analyze --wait --app HelloShiftLeft --java --cpg target/hello-shiftleft-0.0.1.jar - ${GITHUB_WORKSPACE}/sl check-analysis --app HelloShiftLeft --source 'tag.branch=main' --target scan.30 --report --github-pr-number=${{github.event.number}} --github-pr-user=${{ github.repository_owner }} --github-pr-repo=${{ github.event.repository.name }} --github-token=${{ secrets.GITHUB_TOKEN }} + ${GITHUB_WORKSPACE}/sl check-analysis --app HelloShiftLeft --source 'tag.branch=main' --target scan.30 --report --github-pr-user=${{ github.repository_owner }} --github-pr-repo=${{ github.event.repository.name }} --github-token=${{ secrets.GITHUB_TOKEN }} env: SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }} From 569184bc115028b502d65e271e5f125901c84492 Mon Sep 17 00:00:00 2001 From: nishfath <81247855+nishfath@users.noreply.github.com> Date: Fri, 26 Mar 2021 12:44:38 -0400 Subject: [PATCH 07/16] Update main.yml --- .github/workflows/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index a6c8dfe..061c362 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml 
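Review bot: the Validate step still runs on `push` events, where `github.event.number` is empty, yet nothing gates `sl check-analysis` on the event type; this hunk drops `--github-pr-number` rather than adding `if: github.event_name == 'pull_request'` to the step, and the PATCH 07 hunk restores the flag with the same gap. With the flag removed the PR-comment reporting presumably has no pull request to post to on `pull_request` runs either, so the intent of the change is unclear; a commit message line or a comment on the step saying why it was removed would help. The enclosing step and its `env:` block continue outside the hunk.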
@@ -39,7 +39,7 @@ jobs: - name: NextGen Static Analysis run: | ${GITHUB_WORKSPACE}/sl analyze --wait --app HelloShiftLeft --java --cpg target/hello-shiftleft-0.0.1.jar - ${GITHUB_WORKSPACE}/sl check-analysis --app HelloShiftLeft --source 'tag.branch=main' --target scan.30 --report --github-pr-user=${{ github.repository_owner }} --github-pr-repo=${{ github.event.repository.name }} --github-token=${{ secrets.GITHUB_TOKEN }} + ${GITHUB_WORKSPACE}/sl check-analysis --app HelloShiftLeft --source 'tag.branch=main' --target scan.30 --report --github-pr-number=${{github.event.number}} --github-pr-user=${{ github.repository_owner }} --github-pr-repo=${{ github.event.repository.name }} --github-token=${{ secrets.GITHUB_TOKEN }} env: SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }} From 2892416bdb104c499d68cff52d04cc24bf11939d Mon Sep 17 00:00:00 2001 From: nishfath <81247855+nishfath@users.noreply.github.com> Date: Fri, 26 Mar 2021 12:54:40 -0400 Subject: [PATCH 08/16] Update main.yml --- .github/workflows/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 061c362..b13d8ae 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml 
@@ -39,7 +39,7 @@ jobs: - name: NextGen Static Analysis run: | ${GITHUB_WORKSPACE}/sl analyze --wait --app HelloShiftLeft --java --cpg target/hello-shiftleft-0.0.1.jar - ${GITHUB_WORKSPACE}/sl check-analysis --app HelloShiftLeft --source 'tag.branch=main' --target scan.30 --report --github-pr-number=${{github.event.number}} --github-pr-user=${{ github.repository_owner }} --github-pr-repo=${{ github.event.repository.name }} --github-token=${{ secrets.GITHUB_TOKEN }} + ${GITHUB_WORKSPACE}/sl check-analysis --app HelloShiftLeft --source 'tag.branch=main' --target scan.30 --report --github-pr-number=${{ github.event.number }} --github-pr-user=${{ github.repository_owner }} --github-pr-repo=${{ github.event.repository.name }} --github-token=${{ secrets.GITHUB_TOKEN }} env: SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }} From dadb3d556092e058207053e2ac35d4712ec329a5 Mon Sep 17 00:00:00 2001 From: nishfath <81247855+nishfath@users.noreply.github.com> Date: Fri, 26 Mar 2021 16:24:43 -0400 Subject: [PATCH 09/16] Update main.yml --- .github/workflows/main.yml | 50 ++++++++++++++++++++++++-------------- 1 file changed, 32 insertions(+), 18 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index b13d8ae..099404c 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml 
@@ -1,27 +1,24 @@ # This workflow integrates ShiftLeft NG SAST with GitHub # Visit https://docs.shiftleft.io for help -name: ShiftLeft - +name: NG SAST Scan - ShiftLeft on: - pull_request: - workflow_dispatch: + # Trigger the workflow on push to update the baseline scan + # or pull request going to main push: - # We recommend triggering a scan when merging to your default branch as a best practice, - # especially if you'd like to compare the results of two scans (e.g., a feature branch against the - # default branch) branches: - main - - master + pull_request: + branches: + - main + jobs: - NG-SAST-Build: + NextGen-Static-Analysis: runs-on: ubuntu-latest steps: - uses: actions/checkout@v2 # We are building this application with Java 11 - name: Setup Java JDK uses: actions/setup-java@v1.4.3 - env: - ACTIONS_ALLOW_UNSECURE_COMMANDS: 'true' with: java-version: 11.0.x - name: Package with maven 
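Review bot: with `workflow_dispatch` removed and `pull_request` retained, a pull request opened from a fork runs this job without `SHIFTLEFT_ACCESS_TOKEN`, since GitHub does not expose repository secrets to fork-triggered `pull_request` runs, so the analyze step presumably fails for exactly the contributions the scan is meant to gate; either document that limitation in the header comment (`# Fork PRs have no secrets; only the push-to-main scan is authoritative`) or treat fork PRs as best-effort. Dropping `ACTIONS_ALLOW_UNSECURE_COMMANDS` from the setup-java steps is the right direction. The rename `NG-SAST-Build` → `NextGen-Static-Analysis` changes the check name shown on PRs, which any branch-protection rule keyed on the old name would need to follow.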
@@ -32,15 +29,32 @@ jobs: # ShiftLeft requires Java 1.8. Post the package step override the version - name: Setup Java JDK uses: actions/setup-java@v1.4.3 - env: - ACTIONS_ALLOW_UNSECURE_COMMANDS: 'true' with: java-version: 1.8 + - name: Extract branch name + shell: bash + run: echo "##[set-output name=branch;]$(echo ${GITHUB_REF#refs/heads/})" + id: extract_branch - name: NextGen Static Analysis - run: | - ${GITHUB_WORKSPACE}/sl analyze --wait --app HelloShiftLeft --java --cpg target/hello-shiftleft-0.0.1.jar - ${GITHUB_WORKSPACE}/sl check-analysis --app HelloShiftLeft --source 'tag.branch=main' --target scan.30 --report --github-pr-number=${{ github.event.number }} --github-pr-user=${{ github.repository_owner }} --github-pr-repo=${{ github.event.repository.name }} --github-token=${{ secrets.GITHUB_TOKEN }} - + # Run the analyzer and wait for it to finis, the app is a part of a group and we can dynamicaly capture the branch we're on for tagging. It's a java app and we point to where the binary can be found + run: ${GITHUB_WORKSPACE}/sl analyze --wait --app HelloShiftLeft --tag app.group=HSL --tag branch=${{ github.head_ref || steps.extract_branch.outputs.branch }} --java --cpg target/hello-shiftleft-*.jar + env: + SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }} + SHIFTLEFT_ORG_ID: ${{ secrets.SHIFTLEFT_ORG_ID }} + - name: Validate Build Rules + # Only run on pull request and compare to Main as set in the build rules file Shiftleft.yml + if: ${{ github.event_name == 'pull_request' }} + # Lets check the previous analysis for this branch to our baseline on Main, + # since we specify a 'branch' we don't have to specify a '--source' + run: | + ${GITHUB_WORKSPACE}/sl check-analysis --app shiftleft-java-demo \ + --branch "${{ github.head_ref || steps.extract_branch.outputs.branch }}" \ + --report \ + --github-pr-number=${{ github.event.number }} \ + --github-pr-user=${{ github.repository_owner }} \ + --github-pr-repo=${{ github.event.repository.name }} \ + 
--github-token=${{ secrets.GITHUB_TOKEN }} env: + # For SL to run you'll need a Secret with an access token SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }} - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + From 735ea0c08f2b11cfada2663090b2c475e430a53d Mon Sep 17 00:00:00 2001 From: nishfath <81247855+nishfath@users.noreply.github.com> Date: Fri, 21 Oct 2022 14:56:00 -0400 Subject: [PATCH 10/16] Add files via upload --- shiftleft.yaml | 110 +++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 110 insertions(+) create mode 100644 shiftleft.yaml diff --git a/shiftleft.yaml b/shiftleft.yaml new file mode 100644 index 0000000..dd498a2 --- /dev/null +++ b/shiftleft.yaml 
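Review bot: `sl analyze` tags the scan as `--app HelloShiftLeft` while the new Validate Build Rules step runs `sl check-analysis --app shiftleft-java-demo`, so the build-rule check evaluates a different application than the one this job just analyzed; both should use the same value, e.g. `--app HelloShiftLeft`. The Extract branch name step uses the `##[set-output name=branch;]` command form, which GitHub has deprecated in favour of appending `branch=...` to `$GITHUB_OUTPUT`; switching now avoids the step breaking when the old form is turned off. A short comment on that step explaining that `github.head_ref` is only populated for `pull_request` runs, which is why the `||` fallback exists, would make the expression self-explanatory. `finis` → `finish` and `dynamicaly` → `dynamically` in the run comment, and `--github-token=${{ secrets.GITHUB_TOKEN }}` still passes the token as a command-line argument after the `GITHUB_TOKEN` env entry was removed.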
@@ -0,0 +1,110 @@ +build_rules: + - id: "No critical or high SAST findings" + finding_types: + - vuln + cvss_31_severity_ratings: + - critical + - high + threshold: 0 + - id: "No secrets" + finding_types: + - secret + threshold: 0 + options: + num_findings: 10 # Return 10 sast findings + - id: "No reachable SCA findings" + finding_types: + - oss_vuln + cvss_31_severity_ratings: + - critical + - high + threshold: 0 + options: + reachable: true + num_findings: 10 # Return 10 reachable sca findings + - id: "No critical or high container findings" + finding_types: + - container + cvss_31_severity_ratings: + - critical + - high + threshold: 0 + options: + num_findings: 10 # Return 10 container findings +# The above rule is perhaps the most common in that it +# is designed to be used with Pull Request and to block +# new vulns from being introduced that aren't already on +# the 'main' branch +# +# Below is enchalada with all the options shown +# +# ID is the name that will be reflected in the PR comments +# - id: build-rule-enchalada +# - vuln +#. - oss_vuln +# - secret +# - insight +# - container +# Do you want to block ALL types by severity? +# cvss_31_severity_ratings: +# - critical +# - high +# - medium +#. - low +# Do you want to focus on just one or more types? 
+# type: +# - Weak Random +# - Sensitive Data Leak +# - Deserialization +# - Directory Traversal +# - Sensitive Data Exposure +# - Remote Code Execution +# - Command Injection +# - Security Best Practices +# - Unsafe Reflection +# - Regex Injection +# - SQL Injection +# - XML External Entities +# - Template Injection +# - Cross-Site Scripting +# - JSON Injection +# - Potential SQL Injection +# - Potential Regex Injection +# - Header Injection +# - Security Misconfiguration +# - Deprecated Function Use +# - Mail Injection +# - Race Condition +# - Sensitive Data Usage +# - Open Redirect +# - Error Handling +# - HTTP to Database +# - HTTP to Model +# - LDAP Injection +# - Denial of Service +# - CRLF Injection +# - NoSQL Injection +# - Weak Hash +# - Session Injection +# - Server-Side Request Forgery +# - Prototype Pollution +# - Log Forging +# - XPath Injection +# - Insecure Authentication +# - Intent Redirection +# - Authentication Bypass +# - Weak Cipher +# - Crypto +# Focus by OWASP Category? +# owasp_category: +# - a01-2021-broken-access-control +# - a02-2021-cryptographic-failures +# - a03-2021-injection +# - a04-2021-insecure-design +# - a05-2021-security-misconfiguration +# - a06-2021-vulnerable-and-outdated-components +# - a07-2021-identification-and-authentication-failures +# - a08-2021-software-and-data-integrity-failures +# - a09-2021-security-logging-and-monitoring-failures +# - a10-2021-server-side-request-forgery-(ssrf) + \ No newline at end of file From 2e8cd5291786ca1bafdd6e29e6eb332af553131e Mon Sep 17 00:00:00 2001 From: nishfath <81247855+nishfath@users.noreply.github.com> Date: Fri, 21 Oct 2022 14:57:16 -0400 Subject: [PATCH 11/16] Update main.yml --- .github/workflows/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 099404c..9eb5da7 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml 
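Review bot: the commented `build-rule-enchalada` example lists `- vuln`, `- oss_vuln`, `- secret`, `- insight`, `- container` directly under `- id:` with no `finding_types:` key, so anyone uncommenting it gets a sequence with no parent; insert `# finding_types:` above the list, and fix the `#.` lines (`#. - oss_vuln`, `#. - low`), which look like a paste artifact that would break indentation if uncommented. `enchalada` → `enchilada` in both places, and the file ends without a newline (`\ No newline at end of file`). The live rules are consistent with each other, but since the block comment says the first rule is meant to block only vulnerabilities not already on `main`, a one-line comment stating whether `threshold` counts newly introduced findings or all findings would save the next reader a trip to the docs.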
@@ -47,7 +47,7 @@ jobs: # Lets check the previous analysis for this branch to our baseline on Main, # since we specify a 'branch' we don't have to specify a '--source' run: | - ${GITHUB_WORKSPACE}/sl check-analysis --app shiftleft-java-demo \ + ${GITHUB_WORKSPACE}/sl check-analysis --v2 --app shiftleft-java-demo \ --branch "${{ github.head_ref || steps.extract_branch.outputs.branch }}" \ --report \ --github-pr-number=${{ github.event.number }} \ From 90a6db42425399b98e42f41e8020ee25fc0541b2 Mon Sep 17 00:00:00 2001 From: nishfath <81247855+nishfath@users.noreply.github.com> Date: Fri, 21 Oct 2022 15:05:52 -0400 Subject: [PATCH 12/16] Update main.yml --- .github/workflows/main.yml | 36 ++++++++++++++---------------------- 1 file changed, 14 insertions(+), 22 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 9eb5da7..f9780e2 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -1,18 +1,18 @@ +--- # This workflow integrates ShiftLeft NG SAST with GitHub # Visit https://docs.shiftleft.io for help -name: NG SAST Scan - ShiftLeft +name: ShiftLeft + on: - # Trigger the workflow on push to update the baseline scan - # or pull request going to main push: - branches: + branches: - main + - master pull_request: - branches: - - main + workflow_dispatch: jobs: - NextGen-Static-Analysis: + NextGen-Static-Analyis: runs-on: ubuntu-latest steps: - uses: actions/checkout@v2 @@ -21,8 +21,8 @@ jobs: uses: actions/setup-java@v1.4.3 with: java-version: 11.0.x - - name: Package with maven - run: mvn compile package + - name: Build and package with Maven + run: mvn clean package -DskipTests - name: Download ShiftLeft CLI run: | curl https://cdn.shiftleft.io/download/sl > ${GITHUB_WORKSPACE}/sl && chmod a+rx ${GITHUB_WORKSPACE}/sl 
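Review bot: the job id in PATCH 12's first hunk is misspelled `NextGen-Static-Analyis` (renamed from `NextGen-Static-Analysis`); it becomes the visible check name, and any `needs:` reference or branch-protection required check must then copy the typo, so `NextGen-Static-Analysis` is intended. The same hunk drops the `branches: - main` filter under `pull_request` and the comment explaining the triggers, and re-adds `master`; a one-line comment on why both default-branch names are listed would help. In the second hunk `mvn clean package -DskipTests` skips the test suite before the artifact is scanned, which is acceptable for a SAST job but worth a comment so the line is not copied into a build pipeline. The `--v2` flag added in PATCH 11 is unexplained in the commit message.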
@@ -36,25 +36,17 @@ jobs: run: echo "##[set-output name=branch;]$(echo ${GITHUB_REF#refs/heads/})" id: extract_branch - name: NextGen Static Analysis - # Run the analyzer and wait for it to finis, the app is a part of a group and we can dynamicaly capture the branch we're on for tagging. It's a java app and we point to where the binary can be found - run: ${GITHUB_WORKSPACE}/sl analyze --wait --app HelloShiftLeft --tag app.group=HSL --tag branch=${{ github.head_ref || steps.extract_branch.outputs.branch }} --java --cpg target/hello-shiftleft-*.jar + run: ${GITHUB_WORKSPACE}/sl analyze --wait --app HelloShiftLeft --tag branch=${{ github.head_ref || steps.extract_branch.outputs.branch }} --remediation-config remediation.yaml --vcs-prefix-correction "*=/src/main/java" --java ./target/HelloShiftLeft.jar env: SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }} - SHIFTLEFT_ORG_ID: ${{ secrets.SHIFTLEFT_ORG_ID }} + - name: Validate Build Rules - # Only run on pull request and compare to Main as set in the build rules file Shiftleft.yml - if: ${{ github.event_name == 'pull_request' }} - # Lets check the previous analysis for this branch to our baseline on Main, - # since we specify a 'branch' we don't have to specify a '--source' - run: | - ${GITHUB_WORKSPACE}/sl check-analysis --v2 --app shiftleft-java-demo \ - --branch "${{ github.head_ref || steps.extract_branch.outputs.branch }}" \ + run: | + ${GITHUB_WORKSPACE}/sl check-analysis --v2 --app HelloShiftLeft \ --report \ - --github-pr-number=${{ github.event.number }} \ + --github-pr-number=${{github.event.number}} \ --github-pr-user=${{ github.repository_owner }} \ --github-pr-repo=${{ github.event.repository.name }} \ --github-token=${{ secrets.GITHUB_TOKEN }} env: - # For SL to run you'll need a Secret with an access token SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }} - From c493492607fb533cdd684b241d7b84c0edfbf074 Mon Sep 17 00:00:00 2001 
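Review bot: the `if: ${{ github.event_name == 'pull_request' }}` guard on Validate Build Rules is removed while the step keeps `--github-pr-number=${{github.event.number}}`, so on `push` runs it calls `sl check-analysis` with an empty PR number; restore the guard as `if: github.event_name == 'pull_request'`. The analyze line now passes `--remediation-config remediation.yaml`, but no commit in this series adds that file, so either it exists outside the series or the flag points at a missing path — worth confirming before merge. Removing the step comments and the `SHIFTLEFT_ORG_ID` variable without a note leaves the reader guessing whether the org id is still required; a short comment on the remaining `env:` block (`# org id is derived from the access token`, if that is the case) would cover it. The enclosing job continues outside the hunk.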
From: nishfath <81247855+nishfath@users.noreply.github.com> Date: Fri, 21 Oct 2022 15:13:48 -0400 Subject: [PATCH 13/16] Update main.yml --- .github/workflows/main.yml | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index f9780e2..2b5635b 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -36,7 +36,21 @@ jobs: run: echo "##[set-output name=branch;]$(echo ${GITHUB_REF#refs/heads/})" id: extract_branch - name: NextGen Static Analysis - run: ${GITHUB_WORKSPACE}/sl analyze --wait --app HelloShiftLeft --tag branch=${{ github.head_ref || steps.extract_branch.outputs.branch }} --remediation-config remediation.yaml --vcs-prefix-correction "*=/src/main/java" --java ./target/HelloShiftLeft.jar + run: ${GITHUB_WORKSPACE}/sl analyze --wait --app HelloShiftLeft --tag branch=${{ github.head_ref || steps.extract_branch.outputs.branch }} --remediation-config remediation.yaml --vcs-prefix-correction "*=/src/main/java" --java ./target/HelloShiftLeft-1.0.0.jar + env: + SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }} + + - name: Validate Build Rules + run: | + ${GITHUB_WORKSPACE}/sl check-analysis --v2 --app java-sec-code \ + --report \ + --github-pr-number=${{github.event.number}} \ + --github-pr-user=${{ github.repository_owner }} \ + --github-pr-repo=${{ github.event.repository.name }} \ + --github-token=${{ secrets.GITHUB_TOKEN }} + env: + SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }} + env: SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }} From 2075530976fc7ecba224fe6ab6f81e9c783e4d41 Mon Sep 17 00:00:00 2001 From: nishfath <81247855+nishfath@users.noreply.github.com> Date: Wed, 13 Sep 2023 20:00:31 -0400 Subject: [PATCH 14/16] Create qwiet.yml --- .github/workflows/qwiet.yml | 38 +++++++++++++++++++++++++++++++++++++ 1 file changed, 38 insertions(+) create mode 100644 .github/workflows/qwiet.yml 
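Review bot: the added lines give the NextGen Static Analysis step its own `env:` block and then add a new Validate Build Rules step with its own `env:`, but the two trailing context lines (`env:` / `SHIFTLEFT_ACCESS_TOKEN`) that previously belonged to the analyze step now sit under the new step, leaving that mapping with a duplicate `env:` key; duplicate keys are invalid YAML and most parsers silently keep the last one, and the original Validate Build Rules step from PATCH 12 appears to remain below the hunk, giving two copies of the step. The new copy also runs `sl check-analysis --v2 --app java-sec-code` while the scan is tagged `--app HelloShiftLeft`, so the build rules would be evaluated against a different application. The intended shape is a single Validate Build Rules step whose `--app` matches the analyze step, with the stray `env:` pair removed. The enclosing job continues outside the hunk.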
diff --git a/.github/workflows/qwiet.yml b/.github/workflows/qwiet.yml new file mode 100644 index 0000000..45d4e3d --- /dev/null +++ b/.github/workflows/qwiet.yml @@ -0,0 +1,38 @@ +--- +# This workflow integrates ShiftLeft NG SAST with GitHub +# Visit https://docs.shiftleft.io for help +name: ShiftLeft + +on: + push: + branches: + - main + - master + pull_request: + workflow_dispatch: + +jobs: + NextGen-Static-Analyis: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + # We are building this application with Java 11 + - name: Setup Java JDK + uses: actions/setup-java@v1.4.3 + with: + java-version: 11.0.x + - name: Build and package with Maven + run: mvn clean package -DskipTests + - name: Download ShiftLeft CLI + run: | + curl https://cdn.shiftleft.io/download/sl > ${GITHUB_WORKSPACE}/sl && chmod a+rx ${GITHUB_WORKSPACE}/sl + # ShiftLeft requires Java 1.8. Post the package step override the version + - name: Setup Java JDK + uses: actions/setup-java@v1.4.3 + with: + java-version: 1.8 + - name: NextGen Static Analysis + run: ${GITHUB_WORKSPACE}/sl analyze --app HelloShiftLeft-test --vcs-prefix-correction "*=/src/main/java" --java ./target/HelloShiftLeft-1.0.0.jar + env: + SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }} + From fe2d708c8353c9b6fc1c774fd5215e0aabcbf8b7 Mon Sep 17 00:00:00 2001 From: ShiftLeft Date: Wed, 31 Jan 2024 18:10:09 -0500 Subject: [PATCH 15/16] adding ShiftLeft action workflow config --- .github/workflows/shiftleft.yml | 68 +++++++++++++++++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 .github/workflows/shiftleft.yml diff --git a/.github/workflows/shiftleft.yml b/.github/workflows/shiftleft.yml new file mode 100644 index 0000000..b89433c --- /dev/null +++ b/.github/workflows/shiftleft.yml 
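Review bot: this new workflow duplicates main.yml almost line for line — same `name: ShiftLeft`, same triggers, same Maven build — so every push and pull request now runs two full builds and two scans that appear under the same check name; if the `HelloShiftLeft-test` app is meant as a separate scan target, give the workflow a distinct `name:` and a header comment stating how it differs from main.yml. The job id `NextGen-Static-Analyis` repeats the typo from main.yml. `actions/checkout@v2` and `actions/setup-java@v1.4.3` are older releases that GitHub has since deprecated; the PATCH 15 workflow already uses `@v3` for both. The download line shares the unchecked `curl` issue noted on inspect.yml.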
@@ -0,0 +1,68 @@ +--- +# This workflow integrates qwiet.ai preZero with GitHub +# Visit https://docs.shiftleft.io for help +name: qwiet.ai + +on: + pull_request: + workflow_dispatch: + +jobs: + NextGen-Static-Analysis: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + - name: Setup Java JDK v11 + uses: actions/setup-java@v3 + with: + distribution: zulu + java-version: 11 + + - name: Setup Java JDK v8 + uses: actions/setup-java@v3 + with: + distribution: zulu + java-version: 8 + + - name: Download ShiftLeft CLI + run: | + curl https://cdn.shiftleft.io/download/sl > ${GITHUB_WORKSPACE}/sl && chmod a+rx ${GITHUB_WORKSPACE}/sl + + - name: preZero Static Analysis + run: | + ${GITHUB_WORKSPACE}/sl --version + ${GITHUB_WORKSPACE}/sl analyze --strict --wait \ + --app HelloShiftLeft \ + --tag branch=${{ github.head_ref }} \ + --java --container 18fgsa/s3-resource $(pwd) + env: + SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }} + SHIFTLEFT_API_HOST: www.shiftleft.io + SHIFTLEFT_GRPC_TELEMETRY_HOST: telemetry.shiftleft.io:443 + SHIFTLEFT_GRPC_API_HOST: api.shiftleft.io:443 + +# Build-Rules: +# runs-on: ubuntu-latest +# permissions: write-all +# needs: NextGen-Static-Analysis +# steps: +# - uses: actions/checkout@v3 +# - name: Download ShiftLeft CLI +# run: | +# curl https://cdn.shiftleft.io/download/sl > ${GITHUB_WORKSPACE}/sl && chmod a+rx ${GITHUB_WORKSPACE}/sl +# - name: Validate Build Rules +# run: | +# ${GITHUB_WORKSPACE}/sl check-analysis --app HelloShiftLeft \ +# --github-pr-number=${{github.event.number}} \ +# --github-pr-user=${{ github.repository_owner }} \ +# --github-pr-repo=${{ github.event.repository.name }} \ +# --github-token=${{ secrets.GITHUB_TOKEN }} +# env: +# # SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }} +# +# SHIFTLEFT_API_HOST: www.shiftleft.io +# SHIFTLEFT_GRPC_TELEMETRY_HOST: telemetry.shiftleft.io:443 +# SHIFTLEFT_GRPC_API_HOST: api.shiftleft.io:443 +# + + 
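Review bot: the commented-out `Build-Rules` job carries `permissions: write-all`, which, if uncommented as written, grants its `GITHUB_TOKEN` every scope on the repository; the PR-comment use case needs only `pull-requests: write` plus `contents: read`, so the comment should already carry the least-privilege form rather than inviting a copy of `write-all`. `sl analyze ... --java --container 18fgsa/s3-resource $(pwd)` scans a third-party image whose relation to HelloShiftLeft is not explained anywhere in the file; a comment naming why that image is included, or a clearly labelled placeholder to replace, would stop it being mistaken for the app's own image. The live job declares no `permissions:` block at all, so it runs with the repository default token scope. `--tag branch=${{ github.head_ref }}` is interpolated into the shell unquoted, as noted on inspect.yml.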
From 2cad65acccdafed688088309c4a14b4bba70f63a Mon Sep 17 00:00:00 2001 From: ShiftLeft Date: Wed, 31 Jan 2024 18:10:10 -0500 Subject: [PATCH 16/16] adding Qwiet preZero Static Analysis action workflow config --- shiftleft.yml | 15 +++++++++++++++ 1 file changed, 15 insertions(+) create mode 100644 shiftleft.yml diff --git a/shiftleft.yml b/shiftleft.yml new file mode 100644 index 0000000..820144a --- /dev/null +++ b/shiftleft.yml @@ -0,0 +1,15 @@ +version: 2 +build_rules: + - id: Allow no critical findings + severities: + - critical + - id: Allow one OSS or container finding + finding_types: + - oss_vuln + - container + threshold: 1 + - id: Allow no reachable OSS vulnerability + finding_types: + - oss_vuln + options: + reachable: true
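Review bot: this file lands as `shiftleft.yml` while PATCH 10 added `shiftleft.yaml` with version-less rules built on `cvss_31_severity_ratings:` and `threshold:`; the two have different schemas and rule ids, and nothing in the series says which one `sl check-analysis` reads, so one should be removed or each should carry a comment naming the authoritative file. `Allow no critical findings` and `Allow no reachable OSS vulnerability` set no `threshold:`, whereas `Allow one OSS or container finding` sets `threshold: 1`; unless the default is 0 those two rules do not enforce the "no" in their ids, so write `threshold: 0` explicitly. Quoting the ids (`id: "Allow no critical findings"`) would match the style of the earlier file.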